###
计算机系统应用英文版:2018,27(10):112-120
本文二维码信息
码上扫一扫!
基于能力依赖图的SEAndroid安全策略分析
(1.中国科学院大学, 北京 100049;2.中国科学院 软件研究所 可信计算与信息保障实验室, 北京 100190)
Analysis of SEAndroid Policies Based on Capability Dependency Graph
(1.University of Chinese Academy of Sciences, Beijing 100049, China;2.Trusted Computing and Information Assurance Laboratory, Institute of Software, Chinese Academy of Sciences, Beijing 100190, China)
摘要
图/表
参考文献
相似文献
本文已被:浏览 1527次   下载 2155
Received:March 13, 2018    Revised:April 03, 2018
中文摘要: SEAndroid作为Android系统安全机制的重要组成部分,直接关系到系统的安全性.在本文中,我们提出一种基于能力依赖图的SEAndroid安全策略分析方法.能力依赖图描述了实际Android系统中用户的能力迁移以及其SEAndroid子系统的访问控制配置.我们首先对SEAndroid的具体实现进行分析,收集安全策略和系统信息,并进行逻辑建模.然后,我们依据SEAndroid的策略判定模式设计逻辑推导规则,并以此利用逻辑编程的方式生成能力依赖图.基于能力依赖图,我们提取出可能的攻击路径和攻击模式.我们对多个AOSP发布的不同Android版本的SEAndroid访问控制系统子进行了评估与分析.我们发现随着Android版本的提升,其SEAndroid安全策略也进行了更新,新的SEAndroid对系统提供了更强的约束和保护.此外,我们在实验中发现了一种被黑客在实际攻击中使用到的攻击模式,从而验证我们方法的有效性.
Abstract:As part of the Android security model, SEAndroid is critical to assure the security of operating systems. In this study, we propose an approach to analyze SEAndroid policies based on capability dependency graph. Capability dependency graph describes attacker's potential capabilities and the dependency relationships among these capabilities. It also describes the configuration of SEAndroid policies. We collect some security related system facts, and encode the collected data to Prolog predicates. We adopt logic programming to automatically compute a capability dependency graph with driving rules. We enumerate all the attack paths from initial nodes to goal nodes in the capability dependency graph, and categorize the attack paths into attack patterns. We apply our approach to analyze and compare some different versions of Android. We find that with the upgrade of the Android version, the SEAndroid security policy has also been updated. The new SEAndroid provides a stronger constraint and protection for the system, and a experimental attack pattern has been verified in the actual system.
文章编号:     中图分类号:    文献标志码:
基金项目:国家自然科学基金(61471344);国家重点研发计划(2017YFB0802902)
引用文本:
曹佳欣,程亮,张阳.基于能力依赖图的SEAndroid安全策略分析.计算机系统应用,2018,27(10):112-120
CAO Jia-Xin,CHENG Liang,ZHANG Yang.Analysis of SEAndroid Policies Based on Capability Dependency Graph.COMPUTER SYSTEMS APPLICATIONS,2018,27(10):112-120