Security design and architecture for Android systems

Source: Internet
Author: User

Security design and architecture of Android system security policy

1. Android
The overall architecture consists of five main layers of components: the Android application layer, the Android framework layer, the Dalvik virtual machine layer, the user-space native code layer, and the Linux kernel layer.

2. Security boundaries, sometimes referred to as trust boundaries, are the places in a system that separate different levels of trust. One of the most straightforward examples is the boundary between kernel space and user space. Code in kernel space can perform low-level operations on the hardware and access all virtual and physical memory. Code in user space cannot access all memory, because the CPU enforces this boundary in hardware; crossing it requires a controlled transition such as a system call.

3. The core of the Android sandbox
The core mechanism rests on the following concepts: standard Linux process isolation, a unique user ID (UID) for most processes, and tightly restricted file system permissions. Predefined system UIDs and GIDs (Android IDs, AIDs) are declared in android_filesystem_config.h, for example:

    #define AID_SHELL 2000 /* adb shell and debug shell user */
    #define AID_CACHE 2001 /* cache access */
    #define AID_DIAG  2002 /* access to diagnostic resources */

4. In some cases, permissions may also take the form of Linux capabilities. For example, members of the AID_INET_ADMIN group are granted the CAP_NET_ADMIN capability, which allows them to configure network interfaces and routing tables.

1.2 Permissions

1. API permissions: control access to high-level functionality that lives in the Android API/framework and, in some cases, in third-party frameworks. A common example of an API permission is READ_PHONE_STATE.
2. File permissions: by default, an application's unique UID and GID can access only its own data storage path on the file system, as the listing of /data/data shows (each package directory is owned by that app's user, readable by its group, and only traversable, not listable, by everyone else):

    root@android:/ # ls -l /data/data
    drwxr-x--x u0_a3  u0_a3  ... com.android.browser
    drwxr-x--x u0_a4  u0_a4  ... com.android.calculator2
    drwxr-x--x u0_a5  u0_a5  ... com.android.calendar
    drwxr-x--x u0_a24 u0_a24 ... com.android.camera

3. IPC permissions: these relate directly to communication between application components (and with some system IPC facilities), although they also overlap somewhat with API permissions. The declaration and enforcement of these permissions can happen at different levels: in the runtime environment, in library code, or directly in the application. Specifically, this is the set of permissions applied to the main Android application components, which are built on top of Binder IPC.
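As an added example (not code from the original article), the following Python script parses the /data/data listing shown under item 2 and applies the Linux discretionary access control (DAC) rule the kernel uses, so that you can see exactly what one app's UID can and cannot do to another app's private directory. The AID constants and the u0_aN-to-UID mapping are taken from Android's android_filesystem_config.h; the listing is reproduced as constructed input, and the mode-bit logic is a simplified model (root is treated as bypassing DAC).

```python
import re

# Constants from Android's android_filesystem_config.h.
AID_APP_START = 10000     # first UID handed out to installed applications
AID_USER_OFFSET = 100000  # size of the UID range reserved per Android user

# Constructed sample input: the listing from the text, with the elided
# columns left as "..." exactly as the article shows them.
LS_DATA_DATA = """\
drwxr-x--x u0_a3 u0_a3 ... com.android.browser
drwxr-x--x u0_a4 u0_a4 ... com.android.calculator2
drwxr-x--x u0_a5 u0_a5 ... com.android.calendar
drwxr-x--x u0_a24 u0_a24 ... com.android.camera
"""


def app_uid(name):
    """Map an app account name such as u0_a3 to its numeric UID (10003)."""
    m = re.fullmatch(r"u(\d+)_a(\d+)", name)
    if m is None:
        raise ValueError("not an application account name: " + name)
    user_id, app_no = int(m.group(1)), int(m.group(2))
    return user_id * AID_USER_OFFSET + AID_APP_START + app_no


def parse_ls(listing):
    """Parse `ls -l` lines into {package: {"mode", "uid", "gid"}}."""
    entries = {}
    pattern = re.compile(r"^([d-][rwx-]{9})\s+(\S+)\s+(\S+)\s+.*?(\S+)$")
    for line in listing.splitlines():
        m = pattern.match(line)
        if m is None:
            continue
        mode, owner, group, pkg = m.groups()
        entries[pkg] = {"mode": mode, "uid": app_uid(owner), "gid": app_uid(group)}
    return entries


def may_access(entry, uid, gid, want):
    """Apply the kernel's DAC rule for the bits in `want` (a subset of "rwx").

    Owner bits are consulted when the UID matches, otherwise group bits when
    the GID matches, otherwise the "other" bits. Root is modelled as
    bypassing DAC (CAP_DAC_OVERRIDE); the real kernel is slightly narrower
    for execute on regular files, which does not matter for directories.
    """
    if uid == 0:
        return True
    bits = entry["mode"][1:]  # drop the file-type character
    if uid == entry["uid"]:
        cls = bits[0:3]
    elif gid == entry["gid"]:
        cls = bits[3:6]
    else:
        cls = bits[6:9]
    return all(b in cls for b in want)


def cross_app_access(entries, caller, pkg):
    """What app `caller` (e.g. u0_a4) can do to another app's data directory."""
    uid = app_uid(caller)
    e = entries[pkg]
    return {
        "list": may_access(e, uid, uid, "r"),      # enumerate file names
        "write": may_access(e, uid, uid, "w"),     # create or delete files
        "traverse": may_access(e, uid, uid, "x"),  # open a file whose name is known
    }


if __name__ == "__main__":
    data = parse_ls(LS_DATA_DATA)
    print(cross_app_access(data, "u0_a4", "com.android.browser"))
```

The traverse flag is the point: drwxr-x--x lets any other app descend into the directory and open a file whose name it knows, so a file the owning app has itself made world-readable (for example with the old MODE_WORLD_READABLE flag) is reachable from every other UID even though the directory cannot be listed. Keeping private files at their default 0660 mode is what makes the per-UID sandbox hold.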

2.1 Application layer

Applications are typically divided into two categories: preinstalled applications and user-installed applications.

1. A particularly interesting part of the AndroidManifest.xml manifest file is the sharedUserId attribute. Put simply, if two apps are signed with the same key, they can specify the same user identifier in their manifest files. In that case the two applications run under the same UID, which lets them access the same file system data storage and potentially other resources.

2. Intent: an Intent is a message object that contains information about the action to be performed, the target component that will perform it (optional), and other flags or supporting data (which may be critical to the receiver). Almost all common operations involve passing an Intent through the system. Components can be protected with permissions; for example, a custom signature-level permission can be declared and then required for an activity:

    <permission android:name="com.wiley.permission.INSTALL_WIDGET"
        android:protectionLevel="signature" />
    ...
    <activity android:name=".InstallWidgetActivity"
        android:permission="com.wiley.permission.INSTALL_WIDGET" />

3. Activity: a user-facing application component, or user interface (UI). Activities are based on the Activity base class, which includes a window and related UI elements. The underlying management of activities is handled by a component called the Activity Manager Service, which also handles the Intents that applications send (to other applications or within the same application) to invoke activities.

4. Broadcast receiver: usually used where an application wants to receive an implicit Intent matching specific criteria. A receiver can be declared in the manifest or registered programmatically at run time with the registerReceiver method; that method is overloaded so that a permission can be set on the receiver.

    <receiver android:name=".MySMSReceiver">
        <intent-filter android:priority="999">
            <action android:name="android.provider.Telephony.SMS_RECEIVED" />
        </intent-filter>
    </receiver>

5. Service: a class of application component that runs in the background without a user interface; users do not interact directly with the service itself.

    <service android:name="com.yougetitback.androidapplication.FindLocationService">
        <intent-filter>
            <action android:name="com.yougetitback.androidapplication.FindLocationService" />
        </intent-filter>
    </service>

Services can generally be started, stopped, or bound to, and all of these actions are triggered by Intents.

6. Content provider is a structured access interface for a variety of common, shared data stores.

    <provider android:name="com.wiley.example.MyProvider"
        android:writePermission="com.wiley.example.permission.WRITE"
        android:authorities="com.wiley.example.data" />

Content URIs take the form content://[AUTHORITY_NAME], optionally followed by path and parameter information (for example content://com.wiley.example.data/foo). How the provider's underlying implementation interprets that path can be security-critical.
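To make the permission model of items 2 and 6 concrete, here is an added Python model (not code from the article, and not Android's own implementation) of how the package manager grants manifest permissions at install time and how components and content providers check them at call time. It uses the permission, activity and provider declarations quoted above; the package names, signing-key identifiers and the extra packages in build_example() are hypothetical. Only the "normal" and "signature" protection levels are modelled, runtime-granted "dangerous" permissions are left out, and a signing certificate is represented by a plain string.

```python
from dataclasses import dataclass, field
from urllib.parse import urlsplit

AID_APP_START = 10000  # first application UID (android_filesystem_config.h)


@dataclass
class Package:
    name: str
    signer: str                                  # identity of the signing key (hypothetical)
    uses: set = field(default_factory=set)       # <uses-permission> names
    defines: dict = field(default_factory=dict)  # <permission> name -> protectionLevel
    shared_user_id: str = None                   # android:sharedUserId, if any


class PackageManagerModel:
    """Install-time grants plus the checks made on IPC and provider access."""

    def __init__(self):
        self.packages, self.uid_of, self.granted = {}, {}, {}
        self.shared = {}      # sharedUserId -> (uid, signer)
        self.providers = {}   # authority -> (owner package, readPermission, writePermission)
        self._next_uid = AID_APP_START

    def _alloc_uid(self):
        self._next_uid += 1
        return self._next_uid - 1

    def install(self, pkg):
        if pkg.shared_user_id is None:
            uid = self._alloc_uid()
        else:
            uid, signer = self.shared.get(pkg.shared_user_id, (None, None))
            if signer is not None and signer != pkg.signer:
                # Sharing a UID is only allowed between packages signed with the same key.
                raise PermissionError("INSTALL_FAILED_SHARED_USER_INCOMPATIBLE")
            if uid is None:
                uid = self._alloc_uid()
                self.shared[pkg.shared_user_id] = (uid, pkg.signer)
        self.packages[pkg.name], self.uid_of[pkg.name] = pkg, uid
        self._recompute_grants()
        return uid

    def _definer(self, perm):
        return next((p for p in self.packages.values() if perm in p.defines), None)

    def _recompute_grants(self):
        # Grants are tracked per UID, so packages sharing a UID pool their grants.
        self.granted = {}
        for p in self.packages.values():
            got = self.granted.setdefault(self.uid_of[p.name], set())
            for perm in p.uses:
                d = self._definer(perm)
                if d is None:
                    continue  # unknown permission: simply not granted
                level = d.defines[perm]
                if level == "normal" or (level == "signature" and d.signer == p.signer):
                    got.add(perm)

    def check_permission(self, caller_uid, perm):
        return perm in self.granted.get(caller_uid, set())

    def check_component(self, caller_uid, required):
        """android:permission on a component; None means it is unguarded."""
        return required is None or self.check_permission(caller_uid, required)

    def register_provider(self, owner, authority, read=None, write=None):
        self.providers[authority] = (owner, read, write)

    def check_provider(self, caller_uid, content_uri, write):
        """Resolve content://authority/... and apply read/writePermission."""
        uri = urlsplit(content_uri)
        if uri.scheme != "content":
            raise ValueError("not a content URI: " + content_uri)
        owner, read_perm, write_perm = self.providers[uri.netloc]  # KeyError: unknown authority
        if caller_uid == self.uid_of[owner]:
            return True  # a provider always trusts its own UID
        return self.check_component(caller_uid, write_perm if write else read_perm)


def try_install(pm, pkg):
    """True if the install is accepted, False if the shared-UID rule rejects it."""
    try:
        pm.install(pkg)
        return True
    except PermissionError:
        return False


def build_example():
    """Scenario from the manifests quoted above; package and key names are hypothetical."""
    pm = PackageManagerModel()
    W = "com.wiley.permission.INSTALL_WIDGET"
    WRITE = "com.wiley.example.permission.WRITE"
    pm.install(Package("com.wiley", "key-wiley", defines={W: "signature"}))           # uid 10000
    pm.install(Package("com.wiley.widgets", "key-wiley", uses={W}))                  # 10001, same key
    pm.install(Package("com.example.other", "key-other", uses={W}))                  # 10002, other key
    pm.install(Package("com.wiley.example", "key-wiley", defines={WRITE: "normal"}))  # 10003
    pm.register_provider("com.wiley.example", "com.wiley.example.data", write=WRITE)
    pm.install(Package("com.example.writer", "key-other", uses={WRITE}))             # 10004
    # Two packages with the same signer and sharedUserId end up in one UID (10005).
    pm.install(Package("com.wiley.main", "key-wiley", uses={W}, shared_user_id="com.wiley.shared"))
    pm.install(Package("com.wiley.sidecar", "key-wiley", shared_user_id="com.wiley.shared"))
    return pm
```

Two behaviours are worth noticing. A package signed with a different key that requests the signature-level permission is not rejected at install time; it simply never receives the grant, so the check on InstallWidgetActivity fails when it calls. And because grants are tracked per UID, a package that shares a sharedUserId inherits permissions it never requested itself (com.wiley.sidecar gets INSTALL_WIDGET through com.wiley.main). The quoted provider sets only writePermission, so in this model any caller can read it; set readPermission as well (or android:exported="false") if that is not intended.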

2.2 Framework layer

The Android framework layer provides developers with the packages and classes that handle common tasks, such as managing UI elements, accessing shared data stores, and passing messages between application components. In other words, the framework layer contains any non-application-specific code that still executes in the Dalvik VM.

1. The Dalvik VM is register-based rather than stack-based. Java classes are compiled to .class files, converted to .dex (Dalvik executable) format, and packaged into an .apk. The Dalvik VM interacts with underlying native code through the Java Native Interface (JNI), which lets Dalvik code and native code call each other.

2. When an Android device boots, the zygote process is one of the first processes to run. Zygote is responsible for launching the other services and loading the libraries used by the Android framework. It then acts as the loader for every Dalvik process: each new process is created by making a copy of zygote itself (forking), so the preloaded framework is shared rather than loaded again.

Zygote's second function is to start the system_server process, which hosts the core system services and runs with elevated privileges under the system AID.

2.3 User-space native code layer

Native code in operating-system user space makes up a large part of the Android system. This layer consists of two major types of component: libraries and core system services.

1. Much of the low-level functionality that higher-level classes in the Android framework rely on is implemented as shared libraries and accessed through JNI. Many of these libraries are well-known open source projects that are also used on other Unix-like systems. For example, SQLite provides local data storage, WebKit provides an embeddable web browser engine, and FreeType provides bitmap and vector font rendering.

Not all of the underlying libraries are standard; Bionic is a notable exception. Bionic is a variant of the BSD C runtime library, designed to have a smaller memory footprint.

These libraries are written in native code and are therefore prone to memory corruption vulnerabilities.

2. Core services are the services that establish the basic operating system environment and Android's native components. They include the service that initializes user space (init) and services that provide critical debugging capabilities (such as adbd and debuggerd).

3. Other services provide additional, not necessarily essential, functionality, depending on the device and the service.

2.4 Kernel

1. Key Android changes to the Linux kernel (two examples):

Binder: an IPC mechanism that provides additional features such as security verification of callers and callees. It is used extensively by system and framework services.
OOM modifications: the "Out Of Memory" killer terminates processes when free memory is low. In the Android kernel branch this is complemented by the low memory killer driver, which starts killing processes earlier, as memory is about to run out, than the traditional Linux OOM killer does.

2. Binder: Binder is an architecture that follows a client-server model, allowing one process to invoke multiple methods in one or more "remote" processes. The Binder architecture abstracts away the underlying details so that these calls look like local function calls.

AIDL (Android Interface Definition Language) lets two applications send and receive data through an agreed-upon, standardized interface, which makes the interface independent of its concrete implementation. An AIDL file is similar to other interface definition languages, much like a header file in C++.

    // IRemoteService.aidl
    package com.example.android;

    // Declare any non-default types here with import statements

    /* Example service interface */
    interface IRemoteService {
        /** Request the process ID of this service, to do something "interesting" with */
        int getPid();

        /** Demonstrates some basic types usable as AIDL parameters and return values */
        void basicTypes(int anInt, long aLong, boolean aBoolean, float aFloat,
                double aDouble, String aString);
    }

3. Ashmem: the anonymous shared memory service, widely used by most Android core components, including SurfaceFlinger, AudioFlinger, system_server, the Dalvik VM, and more. Ashmem can automatically shrink memory caches and reclaim memory regions when globally available memory is low, which makes it well suited to low-memory environments. Creating a region and mapping it into the caller's address space looks like this:

    #include <sys/mman.h>
    #include <cutils/ashmem.h>

    /* ashmem_create_region() returns a file descriptor, or -1 on failure */
    int fd = ashmem_create_region("SomeAshmem", size);
    if (fd >= 0) {
        data = mmap(NULL, size, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
        ...

In 2011, Ashmem was shown to have a very serious security flaw that allowed elevation of privilege via the Android property space.

4. Logger: depending on the type of information, four independent log buffers are available: main, radio, events, and system. They are read with logcat, for example:

$ adb -d logcat
3. Closing remarks

After looking closely at Android's design and architecture, it is clear that Android is a very complex system. Its designers adhere to the principle of least privilege, meaning that any particular component should have access only to what it really needs. While this helps improve security, it also adds complexity.
