Source: Wen Q, Huang L. The Design and Implementation of Android File Access Control System[C]// Second International Conference on Business Computing and Global Informatization. IEEE, 2012: 766-769.

The Design and Implementation of Android File Access Control System

Q Wen, L Huang

Abstract: Android is a popular operating system on mobile devices, and its security is a widely shared concern. Based on an analysis of the defects in the Android security mechanism, this paper proposes the design and implementation of an Android File Access Control System that supplies authorization and authentication for file operations in order to protect sensitive files. The simulation results indicate that the Android File Access Control System achieves the goal of file access control on Android.

Keywords: Android; access control; Linux kernel; virtual file system

I. INTRODUCTION

Mobile devices are becoming more and more popular with the coming of the information age. Android is a software stack for mobile devices that includes an operating system, middleware and key applications. In particular, Android relies on Linux version 2.6 for core system services. With the growing number of users, the security issues of Android have come into focus. As a result, the study of Android file access control is significant.

A. Android Security Mechanism and Defect

Relying on the Linux kernel, Android is a privilege-separated operating system, in which each application gets a sandbox with a distinct system identity (Linux user ID and group ID) at install time. Any data stored by an application will be assigned that application's user ID, and is not normally accessible to other applications. Additional security features are provided through a permission mechanism.
No application, by default, has the permission to perform any operations that would adversely impact other applications, the operating system, or the user. Applications must statically declare the permissions they require, and the Android system prompts the user for consent at the time the application is installed.

There are defects in the Android security mechanism. Android has a super user who has permission to operate the whole system, and the sandbox of each application becomes invalid once an application is assigned the super user ID. Additionally, the permission mechanism sometimes cannot meet the demands of security control because it is coarse-grained.

B. Goals

Recently, many viruses have threatened the Android system by accessing sensitive files. This paper aims at designing and implementing an Android File Access Control System, in order to offset the defects in the Android security mechanism and prevent sensitive files from being damaged.

II. DESIGN OF ANDROID FILE ACCESS CONTROL SYSTEM

A. Access Control Model

Access control is the traditional center of gravity of computer security. Its function is to control which principals (persons, processes, and machines) have access to which resources in the system. An access control system is generally made of three key components: subject, object and security policy. A subject is an actor that requests access to an object. An object is a passive entity being accessed. The security policy controls how subjects and objects communicate and interact with each other. To enforce the rules and objectives of an established security policy, access control models are created. There are three primary models: discretionary access control (DAC), mandatory access control (MAC) and role-based access control (RBAC). The DAC model allows the owners of objects to control who accesses them and what operations can be performed on the objects. The MAC model, however, does not leave decisions up to the data owner; instead, the system compares the subject's clearance and need-to-know with the object's classification to either grant or disallow access.
The RBAC model makes access decisions based on the rights assigned to a role or group, not an individual user. Relying on the Linux kernel, Android has already inherited the DAC mechanism from Linux, and RBAC is not a suitable solution on a mobile platform. Consequently, achieving MAC on the Android system is a reasonable and effective solution.

B. System Architecture

The architecture of the Android File Access Control System is shown in Fig. 1. It includes the policy obtainment module, access control module, kernel communication module, policy management module and policy file. We develop them separately in the user space and the kernel space. In particular, the policy obtainment module and the access control module are inserted into the virtual file system (VFS): because the VFS is an abstraction layer in the Linux kernel on top of the concrete file systems, it can manage all the system calls that operate on files.

1) Policy Obtainment Module: When an application requests to operate on a file, the policy obtainment module captures the request and calls the kernel communication module to get the authorization information that matches the file being operated on.

2) Access Control Module: After the policy obtainment module gets the authorization information, the access control module is responsible for authentication, comparing the requested operation with the authorization information. It allows or refuses the file access according to whether the file operation is legal.
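An added example, not code from the paper: a user-space C model of the policy obtainment and access control steps described above, set beside a simplified DAC check so that a request from UID 0 can be seen passing DAC and being refused by the MAC layer. The policy entry layout, the default-deny rule for protected files, the pass-through for unlisted files, and all function names, paths and UIDs are assumptions.

```c
#include <string.h>
enum { OP_READ = 4, OP_WRITE = 2, OP_EXEC = 1 };  /* rwx bit order */
#define SAMPLE_DB "/data/data/com.example.bank/accounts.db"  /* constructed */

/* One (file, subject) rule. Layout assumed: the paper gives no policy format. */
struct policy_entry { const char *path; unsigned uid; unsigned allowed; };
/* Constructed sample policy; the UIDs are hypothetical application UIDs. */
static const struct policy_entry policy[] = {
    { SAMPLE_DB, 10051, OP_READ | OP_WRITE },
    { SAMPLE_DB, 10077, OP_READ },
};

/* Simplified Linux DAC (owner/other bits only): UID 0 bypasses the mode. */
int dac_check(unsigned uid, unsigned owner, unsigned mode, unsigned op)
{
    if (uid == 0) return 1;
    unsigned bits = (uid == owner) ? (mode >> 6) & 7 : mode & 7;
    return (bits & op) == op;
}

/* Policy obtainment: 1 if path is protected; *allowed = ops granted to uid. */
int policy_lookup(const char *path, unsigned uid, unsigned *allowed)
{
    int protected_file = 0;
    *allowed = 0;
    for (size_t i = 0; i < sizeof policy / sizeof policy[0]; i++) {
        if (strcmp(policy[i].path, path) != 0) continue;
        protected_file = 1;
        if (policy[i].uid == uid) *allowed |= policy[i].allowed;
    }
    return protected_file;
}

/* Access control: compare the requested operation with the authorization
 * information. UID 0 gets no exemption; unlisted files are left to DAC. */
int mac_check(const char *path, unsigned uid, unsigned op)
{
    unsigned allowed;
    if (!policy_lookup(path, uid, &allowed)) return 1;
    return (allowed & op) == op;
}

/* A request succeeds only when both layers allow it. */
int file_access(const char *path, unsigned uid, unsigned owner,
                unsigned mode, unsigned op)
{
    return dac_check(uid, owner, mode, op) && mac_check(path, uid, op);
}
```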