http://www.paper.edu.cn
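Sciencepaper Online (中国科技论文在线)
Design and Implementation of an Android Sandbox Based on Virtualization and Redirection Technology
CUI Haina, ZHANG Tianle
(School of Cyberspace Security, Beijing University of Posts and Telecommunications, Beijing 100876;
Key Laboratory of Trustworthy Distributed Computing and Service (BUPT), Ministry of Education, Beijing 100876)
About the author: CUI Haina (1991-), female, master's student at Beijing University of Posts and Telecommunications; main research area: terminal security
Corresponding author: ZHANG Tianle (1977-), male, associate professor and master's supervisor; main research area: terminal security. E-mail: tlezhang@bupt.edu.cn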
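Abstract: With the spread of mobile devices, enterprise mobility management (EMM) has emerged as a product that addresses the security and management problems of enterprise mobility. Mobile content management (MCM), one of the mobility management elements of EMM, uses sandboxing to isolate, monitor and control the distribution of and access to sensitive information; in other words, the mobile security sandbox is one of the core highlight technologies of EMM. This paper analyzes the shortcomings of existing mobile sandboxes in data protection and in resource consumption, analyzes the implementation techniques of existing PC sandbox systems, refines the handling of operations on data inside the Android system, and proposes a new Android sandbox system based on virtualization and redirection technology. By virtualizing and redirecting the four major Android components, system services and IO operations, and by applying virtualization to data in Android internal storage, the sandbox designed in this paper gives users an independent and secure runtime environment for untrusted applications, lets an application run both inside and outside the sandbox at the same time, and strengthens the protection of data. The sandbox provides file system isolation, so that the file data produced by applications running inside the sandbox can be managed, and redirection resolves the resource conflicts that can arise when processes inside and outside the sandbox are running at the same time. The test results show that handling data operations by category strengthens the sandbox's protection of data integrity.
Keywords: Android; sandbox; virtualization; redirection
CLC number: TP311.1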
The design and implementation of Android sandbox based on
virtualization and redirection technology
CUI Haina, ZHANG Tianle
(School of Cyberspace Security, Beijing University of Posts and Telecommunications, Beijing 100876;
Key Laboratory of Trustworthy Distributed Computing and Service (BUPT), Ministry of Education, Beijing 100876)
Abstract: With the popularity of mobile devices, employees are freeing themselves from the constraints of the original fixed working environment. Enterprise mobility management (EMM) has arisen as a solution to enterprise mobile security and management problems. Mobile content management (MCM), one of the elements of EMM's mobility management, uses sandbox technology to isolate, monitor and control the distribution of and access to sensitive information. That is to say, the mobile security sandbox is one of the core technologies of EMM. Mobile security sandboxes are divided into ordinary sandboxes and sandboxes that are a core competitive feature; a mobile security sandbox is a non-antivirus security tool. This paper analyzes the problems of current mobile sandboxes and the existing PC sandbox systems, and then proposes a new Android sandbox system based on virtualization and redirection technology. By virtualizing and redirecting the four major components, system services and IO operations of the Android system, the sandbox designed in this article provides an independent and safe running environment for untrusted applications and enables an application to be run both inside and outside the sandbox. The sandbox provides file system isolation so that file data generated by applications running in the sandbox can be managed. Redirection technology resolves resource conflicts that may occur when an application is started inside and outside the sandbox simultaneously. In addition, applications are installed directly inside the sandbox without modifying the application installation package and transparently to the outside. The test results show that the classification of data manipulation enhances the sandbox's protection of data integrity.