移动Web操作系统安全综述

摘要/Abstract

摘要： 随着移动互联网和智能终端的发展，终端操作系统也不断推陈出新，近年来出现了一种基于标准统一的Web语言开发的Web操作系统．这类操作系统提供了较好的跨平台性，并可通过云存储和数据的集中管理作为一种移动政务的解决方案．但是这类操作系统由于新发展起来，仍存在不少安全问题需要解决．通过对开源Web操作系统的体系结构、应用类型、安全机制的研究，分析其各自的安全性，最后讨论安全拓展方案．

关键词: Web操作系统, 体系结构, 系统安全, 访问控制, 权限管理

Abstract: With the development of mobile Internet and smart terminals, the terminal operating system has also been continuously updated. In recent years, the Web operating systems which are developed through Web language with unified standard have emerged. Such operating systems provide better cross-platform performance and can be used as an e-government solution for the centralized management as well as cloud storage. However, these operating systems are new development, there are still many security issues that need to be resolved. This article analyzes the architecture, application types, security mechanisms and the respective security of typical open source Web operating systems. Finally, the discussion on future security methods is given.

Key words: Web operating system, system architecture, system security, access control, permission management

杨莹李威吴荻. 移动Web操作系统安全综述[J]. 信息安全研究, 2018, 4(8): 689-697.

参考文献

[1] Mozilla. Firefox OS架构[OL]. [2017-02-27]. https://developer.mozilla.org/zh-CN/Firefox_OS/Platform/Architecture [2] Mozilla. Firefox OS security overview[OL]. [2017-02-27] https://developer.mozilla.org/en-US/Firefox_OS/Security/Security_model [3] Wiki. Google Chrome OS[OL]. [2016-04-16]. https://en.wikipedia.org/wiki/Chrome_OS [4] Wiki. Tizen[OL]. [2017-03-10]. https://zh.wikipedia.org/zh-cn/Tizen [5] Wiki. Ubuntu Touch[OL]. [2018-01-10]. https://en.wikipedia.org/wiki/Ubuntu_Touch [6] Georgiev M, Jana S, Shmatikov V. Rethinking security of Web-based system applications[C]//Proc of Int Conf on World Wide Web. New York: ACM, 2015:366-376 [7] DeFreez D, Shastry B, Chen H, et al. A ﬁrst look at Firefox OS security[J]. Computer Science, 2014 [8] Bae S G, Cho H, Lim I, et al. SAFEWAPI: Web API misuse detector for web applications[C]//Proc of ACM SIGSOFT Int Symp. New York: ACM, 2014:507-517 [9] Chen B, Ming W S, Huang Y L. An anomaly detection module for firefox OS[C]//Proc of the 8th IEEE Int Conf on Software Security and Reliability-Companion. Piscataway, NJ: IEEE, 2014:176-184 [10] Piekarska M, Shastry B, Borgaonkar R. What does the fox say? On the security architecture of firefox OS[C]//Proc of the 9th Int Conf on Availability, Reliability and Security. Piscataway, NJ: IEEE, 2014:172-177 [11] Huang L, Moshchuk A, Wang H, et al. Clickjacking: Attacks and defenses[C]//Proc of USENIX Conf on Security Symp. Berkeley: USENIX, 2012:22-22 [12] West W, Pulimood S M. Analysis of privacy and security in HTML5 web storage[J]. Journal of Computing Sciences in Colleges, 2012, 27(3):80-87 [13] Heiderich M, Schwenk J, Frosch T, et al. mXSS attacks: Attacking well-secured web-applications by using innerHTML mutations[C]// Proc of ACM SIGSAC Conf on Computer & Communications Security. New York: ACM 2013:777-788 [14] Bojinov H, Bursztein E, Dan B. XCS:Cross channel scripting and its impact on web applications[C]//Proc of ACM Conf on Computer and Communications Security, CCS 2009. New York: ACM, 2009:420-431 [15] Danisevskis J, Piekarska M,Seifert J. Dark side of the shader: Mobile GPU-aided malware delivery[C]//Information Security and Cryptology, Berlin: Springer, 2013:483-495 [16] Mulliner C, Golde N, Seifert J. Sms of death: From analyzing to attacking mobile phones on a large scale[C]// Proc of the 20th USENIX Conf on Security. Berkeley: USENIX, 2011:24-24 [17] Mulliner C, Vigna G. Vulnerability analysis of mms user agents[C]// Proc of the 22nd Annual Computer Security Applications Conf. New York: ACM, 2006:77-88 [18] Akhawe D, Li F, He W, et al. Data-confined HTML5 applications[C]//Proc of Computer Security ESORICS 2013. Berlin :Springer, 2013:736-754 [19] Akhawe D, Saxena P, Song D. Privilege separation in HTML5 applications[C]// Proc of USENIX Conf on Security Symp. Berkeley: USENIX, 2012:23-23 [20] Javanmardi S, Shojafar M, Shariatmadari S, et al. PGSW-OS: A novel approach for resource management in a semantic web operating system based on a P2P grid architecture[J]. Journal of Supercomputing, 2014, 69(2):955-975 [21] Syer M, Nagappan M, Adams B, et al. Studying the relationship between source code quality and mobile platform dependence[J]. Software Quality Journal, 2015, 23(3):485-508 [22] Jose G, Sebastian R, Jose D M. A survey on Web OS[J]. 2015:215-217 [23] Gao Z, Suo Z. Research and application of scientific research management system based on Ext +SSH integrated development framework[J]. Modern Electronics Technique, 2015: 52-58 [24] Zhu D, Yang Y, Jin H, et al. Application of modified BLP model on mobile Web operating system[C]//Proc of IEEE Trustcom/bigdatase/ispa. Piscataway, NJ: IEEE, 2017:1818-1824 [25] Ubuntu. Ubuntu Touch[OL]. [2017-03-10]. https://developer.ubuntu.com/en/phone/devices/porting-new-device/ [26] Wiki. Tizen Security[OL]. [2017-03-10]. https://wiki.tizen.org/wiki/Security#All_3.X_security_pages [27] 卿斯汉. Android安全研究进展[J]. 软件学报, 2016, 27(1):45-71 [28] Wiki. Firefox OS Application security[OL]. [2017-12-10]. https://developer.mozilla.org/en-US/docs/Mozilla/Firefox_OS/Security/Application_security [29] Google. Permissions in Chrome apps and extensions[OL]. [2017-03-11]. https://developer.chrome.com/apps/declare_permissions [30] Ubuntu phone documentation[OL]. [2018-01-10]. https://docs.ubuntu.com/phone/en/ [31] Agency N S. Security-enhanced Linux[J]. 2003, 29(9):20-22 [32] Zheng C. Overview of security enhanced Android’s security architecture[C]//Proc of Int Conf on Teaching and Computational Science. Berlin: Springer, 2014 [33] Alan C. Bomberger. et al.The KeyKOS® Nanokernel Architecture.in Proc of the USENIX Workshop on Micro-Kernels and Other Kernel Architectures[C]// USENIX Association. Berkeley: USENIX, 1992: 95-112 [34] Alves T. TrustZone: Integrated Hardware and Software Security[J]. White Paper, 2004