Android apps frequently incorporate third-party libraries that contain native code; this not only facilitates rapid application development and distribution, but also provides new ways to generate revenue. As a matter of fact, one in two apps in Google Play is linked with a library providing ad network services. However, linking applications with third-party code can have severe security implications: malicious libraries written in native code can exfiltrate sensitive information from a running app, or completely modify the execution runtime, since all native code is mapped inside the same address space as the execution environment, namely the Dalvik/ART VM. We propose NaClDroid, a framework that addresses these problems, while still allowing apps to include third-party code. NaClDroid prevents malicious native-code libraries from hijacking Android applications using Software Fault Isolation. More specifically, we place all native code in a Native Client sandbox that prevents unconstrained reads, or writes, inside the process address space. NaClDroid has little overhead; for native code running inside the NaCl sandbox the slowdown is less than 10% on average.