Research On Dynamic Measurement Technology Of Android Operating System Kernel

The mobile Internet is becoming more and more closely related to people's daily lives,and mobile smart terminals have evolved into an indispensable part.Among them,the market share of Android smart terminals is over 70%.But there are various vulnerabilities in the Android operating system,and more than 40% have the vulnerabilities in Android kernel layer and thus more and more kernel-level malware appears.In order to cope with the increasing number of kernel-level attacks,the way of measuring the kernel has become an important research of Android kernel protection technology.The Android dynamic measurement technology studied in this topic can verify the factors affecting kernel security during the operation of the Android system,and measure whether the attack behavior exists.Traditional measurement has problems such as single measurement surface and low measurement performance.In response to these problems,this paper has conducted in-depth research on the dynamic measurement technology of the Android operating system kernel.The main research contents and innovations of this paper are as follows:1.An Android kernel dynamic measurement architecture HDMDroid based on ARM hardware virtualization is proposed.The Android kernel is in management mode,the measurement layer is placed in virtualized mode and is separated from the measured Android kernel.Three kinds of measurement objects that can reflect the Android kernel runtime security are designed: the important kernel data structure,the page-level control flow during the kernel system call and the Binder communication transaction,and three measurement units are designed to measure in the measurement layer.Hardware-based trust chain startup protection and memory isolation-based runtime protection are built to ensure the security of the measurement layer itself,effectively reducing the attack surface of the measurement layer.2.Aiming at the problem of the current measurement object selected from the static aspect or the single dynamic measurement surface,a measurement method of Android kernel HIMDroid based on kernel data invariant is proposed.By analyzing the data structure that affects kernel integrity during Android system operation,the study gets the invariant constraints that need to be satisfied when these data structures change dynamically.These constraints are divided into fixed value constraints,subset constraints,boundary constraints,and fixed length constraints.The semantic reconstruction algorithm is designed to reconstruct the measurement object in the measurement layer according to the kernel structure and the underlying binary information.According to the constraint type that the measurement object must satisfy,it analyzes the integrity to determine whether the Android kernel is attacked.To some extent,it solves the problem that the existing data structure of the Android kernel measurement is not comprehensively enough.3.Aiming at the problem that the measurement method of the existing Control Flow Integrity(CFI)brings serious overhead to the system at the instruction and branch level,a page-level CFI measurement method P-CFIDroid for Android system calls is proposed.The hooking target system call and interception technology is designed,and the secondary address translation is used to transparently track the execution during the Android system call at the page level,and the system call control flow sequence is filtered.In order to represent the reference information of the page-level control flow,a Page-Control-Flow Graph(P-CFG)is designed.Using P-CFG to build a control flow reference base and to measure the kernel,to some extent,solves the performance problem of implementing control flow integrity metrics in ARM architecture.4.Aiming at the problem that the existing security protection about the Binder mechanism is mostly from the perspective of application,and cannot measure the framework layer Binder malware and the kernel layer rootkit attacking the Binder transaction,a hypermetric method based on hypervsior for Android kernel Binder is proposed.By analyzing the framework layer Binder malware,this study obtains three types of malicious IPC transactions affecting system integrity.The framework layer Binder malware metric algorithm is designed.The algorithm measures the ungrouped Parcel object according to the malicious IPC transaction.For rootkit attacks in the kernel-level,this study designs the IPC transaction table involving four steps of the Binder transaction to measure the rootkit.In addition,for the case where the Binder attack has been successfully implemented,in order to trace the attacker,the IPC map that implements the intrusion diagnosis and increases the visibility of attacks is constructed.To some extent,the security of the Binder mechanism has been improved.