Research and Design of a Browser Sandbox Mechanism for Android-Based Mobile Terminals
Published: 2018-09-15 20:00
[Abstract]: With the rapid development of mobile Internet technology, the number of smart terminals in use has grown quickly, and the number of users going online from mobile smart terminals has risen even faster. Users who accessed the Internet from computers are shifting to accessing it from mobile terminals. Among the many devices connected to the mobile Internet, the mobile browser plays an important role and has great commercial value. Applications with an embedded browser are becoming increasingly popular. When such an application visits a web page that contains JavaScript code, the page can access local information, which creates a security vulnerability. Among the many smart terminal operating systems, Android holds a large market share, so this work studies the Android operating system in depth. Taking the browser as the entry point, it follows the entire data flow layer by layer: from the browser application at the application layer, to WebView in the Framework layer, then to JNI, and finally to WebKit in the core library layer. WebView's vulnerabilities and attack methods are studied in depth and an attack model is simulated experimentally, followed by an in-depth study of how WebKit works. The study of WebView's vulnerabilities and attack methods shows that the ability of JavaScript statements to call local resources at will poses a major security risk to local information. To investigate defenses, the work studies the parsing process of WebCore and JavaScriptCore and analyzes the JavaScript code parsing process in depth. Building on these working principles and the development design, it studies the design philosophy of sandbox security mechanisms and the way browsers are designed, and then designs a sandbox security mechanism for the browser. This sandbox mechanism inspects code before the JavaScript is processed. For web content entering the browser, an underlying dynamic library is called through the JNI interface; this library inspects the web content and returns the result, which is shown to the user in a prompt dialog. Finally, the designed browser sandbox security mechanism is tested and verified.
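[Degree-granting institution]: Beijing University of Posts and Telecommunications (北京邮电大学)
[Degree level]: Master's
[Year degree awarded]: 2014
[Classification number]: TP393.092
Article ID: 2244361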
Article link: https://www.wllwen.com/guanlilunwen/ydhl/2244361.html