安卓的性能设计引发安全漏洞
文章来源:未知 文章作者:enread 发布时间:2014-06-20 05:58 字体: [ ]  进入论坛
(单词翻译:双击或拖选)
Georgia Tech researchers have identified a weakness in one of Android's security features and will present their work at Black Hat USA 2014, which will be held August 6-7 in Las Vegas. The research, titled Abusing Performance Optimization1 Weaknesses to Bypass ASLR, identifies an Android performance feature that weakens a software protection called Address Space Layout Randomization (ASLR), leaving software components2 vulnerable to attacks that bypass the protection. The work is aimed at helping3 security practitioners4 identify and understand the future direction of such attacks.
 
The work was conducted at the Georgia Tech Information Security Center (GTISC) by Ph.D. students Byoungyoung Lee and Yeongjin Jang and research scientist Tielei Wang, and reveals that the introduction of performance optimization features can inadvertently(非故意地) harm the security guarantees of an otherwise vetted5 system. In addition to describing how vulnerabilities originate from such designs, they demonstrate real attacks that exploit them.
 
"To optimize6 object tracking for some programming languages, interpreters for the languages may leak address information," said Lee, lead researcher for the effort. "As a concrete example, we'll demonstrate how address information can be leaked in the Safari7 web browser8 by simply running some JavaScript."
 
Bypassing ASLR using hash table leaks was previously9 believed to be obsolete10 due to its complexity11. By exhaustively investigating various language implementations and presenting concrete attacks, the research aims to show that the concern is still valid12.
 
"As part of our talk, we'll present an analysis of the Android Zygote process creation model," Lee said. "The results show that Zygote weakens ASLR as all applications are created with largely identical memory layouts. To highlight the issue, we'll show two different ASLR bypass attacks using real applications -- Google Chrome and VLC Media Player."
 
The Black Hat Briefings were created approximately 16 years ago to provide computer security professionals a place to learn the very latest in information security risks, research and trends. Presented by the brightest in the industry, the briefings cover everything from critical information infrastructure13 to widely used enterprise computer systems to the latest InfoSec research and development. These briefings are vendor-neutral, allowing the presenters14 to speak candidly15(坦白地) about the real problems and potential solutions across both the public and private sectors16.


点击收听单词发音收听单词发音  

1 optimization gIhxY     
n.最佳化,最优化;优选法;优化组合
参考例句:
  • Development of detergents has required optimization of the surfactants structure. 发展洗涤剂时,要求使用最恰当的表面活性剂结构。 来自辞典例句
  • In the case of productivity tools and other non-entertainment-oriented products, this optimization means minimizing work. 对于生产工具和其他非娱乐导向的产品而言,这意味着将工作负荷降至最低。 来自About Face 3交互设计精髓
2 components 4725dcf446a342f1473a8228e42dfa48     
(机器、设备等的)构成要素,零件,成分; 成分( component的名词复数 ); [物理化学]组分; [数学]分量; (混合物的)组成部分
参考例句:
  • the components of a machine 机器部件
  • Our chemistry teacher often reduces a compound to its components in lab. 在实验室中化学老师常把化合物分解为各种成分。
3 helping 2rGzDc     
n.食物的一份&adj.帮助人的,辅助的
参考例句:
  • The poor children regularly pony up for a second helping of my hamburger. 那些可怜的孩子们总是要求我把我的汉堡包再给他们一份。
  • By doing this, they may at times be helping to restore competition. 这样一来, 他在某些时候,有助于竞争的加强。
4 practitioners 4f6cea6bb06753de69fd05e8adbf90a8     
n.习艺者,实习者( practitioner的名词复数 );从业者(尤指医师)
参考例句:
  • one of the greatest practitioners of science fiction 最了不起的科幻小说家之一
  • The technique is experimental, but the list of its practitioners is growing. 这种技术是试验性的,但是采用它的人正在增加。 来自辞典例句
5 vetted c6c2d39ddfb9a855b4c87b24b49b3d60     
v.审查(某人过去的记录、资格等)( vet的过去式和过去分词 );调查;检查;诊疗
参考例句:
  • The recruits were thoroughly vetted before they were allowed into the secret service. 情报机关招募的新成员要经过严格的审查。 来自《简明英汉词典》
  • All staff are vetted for links with extremist groups before being employed. 所有职员录用前均须审查是否与极端分子团体有关。 来自辞典例句
6 optimize WIoxY     
v.使优化 [=optimise]
参考例句:
  • We should optimize the composition of the Standing Committees.优化人大常委会组成人员的结构。
  • We should optimize our import mix and focus on bringing in advanced technology and key equipment.优化进口结构,着重引进先进技术和关键设备。
7 safari TCnz5     
n.远征旅行(探险、考察);探险队,狩猎队
参考例句:
  • When we go on safari we like to cook on an open fire.我们远行狩猎时,喜欢露天生火做饭。
  • They went on safari searching for the rare black rhinoceros.他们进行探险旅行,搜寻那稀有的黑犀牛。
8 browser gx7z2M     
n.浏览者
参考例句:
  • View edits in a web browser.在浏览器中看编辑的效果。
  • I think my browser has a list of shareware links.我想在浏览器中会有一系列的共享软件链接。
9 previously bkzzzC     
adv.以前,先前(地)
参考例句:
  • The bicycle tyre blew out at a previously damaged point.自行车胎在以前损坏过的地方又爆开了。
  • Let me digress for a moment and explain what had happened previously.让我岔开一会儿,解释原先发生了什么。
10 obsolete T5YzH     
adj.已废弃的,过时的
参考例句:
  • These goods are obsolete and will not fetch much on the market.这些货品过时了,在市场上卖不了高价。
  • They tried to hammer obsolete ideas into the young people's heads.他们竭力把陈旧思想灌输给青年。
11 complexity KO9z3     
n.复杂(性),复杂的事物
参考例句:
  • Only now did he understand the full complexity of the problem.直到现在他才明白这一问题的全部复杂性。
  • The complexity of the road map puzzled me.错综复杂的公路图把我搞糊涂了。
12 valid eiCwm     
adj.有确实根据的;有效的;正当的,合法的
参考例句:
  • His claim to own the house is valid.他主张对此屋的所有权有效。
  • Do you have valid reasons for your absence?你的缺席有正当理由吗?
13 infrastructure UbBz5     
n.下部构造,下部组织,基础结构,基础设施
参考例句:
  • We should step up the development of infrastructure for research.加强科学基础设施建设。
  • We should strengthen cultural infrastructure and boost various types of popular culture.加强文化基础设施建设,发展各类群众文化。
14 presenters ef0c9d839d1b89c7a5042cf2bfba92e0     
n.节目主持人,演播员( presenter的名词复数 )
参考例句:
  • Each week presenters would put the case for their favourite candidate. 每个星期主持人推出他们最喜欢的候选人。 来自互联网
  • Karaoke was set up to allowed presenters to sing on the stage. 宴会设有歌唱舞台,可让出席者大演唱功。 来自互联网
15 candidly YxwzQ1     
adv.坦率地,直率而诚恳地
参考例句:
  • He has stopped taking heroin now,but admits candidly that he will always be a drug addict.他眼下已经不再吸食海洛因了,不过他坦言自己永远都是个瘾君子。
  • Candidly,David,I think you're being unreasonable.大卫,说实话我认为你不讲道理。
16 sectors 218ffb34fa5fb6bc1691e90cd45ad627     
n.部门( sector的名词复数 );领域;防御地区;扇形
参考例句:
  • Berlin was divided into four sectors after the war. 战后柏林分成了4 个区。 来自《简明英汉词典》
  • Industry and agriculture are the two important sectors of the national economy. 工业和农业是国民经济的两个重要部门。 来自《现代汉英综合大词典》
TAG标签: security Android software
发表评论
请自觉遵守互联网相关的政策法规,严禁发布色情、暴力、反动的言论。
评价:
表情:
验证码:点击我更换图片