Diffstat (limited to 'zh-cn/security/enhancements/enhancements41.html')
-rw-r--r-- | zh-cn/security/enhancements/enhancements41.html | 57 |
1 files changed, 57 insertions, 0 deletions
diff --git a/zh-cn/security/enhancements/enhancements41.html b/zh-cn/security/enhancements/enhancements41.html new file mode 100644 index 00000000..0516b649 --- /dev/null +++ b/zh-cn/security/enhancements/enhancements41.html 
@@ -0,0 +1,57 @@ +<html devsite><head> + <title>Android 1.5 至 4.1 中的安全增强功能</title> + <meta name="project_path" value="/_project.yaml"/> + <meta name="book_path" value="/_book.yaml"/> + </head> + <body> + <!-- + Copyright 2017 The Android Open Source Project + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. + --> + +<p>Android 提供了一个多层安全模型,<a href="/security/index.html">Android 安全性概述</a>中对该模型进行了介绍。每个 Android 更新版本中都包含数十种用于保护用户的安全增强功能。以下是 Android 1.5 至 4.1 版中引入的一些安全增强功能:</p> + +<dl> +<dt><strong>Android 1.5</strong></dt> +<dd><ul> +<li>ProPolice:旨在防止堆栈缓冲区溢出 (-fstack-protector)</li> +<li>safe_iop:旨在减少整数溢出</li> +<li>OpenBSD dlmalloc 的扩展程序:旨在防范 double free() 漏洞和连续块攻击。连续块攻击是利用堆损坏的常见攻击方式。</li> +<li>OpenBSD calloc:旨在防止在内存分配期间发生整数溢出</li> +</ul> +</dd> + +<dt><strong>Android 2.3</strong></dt> +<dd><ul> +<li>格式化字符串漏洞防护功能 (-Wformat-security -Werror=format-security)</li> +<li>基于硬件的 No eXecute (NX):旨在防止在堆栈和堆上执行代码</li> +<li>Linux mmap_min_addr:旨在降低空指针解引用提权风险(在 Android 4.1 中得到了进一步增强)</li> +</ul> +</dd> + +<dt><strong>Android 4.0</strong></dt> +<dd>地址空间布局随机化 (ASLR):旨在随机排列内存中的关键位置</dd> + +<dt><strong>Android 4.1</strong></dt> +<dd><ul> +<li>PIE(位置无关可执行文件)支持</li> +<li>只读重定位/立即绑定 (-Wl,-z,relro -Wl,-z,now)</li> +<li>启用了 dmesg_restrict(避免内核地址泄露)</li> +<li>启用了 kptr_restrict(避免内核地址泄露)</li> +</ul> +</dd> + +</dl> + +</body></html>
\ No newline at end of file |
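Review bot: In the Android 4.0 entry the `<dd>` holds the ASLR text directly, while the 1.5, 2.3 and 4.1 entries each wrap their items in `<ul><li>`; wrap the single ASLR item the same way so all four versions render consistently. In the Android 1.5 list, "扩展程序" reads as a standalone extension program and "连续块攻击" as a contiguous-chunk attack; if the source string describes extensions to dlmalloc that guard against chunk consolidation, "扩展" and "块合并攻击" would be closer. The file also ends without a trailing newline after `</body></html>`; please add one.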