Android adopted SELinux's mandatory access control (MAC) mechanisms in 2013. Since then, billions of Android devices have benefited from mandatory access control security policies. These policies are expressed in a variety of rules, maintained by Google and extended by Android OEMs. Over the years, the rules have grown to be quite complex, making it challenging to properly understand or configure these policies. In this paper, we perform a measurement study on the SEAndroid repository to understand the evolution of these policies. We propose a new metric to measure the complexity of the policy by expanding policy rules, with their abstraction features such as macros and groups, into primitive "boxes", which we then use to show that the complexity of the SEAndroid policies has been growing exponentially over time. By analyzing the Git commits, snapshot by snapshot, we are also able to analyze the "age" of policy rules, the trend of changes, and the contributor composition. We also look at hallmark events in Android's history, such as the "Stagefright" vulnerability in Android's media facilities, pointing out how these events led to changes in the MAC policies. The growing complexity of Android's mandatory policies suggests that we will eventually hit the limits of our ability to understand these policies, requiring new tools and techniques.
翻译:2013年,机器人采用了SELinux强制性出入控制机制(MAC),2013年。此后,数十亿安地机装置从强制性出入控制安全政策中受益。这些政策体现在由谷歌维护的、由Android OEMs推广的各种规则中。多年来,这些规则变得相当复杂,对正确理解或配置这些政策提出了挑战。在本文件中,我们对SEANDLinux存储库进行了测量研究,以了解这些政策的演变情况。我们提出了一个衡量政策复杂性的新指标,通过扩大政策规则及其抽象特征,如宏观和群体,进入原始的“箱 ”,我们然后用这些“箱” 来显示,SEDANDROD政策的复杂性随着时间的推移而急剧增长。通过对GIT进行快速分析,我们也能通过快速分析分析来分析政策规则的“老化 ” 、 变化趋势以及贡献者构成。我们还研究了Android历史上的标志性事件,例如Android媒体设施中的“Statifright”脆弱性,我们提出了这些事件如何导致MAC政策的变化。我们最终需要这些工具的复杂程度。