桂林電子科技大學(xué)信息科技學(xué)院畢業(yè)設(shè)計(jì)（論文）外文翻譯（原文）系（部）： 信息工程系專(zhuān)業(yè)： 軟件工程學(xué)生姓名： 學(xué)號(hào)： 指導(dǎo)教師單位計(jì)算機(jī)科學(xué)與工程學(xué)院名： 職稱(chēng)：教授2016年5月26日外文原文HowAndroidconqueredthemobileworldinjustthreeyearsNetworkWorld(Online),2010TheadventoftheDroidseenbymanyasturningpointforGoogleinmobilemarketIt'seasytoforgetthatnotsolongago,noonewassureifAndroidwouldeverberelevant.Afterall,theAndroidexplosionhasreallyonlyeruptedoverthepastyear,roughlytwoyearsafterAndroidmadeitsdebutinthefallof2007.SinceJanuaryalone,Androidhasdoubleditstotalmarketshareinthemobileoperatingsystemmarket,anddevicesbasedonAndroidaccountedforawhopping44%ofsmartphonespurchasedinthethirdquarterof2010,accordingtoresearchfirmChangeWave.ResearchfirmGartnerhasprojectedthatbytheendoftheyearsalesofAndroiddeviceswillexceedthosebasedontheBlackBerryOSandtheiPhoneOS,meaningthatAndroidwilltrailonlySymbianastheworld'smost-usedmobileoperatingsystem.Butforthefirsttwoyearsofitsexistence,Androidhadatoughtimemakingmajorwaves.ThefirstdevicetobebasedonAndroid,T-Mobile'sHTCG1,madeitsdebutinthefallof2008andwasmostlyovershadowedbymorehigh-profilesmartphonessuchastheAppleiPhoneandtheBlackBerryStorm.MorganSlain,theCEOofmobileapplicationsdeveloperSplashData,saysthatthislackofinitialsuccessledalotofapplicationdeveloperstohesitatebeforeinvestingtoomanyresourcesindevelopingfortheplatform,despitethefactthatitwasfreeandopensource."WestartedearlydoingAndroiddevelopmentbutatfirstitwasallhypeandnosales,"hesays."Itwasanewplatformforus.Itseemedtohavealotofpotentialbutitwasfrustratingthatthereweren'tanysalescominginforus.ScottWebster,whohasbeencoveringAndroidforthepastthreeyearasoneofthefoundersofthepopularAndroidGuysblog,sayshegotasimilarvibefromdevelopershetalkedtoduringAndroid'searlyyears."Theinitialbuzzfromdeveloperswas,'Wedon'tknowwhatthisisyet,'"hesays."Therewasahugewait-and-seeapproach."GooglepluggedalargechunkofcashintobringingapplicationdevelopersonboardwithAndroidbyofferingatotalof$10millioninprizesaspartofitsAndroidDeveloperChallengeduringAndroid'sinitiallaunch.Slainsaysthatwhilehiscompanyandmanyothersenteredthechallenge,theywerestillgreatlyunsureofAndroid'slong-termpotentialsincetheoperatingsystemwasn'tyetavailableonanymarqueedevicesandtherewasasensethatAndroidwas"allbuzz"withoutanythingtobackitup.That'snottosaythatAndroidasadevelopmentplatformwasnotenticing.SinceAndroidisaLinuxplatformthatusesJavaasitsprogramminglanguage,mostsoftwaredevelopersonthemarketfoundthatwritingprogramsfortheoperatingsystemwasabreeze.GooglealsowentoutofitswaytomakepostinganewapplicationontheAndroidMarketasnap,asthecompanydoesnotscreenapplicationssenttothestoreandwillonlyremovethemifithasreceivedlegitimatecustomercomplaints."GoogledidalotofthingsrightwhenitdesignedAndroid,"saysIDCanalystSteveDrake."Theymadeitopen,theymadeitveryclean,theytriedtokeepitsimpleintermsofitscodeandofferingsandtheymovedveryquicklytomakesureeachnewversionoftheOScontainedrealimprovements."Sotheoperatingsystemitselfwasfine.Nowallitneededwasadevicetodrivepopularity.EntertheDroidAndroidgotitsbigbreaklastNovemberwiththereleaseoftheMotorolaDroidontheVerizonnetwork.TheDroid'sreleasewasimportantbecauseitmarkedthefirsttimethatanAndroid-baseddevicewasbeingsupportedbyeitherofthenation'stwolargestwirelesscarriers.VerizondecidedtoaggressivelymarkettheDroidasabetteralternativetotheAppleiPhonebypointingoutthattheDroidhadaphysicalkeyboardandtheabilitytorunsimultaneousapplications.AndwhiletheDroiddidn'tsellasmanyunitsastheiPhone,itdidsellwellover1million,thusputtingAndroidfirmlyonthemobileoperatingsystemmap.SlainsaysthattheimpactoftheDroidonhiscompany'ssaleswasimmediateandsignificant."Wenoticedadifferenceliterallyovernight,"hesays."AndeversincetheDroidlaunchit'sbeenaconsistentlystrongplatform."PaulCarton,thevicepresidentofresearchatChangeWave,notesthatinterestinMotorolaproductsamongcorporateusersdoubledbetweenAugust2009andNovember2009,asthenumberofcorporateuserssurveyedbyChangeWavewhoplannedtobuyMotorolaproductssurgedfrom5%to10%overthespanofthreemonths."WeweresurprisedbythemonstrousleapinMotorolainterestlastyear,"Cartonsays."Doyouseeanythingelsethatlookslikethatayearago?It'sallbecauseofAndroid."Verizondecidedtoapplythe"Droid"brandtoseveralotherAndroidphonesonitsnetwork,includingtheHTCDroidIncredible,theMotorolaDroidXandtheMotorolaDroidPro.CouplethiswiththefactthatthefirstWiMAX-basedphoneavailableintheUnitedStateswasalsobasedonAndroidandyouhaveseveralhigh-profiledevicesthathavemadeAndroidanationalbrand.Andwhat'smore,peopleseemtobeverypleasedwithAndroiddevicesas67%ofAndroiduserssurveyedbyChangeWavesaidtheywereverysatisfiedwiththeoperatingsystem,secondonlytothe71%ofiPhoneuserswhosaidtheyweresatisfiedwiththeiPhoneOS.Lookingahead,itseemsthatAndroidwilltrytomakeheadwayintotherapidlygrowingmarketfortabletcomputersthatiscurrentlybeingdominatedbyApple'siPad.AlthoughAndroidhasalreadybeenusedastheoperatingsystemfortabletssuchastheSamsungGalaxy,Googleisworkingonanewversionofthesoftwarethatwillbeoptimizedforlarge-screendevicesinwaysthatcurrentversionsaren't.WebstersaysitwillbeinterestingtoseehowmuchGoogletinkerswithAndroidtomakeitabetterfitfortablets."Willtheychangetheexperienceforswipingandfordragginganddropping?"hewonders."We'llhavetowaituntilnextyear,though,becauseitcouldbesixmonthsbeforeweseetabletoptimizationforAndroid."VulHunter:TowardDiscoveringVulnerabilitiesinAndroidApplicationsIEEEMicro2015Vol.35No.1P44-53WiththeprosperityoftheAndroidappeconomy,manyappshavebeenpublishedandsoldinvariousmarkets.However,shortdevelopmentcyclesandinsufficientsecuritydevelopmentguidelineshaveledtomanyvulnerableapps.Althoughsomesystemshavebeendevelopedforautomaticallydiscoveringspecificvulnerabilitiesinapps,theireffectivenessandefficiencyareusuallyrestrictedbecauseoftheexponentialgrowthofpathstoexamineandsimplifiedassumptions.Inthisarticle,theauthorsproposeanewstatic-analysisframeworkforfacilitatingsecurityanalyststodetectvulnerableappsfromthreeaspects.First,theyproposeanapppropertygraph(APG),anewdatastructurecontainingdetailedandpreciseinformationfromapps.Second,bymodelingapp-relatedvulnerabilitiesasgraphtraversals,theauthorsconductgraphtraversalsoverAPGstoidentifyvulnerableappsforeasingtheidentificationprocess.Third,theyreducetheworkloadofmanualverificationbyremovinginfeasiblepathsandgeneratingattackinputswheneverpossible.TheyhaveimplementedtheframeworkinasystemnamedVulHunterwith9,145linesofJavacodeandmodeledfivetypesofvulnerabilities.Checking557popularappsthatarerandomlycollectedfromGooglePlayandhaveatleast1millioninstallations,theauthorsfoundthat375apps(67.3percent)haveatleastonevulnerability.WiththemobileInternet'sprosperity,recentyearshavewitnessedanunprecedentednumberofAndroidapplications("apps”)publishedandsoldinappmarkets.However,shortdevelopmentcyclesandinsufficientsecuritydevelopmentguidelineshaveledtomanyvulnerableapps.Afteranalyzing2,107appsfromcompaniesontheForbesGlobal2000,HPresearchrecentlyfoundthat90percentofappsarevulnerable(/1FK7I5b).Motivatedbyrecentresearch1,weproposeanewstatic-analysisframeworktofacilitatevulnerabilitydiscoveryforappsbyextractingdetailedandpreciseinformationfromapps,easingtheidentificationprocess,andreducingthemanual-verificationworkload.Moreprecisely,wedesignanoveldatastructurecalledtheapppropertygraph(APG),whichsmoothlyintegratesabstractsyntaxtrees(ASTs),aninterprocedurecontrol-flowgraph(ICFG),amethod-callgraph(MCG),andasystemdependencygraph(SDG)torepresenteachapp.AlthoughtheAPGismotivatedbythecodepropertygraph(CPG)1,theAPGdiffersfromtheCPGduetothesignificantdifferencebetweenappsandCsourcecodes(seethe“RelatedWorkinVulnerabilityDiscovery”sidebarfordetails).Forexample,theAPGemploystheICFG,MCG,andSDGtocharacterizethefrequentinterprocedureandintercomponentcommunicationsinapps.TheAPGalsoincorporatespermissionsandotheruniquefeaturesinappsasproperties.Toeasetheidentificationprocess,wemodelcommonvulnerabilitiesofappsreportedintheCommonVulnerabilitiesandExposures(CVE)systemasgraphtraversalsanddetectvulnerableappsbyconductinggraphtraversalsoverAPGs.NotethateachappneedstobeprocessedjustonceforextractingAPGandthenwecanconductvariousgraphtraversals,includingthoseextractedfromnewvulnerabilitypatterns.Moreover,toreducethemanual-verificationworkload,weemploysymbolicexecutiontofilteroutinfeasiblepathsandsuggestattackinputswheneverpossible.IncreatingtheAPG,wetackledmanychallenges,includingdealingwithobjectreferencesandinheritanceinShimpleIRcodesandhandlingAndroid'sevent-drivenmechanism.Also,weproposeanapproachtoconvertShimpleIRcodestoSMT-Lib2codessothattheexistingSMTsolvercanbeused.Finally,weimplementedtheframeworkinVulHunterwith9,145linesofJavacodes.Wemodeledfivecommonvulnerabilitiesasgraphtraversalsandcheckedthesecurityof577popularapps,eachofwhichhasmorethan1millioninstallations.Theresultshowsthat375appshaveatleastonevulnerability.Figure1depictsthemajorstepsinourframework,whichhasthreenecessarystepsandthreeoptionalsteps,dependingonthetypeofvulnerability.VulHunterhasimplementedallthesesteps.Weusearealvulnerableapp,GoSMSPro(com.jb.gosms,v3.72),toillustratehowVulHunterworks.Thisapphasanexportedservice,CellValidateService,whichsendsashortmessageservice(SMS)accordingtoincomingintents.Becausethisservicedoesnotsanitizeincomingintents,anadversarycansendacraftedintentfortriggeringGoSMStosendanSMStoanarbitrarydestinationaddress.Figure2illustratesthevulnerablecodesnippet,thecorrespondingShimpleIRcode,anditsAPG.VulHunterfirstconstructsanapp'sAPGaccordingtoitsAndroidManifest.xmlandclasses.dexandthenstoresitinagraphdata-base,whichusesgraphstructures(includingnodes,edges,andpropert