Security in OSGi applications: Robust OSGi Platforms, secure Bundles

Security in OSGi applications:
Robust OSGi Platforms, secure Bundles
27.10.2009

Pierre Parrend
RESEARCH ON YOUR BEHALF parrend@fzi.de

The vision
What happens if the WebCam Driver is a
Dynamic applications Malware ?

WebCamDriver
Bundle

1. 3.
2.
WebCam
WebCam
Component
Repository
PDA
PDA WebCamDriver
Bundle
DriverLister Bundle
DriverLister Bundle

SOP Platform SOP Platform
(installed on the PDA) (installed on the PDA)

2 Pierre Parrend – OSGi: Secure Platforms, secure bundles 27.07.2009

Existing applications
Jboss, Server-side Eclipse

• OSGi as application server
• Integration of open source bundles from several sources
• Abuse cases
• Attacks through the web front end
• Backdoor bundles inside the server

Yoxos secure source

• Validation of open source code
• Three levels
• Access from a secure repository
• Basic security analysis of code
• TÜV Certified security audit: external reach, malicious behavior


Outline

Java Security

Assessment method

Robust OSGi Platforms

Secure Bundles

An integration


Java1: Do not trust the Bytecode
 The Bytecode validation process


Java2: From the Sandbox to Permission Domains

 JDK 1.1  JDK 1.2

[LiGong1997]


OSGi-based Applications: Threats

 Exploitation of the platform
 Exploitation of the 3d party bundles


Outline

Java Security

Assessment method


Secure Bundles

An integration

8 27.07.2009

A Metric for Security Protection
 The Coverage Metric
• Percentage of the known vulnerabilities that are protected
• Based on the Attack Surface metric

C

• Enables to
o Assess individual security mechanism
o Compare execution environments


Outline

Java Security

Assessment method


Secure Bundles

An integration

10 27.07.2009

Security Issues in OSGi Platforms

The OSGi Platform Threats
 Denial of service
• Platform stop
• Resource consumption
• Blocking the console
 Undue access
Service layer • Bundle Management
Module layer
• Bundle code
Life-cycle layer
JVM
Host


Stopping the Platform

Stop your application Just crash it

public class RuntimeHaltActivator public class Stopper extends Thread{
implements BundleActivator{
public void start(BundleContext public void run(){
context){ Stopper tt = new Stopper();
Runtime.getRuntime().halt(0); tt.start();
} Stopper tt2 = new Stopper();
} tt2.start();
Stopper tt3 = new Stopper();
tt3.start();
}
}

 Simple example  Thread management features do
• Bundelized application not help
 Bytecode Forgery is another way
to crash the JVM

Blocking the console

Simply sleepy Resource greedy

public class SleepingBundleActivator public class
implements BundleActivator{ InfStartupLoopActivator implements
public void start(BundleContext BundleActivator{
context){ public void start(BundleContext
try{ context){
int sec = 50; while(1==1){}
Thread.sleep(sec * 1000); }
} }
catch(InterruptedException e)
{e.printStackTrace();}
}
}

 Management actions no longer  Also consume most of the
possible available CPU


Playing with the bundles of your neighbour
applications

public class PiratBundleManagerActivator implements BundleActivator{

public void start(BundleContext context){
try {
Bundle[] bundleList = context.getBundles();
String symbolicName;
for(int i=0; i < bundleList.length ; i++) {
symbolicName = bundleList[i].getSymbolicName();
bundleList[i].stop();
bundleList[i].start();
}
} catch(Exception e) {e.printStackTrace();}
}
}


Some other issues
Denial of service

• Consume memory
• Fill the disk
• Saturate the service registry

Illegal access

• Exploit split packages


Assessment of OSGi Platforms

Platform Type # of protected # of identified Coverage
Vulns Vulns
Concierge 0 28 0%
Felix 1 32 3,1 %
Knopflerfish 1 31 3,2 %
Equinox 4 31 13 %

Java Permissions 13 32 41 %
Concierge with Permissions 10 28 36 %
Felix with Permissions 14 32 44 %
Knopflerfish with Permissions 14 31 44 %
Equinox with Permissions 17 31 55 %


Hardened OSGi
Introduces

• Check component size before download, and control
the cumulated size of loaded components
• Check digital signature at install time
• Launch the component activator in a separate Thread
• Limit the number of registered services

Hardened OSGi
Systematizes
Host
• Do not reject harmless unnecessary metadata
• Remove all component data from disk at
uninstallation

 Protection Rate: 25 % for the ‘Malicious Bundles’ catalog entries


Outline

Java Security

Assessment method


Secure Bundles

An integration

18 27.07.2009

Security Issues in OSGi Bundles
OSGi bundles

• Shared resources exposed
• Vulnerabilities can be directly exploited
• Internal code can have more relaxed constraints

Shared
Objects Internal
Code

Shared
Classes


Security Issues in OSGi Bundles
 Point of view of the architecture

Isolation from Isolation between components
the user

VM

Client Access control Isolation from the environment

 More issues
• Enforcement of component life-cycle
• Denial of service


Access Control

Weak class Abuse

public class AlmostSecure{
public class AlmostSecureOverriden {
public AlmostSecure(){
public AlmostSecure(){
this.init();
super();
}
}
protected void init(){
protected void init(){
SecurityManager.check();
}
}
}
}

 Generic issue to Java


Isolation between components
The service who likes to be
manipulated The not so private data

public class HelloWorldServiceImpl
implements HelloWorldService{
package fr.inria.ares.helloworld;
public final String[] public class HelloWorld{
myData={„Param1",„Param2"};
private class HelloWorldPrinter {
private String textHello="HelloWorld";
public void helloWorld() { }
System.out.println("Hello World"); }
}
}

 Similar issues with static  Corrected in Java 5
variables, mutable variables


Denial-of-Service
 A controversial example
• Synchronized code

• Do you consider this a vulnerability ?

Recommendations (1/3)

Bundles should

• only have dependencies on bundles they trust
• never used synchronized statements that rely on third
party code
• provide a hardened public code implementation following
given recommendations



Shared Classes should

• provide only final static non-mutable fields
• set security manager calls during creation in all required
places at the beginning of the method
• all constructors
• clone() method if the class is cloneable
• readObject(ObjectInputStream) if the class is
serializable
• have security check in final methods only



Shared Objects (OSGi Services) should

• only have basic types and serializable final types as
parameter
• perform copy and validation of parameters before using them
• perform data copy before returning a given object in a method
• returned object should be either a basic type or serializable.
• not use Exception that carry any configuration information,
and not serialize data unless a specific security mechanism is
available
• never execute sensitive operations on behalf of other
components.


Contact

FZI Software Engineering
Domain
http://www.fzi.de/se

Dr. Pierre Parrend
Senior Scientist

FZI Forschungszentrum Informatik
Haid-und-Neu-Str. 10-14
D-76131 Karlsruhe
Tel.: +49-721-9654-620
Fax: +49-721-9654-621
http://www.fzi.de/se

27

Security in OSGi applications: Robust OSGi Platforms, secure Bundles

Recomendados

Recomendados

Mais conteúdo relacionado

Mais procurados

Mais procurados (20)

Destaque

Destaque (19)

Semelhante a Security in OSGi applications: Robust OSGi Platforms, secure Bundles

Semelhante a Security in OSGi applications: Robust OSGi Platforms, secure Bundles (20)

Security in OSGi applications: Robust OSGi Platforms, secure Bundles