Security in OSGi applications: Robust OSGi Platforms, secure Bundles
1. Security in OSGi applications:
Robust OSGi Platforms, secure Bundles
27.10.2009
Pierre Parrend
RESEARCH ON YOUR BEHALF parrend@fzi.de
2. The vision
Dynamic applications
What happens if the WebCam Driver is a Malware?
[Figure, steps 1 to 3. Labels: WebCam, Component Repository, PDA, WebCamDriver Bundle, DriverLister Bundle, SOP Platform (installed on the PDA)]
2 Pierre Parrend – OSGi: Secure Platforms, secure bundles 27.07.2009
3. Existing applications
JBoss, Server-side Eclipse
• OSGi as application server
• Integration of open source bundles from several sources
• Abuse cases
  o Attacks through the web front end
  o Backdoor bundles inside the server
Yoxos secure source
• Validation of open source code
• Three levels
  o Access from a secure repository
  o Basic security analysis of code
  o TÜV Certified security audit: external reach, malicious behavior
5. Java1: Do not trust the Bytecode
The Bytecode validation process
6. Java2: From the Sandbox to Permission Domains
[Figure panels: JDK 1.1, JDK 1.2] [LiGong1997]
7. OSGi-based Applications: Threats
Exploitation of the platform
Exploitation of the 3rd-party bundles
9. A Metric for Security Protection
The Coverage Metric
• Percentage of the known vulnerabilities that are protected
• Based on the Attack Surface metric
C
• Makes it possible to
o Assess individual security mechanism
o Compare execution environments
11. Security Issues in OSGi Platforms
The OSGi Platform Threats
Denial of service
• Platform stop
• Resource consumption
• Blocking the console
Undue access
• Bundle Management
• Bundle code
[Figure, platform stack from top to bottom: Service layer, Module layer, Life-cycle layer, JVM, Host]
12. Stopping the Platform
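Stop your application

    import org.osgi.framework.BundleActivator;
    import org.osgi.framework.BundleContext;

    public class RuntimeHaltActivator implements BundleActivator {
        public void start(BundleContext context) {
            // halts the whole JVM, and with it every other bundle
            Runtime.getRuntime().halt(0);
        }
        public void stop(BundleContext context) {} // required by the interface, not shown on the slide
    }

Simple example
• Bundlized application

Just crash it

    public class Stopper extends Thread {
        public void run() {
            // every thread starts three more, so the thread count grows without bound
            Stopper tt = new Stopper();
            tt.start();
            Stopper tt2 = new Stopper();
            tt2.start();
            Stopper tt3 = new Stopper();
            tt3.start();
        }
    }

Thread management features do not help
Bytecode Forgery is another way to crash the JVM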
13. Blocking the console
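Simply sleepy

    import org.osgi.framework.BundleActivator;
    import org.osgi.framework.BundleContext;

    public class SleepingBundleActivator implements BundleActivator {
        public void start(BundleContext context) {
            try {
                int sec = 50;
                Thread.sleep(sec * 1000); // start() does not return for 50 seconds
            }
            catch (InterruptedException e) { e.printStackTrace(); }
        }
        public void stop(BundleContext context) {} // required by the interface, not shown on the slide
    }

Management actions no longer possible

Resource greedy

    import org.osgi.framework.BundleActivator;
    import org.osgi.framework.BundleContext;

    public class InfStartupLoopActivator implements BundleActivator {
        public void start(BundleContext context) {
            while (1 == 1) {} // start() never returns
        }
        public void stop(BundleContext context) {} // required by the interface, not shown on the slide
    }

Also consume most of the available CPU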
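14. Playing with the bundles of your neighbour applications

    import org.osgi.framework.Bundle;
    import org.osgi.framework.BundleActivator;
    import org.osgi.framework.BundleContext;

    public class PiratBundleManagerActivator implements BundleActivator {
        public void start(BundleContext context) {
            try {
                // every bundle installed in the framework is visible through the context
                Bundle[] bundleList = context.getBundles();
                String symbolicName;
                for (int i = 0; i < bundleList.length; i++) {
                    symbolicName = bundleList[i].getSymbolicName();
                    // life-cycle operations on bundles owned by other applications
                    bundleList[i].stop();
                    bundleList[i].start();
                }
            } catch (Exception e) { e.printStackTrace(); }
        }
        public void stop(BundleContext context) {} // required by the interface, not shown on the slide
    }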
15. Some other issues
Denial of service
• Consume memory
• Fill the disk
• Saturate the service registry
Illegal access
• Exploit split packages
16. Assessment of OSGi Platforms
Platform Type                    # of protected Vulns    # of identified Vulns    Coverage
Concierge                        0                       28                       0%
Felix                            1                       32                       3,1 %
Knopflerfish                     1                       31                       3,2 %
Equinox                          4                       31                       13 %
Java Permissions                 13                      32                       41 %
Concierge with Permissions       10                      28                       36 %
Felix with Permissions           14                      32                       44 %
Knopflerfish with Permissions    14                      31                       44 %
Equinox with Permissions         17                      31                       55 %
17. Hardened OSGi
Introduces
• Check component size before download, and control the cumulated size of loaded components
• Check digital signature at install time
• Launch the component activator in a separate Thread
• Limit the number of registered services
Systematizes
• Do not reject harmless unnecessary metadata
• Remove all component data from disk at uninstallation
[Figure labels: Hardened OSGi, Host]
Protection Rate: 25 % for the ‘Malicious Bundles’ catalog entries
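
An added example (not from the slides or from the Hardened OSGi code) of the "launch the component activator in a separate Thread" measure: the launcher waits a bounded time for start() and abandons activators like the ones on the "Blocking the console" slide. The Activator interface is a stand-in for org.osgi.framework.BundleActivator so the code runs on a plain JDK; the class names and the 500 ms timeout are assumptions.

```java
import java.util.concurrent.*;

// Stand-in for org.osgi.framework.BundleActivator (assumption) so this runs on a plain JDK.
interface Activator { void start() throws Exception; }

public class GuardedActivatorLauncher {
    // Daemon threads: an activator that never returns cannot keep the JVM alive.
    private static final ExecutorService POOL = Executors.newCachedThreadPool(r -> {
        Thread t = new Thread(r, "activator-launcher");
        t.setDaemon(true);
        return t;
    });

    /** Returns true if start() finished in time, false if it threw or was abandoned. */
    static boolean launch(Activator a, long timeoutMs) throws InterruptedException {
        Future<?> f = POOL.submit(() -> { a.start(); return null; });
        try {
            f.get(timeoutMs, TimeUnit.MILLISECONDS);
            return true;
        } catch (TimeoutException e) {
            f.cancel(true);   // interrupts a sleeping activator; a busy loop ignores it
            return false;
        } catch (ExecutionException e) {
            return false;     // start() threw: treat the bundle as not started
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed activators mirroring the examples on the slides.
        Activator wellBehaved = () -> { };
        Activator sleepy = () -> Thread.sleep(50_000);      // like SleepingBundleActivator
        Activator greedy = () -> { while (true) { } };      // like InfStartupLoopActivator

        System.out.println("well-behaved started: " + launch(wellBehaved, 500));
        System.out.println("sleepy started:       " + launch(sleepy, 500));
        System.out.println("greedy started:       " + launch(greedy, 500));
        System.out.println("launcher thread is still free for management actions");
    }
}
```

The busy-loop activator keeps consuming CPU on its daemon thread after the timeout; the separate thread only keeps the management thread responsive.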
19. Security Issues in OSGi Bundles
OSGi bundles
• Shared resources exposed
• Vulnerabilities can be directly exploited
• Internal code can have more relaxed constraints
[Figure labels: Shared Objects, Shared Classes, Internal Code]
20. Security Issues in OSGi Bundles
Point of view of the architecture
[Figure labels: Client, VM, Access control, Isolation from the user, Isolation between components, Isolation from the environment]
More issues
• Enforcement of component life-cycle
• Denial of service
21. Access Control
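Weak class

    public class AlmostSecure {
        public AlmostSecure() {
            this.init();
        }
        protected void init() {
            SecurityManager.check(); // slide shorthand for a security manager check
        }
    }

Abuse

    public class AlmostSecureOverriden extends AlmostSecure {
        public AlmostSecureOverriden() {
            super();
        }
        protected void init() {
            // overrides init(), so the check in AlmostSecure never runs
        }
    }

Generic Java issue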
22. Isolation between components
The service that likes to be manipulated

    public class HelloWorldServiceImpl implements HelloWorldService {
        // the reference is final, the array content is not
        public final String[] myData = {"Param1", "Param2"};

        public void helloWorld() {
            System.out.println("Hello World");
        }
    }

Similar issues with static variables, mutable variables

The not so private data

    package fr.inria.ares.helloworld;

    public class HelloWorld {
        private class HelloWorldPrinter {
            private String textHello = "HelloWorld";
        }
    }

Corrected in Java 5
23. Denial-of-Service
A controversial example
• Synchronized code
• Do you consider this a vulnerability ?
24. Recommendations (1/3)
Bundles should
• only have dependencies on bundles they trust
• never use synchronized statements that rely on third-party code
• provide a hardened public code implementation following given recommendations
25. Recommendations (2/3)
Shared Classes should
• provide only final static non-mutable fields
• set security manager calls during creation in all required places at the beginning of the method
  o all constructors
  o clone() method if the class is cloneable
  o readObject(ObjectInputStream) if the class is serializable
• have security check in final methods only
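
An added example (not from the slides) tying the "Access Control" slide to the recommendations above: the weak class next to a version whose check runs first in the constructor, inside a final method. The callerPermitted flag is a stand-in for the security manager's decision, and the Secure/SecureOverriden names are assumptions.

```java
import java.util.function.Supplier;

public class ConstructorCheckDemo {
    // Stand-in for the security manager's decision (assumption); false = caller not permitted.
    static boolean callerPermitted = false;

    static void securityCheck() {
        if (!callerPermitted) throw new SecurityException("instantiation denied");
    }

    // Weak pattern from the slide: the check lives in an overridable method.
    static class AlmostSecure {
        AlmostSecure() { this.init(); }
        protected void init() { securityCheck(); }
    }
    static class AlmostSecureOverriden extends AlmostSecure {
        @Override protected void init() { /* check dropped by the subclass */ }
    }

    // Hardened: the check comes first in the constructor and sits in a final method.
    static class Secure {
        Secure() { checkAccess(); init(); }
        protected final void checkAccess() { securityCheck(); }
        protected void init() { }
    }
    static class SecureOverriden extends Secure {
        @Override protected void init() { /* may customise init, cannot replace checkAccess() */ }
    }

    /** True if the constructor completed, false if the check rejected it. */
    static boolean created(Supplier<Object> ctor) {
        try { ctor.get(); return true; }
        catch (SecurityException e) { return false; }
    }

    public static void main(String[] args) {
        System.out.println("AlmostSecure:          " + created(AlmostSecure::new));
        System.out.println("AlmostSecureOverriden: " + created(AlmostSecureOverriden::new));
        System.out.println("Secure:                " + created(Secure::new));
        System.out.println("SecureOverriden:       " + created(SecureOverriden::new));
    }
}
```

The same final check also belongs at the start of clone() and readObject(ObjectInputStream), because both create instances without running a constructor.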
26. Recommendations (3/3)
Shared Objects (OSGi Services) should
• only have basic types and serializable final types as parameters
• perform copy and validation of parameters before using them
• perform data copy before returning a given object in a method
• return only objects that are either a basic type or serializable
• not use Exceptions that carry any configuration information, and not serialize data unless a specific security mechanism is available
• never execute sensitive operations on behalf of other components
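
An added example (not from the slides) of the copy rules above, applied to the mutable array of the "service that likes to be manipulated" slide. HardenedService, its allowed-name list and the name pattern are assumptions made for the illustration.

```java
import java.util.Arrays;

public class DefensiveCopyDemo {
    // Pattern from the slide: final reference, mutable content.
    static class LeakyService {
        public final String[] myData = {"Param1", "Param2"};
    }

    static class HardenedService {
        private final String[] myData = {"Param1", "Param2"};
        private String[] allowed = new String[0];

        /** Copy on return: callers get their own array. */
        public String[] getData() { return myData.clone(); }

        /** Copy first, then validate the copy, so the caller cannot swap values after the check. */
        public void setAllowed(String[] names) {
            if (names == null) throw new IllegalArgumentException("names is null");
            String[] copy = names.clone();
            for (String n : copy) {
                if (n == null || !n.matches("[A-Za-z0-9]{1,16}"))
                    throw new IllegalArgumentException("invalid name");
            }
            allowed = copy;
        }

        public boolean isAllowed(String name) { return Arrays.asList(allowed).contains(name); }
    }

    public static void main(String[] args) {
        LeakyService leaky = new LeakyService();
        leaky.myData[0] = "changed by client";            // final does not protect the elements
        System.out.println("leaky:    " + Arrays.toString(leaky.myData));

        HardenedService svc = new HardenedService();
        svc.getData()[0] = "changed by client";           // only the caller's copy changes
        System.out.println("hardened: " + Arrays.toString(svc.getData()));

        String[] input = {"alice"};                       // constructed sample input
        svc.setAllowed(input);
        input[0] = "admin";                               // mutation after validation
        System.out.println("admin allowed: " + svc.isAllowed("admin"));
        System.out.println("alice allowed: " + svc.isAllowed("alice"));
    }
}
```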