RESEARCH ON YOUR BEHALF
Security in OSGi applications: Robust OSGi Platforms, secure Bundles
27.10.2009
Pierre Parrend
2 27.07.2009Pierre Parrend – OSGi: Secure Platforms, secure bundles
The vision
Dynamic applications
What happens if the WebCam driver is malware?
[Figure: PDA running the SOP Platform with the DriverLister Bundle, Component Repository, WebCam and WebCamDriverBundle; steps 1. to 3.]
Existing applications
JBoss, Server-side Eclipse
• OSGi as application server
• Integration of open source bundles from several sources
• Abuse cases
o Attacks through the web front end
o Backdoor bundles inside the server
Yoxos secure source
• Validation of open source code
• Three levels
o Access from a secure repository
o Basic security analysis of code
o TÜV Certified security audit: external reach, malicious behavior
Outline
Java Security
Assessment method
Robust OSGi Platforms
Secure Bundles
An integration
Java1: Do not trust the Bytecode
[Figure: The Bytecode validation process]
Java2: From the Sandbox to Permission Domains
[Figure: JDK 1.1, JDK 1.2] [LiGong1997]
OSGi-based Applications: Threats
Exploitation of the platform
Exploitation of the 3rd party bundles
A Metric for Security Protection
The Coverage Metric
• Percentage of the known vulnerabilities that are protected
• Based on the Attack Surface metric
• Makes it possible to
o Assess individual security mechanisms
o Compare execution environments
Security Issues in OSGi Platforms
The OSGi Platform Threats
Denial of service
• Platform stop
• Resource consumption
• Blocking the console
Undue access
• Bundle Management
• Bundle code
[Figure: Host, JVM, Module layer, Life-cycle layer, Service layer]
Stopping the Platform
Stop your application
Simple example
• Bundleized application
Just crash it
Thread management features do not help
Bytecode Forgery is another way to crash the JVM

    import org.osgi.framework.BundleActivator;
    import org.osgi.framework.BundleContext;

    // Halts the whole JVM, and every bundle running in it, when this bundle is started.
    public class RuntimeHaltActivator implements BundleActivator {
        public void start(BundleContext context) {
            Runtime.getRuntime().halt(0);
        }

        public void stop(BundleContext context) {
        }
    }

    // Every started thread starts three more, so the number of threads grows without bound.
    public class Stopper extends Thread {
        public void run() {
            Stopper tt = new Stopper();
            tt.start();
            Stopper tt2 = new Stopper();
            tt2.start();
            Stopper tt3 = new Stopper();
            tt3.start();
        }
    }

Blocking the console
Simply sleepy
Management actions no longer possible
Resource greedy
Also consume most of the available CPU

    // start() does not return for 50 seconds; the console stays blocked meanwhile.
    public class SleepingBundleActivator implements BundleActivator {
        public void start(BundleContext context) {
            try {
                int sec = 50;
                Thread.sleep(sec * 1000);
            } catch (InterruptedException e) {
                e.printStackTrace();
            }
        }

        public void stop(BundleContext context) {
        }
    }

    // start() never returns and keeps the CPU busy.
    public class InfStartupLoopActivator implements BundleActivator {
        public void start(BundleContext context) {
            while (1 == 1) {
            }
        }

        public void stop(BundleContext context) {
        }
    }

Playing with the bundles of your neighbour applications

    // Uses the bundle's own BundleContext to stop and restart every bundle on the platform.
    public class PiratBundleManagerActivator implements BundleActivator {
        public void start(BundleContext context) {
            try {
                Bundle[] bundleList = context.getBundles();
                String symbolicName;
                for (int i = 0; i < bundleList.length; i++) {
                    symbolicName = bundleList[i].getSymbolicName();
                    bundleList[i].stop();
                    bundleList[i].start();
                }
            } catch (Exception e) {
                e.printStackTrace();
            }
        }

        public void stop(BundleContext context) {
        }
    }

Some other issues
Denial of service
• Consume memory
• Fill the disk
• Saturate the service registry
Illegal access
• Exploit split packages
Assessment of OSGi Platforms
Platform Type                   # of protected Vulns   # of identified Vulns   Coverage
Concierge                       0                      28                      0 %
Felix                           1                      32                      3,1 %
Knopflerfish                    1                      31                      3,2 %
Equinox                         4                      31                      13 %
Java Permissions                13                     32                      41 %
Concierge with Permissions      10                     28                      36 %
Felix with Permissions          14                     32                      44 %
Knopflerfish with Permissions   14                     31                      44 %
Equinox with Permissions        17                     31                      55 %
Protection Rate: 25 % for the ‘Malicious Bundles’ catalog entries
Hardened OSGi
Introduces
• Check component size before download, and control the cumulated size of loaded components
• Check digital signature at install time
• Launch the component activator in a separate Thread
• Limit the number of registered services
Systematizes
• Do not reject harmless unnecessary metadata
• Remove all component data from disk at uninstallation
[Figure: Hardened OSGi, Host]
Security Issues in OSGi Bundles
OSGi bundles
• Shared resources exposed
• Vulnerabilities can be directly exploited
• Internal code can have more relaxed constraints
[Figure: Shared Objects, Shared Classes, Internal Code]
Security Issues in OSGi Bundles
Point of view of the architecture
Isolation from the user
Isolation between components
Isolation from the environment
Access control
[Figure: VM, Client]
More issues
• Enforcement of component life-cycle
• Denial of service
Access Control
Weak class Abuse
Issue generic to Java

    public class AlmostSecure {
        public AlmostSecure() {
            this.init();
        }

        protected void init() {
            // slide shorthand for a security manager permission check
            SecurityManager.check();
        }
    }

    // The subclass overrides init() with an empty body, so the check never runs.
    public class AlmostSecureOverriden extends AlmostSecure {
        public AlmostSecureOverriden() {
            super();
        }

        protected void init() {
        }
    }

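
The weak-class pattern beside a form that follows the deck's later recommendation for shared classes (security check in a method that cannot be overridden, called first in every constructor). This is an added example, not code from the slides: securityCheck(), the checksRun counter, the Secure classes and the permission name are assumptions made so the effect is visible without an installed security manager.

```java
public class WeakClassDemo {
    static int checksRun = 0;                        // instrumentation for this demo only

    // Stand-in for the slide's SecurityManager.check() shorthand.
    // System.getSecurityManager() is deprecated since Java 17 and compiles with a warning.
    static void securityCheck() {
        checksRun++;
        SecurityManager sm = System.getSecurityManager();
        if (sm != null) {
            sm.checkPermission(new RuntimePermission("example.create")); // hypothetical name
        }
    }

    // Pattern from the slide: the check lives in an overridable method.
    static class AlmostSecure {
        AlmostSecure() { init(); }
        protected void init() { securityCheck(); }
    }

    static class AlmostSecureOverriden extends AlmostSecure {
        @Override protected void init() { }          // silently drops the check
    }

    // Hardened: the check is private, so the constructor always calls this exact method.
    static class Secure {
        Secure() { check(); }
        private void check() { securityCheck(); }
    }

    static class SecureSubclass extends Secure {
        protected void check() { }                   // a new, unrelated method: not an override
    }

    // Number of security checks executed while one object is created.
    static int checksDuring(Runnable creation) {
        int before = checksRun;
        creation.run();
        return checksRun - before;
    }

    public static void main(String[] args) {
        System.out.println("weak, subclassed:     " + checksDuring(AlmostSecureOverriden::new));
        System.out.println("hardened, subclassed: " + checksDuring(SecureSubclass::new));
    }
}
```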
Isolation between components
The service that likes to be manipulated
Similar issues with static variables, mutable variables
The not so private data
Corrected in Java 5

    public class HelloWorldServiceImpl implements HelloWorldService {
        // final fixes the reference only; any client can still change the array content
        public final String[] myData = {"Param1", "Param2"};

        public void helloWorld() {
            System.out.println("Hello World");
        }
    }

    package fr.inria.ares.helloworld;

    public class HelloWorld {
        private class HelloWorldPrinter {
            private String textHello = "HelloWorld";
        }
    }

Denial-of-Service
A controversial example
• Synchronized code
• Do you consider this a vulnerability?
Recommendations (1/3)
Bundles should
• only have dependencies on bundles they trust
• never use synchronized statements that rely on third party code
• provide a hardened public code implementation following given recommendations
Recommendations (2/3)
Shared Classes should
• provide only final static non-mutable fields
• set security manager calls during creation in all required places at the beginning of the method
o all constructors
o clone() method if the class is cloneable
o readObject(ObjectInputStream) if the class is serializable
• have security check in final methods only
Recommendations (3/3)
Shared Objects (OSGi Services) should
• only have basic types and serializable final types as parameter
• perform copy and validation of parameters before using them
• perform data copy before returning a given object in a method
• return only objects that are either a basic type or serializable
• not use Exceptions that carry any configuration information, and not serialize data unless a specific security mechanism is available
• never execute sensitive operations on behalf of other components
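
The copy-and-validate recommendations applied to the HelloWorld service data from the earlier slide, as an added example (not code from the slides). The HardenedService class, its accessor names and the size limits are assumptions.

```java
import java.util.Arrays;
import java.util.Objects;

public class HardenedHelloWorld {
    // Slide version: 'final' fixes the reference, the array content stays writable by any client.
    static class ExposedService {
        public final String[] myData = {"Param1", "Param2"};
    }

    static final class HardenedService {
        private static final int MAX_ITEMS = 16;     // limits chosen for this example
        private static final int MAX_LENGTH = 64;
        private volatile String[] data = {"Param1", "Param2"};

        public void setData(String[] input) {
            // Copy first, validate the copy: the caller cannot change it after the check.
            String[] copy = Objects.requireNonNull(input, "input").clone();
            if (copy.length > MAX_ITEMS) {
                throw new IllegalArgumentException("too many items");
            }
            for (String s : copy) {
                if (s == null || s.length() > MAX_LENGTH) {
                    throw new IllegalArgumentException("invalid item");
                }
            }
            data = copy;
        }

        public String[] getData() {
            return data.clone();                     // String is immutable: a shallow copy suffices
        }
    }

    public static void main(String[] args) {
        ExposedService exposed = new ExposedService();
        exposed.myData[0] = "changed by client";     // succeeds: service state is altered
        System.out.println("exposed:  " + Arrays.toString(exposed.myData));

        HardenedService hardened = new HardenedService();
        String[] mine = {"A", "B"};
        hardened.setData(mine);
        mine[0] = "changed after the call";          // only the caller's array changes
        hardened.getData()[1] = "changed via getter"; // only a throwaway copy changes
        System.out.println("hardened: " + Arrays.toString(hardened.getData()));
    }
}
```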
Contact
Dr. Pierre Parrend
Senior Scientist
FZI Forschungszentrum Informatik
FZI Software Engineering Domain
Haid-und-Neu-Str. 10-14
D-76131 Karlsruhe
Tel.: +49-721-9654-620
Fax: +49-721-9654-621
http://www.fzi.de/se