Security in OSGi applications: Robust OSGi Platforms, secure Bundles

  1. Security in OSGi applications: Robust OSGi Platforms, secure Bundles. 27.10.2009. Pierre Parrend, parrend@fzi.de
  2. The vision: Dynamic applications
     What happens if the WebCam Driver is malware?
     [Diagram labels: WebCam, Component Repository, PDA, WebCamDriver Bundle, DriverLister Bundle, SOP Platform (installed on the PDA); steps 1 to 3]
     Pierre Parrend – OSGi: Secure Platforms, secure bundles 27.07.2009
  3. Existing applications
     JBoss, Server-side Eclipse
     • OSGi as application server
     • Integration of open source bundles from several sources
     • Abuse cases
       o Attacks through the web front end
       o Backdoor bundles inside the server
     Yoxos secure source
     • Validation of open source code
     • Three levels
       o Access from a secure repository
       o Basic security analysis of code
       o TÜV Certified security audit: external reach, malicious behavior
  4. Outline
     • Java Security
     • Assessment method
     • Robust OSGi Platforms
     • Secure Bundles
     • An integration
  5. Java1: Do not trust the Bytecode
     • The Bytecode validation process
  6. Java2: From the Sandbox to Permission Domains
     • JDK 1.1
     • JDK 1.2 [LiGong1997]
  7. OSGi-based Applications: Threats
     • Exploitation of the platform
     • Exploitation of the 3rd party bundles
  8. Outline
     • Java Security
     • Assessment method
     • Robust OSGi Platforms
     • Secure Bundles
     • An integration
  9. A Metric for Security Protection
     • The Coverage Metric
       o Percentage of the known vulnerabilities that are protected
       o Based on the Attack Surface metric C
       o Makes it possible to
         - Assess individual security mechanisms
         - Compare execution environments
  10. Outline
      • Java Security
      • Assessment method
      • Robust OSGi Platforms
      • Secure Bundles
      • An integration
  11. Security Issues in OSGi Platforms
      Threats
      • Denial of service
        o Platform stop
        o Resource consumption
        o Blocking the console
      • Undue access
        o Bundle Management
        o Bundle code
      [Figure: The OSGi Platform, with the labels Service layer, Module layer, Life-cycle layer, JVM, Host]
  12. Stopping the Platform

      Stop your application:

      ```java
      public class RuntimeHaltActivator implements BundleActivator {
          public void start(BundleContext context) {
              // Halts the JVM, taking the platform and every other bundle down with it
              Runtime.getRuntime().halt(0);
          }
      }
      ```

      Just crash it:

      ```java
      public class Stopper extends Thread {
          public void run() {
              // Every thread starts three more, so the thread count grows without bound
              Stopper tt = new Stopper();
              tt.start();
              Stopper tt2 = new Stopper();
              tt2.start();
              Stopper tt3 = new Stopper();
              tt3.start();
          }
      }
      ```

      • Simple example
        o Bundleized application
      • Thread management features do not help
      • Bytecode forgery is another way to crash the JVM
  13. Blocking the console

      Simply sleepy:

      ```java
      public class SleepingBundleActivator implements BundleActivator {
          public void start(BundleContext context) {
              try {
                  int sec = 50;
                  // start() does not return for 50 seconds
                  Thread.sleep(sec * 1000);
              } catch (InterruptedException e) {
                  e.printStackTrace();
              }
          }
      }
      ```

      • Management actions no longer possible

      Resource greedy:

      ```java
      public class InfStartupLoopActivator implements BundleActivator {
          public void start(BundleContext context) {
              // start() never returns
              while (1 == 1) {}
          }
      }
      ```

      • Also consumes most of the available CPU
  14. Playing with the bundles of your neighbour applications

      ```java
      public class PiratBundleManagerActivator implements BundleActivator {
          public void start(BundleContext context) {
              try {
                  // The bundle context hands out every installed bundle,
                  // not only the caller's own
                  Bundle[] bundleList = context.getBundles();
                  String symbolicName;
                  for (int i = 0; i < bundleList.length; i++) {
                      symbolicName = bundleList[i].getSymbolicName();
                      // Stops and restarts bundles that belong to other applications
                      bundleList[i].stop();
                      bundleList[i].start();
                  }
              } catch (Exception e) {
                  e.printStackTrace();
              }
          }
      }
      ```
  15. Some other issues
      Denial of service
      • Consume memory
      • Fill the disk
      • Saturate the service registry
      Illegal access
      • Exploit split packages
  16. Assessment of OSGi Platforms

      | Platform type | # of protected vulnerabilities | # of identified vulnerabilities | Coverage |
      |---|---|---|---|
      | Concierge | 0 | 28 | 0 % |
      | Felix | 1 | 32 | 3.1 % |
      | Knopflerfish | 1 | 31 | 3.2 % |
      | Equinox | 4 | 31 | 13 % |
      | Java Permissions | 13 | 32 | 41 % |
      | Concierge with Permissions | 10 | 28 | 36 % |
      | Felix with Permissions | 14 | 32 | 44 % |
      | Knopflerfish with Permissions | 14 | 31 | 44 % |
      | Equinox with Permissions | 17 | 31 | 55 % |
  17. Hardened OSGi
      Hardened OSGi introduces
      • Check component size before download, and control the cumulated size of loaded components
      • Check digital signature at install time
      • Launch the component activator in a separate Thread
      • Limit the number of registered services
      Hardened OSGi systematizes
      • Do not reject harmless unnecessary metadata
      • Remove all component data from disk at uninstallation
      Protection rate: 25 % for the ‘Malicious Bundles’ catalog entries
  18. Outline
      • Java Security
      • Assessment method
      • Robust OSGi Platforms
      • Secure Bundles
      • An integration
  19. Security Issues in OSGi Bundles
      OSGi bundles
      • Shared resources exposed
      • Vulnerabilities can be directly exploited
      • Internal code can have more relaxed constraints
      [Figure labels: Shared Objects, Internal Code, Shared Classes]
  20. Security Issues in OSGi Bundles
      • Point of view of the architecture
        [Figure labels: Isolation between components, Isolation from the user, Isolation from the environment, Access control, VM, Client]
      • More issues
        o Enforcement of component life-cycle
        o Denial of service
  21. Access Control

      Weak class:

      ```java
      public class AlmostSecure {
          public AlmostSecure() {
              // The constructor calls an overridable method
              this.init();
          }
          protected void init() {
              // Slide shorthand for a security manager check
              SecurityManager.check();
          }
      }
      ```

      Abuse:

      ```java
      public class AlmostSecureOverriden extends AlmostSecure {
          public AlmostSecureOverriden() {
              super();
          }
          protected void init() {
              // Empty override: the check in AlmostSecure.init() never runs
          }
      }
      ```

      • Generic issue to Java
  22. Isolation between components

      The service who likes to be manipulated:

      ```java
      public class HelloWorldServiceImpl implements HelloWorldService {
          // final fixes the reference only; any client can still rewrite the array elements
          public final String[] myData = {"Param1", "Param2"};

          public void helloWorld() {
              System.out.println("Hello World");
          }
      }
      ```

      • Similar issues with static variables, mutable variables

      The not so private data:

      ```java
      package fr.inria.ares.helloworld;

      public class HelloWorld {
          private class HelloWorldPrinter {
              private String textHello = "HelloWorld";
          }
      }
      ```

      • Corrected in Java 5
  23. Denial-of-Service
      • A controversial example
        o Synchronized code
        o Do you consider this a vulnerability?
  24. Recommendations (1/3)
      Bundles should
      • only have dependencies on bundles they trust
      • never use synchronized statements that rely on third party code
      • provide a hardened public code implementation following given recommendations
  25. Recommendations (2/3)
      Shared Classes should
      • provide only final static non-mutable fields
      • set security manager calls during creation in all required places at the beginning of the method
        o all constructors
        o clone() method if the class is cloneable
        o readObject(ObjectInputStream) if the class is serializable
      • have security check in final methods only
  26. Recommendations (3/3)
      Shared Objects (OSGi Services) should
      • only have basic types and serializable final types as parameters
      • perform copy and validation of parameters before using them
      • perform data copy before returning a given object in a method
        o the returned object should be either a basic type or serializable
      • not use Exceptions that carry any configuration information, and not serialize data unless a specific security mechanism is available
      • never execute sensitive operations on behalf of other components
  27. Contact
      FZI Software Engineering Domain, http://www.fzi.de/se
      Dr. Pierre Parrend, Senior Scientist
      FZI Forschungszentrum Informatik, Haid-und-Neu-Str. 10-14, D-76131 Karlsruhe
      Tel.: +49-721-9654-620, Fax: +49-721-9654-621
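
Slide 17 lists "Launch the component activator in a separate Thread" as a hardening step against the blocking activators of slide 13. The sketch below is an added example, not code from the slides or from any OSGi framework; `ActivatorLauncher` and the `Activator` stand-in interface are hypothetical names, and the 500 ms timeout is a constructed value.

```java
import java.util.concurrent.*;

public class ActivatorLauncher {
    // Hypothetical stand-in for org.osgi.framework.BundleActivator,
    // so the example compiles without an OSGi dependency.
    interface Activator { void start() throws Exception; }

    private final ExecutorService pool = Executors.newCachedThreadPool(r -> {
        Thread t = new Thread(r, "activator");
        t.setDaemon(true);          // a hung activator must not keep the JVM alive
        return t;
    });

    /** Returns true only if start() completed normally within the timeout. */
    boolean launch(Activator activator, long timeoutMs) throws InterruptedException {
        Future<?> result = pool.submit(() -> { activator.start(); return null; });
        try {
            result.get(timeoutMs, TimeUnit.MILLISECONDS);
            return true;
        } catch (TimeoutException e) {
            // Interrupts a sleeping activator. Interruption is cooperative in
            // Java, so a busy loop keeps its thread and its CPU share.
            result.cancel(true);
            return false;
        } catch (ExecutionException e) {
            return false;           // start() threw: treat the bundle as failed
        }
    }

    public static void main(String[] args) throws Exception {
        ActivatorLauncher launcher = new ActivatorLauncher();
        System.out.println("well-behaved: " + launcher.launch(() -> {}, 500));
        System.out.println("sleeping:     " + launcher.launch(() -> Thread.sleep(50_000), 500));
        // The management thread reaches this line half a second later
        // instead of waiting for the sleeping activator to return.
        System.out.println("console still responsive");
    }
}
```

The separate thread keeps management actions available; it does not reclaim the CPU a looping activator consumes.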
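
The shared-class recommendations of slide 25, applied to the `AlmostSecure` weakness of slide 21, as an added example that is not part of the original slides. `HardenedShared` and the permission name are constructed placeholders, and the code assumes a Java runtime where the `SecurityManager` API used by the slides is still available (it is deprecated for removal since Java 17).

```java
import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.Serializable;

public class HardenedShared implements Serializable, Cloneable {
    private static final long serialVersionUID = 1L;
    // Constructed placeholder permission, not taken from the slides.
    private static final RuntimePermission REQUIRED =
            new RuntimePermission("example.useHardenedShared");

    // Private and static: no subclass can replace it with an empty body,
    // which is what AlmostSecureOverriden does to the protected init().
    private static Void checkAccess() {
        SecurityManager sm = System.getSecurityManager();
        if (sm != null) {
            sm.checkPermission(REQUIRED);
        }
        return null;
    }

    // The check runs before Object's constructor, so a failed check leaves
    // no partially built instance for a subclass finalizer to pick up.
    public HardenedShared() {
        this(checkAccess());
    }

    private HardenedShared(Void checked) {
        // real initialisation goes here
    }

    // clone() creates an instance without running any constructor.
    @Override
    public final HardenedShared clone() throws CloneNotSupportedException {
        checkAccess();
        return (HardenedShared) super.clone();
    }

    // Deserialization bypasses the constructors as well.
    private void readObject(ObjectInputStream in)
            throws IOException, ClassNotFoundException {
        checkAccess();
        in.defaultReadObject();
    }
}
```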
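
The shared-object recommendations of slide 26, applied to the public array of `HelloWorldServiceImpl` on slide 22, as an added example that is not part of the original slides. `ParamService`, `HardenedParamService` and the two size limits are hypothetical.

```java
import java.util.Arrays;

// Hypothetical service interface, defined here only for the example.
interface ParamService {
    String[] getParams();
    void setParams(String[] params);
}

public final class HardenedParamService implements ParamService {
    private static final int MAX_PARAMS = 16;   // constructed limits
    private static final int MAX_LENGTH = 64;

    // Private: clients never hold a reference to the live array.
    private volatile String[] params = {"Param1", "Param2"};

    @Override
    public String[] getParams() {
        return params.clone();                  // copy before returning
    }

    @Override
    public void setParams(String[] input) {
        if (input == null || input.length > MAX_PARAMS) {
            // Message carries no configuration details
            throw new IllegalArgumentException("invalid parameter list");
        }
        // Copy first, then validate the copy: the caller still holds
        // 'input' and could change it between validation and use.
        String[] copy = input.clone();
        for (String p : copy) {
            if (p == null || p.length() > MAX_LENGTH) {
                throw new IllegalArgumentException("invalid parameter");
            }
        }
        params = copy;
    }

    public static void main(String[] args) {
        HardenedParamService svc = new HardenedParamService();
        String[] mine = {"a", "b"};
        svc.setParams(mine);
        mine[0] = "tampered";                   // caller rewrites its own array
        svc.getParams()[1] = "tampered";        // and the array it got back
        System.out.println(Arrays.toString(svc.getParams()));
    }
}
```

Neither write reaches the service's state, because both the stored and the returned arrays are copies.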
