Secure Component Deployment in the OSGi(tm) Release 4 Platform

Last years have seen a dramatic increase in the use of component platforms, not only in classical application servers, but also more and more in the domain of Embedded Systems. The OSGi(tm) platform is one of these platforms dedicated to lightweight execution environments, and one of the most prominent. However, new platforms also imply new security flaws, and a lack of both knowledge and tools for protecting the exposed systems. This technical report aims at fostering the understanding of security mechanisms in component deployment. It focuses on securing the deployment of components. It presents the cryptographic mechanisms necessary for signing OSGi(tm) bundles, as well as the detailed process of bundle signature and validation. We also present the SFelix platform, which is a secure extension to Felix OSGi(tm) framework implementation. It includes our implementation of the bundle signature process, as specified by OSGi(tm) Release 4 Security Layer. Moreover, a tool for signing and publishing bundles, SFelix JarSigner, has been developed to conveniently integrate bundle signature in the bundle deployment process

Component-based Access Control: Secure Software Composition through Static Analysis

International audienceExtensible Component Platforms support the discovery, in- stallation, starting, uninstallation of components at runtime. Since they are often targeted at mobile resource-constraint devices, they have both strong performance and security requirements. The current security model for Java systems, Permissions, are based on call stack analysis. They proves to be very time-consuming, which makes them difficult to use in production environments. We therefore define the Component-Based Access Control (CBAC) Se- curity Model, which aims at emulating Java Permissions through static analysis at the installation phase of the components. CBAC is based on a fully declarative approach, that makes it possible to tag arbitrary meth- ods as sensitive. A formal model is defined to guarantee that a given component have sufficient access rights, and that dependencies between components are taken into account. A first implementation of the model is provided for the OSGi Platform, using the ASM library for code anal- ysis. Performance tests show that the cost of CBAC at install time is negligible, because it is executed together with digital signature which is much more costly. Moreover, contrary to Java Permissions, the CBAC security model does not imply any runtime overhead

Vérification automatique pour l'exécution sécurisée de composants Java

National audienceLes plates-formes dynamiques de services permettent d'exécuter simultanément plusieurs composants fournis par des tiers. Ceci apporte une grande flexibilité dans leur utilisation, aussi bien en environnements à ressources limitées que dans le cas de serveurs d'applications. Toutefois, les implications pour la sécurité du système sont encore mal connues: quels sont les risques posés par l'exécution de composants tiers pour la plate-forme d'execution ? pour les autres composants ? Comment y remédier ? A partir d'expérimentations réalisées sur la plate-forme Java/OSGi, nous proposons une classification des vulnérabilités des platesformes dynamiques de services. Deux cas sont considérés: les vulnérabilités de la plate-forme elle-même, et les vulnérabilités des composants. Plusieurs solutions sont proposées pour résoudre ces vulnérabilités. Premièrement, le Contrôle d'accès basé Composants (CBAC, pour Component-based Access Control) permet de limiter l'accès à des méthodes dangereuses de la plate-forme ou des composants. La validation est effectuée par analyse statique de code. La configuration est entièrement déclarative, ce qui rend cette approche extensible, et adaptée pour la protection de méthodes fournies par des composants tiers. Deuxièmement, l'Analyse de Composants faibles (WCA, pour Weak Component Analysis) permet d'identifier les vulnérabilités des composants, par analyse statique de code également. CBAC et WCA exploitent la phase d'installation des composants pour réaliser les vérifications nécessaires. Seuls les composants valides sont installés. WCA peut également être utilisé lors du dévelopement pour améliorer la qualité du code

Java Components Vulnerabilities - An Experimental Classification Targeted at the OSGi Platform

The OSGi Platform finds a growing interest in two different applications domains: embedded systems, and applications servers. However, the security properties of this platform are hardly studied, which is likely to hinder its use in production systems. This is all the more important that the dynamic aspect of OSGi-based applications, that can be extended at runtime, make them vulnerable to malicious code injection. We therefore perform a systematic audit of the OSGi platform so as to build a vulnerability catalog that intends to reference OSGi Vulnerabilities originating in the Core Specification, and in behaviors related to the use of the Java language. Standard Services are not considered. To support this audit, a Semi-formal Vulnerability Pattern is defined, that enables to uniquely characterize fundamental properties for each vulnerability, to include verbose description in the pattern, to reference known security protections, and to track the implementation status of the proof-of-concept OSGi Bundles that exploit the vulnerability. Based on the analysis of the catalog, a robust OSGi Platform is built, and recommendations are made to enhance the OSGi Specifications

More Vulnerabilities in the Java/OSGi Platform: A Focus on Bundle Interactions

Extensible Component Platforms can discover and install code during runtime. Although this feature introduces flexibility, it also brings new security threats: malicious components can quite easily be installed and exploit the rich programming environment and interactions with other components to perform attacks against the system. One example of such environments is the Java/OSGi Platform, which widespreads in the industrial world. Attacks from one component against another can not be prevented through conventional security mechanisms, since they exploit the lack of proper isolation between them: components often share classes and objects. This reports intends to list the vulnerabilities that a component can contain, both from the literature and from our own experience. The Vulnerable Bundle catalog gathers this knowledge. It provides informations related to the characteristics of the vulnerabilities, their consequence, the security mechanisms that would help prevent their exploitation, as well as to the implementation state of the proof-of-concept bundles that are developed to prove that the vulnerability is actually exploitable. The objective of vulnerability classification is of course to provide tools for identifying and preventing them. A first assessment is performed with existing tools, such as Java Permission and FindBugs, and a specific prototype we develop, WBA (Weak Bundle Analysis), and manual code review

Privacy-Aware Service Integration

International audiencePrivacy mechanisms exist for monolithic systems. How- ever, pervasive environments that gather user data to sup- port advanced services provide little control over the data an individual releases. This is a strong inhibitor for the de- velopment of pervasive systems, since most users do not ac- cept that their personal information is sent out to the wild, and potentially passed over to third party systems. We therefore propose a framework to support user con- trol over the data made available to service providers in the context of an OSGi based Extensible Service Systems. A formal privacy model is defined and service and policy descriptions are deduced. Technical system requirements to support these policies are identified. Since guaranteeing privacy inside the system is of little help if any malicious en- tity can break into it, a security architecture for OSGi based Extensible Service Systems is also defined

Monitoring Scheduling for Home Gateways

International audienceIn simple and monolithic systems such as our current home gateways, monitoring is often overlooked: the home user can only reboot the gateway when there is a problem. In next-generation home gateways, more services will be available (pay-per-view TV, games. . . ) and different actors will provide them. When one service fails, it will be impossible to reboot the gateway without disturbing the other services. We propose a management framework that monitors remote gateways. The framework tests response times for various management activities on the gateway, and provides reference time/performance ratios. The values can be used to establish a management schedule that balances the rate at which queries can be performed with the resulting load that the query will induce locally on the gateway. This allows the manager to tune the ratio between the reactivity of monitoring and its intrusiveness on performance

I-JVM: a Java Virtual Machine for Component Isolation in OSGi

The OSGi framework is a Java-based, centralized, component oriented platform. It is being widely adopted as an execution environment for the development of extensible applications. However, current Java Virtual Machines are unable to isolate components from each other. For instance, a malicious component can freeze the complete platform by allocating too much memory or alter the behavior of other components by modifying shared variables. This paper presents I-JVM, a Java Virtual Machine that provides a lightweight approach to isolation while preserving compatibility with legacy OSGi applications. Our evaluation of I-JVM shows that it solves the 8 known OSGi vulnerabilities that are due to the Java Virtual Machine. Overall, the overhead of I-JVM compared to the JVM on which it is based is below 20%

Multi-service, Multi-protocol Management for Residential Gateways

International audienceWhen providing services to home users, management is a key activity. In-home devices, and especially the Residential Gateway, can use multiple management technologies for multiple management activities: read/write parameters, but also deploy, update, start and stop software components. This paper defines management realms around the Residential Gateway, where different actors perform different management activities, using different technologies. We propose techniques that integrate these technologies (TR-069, UPnP, NetConf and JMX). We also address transient issues related to security