a toolbox for statical analysis and transformation of osgi bundles
DESCRIPTION
Nowadays, OSGi is becoming more and more popular in Java world. Consequently, the quantity of available bundles is increasing rapidly, and the means to verify and assess security guaranties about these artifacts are lacking. In the context of opening its platforms to third party applications, Orange is seeking the necessary mechanisms and tools that could be used in order to ensure platforms' protection and robustness. We propose a platform that offers several services that enable statical analysis and transformation of OSGi bundles. The services range from simple ones, like for instance a service for analyzing bundles' manifests, to more complex ones that allow byte-code inspection and transformation. The platform is itself built on OSGi for modularity and extensibility. We further demonstrate the usefulness of our approach by instrumenting an instance of the Eclipse IDE in order to monitor thread creation and CPU consumption per bundle. Radu Kopetz, Technical Architect - Orange LabsTRANSCRIPT
A toolbox for statical analysis and transformation of OSGi bundles
Radu Kopetz – Orange Labsradu.kopetz @orange.com
OSGi Users’ Group France Meeting
25/11/2011
motivations
Source: http://www.drm-x.com/
why OSGi ?
• ease of development
• rich, mature ecosystem
• modularity • modularity
• isolation and security guaranties
chalenges
• platforms’ security and availability
• preserved QoS
• malicious comportement can be both intended or unintendedintended or unintended
security in OSGi
• based on Java 2 security
– Conditional Permission Admin
security in OSGi
• based on Java 2 security
– Conditional Permission Admin
• adds namespace isolation mechanism between bundlesbundles
security in OSGi
• based on Java 2 security
– Conditional Permission Admin
• adds namespace isolation mechanism between bundlesbundles
• but …
security flaws in OSGi
• originate in OSGi platform– infinite loop / thread hanging in bundle activator
– huge manifest file or import statements
– decompression bomb– decompression bomb
security flaws in OSGi
• originate in OSGi platform– infinite loop / thread hanging in bundle activator
– huge manifest file or import statements
– decompression bomb– decompression bomb
• originate in JVM shortcomings: not designed for multi-application systems– memory load injection
– exponential thread creation
– infinite loops
possible approach
bundle
(automated) analysis
possible approach
bundle
(automated) analysis
bundle
deploy !deploy !
possible approach
bundle
(automated) analysis
bundle
deploy !deploy !bundle
possible approach
bundle
(automated) analysis
bundle
deploy !deploy !bundle
StaticalAnalysis and Transformation
possible approach
bundle
(automated) analysis
bundle
deploy !deploy !bundle
StaticalAnalysis and Transformation
Simulation ?
possible approach
bundle
(automated) analysis
bundle
deploy !deploy !bundle
StaticalAnalysis and Transformation
Simulation ? ?
possible approach
bundle
(automated) analysis
bundle
deploy !deploy !bundle
StaticalAnalysis and Transformation
Simulation ? ?
global idea
• a set of generic tools (services)
global idea
• a set of generic tools (services)
• that can be composed to get complex checkings and transformations on bundles
architecture
bundle bundle
bundle bundle bundlebundle
OSGiOSGi
architecture
bundle bundle
bundle bundle bundlebundle
OSGiOSGi
generic (base) services
architecture
bundle bundle
more complex, business - specific services
bundle bundle bundlebundle
OSGiOSGi
generic (base) services
generic services
jars• decompress• compress• estimate size• estimate size• class bytes
generic services
jars• decompress• compress• estimate size• estimate size• class bytes
metadata• manifest contents • DS / iPOJO components
generic services
jars• decompress• compress• estimate size
bytecode• method call search• class related information• method instrumentation• estimate size
• class bytes
metadata• manifest contents • DS / iPOJO components
• method instrumentation
generic services
jars• decompress• compress• estimate size
bytecode• method call search• class related information• method instrumentation• estimate size
• class bytes
metadata• manifest contents • DS / iPOJO components
• method instrumentation
graphs• construction• analysis (strongly connected components)
business - specific services
• remove double imports
business - specific services
• remove double imports
• detect inappropriate method calls
– Runtime.getRuntime.halt()
– System.exit()– System.exit()
business - specific services
• remove double imports
• detect inappropriate method calls
– Runtime.getRuntime.halt()
– System.exit()– System.exit()
• cycles between services
business - specific services
• remove double imports
• detect inappropriate method calls
– Runtime.getRuntime.halt()
– System.exit()– System.exit()
• cycles between services
• associate CPU consumption & Threads with bundles
DÉMODÉMO
how it was done
• unjar
• parse the manifest
• retrieve the Activator / DS components bytes
• instrument the bytecode• instrument the bytecode
• remove digital signature
• jar
how it was done
• unjar
• parse the manifest
• retrieve the Activator / DS components bytes
• instrument the bytecode• instrument the bytecode
• remove digital signature
• jar
=> used almost all of our basic services
bytecode instrumentation
class MyActivator implements BundleActivator {…
public void start(
public void start( BundleContext context)
throws Exception {
// method body
}…
}
bytecode instrumentation
class MyActivator implements BundleActivator {…
public void start(
public void renamed_start(BundleContextcontext) throws Exception {// method body
}
public void start( BundleContext context)
throws Exception {
// method body
}…
}
bytecode instrumentation
class MyActivator implements BundleActivator {…
public void start(
public void renamed_start(BundleContextcontext) throws Exception {// method body
}
public void start(BundleContext context) throws Exception {… // get bundleName from manifest
public void start( BundleContext context)
throws Exception {
// method body
}…
}
… // get bundleName from manifest
ThreadGroup tg = new ThreadGroup(bundleName+"_TGroup");
ThreadGroup oldTg = Thread.currentThread().getThreadGroup();…// modify the thread group of
…// current thread
renamed_start(context);
…// restore the thread group
}
conclusion
• some tools for statical analysis &
transformation of bundles
• complete solution: statical analysis + modified
OSGi framework + modified JVMOSGi framework + modified JVM
• nice to have: public repository with LOTs of
bundles offering generic analysis services
thank you ! questions ?thank you ! questions ?
public void start(final BundleContext context) throws Exception {
Dictionary manifProps = context.getBundle().getHeaders();
String bundleName = manifProps.get("Bundle-Name").toString();
ThreadGroup tg = new ThreadGroup(bundleName+"_ThreadGroup");
ThreadGroup oldTg = Thread.currentThread().getThreadGroup();
Field groupField = Field groupField = Thread.class.getDeclaredField("group");
groupField.setAccessible(true);
groupField.set(Thread.currentThread(),tg);
orange___start(context);
groupField.set(Thread.currentThread(), oldTg);groupField.setAccessible(false);
}