a toolbox for statical analysis and transformation of osgi bundles

A toolbox for statical analysis and transformation of OSGi bundles

Radu Kopetz – Orange Labsradu.kopetz @orange.com

OSGi Users’ Group France Meeting

25/11/2011

motivations

Source: http://www.drm-x.com/

why OSGi ?

• ease of development

• rich, mature ecosystem

• modularity • modularity

• isolation and security guaranties

chalenges

• platforms’ security and availability

• preserved QoS

• malicious comportement can be both intended or unintendedintended or unintended

security in OSGi

• based on Java 2 security

– Conditional Permission Admin

security in OSGi

• based on Java 2 security

– Conditional Permission Admin

• adds namespace isolation mechanism between bundlesbundles

security in OSGi

• based on Java 2 security

– Conditional Permission Admin

• adds namespace isolation mechanism between bundlesbundles

• but …

security flaws in OSGi

• originate in OSGi platform– infinite loop / thread hanging in bundle activator

– huge manifest file or import statements

– decompression bomb– decompression bomb

security flaws in OSGi

• originate in OSGi platform– infinite loop / thread hanging in bundle activator

– huge manifest file or import statements

– decompression bomb– decompression bomb

• originate in JVM shortcomings: not designed for multi-application systems– memory load injection

– exponential thread creation

– infinite loops

possible approach

bundle

(automated) analysis

possible approach

bundle

(automated) analysis

bundle

deploy !deploy !

possible approach

bundle

(automated) analysis

bundle

deploy !deploy !bundle

possible approach

bundle

(automated) analysis

bundle

deploy !deploy !bundle

StaticalAnalysis and Transformation

possible approach

bundle

(automated) analysis

bundle

deploy !deploy !bundle

StaticalAnalysis and Transformation

Simulation ?

possible approach

bundle

(automated) analysis

bundle

deploy !deploy !bundle

StaticalAnalysis and Transformation

Simulation ? ?

possible approach

bundle

(automated) analysis

bundle

deploy !deploy !bundle

StaticalAnalysis and Transformation

Simulation ? ?

global idea

• a set of generic tools (services)

global idea

• a set of generic tools (services)

• that can be composed to get complex checkings and transformations on bundles

architecture

bundle bundle

bundle bundle bundlebundle

OSGiOSGi

architecture

bundle bundle

bundle bundle bundlebundle

OSGiOSGi

generic (base) services

architecture

bundle bundle

more complex, business - specific services

bundle bundle bundlebundle

OSGiOSGi

generic (base) services

generic services

jars• decompress• compress• estimate size• estimate size• class bytes

generic services

jars• decompress• compress• estimate size• estimate size• class bytes

metadata• manifest contents • DS / iPOJO components

generic services

jars• decompress• compress• estimate size

bytecode• method call search• class related information• method instrumentation• estimate size

• class bytes

metadata• manifest contents • DS / iPOJO components

• method instrumentation

generic services

jars• decompress• compress• estimate size

bytecode• method call search• class related information• method instrumentation• estimate size

• class bytes

metadata• manifest contents • DS / iPOJO components

• method instrumentation

graphs• construction• analysis (strongly connected components)

business - specific services

• remove double imports

business - specific services

• remove double imports

• detect inappropriate method calls

– Runtime.getRuntime.halt()

– System.exit()– System.exit()

business - specific services

• remove double imports

• detect inappropriate method calls

– Runtime.getRuntime.halt()

– System.exit()– System.exit()

• cycles between services

business - specific services

• remove double imports

• detect inappropriate method calls

– Runtime.getRuntime.halt()

– System.exit()– System.exit()

• cycles between services

• associate CPU consumption & Threads with bundles

DÉMODÉMO

how it was done

• unjar

• parse the manifest

• retrieve the Activator / DS components bytes

• instrument the bytecode• instrument the bytecode

• remove digital signature

• jar

how it was done

• unjar

• parse the manifest

• retrieve the Activator / DS components bytes

• instrument the bytecode• instrument the bytecode

• remove digital signature

• jar

=> used almost all of our basic services

bytecode instrumentation

class MyActivator implements BundleActivator {…

public void start(

public void start( BundleContext context)

throws Exception {

// method body

}…

}

bytecode instrumentation

class MyActivator implements BundleActivator {…

public void start(

public void renamed_start(BundleContextcontext) throws Exception {// method body

}

public void start( BundleContext context)

throws Exception {

// method body

}…

}

bytecode instrumentation

class MyActivator implements BundleActivator {…

public void start(

public void renamed_start(BundleContextcontext) throws Exception {// method body

}

public void start(BundleContext context) throws Exception {… // get bundleName from manifest

public void start( BundleContext context)

throws Exception {

// method body

}…

}

… // get bundleName from manifest

ThreadGroup tg = new ThreadGroup(bundleName+"_TGroup");

ThreadGroup oldTg = Thread.currentThread().getThreadGroup();…// modify the thread group of

…// current thread

renamed_start(context);

…// restore the thread group

}

conclusion

• some tools for statical analysis &

transformation of bundles

• complete solution: statical analysis + modified

OSGi framework + modified JVMOSGi framework + modified JVM

• nice to have: public repository with LOTs of

bundles offering generic analysis services

thank you ! questions ?thank you ! questions ?

public void start(final BundleContext context) throws Exception {

Dictionary manifProps = context.getBundle().getHeaders();

String bundleName = manifProps.get("Bundle-Name").toString();

ThreadGroup tg = new ThreadGroup(bundleName+"_ThreadGroup");

ThreadGroup oldTg = Thread.currentThread().getThreadGroup();

Field groupField = Field groupField = Thread.class.getDeclaredField("group");

groupField.setAccessible(true);

groupField.set(Thread.currentThread(),tg);

orange___start(context);

groupField.set(Thread.currentThread(), oldTg);groupField.setAccessible(false);

}