📝 Original Info
- Title: Java Components Vulnerabilities - An Experimental Classification Targeted at the OSGi Platform
- ArXiv ID: 0706.3812
- Date: 2011-11-10
- Authors: Pierre Parrend, Stéphane Frénot (INRIA Rhône-Alpes, as given on the report cover page)
📝 Abstract
The OSGi Platform is attracting growing interest in two different application domains: embedded systems and application servers. However, the security properties of this platform have hardly been studied, which is likely to hinder its use in production systems. This matters all the more because the dynamic nature of OSGi-based applications, which can be extended at runtime, makes them vulnerable to malicious code injection. We therefore perform a systematic audit of the OSGi platform so as to build a vulnerability catalog that is intended to reference OSGi vulnerabilities originating in the Core Specification and in behaviors related to the use of the Java language. Standard Services are not considered. To support this audit, a Semi-formal Vulnerability Pattern is defined, which makes it possible to uniquely characterize the fundamental properties of each vulnerability, to include a verbose description in the pattern, to reference known security protections, and to track the implementation status of the proof-of-concept OSGi Bundles that exploit the vulnerability. Based on the analysis of the catalog, a robust OSGi Platform is built, and recommendations are made to enhance the OSGi Specifications.
📄 Full Content
arXiv:0706.3812v3 [cs.CR] 27 Jul 2007
Research report (Rapport de recherche)
ISSN 0249-6399
ISRN INRIA/RR–6231–FR+ENG
Theme COM
INSTITUT NATIONAL DE RECHERCHE EN INFORMATIQUE ET EN AUTOMATIQUE
Java Components Vulnerabilities: An Experimental Classification Targeted at the OSGi Platform
Pierre Parrend, Stéphane Frénot
No. 6231
June 2007
Unité de recherche INRIA Rhône-Alpes
655, avenue de l'Europe, 38334 Montbonnot Saint Ismier (France)
Telephone: +33 4 76 61 52 00; Fax: +33 4 76 61 52 52
Java Components Vulnerabilities: An Experimental Classification Targeted at the OSGi Platform*
Pierre Parrend, Stéphane Frénot
Theme COM (Communicating Systems), Project ARES
Research report no. 6231, June 2007, 84 pages

Abstract: The OSGi Platform is attracting growing interest in two different application domains: embedded systems and application servers. However, the security properties of this platform have hardly been studied, which is likely to hinder its use in production systems. This matters all the more because the dynamic nature of OSGi-based applications, which can be extended at runtime, makes them vulnerable to malicious code injection. We therefore perform a systematic audit of the OSGi platform so as to build a vulnerability catalog that is intended to reference OSGi vulnerabilities originating in the Core Specification and in behaviors related to the use of the Java language. The implementation of Standard Services is not considered. To support this audit, a Semi-formal Vulnerability Pattern is defined, which makes it possible to uniquely characterize the fundamental properties of each vulnerability, to include a verbose description in the pattern, to reference known security protections, and to track the implementation status of the proof-of-concept OSGi Bundles that exploit the vulnerability. Based on the analysis of the catalog, a robust OSGi Platform is built, and recommendations are made to enhance the OSGi Specifications.

Key-words: OSGi™ Platform, Security, Dependability, Java, Hardened Execution Platform, Vulnerability Catalog

* This work is partially funded by the Muse IST Project n°026442.
Java Component Vulnerabilities: An Experimental Classification in the Context of the OSGi Platform (French title: Vulnérabilités des Composants Java : Une Classification Expérimentale Dans le Cadre de la Plate-forme OSGi)

Abstract (translated from the French résumé): The OSGi execution platform is meeting growing interest in two different application domains: embedded systems and application servers. However, the security-related properties of this platform have been studied very little, which may strongly hinder its adoption in industrial systems. This is all the more critical since the possibility of dynamic extension at runtime offered by the OSGi platform makes it vulnerable to malicious code injection. We perform an audit of the OSGi execution environment in order to create a vulnerability catalog. We seek to reference the vulnerabilities caused by the 'Core' specification, or by the underlying Java virtual machine. The other elements defined by OSGi, such as the standard services, are not considered. To carry out this audit, we define a semi-formal Vulnerability Pattern, which makes it possible to describe the characteristics of the vulnerabilities uniquely, to give complementary information, to reference existing protections, and to identify the implementation status of the test OSGi Bundles that demonstrate each vulnerability. From this analysis, a robust OSGi platform is built, and recommendations for the OSGi specifications are given.

Keywords: OSGi™ Platform, Security, Java, Hardened execution platform, Vulnerability Catalog
V
ulner
abilities
3
Contents
1 Introduction 8
2 Characterization of Vulnerabilities in Component-based Systems 10
2.1 Definitions 10
2.2 From Databases to Top-Vulnerability Lists 10
2.3 Vulnerability Patterns 13
3 The Semi-formal Software Vulnerability Pattern 15
3.1 The Structure of the Semi-formal Vulnerability Pattern 16
3.2 Vulnerability Taxonomies for OSGi-based Systems 17
3.3 A Vulnerability Example: 'Management Utility Freezing Infinite Loop' 21
4 Requirements for secure OSGi Systems 24
4.1 Catalog Analysis 24
4.2 Requirements for a Hardened OSGi Platform 27
4.3 Recommendations for a Hardened Execution Environment 30
5 Conclusions 33
A The OSGi platform 37
A.1 Overview 37
A.2 The B
…(Full text truncated)…
This content is AI-processed based on ArXiv data.