Reports (Research report)

More Vulnerabilities in the Java/OSGi Platform: A Focus on Bundle Interactions

Pierre Parrend 1 Stéphane Frénot 1, 2 
1 AMAZONES - Ambient Middleware Architectures: Service-Oriented, Networked, Efficient and Secured
Inria Grenoble - Rhône-Alpes, CITI - CITI Centre of Innovation in Telecommunications and Integration of services
Abstract : Extensible Component Platforms can discover and install code during runtime. Although this feature introduces flexibility, it also brings new security threats: malicious components can quite easily be installed and exploit the rich programming environment and interactions with other components to perform attacks against the system. One example of such environments is the Java/OSGi Platform, which is becoming widespread in the industrial world. Attacks from one component against another cannot be prevented through conventional security mechanisms, since they exploit the lack of proper isolation between them: components often share classes and objects. This report intends to list the vulnerabilities that a component can contain, both from the literature and from our own experience. The Vulnerable Bundle catalog gathers this knowledge. It provides information related to the characteristics of the vulnerabilities, their consequences, the security mechanisms that would help prevent their exploitation, as well as to the implementation state of the proof-of-concept bundles that are developed to prove that the vulnerability is actually exploitable. The objective of vulnerability classification is of course to provide tools for identifying and preventing them. A first assessment is performed with existing tools, such as Java Permission and FindBugs, with a specific prototype we develop, WBA (Weak Bundle Analysis), and with manual code review.

Cited literature [17 references]
Contributor : Stéphane Frénot
Submitted on : Tuesday, September 16, 2008 - 5:16:05 PM
Last modification on : Wednesday, October 26, 2022 - 8:16:04 AM
Long-term archiving on : Thursday, June 3, 2010 - 7:17:28 PM


Files produced by the author(s)


  • HAL Id : inria-00322138, version 1



Pierre Parrend, Stéphane Frénot. More Vulnerabilities in the Java/OSGi Platform: A Focus on Bundle Interactions. [Research Report] RR-6649, INRIA. 2008. ⟨inria-00322138⟩


