More Vulnerabilities in the Java/OSGi Platform: A Focus on Bundle Interactions

Pierre Parrend (1), Stéphane Frénot (1, 2)
1 AMAZONES - Ambient Middleware Architectures: Service-Oriented, Networked, Efficient and Secured
2 CITI - Centre of Innovation in Telecommunications and Integration of services, Inria Grenoble - Rhône-Alpes
Abstract: Extensible component platforms can discover and install code at runtime. Although this feature introduces flexibility, it also brings new security threats: malicious components can quite easily be installed and can exploit the rich programming environment and the interactions with other components to perform attacks against the system. One example of such an environment is the Java/OSGi platform, which is widespread in industry. Attacks from one component against another cannot be prevented by conventional security mechanisms, since they exploit the lack of proper isolation between components: components often share classes and objects. This report intends to list the vulnerabilities that a component can contain, both from the literature and from our own experience. The Vulnerable Bundle catalog gathers this knowledge. It provides information on the characteristics of the vulnerabilities, their consequences, the security mechanisms that would help prevent their exploitation, and the implementation state of the proof-of-concept bundles developed to prove that each vulnerability is actually exploitable. The objective of vulnerability classification is, of course, to provide tools for identifying and preventing them. A first assessment is performed with existing tools, such as Java Permissions and FindBugs, with a specific prototype we develop, WBA (Weak Bundle Analysis), and with manual code review.
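The isolation failure the abstract describes (two bundles sharing a live object through the service registry, so one can alter the other's state without any call that a conventional mechanism such as Java permissions would check) as an added illustration in Java. This is not code from the report or from its Vulnerable Bundle catalog; the bundle names, the HostPolicy service and its methods are hypothetical, while the OSGi calls used (registerService, getServiceReference, getService, ungetService) are the standard org.osgi.framework API.

```java
// Added illustration, not code from the report or its catalog. Two activators
// that would normally live in two separate bundles: a trusted one publishing a
// policy service, and a rogue one that obtains the same object and rewrites
// the trusted bundle's state. Service and bundle names are hypothetical.
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import org.osgi.framework.BundleActivator;
import org.osgi.framework.BundleContext;
import org.osgi.framework.ServiceReference;

// Service contract shared by both bundles (an exported package).
interface HostPolicy {
    String[] getAllowedHosts();          // weak: hands out the internal array
    List<String> getAllowedHostsSafe();  // hardened: read-only snapshot
    boolean isAllowed(String host);
}

// Trusted bundle: registers the policy service with the framework.
class PolicyActivator implements BundleActivator {
    private final String[] allowed = { "intranet.example.org" };

    public void start(BundleContext ctx) {
        HostPolicy policy = new HostPolicy() {
            // Leaks a reference to mutable private state.
            public String[] getAllowedHosts() { return allowed; }
            // Defensive copy wrapped in an unmodifiable view.
            public List<String> getAllowedHostsSafe() {
                return Collections.unmodifiableList(Arrays.asList(allowed.clone()));
            }
            public boolean isAllowed(String host) {
                return Arrays.asList(allowed).contains(host);
            }
        };
        ctx.registerService(HostPolicy.class, policy, null);
    }

    public void stop(BundleContext ctx) { }
}

// Rogue bundle: no permission is needed to perform a plain array store on an
// object the framework has already handed out.
class RogueActivator implements BundleActivator {
    public void start(BundleContext ctx) {
        ServiceReference<HostPolicy> ref = ctx.getServiceReference(HostPolicy.class);
        if (ref == null) {
            return;  // trusted bundle not (yet) started
        }
        HostPolicy policy = ctx.getService(ref);

        // Weak accessor: the trusted bundle's policy is now altered, and
        // policy.isAllowed("attacker.example.net") returns true for everyone.
        String[] hosts = policy.getAllowedHosts();
        hosts[0] = "attacker.example.net";

        // Hardened accessor: the same attempt cannot reach the provider's state.
        try {
            policy.getAllowedHostsSafe().set(0, "attacker.example.net");
        } catch (UnsupportedOperationException e) {
            // expected: the snapshot is read-only and detached from the original array
        }
        ctx.ungetService(ref);
    }

    public void stop(BundleContext ctx) { }
}
```

Each activator would be packaged in its own bundle with org.osgi.framework imported and the HostPolicy package exported by the provider. The point is that the rogue write is an ordinary field access on a shared object, so neither the framework nor the Java security manager sees anything to deny; only the provider's own defensive copy closes the hole.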
Document type:
Report
[Research Report] RR-6649, INRIA. 2008

Cited literature: 17 references

https://hal.inria.fr/inria-00322138
Contributor: Stéphane Frénot
Submitted on: Tuesday, 16 September 2008 - 17:16:05
Last modified on: Wednesday, 11 April 2018 - 01:54:55
Long-term archiving on: Thursday, 3 June 2010 - 19:17:28

File

RR-6649.pdf
Files produced by the author(s)

Identifiers

  • HAL Id: inria-00322138, version 1

Citation

Pierre Parrend, Stéphane Frénot. More Vulnerabilities in the Java/OSGi Platform: A Focus on Bundle Interactions. [Research Report] RR-6649, INRIA. 2008. 〈inria-00322138〉

Metrics

Record views: 356
File downloads: 624