More Vulnerabilities in the Java/OSGi Platform: A Focus on Bundle Interactions

Pierre Parrend (1), Stéphane Frénot (1, 2)
1 AMAZONES - Ambient Middleware Architectures: Service-Oriented, Networked, Efficient and Secured
2 CITI - CITI Centre of Innovation in Telecommunications and Integration of services, Inria Grenoble - Rhône-Alpes
Abstract : Extensible component platforms can discover and install code at runtime. Although this feature introduces flexibility, it also brings new security threats: malicious components can quite easily be installed and can exploit the rich programming environment and their interactions with other components to perform attacks against the system. One example of such an environment is the Java/OSGi platform, which is widespread in the industrial world. Attacks from one component against another cannot be prevented by conventional security mechanisms, since they exploit the lack of proper isolation between components: components often share classes and objects. This report intends to list the vulnerabilities that a component can contain, drawn both from the literature and from our own experience. The Vulnerable Bundle catalog gathers this knowledge. It provides information about the characteristics of the vulnerabilities, their consequences, the security mechanisms that would help prevent their exploitation, and the implementation state of the proof-of-concept bundles developed to show that each vulnerability is actually exploitable. The objective of vulnerability classification is, of course, to provide tools for identifying and preventing them. A first assessment is performed with existing tools, such as Java permissions and FindBugs, with a specific prototype we developed, WBA (Weak Bundle Analysis), and with manual code review.
Document type :
Reports
Cited literature : 17 references

https://hal.inria.fr/inria-00322138
Contributor : Stéphane Frénot
Submitted on : Tuesday, September 16, 2008 - 5:16:05 PM
Last modification on : Wednesday, July 8, 2020 - 12:42:42 PM
Long-term archiving on : Thursday, June 3, 2010 - 7:17:28 PM

File : RR-6649.pdf (files produced by the author(s))

Identifiers

  • HAL Id : inria-00322138, version 1
Citation

Pierre Parrend, Stéphane Frénot. More Vulnerabilities in the Java/OSGi Platform: A Focus on Bundle Interactions. [Research Report] RR-6649, INRIA. 2008. ⟨inria-00322138⟩

Metrics

Record views : 428
Files downloads : 1029