The OSGi Platform: A promising Approach for building secure Java-based Applications

Transcription

1 The OSGi Platform: A promising Approach for building secure Java-based Applications Pierre Parrend Pierre.parrend@insa-lyon.fr Lab. CITI, 21, Avenue J. Capelle Vileurbanne Cedex

2 Introduction Context MUSE European Project 'Multi-Service Everywhere' Multi-Provider Home Gateway Gateway operator Service providers internet last mile Home Gateway Home Equipments Home Network 10/04/2008 Secure OSGi Applications 2

3 Introduction Context Lise ANR Project 'Liability in Software Engineering' Secure Log inside an application platform Isolation between Applications Secure Logs App. 1 Log App. App. 2 10/04/2008 Secure OSGi Applications 3

4 Introduction Target System Java/OSGi Extensible Component Platform Component Support Extensible at Runtime OSGi Platform JVM Bundle Repository 10/04/2008 Secure OSGi Applications 4

5 Introduction What is Security? In strict sense Integrity Confidentiality Availability for the authorized users In a broader sense: Dependability Availability Reliability Safety Confidentiality Integrity Maintainability 10/04/2008 Secure OSGi Applications 5

6 Summary The Java Security Model The OSGi Security Model Vulnerabilities in OSGi-based Applications Security Solutions for the OSGi Platform Secure Management of OSGi Platforms Perspectives 10/04/2008 Secure OSGi Applications 6

7 The Java Security Model What is Java? Applications A Programming Interface (API) A Virtual Machine Java Applications Java API Vendor Specific Packages JVM Operating System Hardware 10/04/2008 Secure OSGi Applications 7 from [Cotroneo2006failures]

8 The Java Security Model Applets and Full Sandboxing For untrusted Web Applets Cannot Access the local System JVM can be killed if the Applet is consuming resources from [Gong1997sbac] 10/04/2008 Secure OSGi Applications 8

9 The Java Security Model Relaxed Sandboxing Security according to code trust level Enables selective access Each Code has specific rights Ex: Network Access, File System Pb: calls with various origins 10/04/2008 Secure OSGi Applications 9 from [Gong1997sbac]

10 The Java Security Model Secure Component Platforms: Protection Domains Secure Component-based Systems SBAC (Stack Based Access Control) Ex: each Component has its own Protection Domain Limitations SBAC System Structure Install Time A B A B C C c1 c2 D Security Policy Policy(A)=D.d2 Policy(B)=D.d1,D.d2 D d1 d2 Dependencies Protection Domain Runtime A B C c1 c2 d1 d2 D Aborted Call Succesfull Call 10/04/2008 Secure OSGi Applications 10

11 The Java Security Model Why is the Java Security Model actually flawed? No strict security analysis has been performed recently Java Permissions are not suitable High Performance overhead Programmative approach Methods have to bid for their own execution right Low level Policy Not bound with a proper High Level Access Control Model No control on Interactions between Components Applications with Multi-Provider Model Permissions guarantee Access Control. What about Security? No ressource Isolation CPU, memory, disk space MVM (Multi-user Virtual Machine) is not yet a production tool 10/04/2008 Secure OSGi Applications 11

12 The Java Security Model Can the Java Security Model be saved? We have to re-think everything 10/04/2008 Secure OSGi Applications 12

13 Summary The Java Security Model The OSGi Security Model Vulnerabilities in OSGi-based Applications Security Solutions for the OSGi Platform Secure Management of OSGi Platforms Perspectives 10/04/2008 Secure OSGi Applications 13

14 The OSGi Security Model What is OSGi? Java-based Extensible Component Platform Bundle Lifecycle Management Service Oriented Programming deploy Component Repository Service Management Life-Cycle Management Dependency Resolver Execution Component Downloader Local interactions 10/04/2008 Local executon Secure OSGi Applications 14

15 The OSGi Security Model Secure Deployment Overview [parrend06secuanalysis] Problem: no supporting tools (2005) Register Certification Authority (CA) Check Identity Sign Bundles with JarSigner Validate Bundle with Security Layer Issuer PublicationRepository A Signed bundle Installation SFeli x Client 10/04/2008 Secure OSGi Applications 15

16 The OSGi Security Model Secure Deployment Bundle Signature and Publication [parrend2007sfelix] 10/04/2008 Secure OSGi Applications 16

17 The OSGi Security Model Secure Deployment Bundle Signature and Publication [parrend2007sfelix] 10/04/2008 Secure OSGi Applications 17

18 The OSGi Security Model Secure Deployment Bundle Verification Signed Bundle Structure [parrend06deployment] HelloWorld Manifest File (1) META-INF MANIFEST.M F SHA-1 fr.insa_lyon.ares.helloworld HelloWorld Activator Signature File (2) Signature Block File (3) SHA-1 PIERREP.S F DSA SHA-1 SHA-1 pub HelloWorldInterfac e PIERREP.DS A HelloWorld mpl 10/04/2008 Secure OSGi Applications 18

19 The OSGi Security Model Secure Deployment Bundle Verification Algorithm [parrend06deployment] Check Identity Of the Signer 5. Identify Signer 1. checkresourceordervalid Check Coherence Of the Signed File 2. checksignatureblockvalid 3. checksignaturefilevalid 4. checkmanifestvalid 10/04/2008 Secure OSGi Applications 19

20 The OSGi Security Model Secure Deployment Bundle Verification OSGi vs. Java specs. [parrend2007sfelix] 10/04/2008 Secure OSGi Applications 20

21 The OSGi Security Model Secure Execution ClassLoader Hierarchy Proper namespace isolation between bundles Enables controlled class sharing through package export/import System Classloader Felix Classloader Bundle Classloaders 10/04/2008 Secure OSGi Applications 21

22 The OSGi Security Model Secure Execution Exploiting Permissions Signer specific permissions Our Felix extension: Bundlepermission keystore "file:/bundlepermissions-1.0.0/main-1.0.0/keystore/keystore.ks"; grant codebase "file:/bundlepermissions-1.0.0/main-1.0.0/bin/felix.jar" { permission java.security.securitypermission "createpolicy.javapolicy"; permission java.util.propertypermission "*", "read,write"; permission java.io.filepermission "/code/osgi-projects/sfelix/felixflavours/bundlepermissions-1.0.0/main-1.0.0/bundle/*", "read";... }; grant signedby "alice" { permission java.io.filepermission "/tmp/*", "read,write"; permission org.osgi.framework.packagepermission "*", "export"; permission org.osgi.framework.servicepermission "*", "register"; }; grant signedby "bob" { permission org.osgi.framework.servicepermission "fr.inria.ares.testservice.myservice", "register"; permission org.osgi.framework.packagepermission "*", "export"; }; 10/04/2008 Secure OSGi Applications 22

23 The OSGi Security Model Secure Execution Conditional Permissions Finer Conditions Important overhead!!! //permissions for all bundles { (..ServicePermission "..LogService" "get" ) (..PackagePermission "..log "import" ) (..PackagePermission "..framework" "import" ) } //conditional permissions { [..BundleSignerCondition "* ; o=acme" ] (..AdminPermission "(signer=\* ; o=acme)" "*" ) (..ServicePermission "..ManagedService" "register" ) (..ServicePermission "..ManagedServiceFactory" "register" ) (..PackagePermission "..cm" "import" ) } 10/04/2008 Secure OSGi Applications 23

24 The OSGi Security Model OSGi Security Lack of implementations Promissing features No criticism of the Java Security Model OSGi Security Documentation Center 10/04/2008 Secure OSGi Applications 24

25 Summary The Java Security Model The OSGi Security Model Vulnerabilities in OSGi-based Applications Security Solutions for the OSGi Platform Secure Management of OSGi Platforms Perspectives 10/04/2008 Secure OSGi Applications 25

26 Summary Vulnerabilities in OSGi-based Applications Security Analysis of OSGi-based Applications required Platform Vulnerabilities Security Analysis of the Execution Environment Bundle Vulnerabilities 10/04/2008 Secure OSGi Applications 26

27 Vulnerabilities in OSGibased Applications Platform Vulnerabilities [Parrend2007osgiVulnerabilities] Java Virtual Machine + OSGi Platform Properties Taxonomies for describing the Platform and the Bundles Definition of Benchmarking Techniques Vulnerability Catalog Benchmarking Results 10/04/2008 Secure OSGi Applications 27

28 Vulnerabilities in OSGibased Applications Platform Vulnerabilities Taxonomies for describing the Platform Extensible Component Platform - The OSGi Framework Operating System JVM OSGi Platform Runtime Classpath Module Layer Life-Cycle Layer Service Layer OSGi Specifications 10/04/2008 Secure OSGi Applications 28

29 Vulnerabilities in OSGibased Applications Platform Vulnerabilities Taxonomies for describing the Bundles Component - OSGi Bundle Intra-bundle Structure Inter-bundle Interactions Bundle Archive J Manifest O Activator O Native Code J Java standard API calls J Java J Language O OSGi API calls OSGi O Services Bundle O Fragments J O Java Component Entity OSGi bundle entity Application Code 10/04/2008 Secure OSGi Applications 29

30 Vulnerabilities in OSGibased Applications Platform Vulnerabilities Benchmarking: Vulnerability Pattern Vulnerability Reference Name, Inheritance, Identifier, Origin, Location of Exploit Code, Source, Target, Consequence Type, Introduction Time, Exploit Time Vulnerability Description Description, Preconditions, Attack Process, Consequence Description, See Also Vulnerability Protection Existing Mechanisms, Enforcement Point, Potential Mechanisms, Attack Prevention, Reaction Vulnerability Implementation Code Reference, OSGi Profile, Date, Test Coverage, Known Vulnerable Platforms, Known Robust Platforms 10/04/2008 Secure OSGi Applications 30

31 Vulnerabilities in OSGibased Applications Platform Vulnerabilities Benchmarking: Protection Rate Attack Surface: number of known attacks against the system [Howard2005attack_surface] Protection Rate: Protection Provided by a given security mechanism 10/04/2008 Secure OSGi Applications 31

32 Vulnerabilities in OSGibased Applications Platform Vulnerabilities Tests Bundles are available in the Malicious-Bundle project Example 1/3: Freezing infinite Loop in Bundle Activator public class InfiniteStartupLoopActivator implements BundleActivator{ public void start(bundlecontext context){ System.out.println("Bundle InfiniteStartupLoop started"); while(1==1){} } } public void stop(bundlecontext context){ System.out.println("Bundle InfiniteStartupLoop stopped"); } 10/04/2008 Secure OSGi Applications 32

33 Vulnerabilities in OSGibased Applications Platform Vulnerabilities Example 2/3: Recursive Thread Creation public class Stopper extends Thread{ Stopper(int id, byte[] payload) { this.id=id; this.payload = payload; } public void run() { Stopper tt = new Stopper(++id, payload); } } tt.start(); Stopper tt2 = new Stopper(++id, payload); tt2.start(); Stopper tt3 = new Stopper(++id, payload); tt3.start(); 10/04/2008 Secure OSGi Applications 33

34 Vulnerabilities in OSGibased Applications Platform Vulnerabilities Example 3/3: Memory Load Injection private void stressmem(int size) { System.out.println("Eating " + size + " bytes of memory"); this.memeater = new byte[size]; for (int i=0 ; i<size ; i++) { this.memeater[i] = 0; } } 10/04/2008 Secure OSGi Applications 34

35 Vulnerabilities in OSGibased Applications Platform Vulnerabilities The Vulnerability Catalog Bundle Archive 3 occurrences Bundle Manifest 3 occurrences Bundle Activator 2 occurrences Bundle Code - Native 2 occurrences Bundle Code - Java 13 occurrences Bundle Code OSGi API 6 occurrences Bundle Fragment 3 occurrences 10/04/2008 Secure OSGi Applications 35

36 Vulnerabilities in OSGibased Applications Platform Vulnerabilities Benchmarking results: Consequences of attacks Consequence Type Consequence type for Components Unavailabilty Performance Breakdown Undue Access 13 (40%) 11 (34%) 9 (28%) Lindqvist's classification Denial of Service Exposure Erroneous Output 23 (72%) 8 (25%) 8 (25%) 10/04/2008 Secure OSGi Applications 36

37 Vulnerabilities in OSGibased Applications Platform Vulnerabilities Benchmarking results: Protection Rate for various OSGi implementations 10/04/2008 Secure OSGi Applications 37

38 Summary Vulnerabilities in OSGi-based Applications Platform Vulnerabilities Bundle Vulnerabilities Security Analysis of the Applications 10/04/2008 Secure OSGi Applications 38

39 Vulnerabilities in OSGibased Applications Bundle Vulnerabilities Java Languages Properties Component Model Vulnerabilities in Public Code only [Parnas1989modularTraces] Bundle A Bundle B Schema Parnas and Wang Model Module OSGi Specifications bundle program function Access program Public Code (exported packages and registered services) 10/04/2008 Secure OSGi Applications 39

40 Vulnerabilities in OSGibased Applications Bundle Vulnerabilities Tests Bundles are available in the Malicious-Bundle project Known Vulnerabilities: Findbugs [Hovemeyer2004findbugs] Make mutable data available for third party code Excessive visibility and modifiers (non final, non private, etc.) Known Vulnerabilities: Sun Secure Coding Guidelines [lai2008javainsecurity] Make safe copies of objects Bypass security checks, through cloning, inheritance, serialization Data leaks through exceptions, privileged execution 10/04/2008 Secure OSGi Applications 40

41 Vulnerabilities in OSGibased Applications Bundle Vulnerabilities New Vulnerability: attack against synchronized method Launcher Alice Malory File Management NFSManager Every 20 s starts() getfilefromnetwork(file1,neta) getfilefromnetwork(file1,neta) starts( ) getfilefromnetwork(file1,n etb) Perform Action getfilefromnetwork(file1,n etb) if(netb) {while(true)} Synchronized Method 10/04/2008 Secure OSGi Applications 41

42 Vulnerabilities in OSGibased Applications Bundle Vulnerabilities New Vulnerability: malicious Inversion of Control Exploit non final parameter in public method ClientClass FileWriterArrayList c(filewriterarraylist) A B a() b(string) c(list) Client Bundle Servant Bundle 10/04/2008 Secure OSGi Applications 42

43 Vulnerabilities in OSGibased Applications Bundle Vulnerabilities Attack Trees: Denial of Service, Undue Access to Code Undue Access to Bundle Code Exploiting Fragments Exploiting public code (services and packages) AND OR Fragments Substitution Access to Host through Fragments Flaws in Parameter Validation Expose Internal Representation By-passing Security Checks Access to Hidden Class Split Package Private Field of Private Nested Class At instanciation In method Call Deserialization Clone Call OverwriteFinalize Privileged overridable Method MethodExecution of Method callerprovided code 10/04/2008 Secure OSGi Applications Security Checks that 43 depends on Class-

44 Vulnerabilities in OSGibased Applications Bundle Vulnerabilities The Vulnerability Catalog Undue Access Exploiting Fragments 1 occurence Undue Access Exploiting Public Code Flaws in Parameters Validation 10 occurences Undue Access Exploiting Public Code Expose Internal Representation 11 occurences Undue Access Exploiting Public Code Bypassing Security Check 9 occurences Undue Access Exploiting Public Code Synchronization 2 occurences 10/04/2008 Secure OSGi Applications 44

45 Summary The Java Security Model The OSGi Security Model Vulnerabilities in OSGi-based Applications Security Solutions for the OSGi Platform Secure Management of OSGi Platforms Perspectives 10/04/2008 Secure OSGi Applications 45

46 Summary Security Solutions for the OSGi Platform Hardened OSGi Component Based Access Control Weak Bundle Analysis Summary 10/04/2008 Secure OSGi Applications 46

47 Security Solutions for the OSGi Platform Hardened OSGi Recommendations [Parrend2007osgiVulnerabilities] Goal: Enhance OSGi Specifications to patch OSGi-related Platform vulnerabilities Do not rely on the embedded Java Archive verifier Bundle Resolution Process should be robust Ignore duplicate imports Handle large manifests without radical performance breakdown Bundle Start Process Start the Bundle Activator in a separate process OSGi Service Registration Explicit limitation of the number of registered services Absolute Maximum could be 50? 10/04/2008 Secure OSGi Applications 47

48 Security Solutions for the OSGi Platform Hardened OSGi - Recommendations Bundle Installation process Maximum storage size of bundle archive (for embedded devices) Should be performed before download when relevant Bundle Uninstallation process Remove Bundle data on the local file system 10/04/2008 Secure OSGi Applications 48

49 Security Solutions for the OSGi Platform Hardened OSGi Protection Rates Relative to OSGi-specific Vulnerabilities # of protected Flaws # of known Flaws PR Hardened OSGi (HO) % Java Permissions % HO + Perms % Relative to all Vulnerabilities in an OSGi Platform 10/04/2008 Secure OSGi Applications 49

50 Summary Security Solutions for the OSGi Platform Hardened OSGi Component Based Access Control Weak Bundle Analysis Summary 10/04/2008 Secure OSGi Applications 50

51 Security Solutions for the OSGi Platform CBAC Component Based Access Control [parrend08cbac] Goal: provide an alternative to Java Permissions Declarative Policies No runtime performance overhead Principles Install time analysis of the Execution Rights of Components Calls that are Sensitive must be explicitly granted Take Composition into account Hypotheses The Component Platform is not modified Each Component contains a valid digital signature 10/04/2008 Secure OSGi Applications 51

52 Security Solutions for the OSGi Platform CBAC Component Based Access Control CBAC System Structure Install Time A B A B PSC PSC c1 c2 PSC PSC C D PSC: Performed Sensitive Call, for each bundle Policy(A)=D.d2 => D.d1 not Allowed PSC = D.d1, D.d2 C d1 d2 Security Policy Policy(A)=D.d2 Policy(B)=D.d1,D.d2 D Forbidden Dependency Authorized Dependency Runtime B c1 c2 C d1 d2 D Method Call 10/04/2008 Secure OSGi Applications 52

53 Security Solutions for the OSGi Platform CBAC Component Based Access Control Required Data pf the Platform Configuration Each Component is identified in the Platform: i p i, the provider (and signer) of component i A pi, the Authorized calls for p i b i, the bundle (or Component) C s pf, bi, the Sensible Calls performed directly by the bundle C I pf, bi, the Innocuous Calls Stored Data PSC {b}i : Performed Sensitive Calls for the Bundle b i directly or through dependencies 10/04/2008 Secure OSGi Applications 53

54 Security Solutions for the OSGi Platform CBAC Component Based Access Control Condition of validity of a Bundle b i Formal proof is available on the web as appendix of the paper: 10/04/2008 Secure OSGi Applications 54

55 Security Solutions for the OSGi Platform CBAC Component Based Access Control Performances 2500 CBAC Check Only Signature Check 2000 Time (ms) ,32 6,49 7,62 9,2 11,74 12,53 13,48 14,28 19,78 33,1 38, ,34 131,48 602,33 5,51 6,33 7,49 7,92 10,97 12,16 13,42 13,88 16,15 24,92 37,09 41,56 76,94 102,14 350,07 10/04/2008 Secure OSGi Applications 55 Size (KBytes)

56 Security Solutions for the OSGi Platform CBAC Component Based Access Control Protection Rates # of protected Flaws # of known Flaws PR Hardened OSGi % Java Permissions % CBAC % HO + Java Perms % HO + CBAC % Review Only % 10/04/2008 Secure OSGi Applications 56

57 Security Solutions for the OSGi Platform CBAC Component Based Access Control No runtime Overhead Reduced Install Time Overhead No Application interruption At the cost of false positive No dangerous Pop-up windows 'This code may be malicious, Cancel or Allow?' Here, administrator only Arbitrary methods and meta-data can be set as sensitive Declarative Security Enables to protect against vulnerabitilies that are discovered after design 10/04/2008 Secure OSGi Applications 57

58 Summary Security Solutions for the OSGi Platform Hardened OSGi Component Based Access Control Weak Bundle Analysis Summary 10/04/2008 Secure OSGi Applications 58

59 Security Solutions for the OSGi Platform WBA Weak Bundle Analysis Goal: Guarantee secure Interaction between Components 10/04/2008 Secure OSGi Applications 59

60 Security Solutions for the OSGi Platform WBA Weak Bundle Analysis Protection Rate # of protected Flaws # of known Flaws PR Java Permissions % CBAC % WBA % WBA+ Perms % WBA + CBAC % Review only % Review % 10/04/2008 Secure OSGi Applications 60

61 Summary Security Solutions for the OSGi Platform Hardened OSGi Component Based Access Control Weak Bundle Analysis Summary 10/04/2008 Secure OSGi Applications 61

62 Security Solutions for the OSGi Platform Summary Vertical validation: validation of the successive layers Hypothesis: bootstrap mechanism can not be tampered with Digital signature for Alice gamecomponent Bundle Validation (Install time) Bootstrap Check (platform start) OSGi Security Bootstrap layer Security Policies 10/04/2008 Secure OSGi Applications 62

63 Security Solutions for the OSGi Platform Summary Horizontal validation: validation of the behavior of each bundle Hypothesis: Tests validate all specification features OSGi Digital Signature CBAC WBA Public Key of trusted Providers Execution Grants WBA Policy INSTALLATION gamecomponent Dig. Sig Junit Tests OSGi R4 CBAC Junit Tests 1 Comp N Comp CBAC Spec WBA Junit Tests WBA Spec. 10/04/2008 Secure OSGi Applications 63

64 Security Solutions for the OSGi Platform Summary Virtual Machine Language Execution Engine Modular Support Extensible Component Platform System Entity Type Formal Safety Proof SupportVerification Bytecode Host Protection Collection Garbage Bugfree J Code J J J W Properties That are: Low Perf. overhead C Language Property Conservation J Isolation J Security Component Management Metadata Validation J C O C Program Behavior Validation C W Access Control C Property J O Supported by Java Supported by OSGi J O Partially supported by Java Partially supported by OSGi C W Supported by CBAC Supported by WBA C W Partially supported by CBAC Partially supported by WBA 10/04/2008 Secure OSGi Applications 64

65 Security Solutions for the OSGi Platform Summary # of protected Flaws # of known Flaws PR Felix + Perms % HO + CBAC + WBA % Review Only % HO + CBAC + WBA + Review % 10/04/2008 Secure OSGi Applications 65

66 Security Solutions for the OSGi Platform Summary Security Challenges Infinite loop in method call/hanging Thread Method does not return (Java) Memory Load Injection If Pointers to object are kept, GC does not help (Java) Decompression Bomb (Java) Exponential Thread Number Crashes the JVM (Java) Service Short Circuit SOP-level vulnerability (OSGi) 10/04/2008 Secure OSGi Applications 66

67 Summary The Java Security Model The OSGi Security Model Vulnerabilities in OSGi-based Applications Security Solutions for the OSGi Platform Secure Management of OSGi Platforms Perspectives 10/04/2008 Secure OSGi Applications 67

68 Secure Management of OSGi Platforms A cryptographic Alternative Identity-based Cryptography [parrend07ibcrypto] Architecture 10/04/2008 Secure OSGi Applications 68

69 Secure Management of OSGi Platforms A cryptographic Alternative Identity-based Cryptography Limitation: PKG as Single Point of Failure Key Management Key Revocation Cryptograph ic Operations CA Trust Level Number of Coms with the CA PKI IB-PKI Ratio Signature Speed High Public Key Dissemination Heyvyweight Public Key is Identifier Transparent, through regular Key Update Key Size, Signature Verification Speed Key escrow Risk if untrusted N+M N 1/M 10/04/2008 Secure OSGi Applications 69

70 Secure Management of OSGi Platforms Secure Remote Management of OSGi Platforms Extension of the bundle life cycle REJECTED State 10/04/2008 Secure OSGi Applications 70

71 Secure Management of OSGi Platforms Secure Remote Management of OSGi Platforms Extension of the bundle life cycle [royon2007bbeuope] 10/04/2008 Secure OSGi Applications 71

72 Summary The Java Security Model The OSGi Security Model Vulnerabilities in OSGi-based Applications Security Solutions for the OSGi Platform Secure Management of OSGi Platforms Perspectives 10/04/2008 Secure OSGi Applications 72

73 Perspectives Around Vulnerabilities CBAC WBA Secure Bundle Life-Cycle Development Requirements 10/04/2008 Secure OSGi Applications 73

74 References References: [Parnas1989modularTraces] Parnas, D. & Wang, Y. The Trace Assertion Method of Module Interface Specification Dept. of Computing and Information Science, Queen's Univ. at Kingston, Ontario, Canada, [Gong1997sbac] Gong, L.; Mueller, M.; Prafullchandra, H. & Schemers, R. Going Beyond the Sandbox: An Overview of the New Security Architecture in the Java Development Kit 1.2 Proceedings of the USENIX Symposium on Internet Technologies and Systems, [Hovemeyer2004findbugs] Hovemeyer, D. & Pugh, W. Finding bugs is easy ACM SIGPLAN Notices, 2004, 39, [Howard2005attack_surface] Howard, M.; Pincus, J. & Wing, J. Lee, D.; Shieh, S. & Tygar, J. (ed.) Computer Security in the 21st Century Measuring Relative Attack Surfaces Springer, 2005, [Cotroneo2006failures] Cotroneo, D.; Orlando, S. & Russo, S. Failures classification and analysis of the Java Virtual Machine 26th IEEE International Conference on Distributed Computing Systems (ICDCS'06), [lai2008javainsecurity] Lai, C. Java Insecurity: Accounting for Subtleties That Can Compromise Code IEEE Software, IEEE Computer Society, 2008, 25, /04/2008 Secure OSGi Applications 74

75 References Own publications: [parrend06secuanalysis] Parrend, P. & Frenot, S. A Security Analysis for Home Gateway Architectures International Conference on Cryptography, Coding & Information Security, CCIS 2006, November 24-26, Venice, Italy, 2006 [parrend06deployment] Parrend, P. & Frenot, S. Secure Component Deployment in the OSGi(tm), RT-0323, Release 4 Platform INRIA, [parrend2007sfelix] Parrend, P. & Frenot, S. Supporting the Secure Deployment of OSGi Bundles First IEEE WoWMoM Workshop on Adaptive and DependAble Mission- and businesscritical mobile Systems, Helsinki, Finland, 2007 [parrend2007osgivulnerabilities] Parrend, P. & Frenot, S. Java Components Vulnerabilities - An Experimental Classification Targeted at the OSGi Platform INRIA RR-6231, 2007, 84 p. [parrend07ibcrypto] Parrend, P.; Galice, S.; Frenot, S. & Ubeda, S. Identity-Based Cryptosystems for Enhanced Deployment of OSGi Bundles International Conference on Emerging Security Information, Systems and Technologies, IARIA SecurWare, [royon2007bbeuope] Royon, Y.; Parrend, P.; Frenot, S.; Papastefano, S.; Abdelnur, H. & de Poel, D.V. Multi-service, Multi-protocol Management for Residential Gateways BroadBand Europe, Antwerp, Belgium, 3-6 December, [parrend08cbac] Parrend, P. & Frenot, S. Tanter, E. & Pautasso, C. (ed.) Component-based Access Control: Secure Software Composition through Static Analysis Software Composition, Springer Berlin / Heidelberg, 2008, LNCS 4954/2008, p /04/2008 Secure OSGi Applications 75

76 Questions? 10/04/2008 Secure OSGi Applications 76