Java Components Vulnerabilities - An Experimental Classification Targeted at the OSGi Platform

The OSGi Platform finds a growing interest in two different applications domains: embedded systems, and applications servers. However, the security properties of this platform are hardly studied, which is likely to hinder its use in production system…

Authors: **Pierre Parrend, Stéphane Frénot**

Pierre Parrend, Stéphane Frénot

INRIA Research Report (Rapport de recherche) N° 6231, June 2007, 84 pages. ISSN 0249-6399, ISRN INRIA/RR--6231--FR+ENG. Thème COM (Systèmes communicants), Projet ARES. Unité de recherche INRIA Rhône-Alpes, 655, avenue de l'Europe, 38334 Montbonnot Saint Ismier (France). Téléphone: +33 4 76 61 52 00, Télécopie: +33 4 76 61 52 52.

Abstract: The OSGi Platform finds a growing interest in two different application domains: embedded systems, and application servers. However, the security properties of this platform are hardly studied, which is likely to hinder its use in production systems. This is all the more important as the dynamic aspect of OSGi-based applications, which can be extended at run time, makes them vulnerable to malicious code injection. We therefore perform a systematic audit of the OSGi platform so as to build a vulnerability catalog that intends to reference OSGi vulnerabilities originating in the Core Specification, and in behaviors related to the use of the Java language. Implementations of Standard Services are not considered. To support this audit, a Semi-formal Vulnerability Pattern is defined, that enables to uniquely characterize fundamental properties for each vulnerability, to include verbose description in the pattern, to reference known security protections, and to track the implementation status of the proof-of-concept OSGi Bundles that exploit the vulnerability. Based on the analysis of the catalog, a robust OSGi Platform is built, and recommendations are made to enhance the OSGi Specifications.
Key-words: OSGi™ Platform, Security, Dependability, Java, Hardened Execution Platform, Vulnerability Catalog

This work is partially funded by the Muse IST Project n° 026442.

Vulnerabilities of Java Components - An Experimental Classification in the Context of the OSGi Platform

Summary (translated from the French résumé): The OSGi execution platform meets a growing interest in two different application domains: embedded systems, and application servers. However, the security properties of this platform have been very little studied, which may strongly hinder its adoption in industrial systems. This is all the more critical since the possibility of dynamic extension at run time offered by the OSGi platform makes it vulnerable to the injection of malicious code. We perform an audit of the OSGi execution environment, in order to create a catalog of vulnerabilities. We seek to reference the vulnerabilities caused by the `Core' specification, or by the underlying Java virtual machine. The other elements defined by OSGi, such as the standard services, are not considered. To carry out this audit, we define a semi-formal Vulnerability Pattern, which makes it possible to describe the characteristics of the vulnerabilities in a unique manner, to give complementary information, to reference existing protections, and to identify the implementation status of the OSGi test bundles that demonstrate each vulnerability. From this analysis, a robust OSGi platform is built, and recommendations for the OSGi specifications are given.

Keywords (translated): OSGi™ Platform, Security, Java, Hardened Execution Platform, Vulnerability Catalog

Contents

1 Introduction
2 Characterization of Vulnerabilities in Component-based Systems
  2.1 Definitions
  2.2 From Databases to Top-Vulnerability Lists
  2.3 Vulnerability Patterns
3 The Semi-formal Software Vulnerability Pattern
  3.1 The Structure of the Semi-formal Vulnerability Pattern
  3.2 Vulnerability Taxonomies for OSGi-based Systems
  3.3 A Vulnerability Example: `Management Utility Freezing - Infinite Loop'
4 Requirements for secure OSGi Systems
  4.1 Catalog Analysis
  4.2 Requirements for a Hardened OSGi Platform
  4.3 Recommendations for a Hardened Execution Environment
5 Conclusions
A The OSGi platform
  A.1 Overview
  A.2 The Bundles
  A.3 Interactions between Bundles
B Vulnerabilities List
  B.1 The Lindqvist Classification
  B.2 Common Weaknesses Enumeration (CWE)
  B.3 Nineteen Deadly Sins
  B.4 OWASP Top Ten
  B.5 Seven Kingdoms
C Formal Expression of the Vulnerability Pattern
D Vulnerability Catalog
  D.1 Bundle Archive
    D.1.1 Invalid Digital Signature Validation
    D.1.2 Big Component Installer
    D.1.3 Decompression Bomb
  D.2 Bundle Manifest
    D.2.1 Duplicate Package Import
    D.2.2 Excessive Size of Manifest File
    D.2.3 Erroneous values of Manifest attributes
  D.3 Bundle Activator
    D.3.1 Management Utility Freezing - Infinite Loop
    D.3.2 Management Utility Freezing - Thread Hanging
  D.4 Bundle Code - Native
    D.4.1 Runtime.exec.kill
    D.4.2 CPU Load Injection
  D.5 Bundle Code - Java
    D.5.1 System.exit
    D.5.2 Runtime.halt
    D.5.3 Recursive Thread Creation
    D.5.4 Hanging Thread
    D.5.5 Sleeping Bundle
    D.5.6 Big File Creator
    D.5.7 Code Observer
    D.5.8 Component Data Modifier
    D.5.9 Hidden Method Launcher
    D.5.10 Memory Load Injection
    D.5.11 Stand Alone Infinite Loop
    D.5.12 Infinite Loop in Method Call
    D.5.13 Exponential Object Creation
  D.6 Bundle Code - OSGi API
    D.6.1 Launch a Hidden Bundle
    D.6.2 Pirate Bundle Manager
    D.6.3 Zombie Data
    D.6.4 Cycle Between Services
    D.6.5 Numerous Service Registration
    D.6.6 Freezing Numerous Service Registration
  D.7 Bundle Fragments
    D.7.1 Execute Hidden Classes
    D.7.2 Fragment Substitution
    D.7.3 Access Protected Package through split Packages
E Attack Implementations
  E.1 Infinite Loops
    E.1.1 First Option
    E.1.2 Second Option
    E.1.3 Third Option
    E.1.4 Fourth Option
    E.1.5 Fifth Option
    E.1.6 Other Implementations
  E.2 Hanging Thread
    E.2.1 First Option
    E.2.2 Second Option
    E.2.3 Other Implementations
F XML2Tex Documentation Generator

List of Figures

1 Potential Locations of malicious Code in a Bundle
2 Vulnerability Sources in an OSGi-based System
3 Potential Targets of Attacks against an OSGi Platform
4 Consequences of the Vulnerabilities of the OSGi Platform
5 Introduction Time for the identified Flaws
6 Exploit Time for the identified Flaws
7 Entities that are Source of the vulnerabilities
8 Functions that prove to be dangerous in the context of an OSGi Platform
9 Flaws in an OSGi Execution Environment
10 Targets of Attacks against an OSGi Execution environment
11 Actual Protection Mechanisms
12 Cardinality for each potential Security Mechanism for the OSGi platform
13 Overview of an OSGi Platform
14 Internal Structure of an OSGi bundle
15 Life Cycle of an OSGi Bundle inside the platform
16 Interaction Mechanisms between the OSGi Bundles
17 XML2Tex Process

List of Tables

1 Vulnerabilities for the main Open Source OSGi Platforms
1 Introduction

The OSGi Platform, which enables multi-application management over Java Virtual Machines, is currently seeing a dramatic increase in its application domains. First targeted at embedded systems such as multimedia automotive devices, it has since spread into the world of applications, with the Eclipse Integrated Development Environment, and then to application servers, such as IBM WebSphere 6.1, or recent development with JBoss. Sun is envisioning integrating it in the Sun JVM, and several Java Specification Request (JSR) work groups have been set up on the subject (1). However, target systems are likely to be highly networked ones, and security implications have so far been mostly overlooked. Actually, the runtime extensibility of applications that is supported by the OSGi platform opens a brand new attack vector: code can be installed on the fly, and no mechanism currently guarantees that this code is not malicious. As OSGi-based systems move from Open-Source projects and closed embedded devices toward large-scale systems, this weakness can turn into a major vulnerability, unless security implications are better understood. We therefore perform in this study a systematic analysis of vulnerabilities that are implied by OSGi bundles, and propose adequate counter-measures.

Up to now, two complementary mechanisms are used to enforce security in the context of OSGi-based systems. The first mechanism is bundle digital signature [OSG05, PF06], which guarantees that only bundles from trusted issuers are installed. This trust requirement forces the issuer to publish only safe bundles, since he will be liable for any incident caused by the code he provides. The second mechanism is based on Java permissions, which make it possible to switch on or off some attack-prone features of the Java Virtual Machine.
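As an added illustration (not code from the report), the catalog entry `System.exit' (Appendix D.5.1) and the Java-permission countermeasure just described can be shown side by side. The activator below performs the attack; `NoExitSecurityManager' is a hypothetical minimal security manager that denies the `exitVM' runtime permission, which the JVM checks on both `System.exit' and `Runtime.halt' (Appendix D.5.2). The example assumes the OSGi core API (`org.osgi.framework') is on the classpath; the activator is invoked directly with a null `BundleContext' for the demonstration, outside any framework, and the class names are the author's own choice.

```java
import java.security.Permission;
import org.osgi.framework.BundleActivator;
import org.osgi.framework.BundleContext;

/** Catalog entry D.5.1: one call in a bundle activator stops the whole platform. */
class ExitActivator implements BundleActivator {
    public void start(BundleContext context) {
        System.exit(0); // takes every other bundle down with it
    }
    public void stop(BundleContext context) {}
}

/**
 * Hypothetical countermeasure based on Java permissions: deny only the
 * RuntimePermission "exitVM" family (named "exitVM.<status>" since Java 6,
 * plain "exitVM" on older JVMs). Runtime.exit and Runtime.halt both call
 * SecurityManager.checkExit, whose default implementation checks this
 * permission, so System.exit and Runtime.halt are both blocked.
 */
class NoExitSecurityManager extends SecurityManager {
    @Override
    public void checkPermission(Permission perm) {
        if (perm instanceof RuntimePermission && perm.getName().startsWith("exitVM")) {
            throw new SecurityException("bundle code attempted " + perm.getName());
        }
        // Everything else is allowed here; a real deployment would use a
        // least-privilege policy file instead of an allow-all default.
    }

    @Override
    public void checkPermission(Permission perm, Object context) {
        checkPermission(perm);
    }
}

public class ExitVmDemo {
    public static void main(String[] args) throws Exception {
        System.setSecurityManager(new NoExitSecurityManager());
        BundleActivator malicious = new ExitActivator();
        try {
            malicious.start(null); // null context: demonstration only, no framework
            System.out.println("unreachable: the JVM would have exited");
        } catch (SecurityException e) {
            System.out.println("blocked: " + e.getMessage());
        }
        // Runtime.halt goes through the same checkExit call and is blocked too.
        try {
            Runtime.getRuntime().halt(1);
        } catch (SecurityException e) {
            System.out.println("blocked: " + e.getMessage());
        }
    }
}
```

On the Java 5/6 JVMs contemporary with the report this runs as is; from Java 17 the SecurityManager is deprecated for removal and from Java 18 it must be enabled explicitly with `java -Djava.security.manager=allow ExitVmDemo`. The example also shows the cost the report points out: the check is one global switch on the JVM, not a per-bundle setting that can be changed dynamically, and the same manager would have to be extended to cover `Runtime.exec', thread creation and the other catalog entries.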
These me hanisms are mostly insuien t to guaran tee that systems are safe. First, kno wing the iden tit y of a bundle issuer do es not giv e guaran tees related to the qualit y of its bundles. Seondly , most implemen tations do not ha v e a prop er implemen tation of the digital signature me hanism: they rely on the JVM built-in v eriation me hanism, whi h is not omplian t with OSGi sp eiations [PF07 ℄. And, lastly , Ja v a p ermissions an not b e onsidered as a panaea, sine they are usually not dynami, and ha v e a great ost in term of funtionalit y , but also in term of p erformane. New metho ds and new seurit y me hanisms therefore need to b e dened to pro vide hardened OSGi Platforms. W e presen t in this rep ort our on tribution to this problem, b y addressing sev eral requiremen ts. A metho d for analyzing the seurit y prop erties of the OSGi Platform is dened. It is based on a atalog of vulnerabilities, and an therefore b e ompleted when further kno wledge relativ e to OSGi V ulnerabilities is gathered. Based on the analysis of this atalog, OSGi sp ei vulnerabilities are iden tied, and a protot yp e is built to sho w the seurit y me hanisms that an b e used. Reommendations for an ev olution of the sp eiation of the OSGi Core platform are prop osed to enable the OSGi Comm unit y to tak e adv an tage of this w ork. This resear h rep ort is organized as follo ws. W orks related to vulnerabilit y  harateri- zation and analysis are presen ted in Setion 2 . A denition of our Soft w are V ulnerabilit y 1 h ttp://jp.org/en/jsr/detail?id=277,h ttp://jp.org/ en/jsr/ det ail?id=291 INRIA OSGi V ulner abilities 9 P attern is giv en in Setion 3 : it  haraterized the prop erties of an OSGi system that need to b e listed so as to supp ort vulnerabilit y analysis. The analysis of the vulnerabilit y atalog is then pro vided, and reommendation for building a hardened OSGi Platform is giv en in Setion 4. 
Complementary information is to be found in the Appendices. In particular, a presentation of the OSGi Platform is given in Appendix A; the formal expression of the Vulnerability Pattern we defined is given in Appendix C; the vulnerability catalog is given in its entirety in Appendix D; and the specific implementations of attacks based on the identified vulnerabilities are given in Appendix E.

2 Characterization of Vulnerabilities in Component-based Systems

The classification of the security and vulnerability properties of systems is necessary to comprehend their weaknesses and to make them more robust. We present here the efforts that have been made to establish a precise knowledge of what vulnerabilities are, how to analyse them, and how to take advantage of them to improve computing systems. First, the terms that are used to characterize vulnerabilities are defined. Next, the disclosure mechanisms for software flaws are presented. And Vulnerability Patterns that support vulnerability analysis are given.

2.1 Definitions

The classification of security properties is based on the distinction between attack, vulnerability, and flaw. The related malicious actions can be prevented by the use of security protections, or countermeasures. The definitions of these terms follow.

Security: the concurrent existence of a) availability for authorized users only, b) confidentiality, and c) integrity [AJB00].

Attacks: actions that attempt to defeat the expected security status of a system.

Software vulnerability: an instance of an error in the specification, development, or configuration of software such that its execution can violate the security policy [Krs98].

Software Flaw: a flaw is a characteristic of a software system that builds, when put together with other flaws, a vulnerability. The more generic term of WIFF (Weaknesses, Idiosyncrasies, Faults, Flaws) is also used [MCJ05].

Security Protection, or Mitigations, or Countermeasures, or Avoidance strategies: mechanisms and techniques that control the access of executing programs to stored information [SS73] or to other programs.

Now that the necessary terms are defined, disclosure mechanisms are presented.

2.2 From Databases to Top-Vulnerability Lists

Vulnerability disclosure aims at providing users and designers with information that enables them to track the security status of their systems. Two main approaches exist: first, vulnerabilities of widespread applications are published in Reference Vulnerability Information (RVI) Databases so as to centralize this information; secondly, these vulnerabilities are classified according to Top-Vulnerability Lists, that support a comprehensive view of potential weaknesses.

Reference Vulnerability Information (RVI) Databases. Catalogs, Lists and Taxonomies are the favorite vector for expressing the vulnerabilities that are identified in software systems. The approach varies according to the target of the vulnerability identification work. Extensive databases are meant to maintain up-to-date references on known software vulnerabilities, so as to force the system vendor to patch the error before hackers can exploit it. Taxonomies are particularly used in research works, which aim to improve the knowledge relative to the vulnerabilities. Their goal is to develop tools based on these taxonomies. The drawback of these systematic approaches - catalogs and taxonomies - is that they are not easy to remember, and are thus of limited usefulness for developers or code auditors. Several Top Vulnerability Lists have been proposed to solve this problem, and provide software professionals with convenient practical data.

The main existing references are vulnerability databases. They are also known under the denomination of Refined Vulnerability Information (RVI) sources. Two main types of RVI exist: the vulnerability mailing lists, and the vulnerability databases. The main mailing lists are the following:
- Bugtraq, 1993 onwards (see http://msgs.securepoint.com/bugtraq/),
- VulnWatch, 2002 onwards (see http://www.vulnwatch.org/),
- Full Disclosure, 2002 onwards (see among others http://seclists.org/).

The reference vulnerability databases are the following. They are meant to publish and maintain reference lists of identified vulnerabilities.
- the CERT (Computer Emergency Response Team) Database. It is based on the Common Language for Security Incidents [HL98] (2).
- the CVE (Common Vulnerabilities and Exposures) Database (3).
- the CWE (Common Weaknesses Enumeration) Database. It is bound to the CVE, and aims at tracking weaknesses and flaws that have not yet turned out to be exploitable by attackers (4).
- the CIAC (Computer Incident Advisory Capability) Database (5).
- the OSVDB, Open Source Vulnerability Database (6). It is centered on Open Source Products.

Complementary Refined Vulnerability Information Sources are the following organizations: SecuriTeam (7), Packet Storm Security (8), the French Security Incident Response Team (9), ISS X-Force (10), Secunia, and SecurityFocus.

2 http://www.cert.org/
3 http://cve.mitre.org/
4 http://cwe.mitre.org/index.html
5 http://www.ciac.org/ciac/index.html
6 http://osvdb.org/
7 http://www.securiteam.com/
8 http://packetstormsecurity.nl/
9 http://www.frsirt.com/
10 http://xforce.iss.net/xforce/alerts

The limitation of the RVIs is that they follow no stable policy, which makes comparison between sources, and between the items of a given source, difficult [Chr06].
Top-Vulnerability Lists. Since catalogs are not that easy to remember, and therefore to put into practice, several `Top N' lists have been defined. The motivation for such lists is the recurrent drawback of the other approaches: vulnerability catalogs do not provide a useful overview of the identified vulnerabilities [Chr06]. Therefore, an alternative approach has been developed: to publish lists of prevalent attack categories. Their goal is to be used as reminders for developers or security analysts [MG06], and to serve as reference for software product characterization, through integration into security-based code assessment tools [MCJ05]. The most important of these vulnerability lists are presented.

One classification of computer security Intrusions is given by Lindqvist [LJ97] (see Appendix B.1). It contains external and hardware misuse, and several software misuse cases: bypassing intended control, active and passive misuse of resources, preparation for other misuse cases.

The Plover classification (11) is an example of rationalization of Vulnerability catalogs to support analysis. It is based on the MITRE CVE Database, and contains 300 specific entries that reflect 1400 vulnerabilities identified in the CVE database. Its goal is to suppress redundancy from the original database, so as to enable scientific analysis, e.g. using statistical approaches [Chr05].

The Nineteen Deadly Sins of software systems are defined by Michael Howard, from Microsoft [HLV05] (see Appendix B.3). They describe the most common vulnerabilities that are to be found in enterprise information systems. They concern Web-based systems, as well as the architecture of the information systems and the technologies involved.

The Open Web Application Security Project (OWASP) maintains a Top 10 of Web Application vulnerabilities (12) (see Appendix B.4). It concerns input validation, data storage, as well as configuration and error management. Another consortium for Web Application security enforcement, the WASC (Web Application Security Consortium), provides its own threat classification (13).

A convenient vulnerability list is provided by Gary McGraw, through the Seven Kingdoms of software vulnerabilities [MG06] [TCM05]. The number 7 is chosen to be easily remembered, and each entry is completed with Phyla, i.e. precise examples of the broader categories that are defined by the Kingdoms. The kingdoms are the following: Input Validation and Representation, API Abuse, Security Features, Time and State, Error Handling, Code Quality, Encapsulation, plus Environment (see Appendix B.5). This classification is targeted at enterprise information systems.

The publication of newly discovered vulnerabilities and of Top-Lists helps practitioners stay informed of the actual security risks of the systems they use, but they provide little support for systematic analysis. Vulnerability Patterns must be defined to formalize vulnerability information.

11 http://cve.mitre.org/docs/plover/
12 http://www.owasp.org/index.php/OWASP_Top_Ten_Project
13 http://www.webappsec.org/projects/threat/

2.3 Vulnerability Patterns

The descriptive spirit of Design Patterns [Ale77], [GHJV94], [MM97], is well suited for application in the security field, where the question of organization and exploitation of knowledge is central to the protection of systems - and not straightforward, if one judges from the various approaches that are used. Two types of patterns are defined in the security domain: Attack Patterns, and Vulnerability Patterns.

Attack Patterns represent potential attacks against a system. They model the preconditions, process and postconditions of the attack.
They an b e om bined with atta k trees, so as to automate the iden tiation of atta ks that are atually build from simpler atomi atta ks [MEL01℄. An extensiv e presen tation of the appliation of atta k pattern is giv en in the b o ok b y Markus S h uma her [S h03 ℄. The use of A tta k P atterns together with with soft w are ar hiteture desription to iden tify vulnerabilities is desrib ed b y Gegi k [GW05℄. The limitation of this approa h is that the atta ks m ust b e mo delized, but the system m ust also b e, whi h mak es this approa h impratial, and often not realisti based on the atual kno wledge that is a v ailable on systems. The V ulnerabilit y P atterns are used in the atalog of vulnerabilities. They often on tain a limited n um b er of information that are mean t to iden tify the vulnerabilit y , but also to not mak e it easily repro dueable without a reasonable amoun t of eort, to prev en t lazy ha k ers to exploit the vulnerabilit y databases as a soure of ready-to-exploit atta k referenes. W e list here the most wide-spread V ulnerabilit y P atterns, along with the attribute they on tain:  Ro  ky He kman pattern 14 : Name, t yp e, subt yp e, AKA, desription, more information;  CER T (Computer Emergeny Resp onse T eam) pattern: name, date, soure, systems aeted, o v erview, desription, qualitativ e impat, solution, referenes;  CVE 15 (Common V ulnerabilit y and Exp osures) pattern: name, desription, status, referene(s);  CIA C 16 (US Departmen t of Energy) pattern: iden tier, name, problem desription, platform, damage, solution, vulnerabilit y assessmen t, referenes. These V ulnerabilit y P atterns are quite simple ones. They ha v e an informativ e goal, but do not in tend as other patterns do at supp orting the repro dution of the vulnerabilit y with a minim um of eort. 
This approa h mak es sense relativ e to their use on text - making users and administrators a w are of the existene of the a ws - but are not suien t to supp ort detailed analysis of the related vulnerabilities. 14 h ttp://www.ro  kyh.net/ 15 h ttp://v e.mitre.org/ 16 h ttp://www.ia.org/ia/index.h tml RR n ° 6231 14 Parr end & F r énot So as to supp ort the automation of the seurit y pro ess, and to mak e vulnerabilit y analysis p ossible, it is neessary to put onstrain ts on the V ulnerabilit y P atterns. This is p erformed through the denition of taxonomies, whi h pro vide a ne grain desription of the prop erties of ea h vulnerabilit y . Ea h taxonom y should v erify the prop erties of a v alid taxonom y , as dened b y [Krs98 ℄ and [HL98 ℄. These prop erties are the follo wing: ob jetivit y , determinism, rep eatabilit y , sp eiit y (disjuntion), observ abilit y . The seminal w ork on vulnerabilit y taxonom y has b een p erformed b y Abb ott [A CD + 75 ℄ and Bisb ey [BH78 ℄. The a ws are lassied b y t yp e of error (su h as inomplete P arameter v alidation). This approa h turns out not to supp ort deterministi deisions, sine one a w an often b e lassied in sev eral ategories aording to the on text. T o solv e this prob- lem, Landw ehr [LBMC94 ℄ denes three fundamen tal t yp es of taxonomies for vulnerabilities: lassiation b y genesis of the vulnerabilit y , b y time of in tro dution, and b y lo ation (or soure). Moreo v er, vulnerabilities should b e onsidered aording to sp ei onstrain ts or as- sumptions, sine there existene most of the time dep ends on the prop erties of the en vi- ronmen t [Krs98 ℄. This assumptions mak e it neessary to rely on a w ell dened system mo del. F or generi omputing systems, su h a mo del is prop osed b y the Pro ess/Ob jet Mo del [BA T06 ℄. This requiremen t mak es it imp ossible for generi purp ose databases to rely on sp ei taxonomies. 
F or instane, the Common V ulnerabilit y En umeration [BCHM99 ℄ pro jet has giv en up the use of taxonomies. An expliit system mo del m ust th us b e a v ailable to supp ort vulnerabilit y taxonomies, and therefore the p ossibilit y of seurit y automation or analysis. Extensiv e disussions of vulnerabilit y taxonomies an b e found in [ Krs98 ℄, [SH05 ℄, [WKP05 ℄. The CWE (Common W eaknesses En umeration) Pro jet main tains a w eb page with addi- tional referenes, and a graphial represen tation of ea h taxonom y 17 . In this setion, fundamen tal onepts of vulnerabilit y analysis ha v e b een in tro dued: denitions ha v e b een giv en to pro vide a rm basis to w ork on, and the existing w orks in the domain of vulnerabilit y analysis ha v e b een presen ted. This w ork onerns V ulnerabilit y prop erties, whi h are often presen ted under the form of a taxonom y , and V ulnerabilit y P atterns, whi h gather the information onerning sev eral prop erties in a formalized w a y . Existing Prop erties and P atterns are not suien t to desrib e the vulnerabilities of an OSGi Platform, for sev eral reason: rst, they do not tak e expliitly in to aoun t the presene of a virtual ma hine; seondly , they are usually targeted at monolithi systems, whereas OSGi pro vides a high degree of mo dularit y through the bundles and the dep endeny resolution. W e therefore rst need to dene the prop erties of in terest for an OSGi-based System, as w ell as a suitable P attern, b efore the atual vulnerabilities of the platform an b e analyzed. 17 h ttp://w e.mitre.org/ab out/soures.h tml INRIA OSGi V ulner abilities 15 3 The Semi-formal Soft w are V ulnerabilit y P attern The goal of this study is to iden tify and to  haraterize the vulnerabilities of the OSGi platform, whi h is in tro dued in the App endix A. This  haraterization is to b e done with a set of sp ei prop erties, and organized in a semi-formal V ulnerabilit y P attern. 
Existing referenes are not suien t to desrib e the vulnerabilities of the OSGi Platform: neither virtualization nor omp onen tization, that are pro vided in the on text of OSGi, are tak en in to aoun t. Moreo v er, w e w an t our V ulnerabilit y P attern to pro vide us with enough information to pat h them or build suitable seurit y me hanism, whi h is not the ase in the literature. The prop erties of in terested that are tra k ed are tak en from existing soft w are seurit y taxonomies. W e add a new en try , the `Consequene Desription', that aims at ev aluating the seriousness of the vulnerabilit y . The P attern is made up of four parts:  a Referene, for rapid onsultation,  a Desription part, for additional and p oten tially more v erb ose information,  an Implemen tation part, to iden tify the test onditions of the vulnerabilit y ,  a Protetion part, b eause the ob jetiv e of iden tifying the vulnerabilit y is to b e able to pat h them. Our exp erimen tal pro ess is the follo wing. First, kno wn a ws that an aet Ja v a o de [Blo01 , BG05 ℄ ha v e b een iden tied, and their impat on an OSGi Platform has b een tested. Seondly , p oten tially dangerous me hanisms, su h as nativ e o de exeution, ha v e b een se- leted from related pro jets. The third soure of information in our quest for vulnerabilities of OSGi bundles is the sp eiations of the elemen ts that mak e up an OSGi platform: the Ja v a Virtual Ma hine, and the OSGi platform itself. Sev eral Ja v a API let the o de aess to the Virtual Ma hine itself ( e.g. the System or Run time API), or are kno wn to ause the exeution hang (Threads). The b eha vior of the OSGi platform in the presene of mal- formed or maliious bundles is not sp eied. 
W e therefore review the v arious en tities that mak e up this exeution en vironmen t: the format of the bundle meta-data (Manifest File), the registration of servies, the bundle managemen t and fragmen t funtionalities. F or ea h p oten tial vulnerabilit y , w e implemen ted a maliious bundle. This mak es p ossible to v alidate the h yp othesis, and to iden tify the onditions for ea h atta k. When protetions against these atta ks exist, they are v alidated through exp erimen t. The atta k bundles are tested in the four main Op en Soure implemen tations of OSGi, F elix, Knopersh, and Equino x, and Conierge. W e fo us on the b eha vior of the ore of the onsidered exeution en vironmen t, whi h omprises the JVM and the OSGi platform. W e therefore do not onsider the manage- men t to ols for Ja v a systems, su h as JMX, or JVM TI. JMX enables to manage a JVM though o de exeuted inside it. JVM TI is a C library that mak es full on trol o v er the JVM p ossible through a third part y program, whi h an then aess the a v ailable threads, pro vides an extensiv e debugging of the platform, and on trol the JVM state. Seondly , the OSGi bundles omm uniate through servies they publish inside the framew ork. A - ording to the t yp e of data they handle, these servies an b e sub jet to sp ei vul- RR n ° 6231 16 Parr end & F r énot nerabilities. A list of Servie-Lev el vulnerabilities is giv en b y the Findbugs referene list (h ttp://ndbugs.soureforge.net/bugDesriptions.h tml, `Maliious Co de V ulnerabilit y' at- egory). Lastly , the OSGi sp eiation denes a bun h of standard servies (HTTP , devie, servie wiring, UPnP servies, et.). W e do not onsider these servies either. A V ulnerabilit y P attern is dened to normalize the information gathered relativ e to ea h vulnerabilit y (see setion 3.1 ). The taxonomies for ea h prop erties of in terest are giv en and explained in setion 3.2 . 
An example is given in section 3.3 to highlight the information provided by the Vulnerability Pattern.

3.1 The Structure of the Semi-formal Vulnerability Pattern

The characteristics of interest to describe the vulnerabilities of a software system need to be gathered in a coherent set that contains all the information that is useful to understand and prevent these vulnerabilities. We therefore define a `Semi-formal Vulnerability Pattern' that is similar to the `Attack Patterns' [MEL01]. Contrary to the latter, the Vulnerability Pattern is centered around the identified vulnerability, so as to make its correction easy. Existing vulnerability patterns, which are presented in section 2, cannot be reused as-is, since they do not provide enough details for our purpose. The Vulnerability Pattern is composed of the following information. Its formal expression is given in Appendix C.

Vulnerability Reference
• Vulnerability Name: the descriptive name of the vulnerability.
• Identifier: a unique identifier for each vulnerability. In our catalog, the identifier is built out of the catalog identifier, the abbreviation of the source entity, and the number ID of the vulnerability in the catalog for the related source entity.
• Origin: the bibliographic reference of the vulnerability.
• Location of Exploit Code: where the code that performs the attack is located in the malicious Bundle (see Figure 1).
• Source: the entity in the execution platform that is the source of the vulnerability, along with the exact flaw or functionality causing it.
• Target: the target of the attack that can be performed through the vulnerability, i.e. the victim of the attack (see Figure 3).
• Consequence Type: the type of consequence of an attack exploiting this vulnerability (see Figure 4).
• Time of Introduction: the Life-Cycle phase where the vulnerability is introduced. Corrective measures can be taken at this time. Security measures can be taken in subsequent phases so as to prevent the exploitation of the vulnerability (see Figure 5).
• Time of Exploit: the life-cycle phase where the vulnerability can be exploited (see Figure 6). This is the last phase where security measures can be undertaken.

Vulnerability Description
• Description: a description of the attack.
• Preconditions: properties of the system that must be true so as to make the exploitation of the vulnerability possible.
• Attack Process: description of the process of exploitation of the vulnerability.
• Consequence Description: more information relative to the consequences of an attack using this vulnerability.
• See also: other vulnerabilities based on similar attack sources.

Vulnerability Implementation
• Code Reference: the reference of the implementation code (i.e. the name of the malicious OSGi bundle).
• Concerned OSGi Profile: the OSGi profile(s) where this vulnerability exists.
• Date: the date of the creation of the Vulnerability Pattern (for reference).
• Test Coverage: the percentage of the known implementations of the vulnerability that have been implemented in a test bundle. The identified implementations for the main attacks are given in Appendix E.
• Tested on: the OSGi Platform Implementations for which this vulnerability has been tested.

Protection
• Existing mechanisms: available protections to prevent this vulnerability from being exploited.
• Life-cycle enforcement point: the life-cycle phase where the protection mechanisms must be enforced.
• Potential mechanisms: protections that could be developed so as to prevent this vulnerability from being exploited.
• Attack Prevention: the measures that can be taken to prevent an attack based on this vulnerability from succeeding, even if it is launched.
• Reaction: the corrective action that can be taken to recover from a successful attack.

3.2 Vulnerability Taxonomies for OSGi-based Systems

Before analyzing each vulnerability, it is necessary to identify the properties of interest that need to be characterized. Moreover, the potential values for each property should be identified, so as to build a properly defined taxonomy. The following aspects need to be considered: the reference of the attack bundle implementation that takes advantage of the vulnerability; the life-cycle characteristics of the vulnerability, so as to know when the vulnerability is introduced and when it is exploited; and the existing and potential security mechanisms.

The properties we selected to be included in the vulnerability pattern are thus the following:
• the reference of the vulnerability pattern (to identify the code, and the conditions of the experiments),
• the location of the malicious code,
• the source of the flaw(s) in the system (and the specific flaw(s) and/or the dangerous functionality(ies)),
• the target of attacks based on the vulnerability,
• the consequences of the related attack,
• the time of introduction of the vulnerability,
• the time of exploitation of the vulnerability,
• the existing protections against this attack,
• the potential protections against this attack.

The goal of these properties is to make the information explanatory and predictive [Krs98], but also useful [WKP05]. Explanatory, because the vulnerability should be intuitively understood by the persons who consult the vulnerability catalog we propose, even with little previous knowledge of the OSGi Platform. Predictive, because the potential values of each characteristic should cover the whole field of possible options, or explain why some are not concerned.
Useful, b eause the ob jetiv e of a vulnerabilit y atalog is to highligh t the seu- rit y requiremen ts of the platform under study . The onlusions of the analysis is presen ted in the setion 4 . F or ea h prop ert y , a taxonom y is dened, that on tains the v alues this prop ert y an tak e. T w o approa hes are used to dene this taxonom y . It is either dened a priori, i.e. b efore the atalog is ompleted, or a p osteriori, with data that are iden tied during the exp erimen ts. W e no w presen t the taxonom y for ea h of the prop erties of in terest. The rst t w o prop erties of in terest are the Lo ation of the maliious o de and the soure of the vulnerabilit y . The lo ation onerns the plae in the atta k bundle where the atta k `pa yload' is lo ated. The soure indiates whi h en tit y in the exeution en vironmen t is resp onsible for the vulnerabilit y , i.e. for the system b eha vior that op ens the do or to the atta k. Figure 1 sho ws the p oten tial lo ations of maliious o de inside a malev olen t bundle. The maliious o de an b e lo ated in the ar hiv e struture (su h as ar hiv e o v ersize, or a de- ompression b om b), in the manifest (su h as dupliate imp orts, whi h mak e the installation ab ord), or in the bundle A tiv ator (is this latter is hanging). It an also b e lo ated in the appliativ e o de of the bundle, b eing nativ e o de, Ja v a o de, the Ja v a APIs, or the OSGi API. The maliious o de an also b e lo ated in fragmen t, whi h are sp ei bundle t yp es. The atual soures of vulnerabilities mat h the dieren t La y ers that are dened b y the OSGi Sp eiation, along with the Bundle Rep ository lien t whi h enables installation from remote bundles, and v arious o de prop erties su h as Servies, the JVM APIs, or the algo- rithmi prop erties of the programs. They are sho wn in Figure 2 . Figure 3 sho ws the p oten tial targets of atta ks against an OSGi Platform. 
These targets an b e either the whole platform, or sp ei OSGi Elemen ts. A tta ks against the whole INRIA OSGi V ulner abilities 19 Figure 1: P oten tial Lo ations of maliious Co de in a Bundle Figure 2: V ulnerabilit y Soures in an OSGi-based System Platform an for instane result in omplete una v ailabilit y if this latter. The vitim OSGi Elemen ts an b e the Platform Managemen t Utilit y , whi h mak es it p ossible for the user to on trol the life-yle of bundles (the ativ ator an hang), the bundle itself (whi h an b e started or stopp ed), Servies (whi h an suer from yles) or pa k ages (for instane, stati data that is b y default not aessible ould b e mo died through Bundle F ragmen ts). Figure 4 sho ws the p oten tial onsequenes of an atta k against an OSGi Platform. Three t yp es of onsequenes are iden tied: Una v ailabilit y , P erformane Breakdo wn, and Undue A ess. Una v ailabilit y an b e ause b y stopping the platform; P erformane Breakdo wn an b e the result of an innite lo op; and Undue A ess an b e p erformed through F ragmen ts or through Reetion o v er Servies. Figure 5 sho ws the atual in tro dution time of the vulnerabilities. The in tro dution time an b e as early as the design and implemen tation of the platform (when the a w originates in the platform), or b e the dev elopmen t time, the generation of the Meta-data of the bundles, the digital signature of the bundle, the installation, or ev en the publiation and resolution of servies. RR n ° 6231 20 Parr end & F r énot Figure 3: P oten tial T argets of A tta ks against an OSGi Platform Figure 4: Consequenes of the V ulnerabilities of the OSGi Platform Figure 5: In tro dution Time for the iden tied a ws The taxonom y for Time of Exploit of the vulnerabilit y is represen ted in gure 6. This time of exploit onerns neessarily the Life-Cyle steps inside the exeution platform. 
They an therefore b e: the do wnload, installation, Bundle start (if the vulnerabilit y is presen t in the bundle ativ ator) or exeution time (either through servie all, or through use of exp orted pa k ages). The existing protetions against atta ks based on the iden tied vulnerabilit y are the follo wing: only run time exeution p ermissions, either at the JVM lev el or at the OSGi Platform lev el, are urren tly a v ailable to protet an OSGi Platform from ha k ers. W e INRIA OSGi V ulner abilities 21 Figure 6: Exploit Time for the iden tied Fla ws prop ose our o wn implemen tation of the OSGi Bundle Digital Signature v alidation pro ess, whi h is part of the OSGi Seurit y La y er.  Ja v a P ermissions,  OSGi P ermissions (in partiular A dminP ermission),  SF elix implemen tation of the Bundle Digital Signature V alidation. The prop erties of in terest that  haraterize a vulnerabilit y ha v e b een presen ted. Next paragraph giv es the full V ulnerabilit y P attern that is based on these prop erties, and adapted for b etter omprehension. 3.3 A V ulnerabilit y Example: `Managemen t Utilit y F reezing - In- nite Lo op' So as to highligh t the role of the dened V ulnerabilit y P attern, w e no w presen t an example of vulnerabilit y; the `Managemen t Utilit y F reezing - Innite Lo op' vulnerabilit y . The whole vulnerabilit y atalog is giv en in the App endix D . This vulnerabilit y onsists in the presene of an innite Lo op in the ativ ator of a giv en Bundle, whi h auses the platform managemen t to ol (often an OSGi shell) to freeze. The presene of innite lo ops as a vulnerabilit y is giv en b y Blo o  h is `Ja v a Puzzlers - T raps, Pitfalls and Corner Cases', puzzlers 26 to 33 [BG05 ℄. The mat hing P attern is rst giv en, and then explained. 
The Vulnerability Pattern

Vulnerability Reference
• Vulnerability Name: Management Utility Freezing - Infinite Loop
• Extends: Infinite Loop in Method Call
• Identifier: mb.osgi.4
• Origin: Ares research project `malicious-bundle'
• Location of Exploit Code: Bundle Activator
• Source: OSGi Platform - Life-Cycle Layer (No safe Bundle Start)
• Target: OSGi Element - Platform Management Utility
• Consequence Type: Performance Breakdown; Unavailability
• Introduction Time: Development
• Exploit Time: Bundle Start

Vulnerability Description
• Description: An infinite loop is executed in the Bundle Activator
• Preconditions: -
• Attack Process: An infinite loop is executed in the Bundle Activator
• Consequence Description: Blocks the OSGi Management entity (the Felix, Equinox or Knopflerfish shell; when launched in the KF graphical interface, the shell remains available but the GUI is frozen). Because of the infinite loop, most of the CPU resource is consumed
• See Also: CPU Load Injection, Infinite Loop in Method Call, Stand Alone Infinite Loop, Hanging Thread

Protection
• Existing Mechanisms: -
• Enforcement Point: -
• Potential Mechanisms: Code static Analysis; Resource Control and Isolation - CPU; OSGi Platform Modification - Bundle Startup Process (launch the bundle activator in a separate thread to prevent startup hanging)
• Attack Prevention: -
• Reaction: -

Vulnerability Implementation
• Code Reference: fr.inria.ares.infiniteloopinmethodcall-0.1.jar
• OSGi Profile: J2SE-1.5
• Date: 2006-08-24
• Test Coverage: 10%
• Known Vulnerable Platforms: Felix; Equinox; Knopflerfish; Concierge
• Known Robust Platforms: SFelix

Details of the Vulnerability Pattern

The `Management Utility Freezing - Infinite Loop' vulnerability is referenced under the identifier `mb.osgi.4', which means `malicious bundle catalog - originates in the OSGi Platform itself - number 4'. This vulnerability is an extension of the `Infinite Loop in Method Call' one. It has been identified in the frame of the research project `Malicious Bundles' of the INRIA Ares Team. The location of the malicious code that performs the attack is the Bundle Activator. Its source is the Life-Cycle Layer of the OSGi Platform, which is not robust against such a vulnerability. Its target is the Platform Management Utility, which can be either the OSGi shell or a graphical interface such as the Knopflerfish GUI. This vulnerability has a two-fold consequence: the method does not return, so that the caller also freezes; and the infinite loop consumes most of the available CPU, which causes the existing services to suffer from a serious performance breakdown. This vulnerability is introduced during development, and exploited at bundle start time. Related Vulnerability Patterns are `Management Utility Freezing - Hanging Thread', which also targets the Management Utility; `Infinite Loop in Method Call', `CPU Load Injection' and `Stand-alone Infinite Loop', which have the same consequence of performance breakdown; and `Hanging Thread', which also freezes the calling thread. No specific protection currently exists. Two potential solutions have been identified. The first consists in launching every Bundle Activator in a new Thread, so as not to block the caller if the activator hangs. The second solution would make it possible to prevent invalid algorithms from being executed: static code analysis techniques such as Proof Carrying Code or similar approaches [Nec97] can provide formal proofs of code well-formedness. Its reference implementation is available in the OSGi bundle named `fr.inria.ares.infiniteloopinmethodcall-0.1.jar', referenced on 2006-08-24.
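To make the `Potential Mechanisms' entry of this pattern concrete, the following is an added example written for this edit; it is not code from the report, from the `malicious-bundle' project or from SFelix. It puts the vulnerable activator shape next to a guarded start routine that runs the activator on a separate thread and waits for it with a timeout, i.e. the `OSGi Platform Modification - Bundle Startup Process' mechanism listed above. It assumes only the OSGi core API (org.osgi.framework) on the classpath; the class names, the 500 ms timeout and the null BundleContext handed to the demo activator are choices made for the example.

```java
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.TimeoutException;

import org.osgi.framework.BundleActivator;
import org.osgi.framework.BundleContext;

/**
 * Added example, not code from the report or from any OSGi framework.
 * InfiniteLoopActivator is the vulnerable shape behind mb.osgi.4;
 * guardedStart is the kind of routine the pattern's `Potential Mechanisms'
 * entry describes (run the activator in a separate thread so the caller,
 * typically the shell or GUI, never blocks). Assumes only the OSGi core API
 * (org.osgi.framework) on the classpath.
 */
public final class GuardedActivatorStart {

    /** Vulnerable pattern: start() never returns. */
    public static final class InfiniteLoopActivator implements BundleActivator {
        @Override
        public void start(BundleContext ctx) {
            // A framework that calls start() on the shell's own thread never gets
            // control back; the loop also keeps one core busy.
            while (true) { }
        }

        @Override
        public void stop(BundleContext ctx) { }
    }

    /** Outcome of a guarded start, so the framework (or a test) can act on it. */
    public enum StartOutcome { STARTED, TIMED_OUT, FAILED }

    /**
     * Runs activator.start(ctx) on a dedicated daemon thread and waits at most
     * timeoutMillis for it. The calling thread always regains control.
     */
    public static StartOutcome guardedStart(BundleActivator activator, BundleContext ctx,
                                            long timeoutMillis) {
        ExecutorService exec = Executors.newSingleThreadExecutor(r -> {
            Thread t = new Thread(r, "activator-start");
            t.setDaemon(true);      // a hung activator must not keep the JVM alive
            return t;
        });
        Future<?> pending = exec.submit(() -> {
            activator.start(ctx);   // BundleActivator.start is declared to throw Exception
            return null;
        });
        try {
            pending.get(timeoutMillis, TimeUnit.MILLISECONDS);
            return StartOutcome.STARTED;
        } catch (TimeoutException e) {
            // cancel(true) only interrupts: a loop that never checks
            // Thread.interrupted() keeps spinning. That residual CPU cost is why
            // the pattern also lists CPU resource control and static analysis.
            pending.cancel(true);
            return StartOutcome.TIMED_OUT;
        } catch (Exception e) {
            return StartOutcome.FAILED;     // start() threw, e.g. a BundleException
        } finally {
            exec.shutdownNow();
        }
    }

    public static void main(String[] args) {
        // The demo activator never touches its context, so null is passed here;
        // a real framework passes the bundle's own BundleContext.
        StartOutcome outcome = guardedStart(new InfiniteLoopActivator(), null, 500);
        System.out.println("start outcome: " + outcome);
    }
}
```

The guard gives control back to the management utility, which is what the pattern asks for, but it cannot stop a loop that ignores interruption: the daemon thread keeps burning a core until the JVM exits. A framework adopting this mechanism therefore also has to decide what state the bundle is left in after a timed-out start, which is the part of the problem the pattern delegates to resource control and static analysis.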
The test o v erage is 10 %, sine ten t yp es of innite lo ops ha v e b een iden tied (see the app endix E), and only one has b een implemen ted. The test bundle ha v e b een tested on the follo wing implemen tations of the OSGi platform: F elix, Equino x, Knopersh, and Conierge. The only robust Platform is our SF elix Platform, whi h is a protot yp e mean t to enhane to urren t F elix implemen tation. This example highligh ts the informations that an b e found in ea h V ulnerabilit y P at- terns. The information related to the other vulnerabilities is giv en under the form of pat- terns, to pro vide a qui k o v erview of the  harateristis, and to mak e analysis p ossible. The atalog of the vulnerabilit y patterns is presen ted in the setion D . The setion 4 presen ts the analysis of this atalog, and the seurit y requiremen ts an an b e dedued from it. RR n ° 6231 24 Parr end & F r énot 4 Requiremen ts for seure OSGi Systems The analysis of the V ulnerabilit y P atterns w e presen ted in the atalog pro vides guidelines for programming seure OSGi-based systems. The ob jetiv e here is t w o fold. First, the w eaknesses of the OSGi Platform are to b e iden tied, so as to pro vide a framew ork for the ev olution of its sp eiation. Seondly , these w eaknesses are to b e made a v ailable in a dev elop er-omplian t w a y , so that programmers an refer to them to v erify that their system do not op en the w a y to kno wn atta ks: the Seven De ad ly Sins of the OSGi R4 Platform are therefore dened. These guidelines are - o ourse - based on the atalog at the momen t of its publiation, and an therefore ev olv e in the future, when new vulnerabilities will b e diso v ered, or when new part of OSGi systems will b e onsidered. A tually , the managemen t to ols su h as JVMTI, and the OSGi standard servies are not onsidered, and an b e the soure for new vulnerabilities. This setion is organized as follo ws. 
Subsetion 4.1 presen ts the analysis of the atalog through statistis related to the signian t prop erties of the vulnerabilities. Subsetion 4.2 presen ts the Seurit y Requiremen ts for a hardened OSGi Platform. Lastly , Subsetion 4.3 giv es a series of reommendation for the OSGi Sp eiation, in order to mak e the platform more robust. 4.1 Catalog Analysis The analysis of the iden tied V ulnerabilit y P atterns pro vides quan titativ e data relativ e to these vulnerabilities. This subsetion pro vides a summary of the signian t prop erties that  haraterize a vulnerabilit y in an OSGi Exeution En vironmen t. W e use the term OSGi Exeution En vironmen t to desrib e an exeution platform running OSGi on top of a JVM. This denomination highligh ts the fat that not all vulnerabilities are b ound to the OSGi sp eiation itself, but an also originate in other parts of the system. First, quan titativ e results relativ e to the vulnerabilit y soures, funtions, a ws, as w ell as the iden tied atta k targets are giv en. Next, a summary of the vulnerabilities for ea h tested OSGi Platform implemen tation is presen ted. Figure 7 sho ws the soure en tit y of the iden tied vulnerabilities. The most imp ortan t soure is the Ja v a API, whi h auses the bigger part of the vulnerabilities. Next, the Appliation Co de prop erties, the OSGi Life-Cyle La y er and the OSGi Mo dule La y er also generate an imp ortan t n um b er of vulnerabilities. Next omes the Ja v a Run time API, whi h is partiularly sensitiv e, and the OSGi Servie La y er. The Op erating System and the Bundle Rep ository Clien t m ust also b e onsidered as p oten tial soure of vulnerabilities, ev en though their impat is more marginal. Figure 8 sho ws the ardinalit y of the iden tied dangerous funtions. First ome the OSGi Bundle F ailit y , and the Ja v a APIs Reetion, ClassLoader, and Thread. 
Next, the bundle managemen t, the Ja v a File API and the opp ortunit y of exeuting nativ e o de op en the w a y to abuses. Sev eral other funtions pro v e to b e dangerous: the Run time.halt() and INRIA OSGi V ulner abilities 25 0 1 2 3 4 5 6 7 8 9 JVM - APIs Application Code OSGi Platform - Life-Cycle Layer OSGi Platform - Module Layer JVM - Runtime API OSGi Platform - Service Layer OS OSGi Platform - Bundle Repository Client Source Entity Figure 7: En tities that are Soure of the vulnerabilities the System.exit() metho ds, the la k of on trol on metho d parameters, and the kill utilit y at the OS lev el whi h an b e used to sh ut the platform do wn. 0 0.5 1 1.5 2 2.5 3 3.5 4 Bundle Fragments ClassLoader API Thread API Reflection API Native Code Execution File API Bundle Management Kill utility Value of Method Parameters System.exit method Runtime.halt method Source Function Figure 8: F untions that pro v e to b e dangerous in the on text of an OSGi Platform RR n ° 6231 26 Parr end & F r énot Figure 9 sho ws the ardinalit y of the a ws of a Ja v a-based exeution en vironmen t with the OSGi Platform. The most imp ortan t a w is the la k of algorithm safet y in the Ja v a language. Next ome sev eral prop erties of the OSGi platforms, su h as the la k of safe-default bundle meta-data handling during the dep endeny resolution phase, the la k of on trol on the servie registration pro ess, and the la k of robustness of the bundle start me hanism, whi h hea vily relies on the v alidit y of the bundle ativ ators. 
Sev eral other puntual a ws ha v e b een iden tied: data of uninstalled bundles is often k ept on the disk spae, b eing not aessible, no dep endeny on trol is p erformed at the servie lev el, the pro ess of Digital Signature v alidation is sometimes not omplian t with the OSGi R4 Sp eiations, and the bundle ar hiv e is nev er  he k ed for size or v alidit y , whi h pro vides no protetion against deompression b om bs or large les, in partiular in resoure-onstrain t en vironmen ts. 0 1 2 3 4 5 6 No Algorithm Safety - Java Bundle Meta-data Handling - No Safe-Default Uncontrolled Service Registration No safe Bundle Start No Removal of Uninstalled Bundle Data Architecture of the Application - No Validation of Service Depe Non OSGi R4-compliant Digital Signature Validation in the JVM No Verification of Bundle Archive Validity No Algorithm Safety - Native Code No Check of Size of Loaded Bundles Source Flaw Figure 9: Fla ws in an OSGi Exeution En vironmen t Figure 10 sho ws the target of atta ks against an OSGi exeution en vironmen t. The en tit y that is the rst target of the iden tied atta ks is the platform. This means that most of the iden tied atta k an easily prev en t all servies on the platform the b e exeuted in a satisfatorily manner. OSGi sp ei elemen ts, su h as pa k ages, Bundles or servies are other frequen t targets. Lastly , the Platform Managemen t Utilit y an also b e targeted, whi h w ould not prev en t the platform to pro vide existing servies, but w ould prev en t an y ev olution of these servies - as w ell as the remo v al of the maliious bundle. The table 1 sho ws a summary of the prop erties of the OSGi Platform implemen ta- tions under study . 
The onsidered platforms are the main Op en Soure Pro jets: F elix 18 , 18 h ttp://wiki.apa he.org/FELIX/index.h tml INRIA OSGi V ulner abilities 27 0 2 4 6 8 10 12 14 Platform OSGi Element - Package OSGi Element - Bundle OSGi Element - Service OSGi Element - Platform Management Utility Attack Target Figure 10: T argets of A tta ks against an OSGi Exeution en vironmen t Knopersh 19 , Elipse Equino x 20 , and Conierge 21 . F or omparison, w e also pro vide the data related to SF elix, whi h is the Hardened OSGi Platform w e dev elop. It is based on the F elix Platform 0.8.0. Most Op en Soure OSGi Platforms are v ery fragile regarding the set of vulnerabilit y w e iden tied. Equino x pro v es to ha v e sligh tly b etter results than the other ones. SF elix urren tly do es not in tend to pro vide protetions against all the iden tied vulnerabilities, but only to pro vide a rst enhanemen t of urren t implemen tations. The result of our analysis ha v e b een presen ted for the prop erties that  haraterize vulner- abilities of an OSGi Platform: Lo ation of the maliious pa yload in Bundles, V ulnerabilit y Soure, Fla ws and dangerous F untions, as w ell as the iden tied A tta k T argets. It is no w p ossible to iden tify the requiremen t for a Hardened OSGi Platform. 4.2 Requiremen ts for a Hardened OSGi Platform The requiremen t for a Hardened OSGi Platform an b e dedued from the atual and p oten- tial seurit y me hanisms. The ob jetiv e is to highligh t the seurit y me hanisms that need to b e b etter exploited (for the existing ones), and the ones that need to b e dev elop ed (for the p oten tial ones). 
Priorities an b e set aording to the t yp e of target and onsequenes of the 19 h ttp://www.knopersh.org/ 20 h ttp://www.elipse.org/equino x/ 21 h ttp://onierge.soureforge.net/ RR n ° 6231 28 Parr end & F r énot V ulnerabilit y F elix Knopersh Equino x Conierge SF elix An y with Ja v a P er- missions Exp onen tial Ob jet Creation V V V V V - Exessiv e Size of Manifest File V V R V R - A ess Proteted P a k age through split P a k ages V V V - V R F reezing Numerous Servie Regis- tration - - - V - - Big File Creator V V V V V R Managemen t Utilit y F reezing - Thread Hanging V V V V R - Erroneous v alues of Manifest at- tributes V V V V V - In v alid Digital Signature V alida- tion V - - - R - Cyle Bet w een Servies V V V V V - Hanging Thread V V V V V - Managemen t Utilit y F reezing - In- nite Lo op V V V V R - F ragmen t Substitution V V V - V R Numerous Servie Registration V V V V R - Sleeping Bundle V V V V V - Co de Observ er V V V - V R Reursiv e Thread Creation V V V V V - Dupliate P a k age Imp ort V V R R R - Memory Load Injetion V V V V V - Innite Lo op in Metho d Call V V V V V - Run time.halt V V V V V R CPU Load Injetion V V V V V R System.exit V V V V V R Run time.exe.kill V V V V V R Comp onen t Data Mo dier V V V V V R Stand Alone Innite Lo op V V V V V - Exeute Hidden Classes V V V - V R Pirat Bundle Manager V V V V V R Big Comp onen t Installer - - - - R - Laun h a Hidden Bundle V V V V V R Zom bie Data V R R V R - Deompression Bom b - - - - - - Hidden Metho d Laun her V V V V V R V: Platform is V ulnerable; R: Platform is Robust; - : not relev an t T able 1: V ulnerabilities for the main Op en Soure OSGi Platforms INRIA OSGi V ulner abilities 29 atta ks: it is in an y ase w orth prev en ting an atta k that mak es the whole platform una v ail- able, but it ma y b e less imp ortan t to prev en t atta ks that pro v ok e only the una v ailabilit y of the maliious bundle itself. 
Figure 11 shows the cardinality of the actual protection mechanisms. Most of the vulnerabilities can be prevented by Java Permissions. However, an important number of them currently have no associated protection. The OSGi AdminPermission and the SFelix implementation of the OSGi Security Layer (Digital Signature Validation part) each account for one vulnerability.

Figure 11: Actual Protection Mechanisms [bar chart over Existing Security Mechanisms; categories, in the order of the figure: Java Permissions, - (none), OSGi AdminPermission, SFelix OSGi Security Layer]

Figure 12 shows the potential protections identified to protect an OSGi Platform against the considered attacks. These potential protections are of course only set as hypotheses: as long as no implementation is available, it is not possible to assert that no special case or hard-to-track false positives and negatives occur if the proposed technique is used. The most promising approach seems to be static code analysis, which would help track both dangerous calls without heavyweight permissions and unsafe algorithms. The OSGi Platform itself would benefit from several minor modifications: better handling of ill-formed meta-data, a safe startup process for bundles, better control of service publication. Some of these mechanisms have been experimented with in the SFelix Platform, and prove to be easy to implement. Also, resource control and isolation mechanisms (CPU, memory, disk space) would make the support of multiple processes safer.

The potential protection mechanisms represent the elements that are worth an important development effort. However, they do not show the relative priority of the security mechanisms. Urgent security mechanisms are the ones that prevent attacks with serious consequences - for instance platform unavailability - from being performed, or the ones that are required to make the use of existing mechanisms efficient and convenient for developers.

Figure 12: Cardinality for each potential Security Mechanism for the OSGi platform [bar chart over Potential Security Mechanisms; categories, in the order of the figure: Code static Analysis, - (none), Resource Control and Isolation - CPU, OSGi Platform Modification - Bundle Startup Process, OSGi Platform Modification - Installation Meta-data Handling, Resource Control and Isolation - Memory, Miscellaneous, OSGi Platform Modification - Service Publication, Bundle size control before download, OSGi Platform Modification - Bundle Uninstall Process, Access Control - FileSystem, Service-level dependency validation, Resource Control and Isolation - Disk Space]

Consequently, the priority is to be set on the following protection mechanisms:
• protection against attacks targeted at the whole Platform (see Figure 10), which impair the availability or the performance of all executed bundles simultaneously,
• protection against silent attacks: classical access control mechanisms are required inside the OSGi Platform, to support mutually untrustful bundles,
• tools are required to take advantage of existing mechanisms: for instance, Permissions are supported, but are currently extremely inconvenient to set and manage.

We presented the requirements for developing a Hardened OSGi Platform by identifying the most promising potential security mechanisms, as well as the most urgent tools for preventing serious attacks or taking advantage of existing protections.
However, developers require ready-to-use guidelines to take advantage of the knowledge we gathered in this study: in the absence of available tools, they have to take care by themselves that the code they produce is safe from the known vulnerabilities.

4.3 Recommendations for a Hardened Execution Environment

Hardening the Specifications of the OSGi Platform. Based on the identified vulnerabilities of the OSGi Platform, we propose the following recommendations for an enhanced OSGi Platform. These recommendations do not pretend to solve every identified problem, but intend to make the community aware of the easy changes that can be made to the OSGi Specification so as to prevent avoidable flaws. These recommendations are validated by the SFelix Platform version 0.2, which is a robust extension to the Felix 0.8.0 implementation of the OSGi Platform.

INRIA OSGi Vulnerabilities 31

The following improvements to the OSGi Release 4 Specification should be made:
- Bundle Installation Process: a maximum storage size for bundle archives is set. Alternatively, a maximum storage size for all data stored on the local disk is set (bundle archives and files created by the bundles); OSGi R4 par. 4.3.3.
- Bundle Uninstallation Process: remove the data on the local bundle filesystem when a bundle is uninstalled (and not when the platform is stopped); OSGi R4 par. 4.3.8.
- Bundle Signature Validation Process: the digital signature must be checked at install time. It must not rely on the Java built-in validation mechanism, since the latter is not compliant with the OSGi R4 Specification [PF07]; OSGi R4 par. 2.3.
- Bundle Dependency Resolution Process: do not reject duplicate imports, just ignore them; OSGi R4 par. 3.5.4.
- Bundle Start Process: launch the Bundle Activator in a separate thread; OSGi R4 par. 4.3.5.
 OSGi Servie Registration: set a Platform Prop ert y that expliitly limits the n um b er of registered servies (default ould b e 50); OSGi R4 p ar. 5.2.3 .  Bundle Do wnload: when a bundle do wnload failit y is a v ailable, the total size of the bundles to installed should b e  he k ed immediately after the dep endeny resolution pro ess. The bundles should b e installed only if the required storage is a v ailable. T o supp ort this mo diations of the OSGi R4 sp eiations, follo wing  hanges ha v e b een applied to the API:  In the Class BundleCon text, a metho d `getA v ailableStorage()' is dened,  A prop ert y `osgi.storage.max' is dened, that is set in the prop ert y onguration le of the OSGi framew ork.  In the lass org.osgi.servie.obr.Resoure, a metho d `getSize()' is dened. This metho d relies on the `size' en try of the bundle meta-data represen tation (usually a XML le). In addition to these simple enhanemen t, more resear h w ork is required in order to dene prop er solution to the iden tied vulnerabilities. The most imp ortan t ones are the follo wing:  Stati Co de Analysis for Ja v a,  Con v enien t P ermission Managemen t for Ja v a and OSGi, RR n ° 6231 32 Parr end & F r énot  Resoure isolation in omp onen t systems,  Mandatory Servie Managemen t. Through this study , w e iden tied b oth te hnial requiremen ts for enhanemen t of the OSGi R4 Sp eiations, and neessary resear h w ork that is neessary to protet the OSGi Platform. Hardening the Sp eiations of the Ja v a Virtual Ma hine Some safet y require- men ts ha v e also b een iden tied at the Virtual Ma hine Lev el. The a ws that ha v e b een iden tied in the Sun Ja v a Virtual Ma hine v ersion 1.6 are the follo wing:  the Ja v a P ermission `exitVM' app ears not to b e eetiv e,  the presene of a manifest with a h uge size in a loaded Jar le in tro dues a dramati slo wdo wn of the JVM when the ar hiv e Manifest is extrated. 
Our implementation shows that a simple patch can correct this. A flaw has also been identified in GNU Classpath, which is an open source implementation of the Java classes. GNU Classpath is used in conjunction with the JamVM Virtual Machine and targets resource-limited devices:
- the presence of a manifest with a huge size in a loaded Jar file introduces a dramatic slowdown of the JVM when the corresponding JarFile object is created, even though the Manifest stays unused.

Requirements for programming secure OSGi systems have been identified. First, a hardened version of the OSGi Platform is needed to prevent most of the identified vulnerabilities from being exploited. However, since such a platform will take time to develop and validate, a pragmatic approach is to be taken. First, tools should be developed to ease the management of current security mechanisms such as Java Permissions, which are currently not adapted to dynamic systems. Secondly, developers need to keep in mind what the OSGi vulnerabilities are: this is made possible by the Seven Deadly Sins of the OSGi R4 Platform.

5 Conclusions

The objective of our study is to improve the dependability level of the OSGi platform, as well as the knowledge that is available relative to the vulnerabilities of the OSGi Platform. This improvement is achieved through four complementary contributions. First, we define a method for analyzing the security status of software systems, based on a specific Software Vulnerability Pattern. Secondly, we provide a vulnerability catalog that identifies a set of vulnerabilities, and the key properties for understanding (and preventing) them. Thirdly, we developed a hardened OSGi Platform, SFelix v0.2 (22), that provides proof-of-concept protection mechanisms.
Finally, we issue a set of recommendations for the OSGi Specification that integrate these protection mechanisms.

Our study is centered on the OSGi Core specification, and does not take into account several mechanisms that are, or can be, often used together with OSGi platforms. In particular, management facilities such as JVMTI, and with less impact JMX, have not been studied. OSGi standard services have not been considered either, and service engineering questions have been neglected. These three elements will require further work, and will likely enrich our vulnerability catalog.

A side-effect achievement of our study is to precisely identify the requirements in terms of research and development, so as to provide OSGi platforms that are actually robust, and not just partially hardened. Static code analysis seems very promising, but suffers from significant theoretical limitations, especially in the world of object-oriented languages. Convenient permission management, and proper resource isolation in Java multi-application systems, are also a strong need on the road toward OSGi security.

The present study provides a pragmatic approach to software security concerns, targeted at the world of OSGi Platforms. It presents an important step toward a better understanding of OSGi-related security, and helps practitioners implement safer systems by providing a hardened OSGi prototype, SFelix v0.2. An important research effort is still required to provide an OSGi platform whose security mechanisms can be said to be complete.

22. http://sfelix.gforge.inria.fr/

References

[ACD+75] R. P. Abbott, J. S. Chin, J. E. Donnelley, W. L. Konigsford, S. Tokubo, and D. A. Webb. Security analysis and enhancements of computer operating systems. Technical report, National Bureau of Standards, Washington DC, Institute for Computer Sciences and Technology, December 1975.
[AJB00] A. Avizienis, J. C. Laprie, and B. Randell. Fundamental concepts of dependability. Technical Report No 00493, LAAS (Toulouse, France), 2000. 3rd Information Survivability Workshop (ISW'2000), Boston (USA), 24-26 October 2000, pp. 7-12.
[Ale77] Christopher Alexander. A Pattern Language. Oxford University Press, 1977.
[BAT06] Anil Bazaz, James D. Arthur, and Joseph G. Tront. Modeling security vulnerabilities: A constraints and assumptions perspective. In 2nd IEEE International Symposium on Dependable, Autonomic and Secure Computing (DASC'06), 2006.
[BCHM99] David W. Baker, Steven M. Christey, William H. Hill, and David E. Mann. The development of a common enumeration of vulnerabilities and exposures. In Second International Workshop on Recent Advances in Intrusion Detection, 1999.
[BG05] Joshua Bloch and Neal Gafter. Java Puzzlers: Traps, Pitfalls and Corner Cases. Pearson Education, June 2005.
[BH78] Richard Bisbey and Dennis Hollingworth. Protection analysis: Final report. Technical Report ARPA ORDER NO. 2223, ISI/SR-78-13, Information Sciences Institute, University of Southern California, May 1978.
[Blo01] Joshua Bloch. Effective Java Programming Language Guide. Addison-Wesley Professional, 2001.
[Chr05] Steve Christey. The preliminary list of vulnerability examples for researchers (PLOVER). In NIST Workshop Defining the State of the Art of Software Security Tools, Gaithersburg, MD, August 2005.
[Chr06] Steven M. Christey. Open letter on the interpretation of "vulnerability statistics". Bugtraq, Full-Disclosure mailing list, January 2006.
[CO05] D. Crocker and P. Overell. Augmented BNF for syntax specifications: ABNF. IETF RFC 4234, October 2005.
[GHJV94] Erich Gamma, Richard Helm, Ralph Johnson, and John M. Vlissides. Design Patterns: Elements of Reusable Object-Oriented Software. Addison-Wesley Professional Computing Series. Addison-Wesley Professional, 1994.
[GW05] Michael Gegick and Laurie Williams. Matching attack patterns to security vulnerabilities in software-intensive system designs. ACM SIGSOFT Software Engineering Notes, 30(4), July 2005.
[HL98] John D. Howard and Thomas A. Longstaff. A common language for computer security incidents. Technical Report SAND98-8667, Sandia National Laboratories, USA, October 1998.
[HLV05] Michael Howard, David LeBlanc, and John Viega. 19 Deadly Sins of Software Security. McGraw-Hill Osborne Media, July 2005.
[Krs98] Ivan Victor Krsul. Software Vulnerability Analysis. PhD thesis, Purdue University, May 1998.
[LBMC94] Carl E. Landwehr, Alan R. Bull, John P. McDermott, and William S. Choi. A taxonomy of computer program security flaws, with examples. In ACM Computing Surveys, volume 26, pages 211-254, September 1994.
[LJ97] Ulf Lindqvist and Erland Jonsson. How to systematically classify computer security intrusions. In IEEE Symposium on Security and Privacy, pages 154-163, May 1997.
[MG06] Gary McGraw. Software Security: Building Security In. Pearson Education, January 2006.
[MCJ05] Robert A. Martin, Steven M. Christey, and Joe Jarzombek. The case for common flaw enumeration. In NIST Workshop on "Software Security Assurance Tools, Techniques, and Methods", Long Beach, CA, USA, November 2005.
[MEL01] Andrew P. Moore, Robert J. Ellison, and Richard C. Linger. Attack modeling for information security and survivability. Technical Report CMU/SEI-2001-TN-001, CMU/SEI, March 2001.
[MM97] Thomas J. Mowbray and Raphael C. Malveau. CORBA Design Patterns. John Wiley & Sons, January 1997.
[Nec97] George C. Necula. Proof-carrying code. In Conference Record of POPL '97: The 24th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, pages 106-119, Paris, France, January 1997.
[OSG05] OSGi Alliance. OSGi Service Platform, Core Specification Release 4. Draft, July 2005.
[PF06] Pierre Parrend and Stephane Frenot. Secure component deployment in the OSGi(tm) release 4 platform. Technical Report RT-0323, INRIA, June 2006.
[PF07] Pierre Parrend and Stephane Frenot. Supporting the secure deployment of OSGi bundles. In First IEEE WoWMoM Workshop on Adaptive and DependAble Mission- and BUsiness-critical mobile Systems, Helsinki, Finland, June 2007.
[Sch03] Markus Schumacher. Security Engineering with Patterns. Springer Verlag, 2003. LNCS n° 2754.
[SH05] Robert C. Seacord and Allen Householder. A structured approach to classifying security vulnerabilities. Technical Report CMU/SEI-2005-TN-003, Carnegie Mellon University, Software Engineering Institute, January 2005.
[SS73] Jerome H. Saltzer and Michael D. Schroeder. The protection of information in computer systems. In Fourth ACM Symposium on Operating System Principles, October 1973.
[Sun03] Sun Microsystems, Inc. JAR file specification. Sun Java Specifications, 2003.
[TCM05] Katrina Tsipenyuk, Brian Chess, and Gary McGraw. Seven pernicious kingdoms: A taxonomy of software security errors. IEEE Security & Privacy, 3(6):81-84, November/December 2005.
[WKP05] Sam Weber, Paul A. Karger, and Amit Paradkar. A software flaw taxonomy: Aiming tools at security. In Software Engineering for Secure Systems: Building Trustworthy Applications, June 2005.

A The OSGi platform

The OSGi Platform (23) [OSG05] is a componentization layer to the Java Virtual Machine. It supports the run time extension of Java-based applications through a modular approach: the applications are split into `bundles', which can be loaded, installed and managed independently from each other. In this section, we present first an overview of the OSGi Platform, then the core concepts of OSGi: the bundles and their Life Cycle, and the possible interactions between bundles.

A.1 Overview

The OSGi Platform has been developed so as to support extensible Java-based systems in resource-constrained systems, such as automotive and mobile environments. It has since then spread into the world of Integrated Development Applications (in particular with Eclipse), and into application servers (IBM WebSphere 6.1, Harmony, Cocoon, Directory...). It runs as an overlay to the Java Virtual Machine (JVM). Figure 13 shows the overview of an OSGi-based system, with the Operating System (OS), the JVM, the platform itself, and the bundles it contains.

[Figure 13: Overview of an OSGi Platform]

Three main concepts sustain the OSGi platform: the platform, the bundle, and the interoperability between the bundles. The Platform manages the applications. The bundles are the unit of deployment and execution. The interoperability between the bundles is achieved at the class level (access to packages from other bundles) and at the service level (access to services registered by other bundles).

A.2 The Bundles

An OSGi bundle is a Jar file [Sun03] which is enhanced by specific meta-data. The typical structure of a bundle is shown in Figure 14. The META-INF/MANIFEST.MF file contains the necessary OSGi meta-data: the bundle reference name (the `symbolic name'), its version, the dependencies and the provided resources. Some packages are exported, i.e. accessible from other bundles inside the platform.

23. http://www.osgi.org/
The ativ ator is used b y the platform as an initial b o otstrap when the bundle is started. P a k ages an b e exp orted. Servies an b e registered, so as to b e a v ailable for other bundles. Figure 14: In tern Struture of an OSGi bundle Ea h bundle has a restrited view on the OSGi platform: the OSGi Con text, whi h is transmitted to the bundle ativ ator at start time. This on text referene is needed to publish and lo ok-up for servies. It also supp orts the aess to the managemen t funtionalities of the platform. The OSGi bundles an also aess the Op erating System of the ma hine it is running on through nativ e libraries. This p ossibilit y is not sp ei to the OSGi en vironmen t, sine it relies on the Ja v a Run time API, but it allo ws the bundles to break their isolation. The Life Cyle of a bundle inside the OSGi Platform is dened as follo ws. The bundle m ust rst b e installed. When it is required to start, the pa k age-lev el dep endenies with other bundles are resolv ed. When all dep endenies are resolv ed, the bundle ativ ator is laun hed: the sta rt() metho d is alled, and the related o de is exeuted. T ypially , these op erations onsist in onguration and publiation of servies. The bundle is then in the `started' state. Up dating, stopping and uninstalling build the last p ossible op erations for bundle managemen t The gure 15 sho ws the Life Cyle of a bundle inside a OSGi Platform. A.3 In terations b et w een Bundles The in terations b et w een the bundles are done through t w o omplemen tary me hanisms: the pa k age exp ort/imp ort and the servie registration lo okup failit y . These me hanisms are sho wn in the gure 16 . The publiation and lo okup of servies are p erformed through the BundleCon text refer- ene that ea h bundle reeiv es ar startup time. 
During the publiation pro ess, the adv er- tising bundles registers a servie b y publishing a Ja v a in terfae it is implemen ting, and b y pro viding a lass implemen ting this in terfae. The lo okup is p erformed b y the lien t bundle, whi h gets the servie from the BundleCon text and uses it as a standard Ja v a ob jet. INRIA OSGi V ulner abilities 39 Figure 15: Life Cyle of an OSGi Bundles inside the platform Figure 16: In teration Me hanisms b et w een the OSGi Bundles B V ulnerabilities List The most ommon V ulnerabilit y Lists presen ted in the setion 2.2 are giv en here. B.1 The Lindqvist Classiation The omputer seurit y in trusions iden tied b y Lindqvist [ LJ97 ℄ are the follo wing:  external misuse (not te hnial),  hardw are misuse,  masquerading,  setting up subsequen t misuse,  b ypassing in tended on trols, RR n ° 6231 40 Parr end & F r énot  ativ e misuse of resoure,  passiv e misuse of resoure,  misuse resulting from ination,  use of an indiret aid in ommitting other misuse. B.2 Common W eaknesses En umeration (CWE) The ategories dened in the Common W eaknesses En umeration [ MCJ05 ℄ are the follo wing:  Buer o v ero ws, format strings, et. 
[BUFF℄;  Struture and V alidit y Problems;[SVM℄;  Sp eial Elemen ts [SPEC℄;  Common Sp eial Elemen t Manipulations[SPECM℄;  T e hnology-Sp ei Sp eial Elemen ts[SPECTS℄;  P athname T ra v ersal and Equiv alene Errors [P A TH℄;  Channel and P ath Errors [CP℄;  Information Managemen t Errors [INF O℄;  Rae Conditions [RA CE℄;  P ermissions, Privileges, and A CLs [PP A℄;  Handler Errors [HAND℄;  User In terfae Errors [UI℄;  In teration Errors [INT℄;  Initialization and Clean up Errors [INIT℄;  Resoure Managemen t Errors [RES℄;  Numeri Errors [NUM℄;  Authen tiation Error [A UTHENT℄;  Cryptographi errors [CR YPTO℄;  Randomness and Preditabilit y [RAND℄;  Co de Ev aluation and Injetion [CODE℄;  Error Conditions, Return V alues, Status Co des [ERS℄;  Insuien t V eriation of Data [VER℄;  Mo diation of Assumed-Imm utable Data [MAID℄;  Pro dut-Em b edded Maliious Co de [MAL℄;  Common A tta k Mitigation F ailures [A TTMIT℄;  Con tainmen t errors (on tainer errors) [CONT℄;  Misellaneous WIFF s [MISC℄. B.3 Nineteen Dealy Sins The 19 Deadly Sins dened b y Ho w ard [ HL V05 ℄ are the follo wing:  buer o v ero ws,  ommand injetion, INRIA OSGi V ulner abilities 41  Cross-site sripting (XSS),  format string problems,  in teger range error,  SQL injetion,  trusting net w ork address information,  failing to protet net w ork tra,  failing to store and protet data,  failing to use ryptographially strong random n um b ers,  improp er le aess,  improp er use of SSL,  use of w eak passw ord-based systems,  unauthen tiated k ey ex hange,  signal rae ondition,  use of 'magi' URLs and hidden forms,  failure to handle errors,  p o or usabilit y ,  information leak age. 
B.4 OWASP Top Ten

The OWASP Top Ten Vulnerability list for 2007 is the following (24):
- Cross Site Scripting (XSS)
- Injection Flaws
- Malicious File Execution
- Insecure Direct Object Reference
- Cross Site Request Forgery (CSRF)
- Information Leakage and Improper Error Handling
- Broken Authentication and Session Management
- Insecure Cryptographic Storage
- Insecure Communications
- Failure to Restrict URL Access

24. http://www.owasp.org/index.php/Top_10_2007-WIKI-FORMAT-TEST

B.5 Seven Kingdoms

The Seven Kingdoms defined by Gary McGraw [MG06] are the following. Note that each Kingdom contains a certain number of Phyla, which give more precise hints as to the actual vulnerabilities.
- Input Validation and Representation,
- API Abuse,
- Security Features,
- Time and State,
- Error Handling,
- Code Quality,
- Encapsulation,
- plus Environment.

C Formal Expression of the Vulnerability Pattern

This section presents the Vulnerability Pattern in the Augmented Backus-Naur Form (ABNF) [CO05]. The current grammar is not meant to be closed: it reflects the knowledge relative to the considered vulnerabilities at a given time. It can be extended with additional attribute values. The catalog of the OSGi Malicious Bundles is referred to as the `mb' catalog.
V ulnerabilit y Referene  VULNERABILITY_NAME ::= text  IDENTIFIER ::= CA T ALOG_ID.SR C_REF.ID with: CA T ALOG_ID ::= m b SR C_REF ::= ar hiv e|ja v a|nativ e|osgi ID ::= (0-9)*  ORIGIN ::= text  LOCA TION ::= Bundle ( Ar hiv e | Manifest | A tiv ator | F ragmen t ) | Appliation Co de - ( Nativ e Co de | Ja v a ( Co de | API ) | OSGi API )  SOUR CE ::= (ENTITY ( FUNCTIONNALITY | FLA W ;)+;)+ with ENTITY ::= OS | JVM - ( Run time API | APIs )| OSGi Platform - (( Mo dule | Life-Cyle | Servie ) La y er | Bundle Rep ository Clien t )| Appliation Co de FUNCTIONNALITY ::= Kill utilit y | V alue of Metho d P arameters | ( System.exit | Run time.halt ) metho d | Nativ e Co de Exeution | Thread API | Reetion API | ClassLoader API | File API | Ja v a Ar hiv e | Bundle Managemen t | Bundle F ragmen ts and: FLA W ::= No Algorithm Safet y - ( Ja v a | Nativ e Co de )| Non OSGi R4-omplian t Digital Signature V alidation in the JVM | No V eriation of Bundle Ar hiv e V alidit y | No Che k of Size of Loaded Bundles | No Che k of Size of stored Data | No safe Bundle Start | No Remo v al of Uninstalled Bundle Data | Bundle Meta-data Handling - No Safe-Default | Unon trolled Servie Registration | Ar hiteture of the Appliation - No V alidation of Servie Dep endeny  T AR GET ::= Platform | OSGi Elemen t - ( Platform Managemen t Utilit y | Bundle | Servie|P a k age )  CONSEQUENCE_TYPE ::= ( Una v ailabilit y | P erformane Breakdo wn | Undue A - ess )( - ( Platform | Servie | P a k age )(, ( Platform | Servie | P a k age ))*)? 
- INTRODUCTION_TIME ::= Platform Design or Implementation | Development | Bundle Meta-data Generation | Bundle Digital Signature | Installation | Service Publication or Resolution
- EXPLOIT_TIME ::= Download | Installation | Bundle Start | Execution

Vulnerability Description
- DESCRIPTION ::= text
- PRECONDITIONS ::= text
- ATTACK_PROCESS ::= text
- CONSEQUENCE_DESCRIPTION ::= text
- SEE_ALSO ::= VULNERABILITY_NAME (, VULNERABILITY_NAME)*

Vulnerability Implementation
- CODE_REFERENCE ::= FILE_NAME
  with FILE_NAME the name of a file, as defined by Unix File Names
- OSGI_PROFILE ::= CDC-1.0/Foundation-1.0 | OSGi/Minimum-1.1 | JRE-1.1 | J2SE-1.2 | J2SE-1.3 | J2SE-1.4 | J2SE-1.5 | J2SE-1.6 | PersonalJava-1.1 | PersonalJava-1.2 | CDC-1.0/PersonalBasis-1.0 | CDC-1.0/PersonalJava-1.0
- DATE ::= MONTH.DAY.YEAR
  with MONTH ::= (1-12), DAY ::= (1-31), YEAR ::= (0-3000)
- TEST_COVERAGE ::= (0-100) %
- TESTED_ON ::= Oscar | Felix | Knopflerfish | Equinox

Protection
- EXISTING_MECHANISMS ::= Java Permissions | OSGi AdminPermission | SFelix OSGi Security Layer | -
- ENFORCEMENT_POINT ::= Platform startup | Bundle Installation | -
- POTENTIAL_MECHANISMS ::= (POTENTIAL_MECHANISM_NAME (POTENTIAL_MECHANISM_DESCR)?)+
  with POTENTIAL_MECHANISM_NAME ::= Code static Analysis | OSGi Platform Modification - ( Bundle Startup Process | Installation Meta-data Handling | Service Publication ) | Bundle size control before download | Service-level dependency validation | Resource Control and Isolation - ( CPU | Memory | Disk Space ) | Access Control - FileSystem | Miscellaneous | -
  and POTENTIAL_MECHANISM_DESCR ::= text
- ATTACK_PREVENTION ::= Stop an ill-behaving thread | -
- REACTION ::= Uninstall the malicious bundle | Erase files | Stop the system process | Restart the platform | -

D Vulnerability Catalog

D.1 Bundle Archive

D.1.1 Invalid Digital Signature Validation

Vulnerability Reference
- Vulnerability Name: Invalid Digital Signature Validation
- Identifier: Mb.archive.1
- Origin: Ares research project `malicious-bundle'
- Location of Exploit Code: Bundle Archive
- Source: OSGi Platform - Life-Cycle Layer (Non OSGi R4-compliant Digital Signature Validation in the JVM)
- Target: Platform
- Consequence Type: Undue Access
- Introduction Time: Bundle Digital Signature
- Exploit Time: Installation

Vulnerability Description
- Description: A bundle whose signature is NOT compliant with the OSGi R4 Digital Signature is installed on the platform
- Preconditions: No Digital Signature Validation, or a Digital Signature Validation Process that relies on the Java JarFile API to perform the validation of the digital signature. The bundle signature must be non OSGi R4 compliant in one of the following ways: resources have been removed from the archive; resources have been added; the first resources in the archive are NOT the Manifest File, the Signature File and the Signature Block file, in this order (see [PF06]).
 A tta k Pro ess: Install a bundle with an in v alid digital signature (see preonditions)  Consequene Desription: -  See Also: - Protetion  Existing Me hanisms: SF elix OSGi Seurit y La y er  Enforemen t P oin t: Bundle Installation  P oten tial Me hanisms: -  A tta k Prev en tion: -  Reation: Uninstall the maliious bundle V ulnerabilit y Implemen tation  Co de Referene: Bindex-resoureRemo v ed-1.0.jar, bindex-resouresA dded-1.0.jar, bindex-un v alidResoureOrder-1.0.jar RR n ° 6231 46 Parr end & F r énot  OSGi Prole: J2SE-1.5  Date: 2007-04-25  T est Co v erage: 100%  Kno wn V ulnerable Platforms: F elix  Kno wn Robust Platforms: SF elix INRIA OSGi V ulner abilities 47 D.1.2 Big Comp onen t Installer V ulnerabilit y Referene  V ulnerabilit y Name: Big Comp onen t Installer  Iden tier: Mb.ar hiv e.2  Origin: Ares resear h pro jet `maliious-bundle'  Lo ation of Exploit Co de: Bundle Ar hiv e  Soure: OSGi Platform - Bundle Rep ository Clien t (No Che k of Size of Loaded Bundles)  T arget: Platform  Consequene T yp e: P erformane Breakdo wn  In tro dution Time: Platform Design or Implemen tation  Exploit Time: Exeution V ulnerabilit y Desription  Desription: Remote installation of a bundle whi h size is of similar to the a v ailable devie memory  Preonditions: OSGi platform running on a memory limited devie  A tta k Pro ess: -  Consequene Desription: Little memory is a v ailable for subsequen t op erations  See Also: Big File Creator Protetion  Existing Me hanisms: OSGi A dminP ermission  Enforemen t P oin t: -  P oten tial Me hanisms: Bundle size on trol b efore do wnload  A tta k Prev en tion: -  Reation: - V ulnerabilit y Implemen tation  Co de Referene: -  OSGi Prole: J2SE-1.5  Date: 2007-02-20  T est Co v erage: 00% RR n ° 6231 48 Parr end & F r énot D.1.3 Deompression Bom b V ulnerabilit y Referene  V ulnerabilit y Name: Deompression Bom b  Iden tier: Mb.ar hiv e.3  
Origin: Ares resear h pro jet `maliious-bundle'  Lo ation of Exploit Co de: Bundle Ar hiv e  Soure: OSGi Platform - Life-Cyle La y er (No V eriation of Bundle Ar hiv e V alid- it y)  T arget: Platform  Consequene T yp e: P erformane Breakdo wn  In tro dution Time: Dev elopmen t  Exploit Time: Exeution V ulnerabilit y Desription  Desription: The Bundle Ar hiv e is a deompression Bom b (either a h uge le made of iden tial b ytes, or a reursiv e ar hiv e)  Preonditions: -  A tta k Pro ess: Pro vide a Bundle Ar hiv e that is a deompression Bom b for instal- lation (on a OBR, et.)  Consequene Desription: Imp ortan t onsumption of CPU or memory .  See Also: - Protetion  Existing Me hanisms: -  Enforemen t P oin t: -  P oten tial Me hanisms: OSGi Platform Mo diation - Bundle Startup Pro ess (Che k that the Bundle is not a Deompression Bom b ar hiv e)  A tta k Prev en tion: -  Reation: - V ulnerabilit y Implemen tation  Co de Referene: F r.inria.ares.deompression b om b-0.1.jar  OSGi Prole: J2SE-1.5  Date: 2007-04-20  T est Co v erage: 50% INRIA OSGi V ulner abilities 49 D.2 Bundle Manifest D.2.1 Dupliate P a k age Imp ort V ulnerabilit y Referene  V ulnerabilit y Name: Dupliate P a k age Imp ort  Iden tier: Mb.osgi.1  Origin: Ares resear h pro jet `maliious-bundle'  Lo ation of Exploit Co de: Bundle Manifest  Soure: OSGi Platform - Mo dule La y er (Bundle Meta-data Handling - No Safe- Default)  T arget: OSGi Elemen t - Bundle  Consequene T yp e: Una v ailabilit y  In tro dution Time: Bundle Meta-data Generation  Exploit Time: Installation V ulnerabilit y Desription  Desription: A pa k age is imp orted t wie (or more) aording to manifest attribute 'Imp ort-P a k age'. 
In the F elix and Knopersh OSGi implemen tations, the bundle an not b e installed  Preonditions: -  A tta k Pro ess: -  Consequene Desription: -  See Also: Exessiv e Size of Manifest File, Un v alid A tiv ator Meta-data, Erroneous v alues of Manifest attributes, Insuien t User Meta-data Protetion  Existing Me hanisms: -  Enforemen t P oin t: -  P oten tial Me hanisms: OSGi Platform Mo diation - Installation Meta-data Han- dling (ignore the rep eated imp orts during OSGi metadata analysis)  A tta k Prev en tion: -  Reation: - V ulnerabilit y Implemen tation  Co de Referene: F r.inria.ares.dupliateimp ort-0.1.ja  OSGi Prole: J2SE-1.5  Date: 2006-10-28  T est Co v erage: 100%  Kno wn V ulnerable Platforms: F elix; Knopersh  Kno wn Robust Platforms: Equino x; Conierge; SF elix RR n ° 6231 50 Parr end & F r énot D.2.2 Exessiv e Size of Manifest File V ulnerabilit y Referene  V ulnerabilit y Name: Exessiv e Size of Manifest File  Iden tier: Mb.osgi.2  Origin: Ares resear h pro jet `maliious-bundle'  Lo ation of Exploit Co de: Bundle Manifest  Soure: OSGi Platform - Mo dule La y er (Bundle Meta-data Handling - No Safe- Default)  T arget: OSGi Elemen t - Bundle  Consequene T yp e: Una v ailabilit y  In tro dution Time: Bundle Meta-data Generation  Exploit Time: Installation V ulnerabilit y Desription  Desription: A bundle with a h uge n um b er of (similar) pa k age imp orts (more than 1 Mb yte)  Preonditions: -  A tta k Pro ess: Insert a big n um b er of imp orts in the manifest le of the bundle  Consequene Desription: In the F elix and Knopersh implemen tations, the laun her pro ess tak es a long time (sev eral min utes) to parse the metadata le  See Also: Dupliate P a k age Imp ort, Un v alid A tiv ator Meta-data, Erroneous v alues of Manifest attributes, Insuien t User Meta-data Protetion  Existing Me hanisms: -  Enforemen t P oin t: -  P oten tial Me hanisms: OSGi Platform Mo 
diation - Installation Meta-data Han- dling ( he k the size of manifest b efore the installation; more generally ,  he k the format of the manifest size b efore the installation)  A tta k Prev en tion: -  Reation: - V ulnerabilit y Implemen tation  Co de Referene: F r.inria.ares.h ugemanifest-0.1.jar  OSGi Prole: J2SE-1.5  Date: 2006-10-28  T est Co v erage: 100%  Kno wn V ulnerable Platforms: F elix; Knopersh; Conierge  Kno wn Robust Platforms: SF elix; Equino x INRIA OSGi V ulner abilities 51 D.2.3 Erroneous v alues of Manifest attributes V ulnerabilit y Referene  V ulnerabilit y Name: Erroneous v alues of Manifest attributes  Iden tier: Mb.osgi.3  Origin: Ares resear h pro jet `maliious-bundle'  Lo ation of Exploit Co de: Bundle Manifest  Soure: OSGi Platform - Mo dule La y er (Bundle Meta-data Handling - No Safe- Default)  T arget: OSGi Elemen t - Bundle  Consequene T yp e: Una v ailabilit y  In tro dution Time: Bundle Meta-data Generation  Exploit Time: Installation V ulnerabilit y Desription  Desription: A bundle that pro vides false meta-data, in this example an non existen t bundle up date lo ation  Preonditions: -  A tta k Pro ess: Set a false v alue for a giv en meta-data en try  Consequene Desription: The ations that rely on the meta-data an not b e exeuted (here, no up date p ossible)  See Also: Dupliate Imp ort, Exessiv e Size of Manifest File Protetion  Existing Me hanisms: -  Enforemen t P oin t: -  P oten tial Me hanisms: OSGi Platform Mo diation - Installation Meta-data Han- dling ( he k the format of the manifest size b efore the installation, and pro vide failsafe default)  A tta k Prev en tion: -  Reation: - V ulnerabilit y Implemen tation  Co de Referene: F r.inria.ares.malformedup datelo ation-0.1.jar  OSGi Prole: J2SE-1.5  Date: 2006-10-28  T est Co v erage: 10%  Kno wn V ulnerable Platforms: F elix; Equino x; Knopersh; Conierge; SF elix RR n ° 6231 52 Parr end 
D.3 Bundle Activator

D.3.1 Management Utility Freezing - Infinite Loop

Vulnerability Reference
- Vulnerability Name: Management Utility Freezing - Infinite Loop
- Extends: Infinite Loop in Method Call
- Identifier: Mb.osgi.4
- Origin: Ares research project 'malicious-bundle'
- Location of Exploit Code: Bundle Activator
- Source: OSGi Platform - Life-Cycle Layer (No safe Bundle Start)
- Target: OSGi Element - Platform Management Utility
- Consequence Type: Performance Breakdown; Unavailability
- Introduction Time: Development
- Exploit Time: Bundle Start

Vulnerability Description
- Description: An infinite loop is executed in the Bundle Activator
- Preconditions: -
- Attack Process: An infinite loop is executed in the Bundle Activator
- Consequence Description: Blocks the OSGi Management entity (the Felix, Equinox or Knopflerfish shell; when launched in the KF graphical interface, the shell remains available but the GUI is frozen).
Beause of the innite lo op, most CPU resoure is onsumed  See Also: CPU Load Injetion, Innite Lo op in Metho d Call, Stand Alone Innite Lo op, Hanging Thread Protetion  Existing Me hanisms: -  Enforemen t P oin t: -  P oten tial Me hanisms: Co de stati Analysis ; Resoure Con trol and Isolation - CPU ; OSGi Platform Mo diation - Bundle Startup Pro ess (laun h the bundle a- tiv ator in a separate thread to prev en t startup hanging)  A tta k Prev en tion: -  Reation: - V ulnerabilit y Implemen tation  Co de Referene: F r.inria.ares.innitelo opinmetho dall-0.1.jar  OSGi Prole: J2SE-1.5  Date: 2006-08-24 INRIA OSGi V ulner abilities 53  T est Co v erage: 10%  Kno wn V ulnerable Platforms: F elix; Equino x; Knopersh; Conierge  Kno wn Robust Platforms: SF elix RR n ° 6231 54 Parr end & F r énot D.3.2 Managemen t Utilit y F reezing - Thread Hanging V ulnerabilit y Referene  V ulnerabilit y Name: Managemen t Utilit y F reezing - Thread Hanging  Extends: Hanging Thread  Iden tier: Mb.osgi.5  Origin: Ares resear h pro jet `maliious-bundle'  Lo ation of Exploit Co de: Bundle A tiv ator  Soure: OSGi Platform - Life-Cyle La y er (No safe Bundle Start)  T arget: OSGi Elemen t - Platform Managemen t Utilit y  Consequene T yp e: Una v ailabilit y  In tro dution Time: Dev elopmen t  Exploit Time: Bundle Start V ulnerabilit y Desription  Desription: A hanging thread in the Bundle A tiv ator mak es the managemen t utilit y freeze  Preonditions: -  A tta k Pro ess: -  Consequene Desription: Blo  k the OSGi Managemen t en tit y (the felix, equino x or knopersh shell; when laun hed in the KF graphial in terfae, the shell remain a v ailable but the GUI is frozen). 
- See Also: Management Utility Freezing - Infinite Loop, Hanging Thread

Protection
- Existing Mechanisms: -
- Enforcement Point: -
- Potential Mechanisms: OSGi Platform Modification - Bundle Startup Process (launch the bundle activator in a separate thread); Code Static Analysis
- Attack Prevention: -
- Reaction: -

Vulnerability Implementation
- Code Reference: fr.inria.ares.hangingthread-0.1.jar, fr.inria.ares.hangingthread2-0.1.jar
- OSGi Profile: J2SE-1.5
- Date: 2006-08-24
- Test Coverage: 20%
- Known Vulnerable Platforms: Felix; Equinox; Knopflerfish; Concierge
- Known Robust Platforms: SFelix

D.4 Bundle Code - Native

D.4.1 Runtime.exec.kill

Vulnerability Reference
- Vulnerability Name: Runtime.exec.kill
- Identifier: Mb.native.1
- Origin: Ares research project 'malicious-bundle'
- Location of Exploit Code: Application Code - Native Code
- Source: OS (Kill utility); JVM - Runtime API (Native Code Execution)
- Target: Platform
- Consequence Type: Unavailability
- Introduction Time: Development
- Exploit Time: Execution

Vulnerability Description
- Description: A bundle that stops the execution platform through an OS call
- Preconditions: No SecurityManager, or FilePermission 'execute' on the required utilities (kill, ps, grep, cut)
- Attack Process: Kill the OS process which corresponds to the execution platform; this process is identified as the parent process of the process in which the malicious script is executed
- Consequence Description: The shutdown hooks of the platform are executed
- See Also: System.exit, Runtime.halt, Recursive Thread Creation

Protection
- Existing Mechanisms: Java Permissions
- Enforcement Point: Platform startup
- Potential Mechanisms: Code Static Analysis
- Attack Prevention: -
- Reaction: Restart the platform

Vulnerability Implementation
- Code Reference: fr.inria.ares.runtime_exec_kill-0.1.jar
- OSGi Profile: J2SE-1.5
- Date: 2006-08-21
- Test Coverage: 100%
- Known Vulnerable Platforms: Felix; Equinox; Knopflerfish; Concierge; SFelix

D.4.2 CPU Load Injection

Vulnerability Reference
- Vulnerability Name: CPU Load Injection
- Identifier: Mb.native.2
- Origin: MOSGI, Ares research project
- Location of Exploit Code: Application Code - Native Code
- Source: Application Code (No Algorithm Safety - Native Code); JVM - Runtime API (Native Code Execution)
- Target: Platform
- Consequence Type: Unavailability
- Introduction Time: Development
- Exploit Time: Execution

Vulnerability Description
- Description: A malicious bundle that consumes 80% of the host CPU
- Preconditions: No SecurityManager, or RuntimePermission 'loadLibrary'
- Attack Process: Execute a C call that consumes CPU by switching between CPU-intensive calculation and sleep time, according to the specified ratio
- Consequence Description: Most of the available CPU of the system is consumed artificially
- See Also: Memory Load Injection, Ramping Memory Load Injection, Infinite Loop, Stand-alone Infinite Loop

Protection
- Existing Mechanisms: Java Permissions
- Enforcement Point: Platform startup
- Potential Mechanisms: Miscellaneous (extension of the Java-level security mechanisms to the native code)
- Attack Prevention: -
- Reaction: Uninstall the malicious bundle

Vulnerability Implementation
- Code Reference: fr.inria.ares.cpuloadinjector-0.1.jar
- OSGi Profile: J2SE-1.5
- Date: 2006-08-24
- Test Coverage: 00%
- Known Vulnerable Platforms: Felix; Equinox; Knopflerfish; Concierge; SFelix

D.5 Bundle Code - Java

D.5.1 System.exit

Vulnerability Reference
- Vulnerability Name: System.exit
- Identifier: Mb.java.1
- Origin: Ares research project 'malicious-bundle'
- Location of Exploit Code: Application Code - Java API
 Soure: JVM - Run time API (System.exit metho d)  T arget: Platform  Consequene T yp e: Una v ailabilit y  In tro dution Time: Dev elopmen t  Exploit Time: Exeution V ulnerabilit y Desription  Desription: A bundle that stops the platform b y alling 'System.exit(0)'  Preonditions: No Seurit yManager, or presene of the Run timeP ermission `exitVM'  A tta k Pro ess: -  Consequene Desription: -  See Also: Run time.halt, Exe.Kill, Reursiv e Thread Creation Protetion  Existing Me hanisms: Ja v a P ermissions  Enforemen t P oin t: Platform startup  P oten tial Me hanisms: Co de stati Analysis  A tta k Prev en tion: -  Reation: Restart the platform V ulnerabilit y Implemen tation  Co de Referene: F r.inria.ares.system_exit-0.1.jar  OSGi Prole: J2SE-1.5  Date: 2006-08-11  T est Co v erage: 100%  Kno wn V ulnerable Platforms: F elix; Equino x; Knopersh; Conierge; SF elix RR n ° 6231 58 Parr end & F r énot D.5.2 Run time.halt V ulnerabilit y Referene  V ulnerabilit y Name: Run time.halt  Iden tier: Mb.ja v a.2  Origin: Ares resear h pro jet `maliious-bundle'  Lo ation of Exploit Co de: Appliation Co de - Ja v a API  Soure: JVM - Run time API (Run time.halt metho d)  T arget: Platform  Consequene T yp e: Una v ailabilit y  In tro dution Time: Dev elopmen t  Exploit Time: Exeution V ulnerabilit y Desription  Desription: A bundle that stops the platform b y alling 'Run time.getRun time.halt(0)'  Preonditions: No Seurit yManager, or Run timeP ermission `exitVM'  A tta k Pro ess: -  Consequene Desription: The sh utdo wn ho oks are b y-passed  See Also: System.exit, Exe.Kill, Reursiv e Thread Creation Protetion  Existing Me hanisms: Ja v a P ermissions  Enforemen t P oin t: Platform startup  P oten tial Me hanisms: Co de stati Analysis  A tta k Prev en tion: -  Reation: Restart the platform V ulnerabilit y Implemen tation  Co de Referene: F r.inria.ares.run time_halt-0.1.jar  OSGi 
Prole: J2SE-1.5  Date: 2006-08-11  T est Co v erage: 100%  Kno wn V ulnerable Platforms: F elix; Equino x; Knopersh; Conierge; SF elix INRIA OSGi V ulner abilities 59 D.5.3 Reursiv e Thread Creation V ulnerabilit y Referene  V ulnerabilit y Name: Reursiv e Thread Creation  Iden tier: Mb.ja v a.3  Origin: Ares resear h pro jet `maliious-bundle'  Lo ation of Exploit Co de: Appliation Co de - Ja v a API  Soure: JVM - APIs (Thread API); Appliation Co de (No Algorithm Safet y - Ja v a)  T arget: Platform  Consequene T yp e: Una v ailabilit y  In tro dution Time: Dev elopmen t  Exploit Time: Exeution V ulnerabilit y Desription  Desription: The exeution platform is brough t to rash b y the reation of an exp o- nen tial n um b er of threads  Preonditions: -  A tta k Pro ess: Ea h thread reated b y the atta k bundle reates three other threads, and on tains a relativ ely small pa yload (a p df le). An exessiv e n um b er of Sta kOv ero wErrors auses an OutOfMemoryError  Consequene Desription: -  See Also: System.exit, Run time.halt, Exe.kill, Exp onen tial Ob jet Creation Protetion  Existing Me hanisms: -  Enforemen t P oin t: -  P oten tial Me hanisms: -  A tta k Prev en tion: Stop the ill-b eha ving thread  Reation: Restart the platform V ulnerabilit y Implemen tation  Co de Referene: F r.inria.ares.exp onen tialthreadn um b er-0.1.jar  OSGi Prole: J2SE-1.5  Date: 2006-08-21  T est Co v erage: 50%  Kno wn V ulnerable Platforms: F elix; Equino x; Knopersh; Conierge; SF elix RR n ° 6231 60 Parr end & F r énot D.5.4 Hanging Thread V ulnerabilit y Referene  V ulnerabilit y Name: Hanging Thread  Iden tier: Mb.ja v a.4  Origin: Ja v a puzzlers 77, 85 [ BG05 ℄  Lo ation of Exploit Co de: Appliation Co de - Ja v a API  Soure: JVM - APIs (Thread API); Appliation Co de (V alue of Metho d P arameters)  T arget: OSGi Elemen t - Servie; OSGi Elemen t - P a k age  Consequene T yp e: Una v 
ailabilit y  In tro dution Time: Dev elopmen t  Exploit Time: Exeution V ulnerabilit y Desription  Desription: Thread that mak e the alling en tit y hang (servie, or pa k age)  Preonditions: -  A tta k Pro ess: Use the Thread.sleep all with a large sleep duration to mak e the exeution hang  Consequene Desription: If the sleep all is p erformed in a syn hronized blo  k, the SIG_KILL (Ctrl+C) signal is augh t b y the platform  See Also: Innite Startup Lo op Protetion  Existing Me hanisms: -  Enforemen t P oin t: -  P oten tial Me hanisms: Co de stati Analysis  A tta k Prev en tion: -  Reation: - V ulnerabilit y Implemen tation  Co de Referene: F r.inria.ares.hangingthread-0.1.jar, fr.inria.ares.hangingthread2- 0.1.jar  OSGi Prole: J2SE-1.5  Date: 2006-08-28  T est Co v erage: 20%  Kno wn V ulnerable Platforms: F elix; Equino x; Knopersh; Conierge; SF elix INRIA OSGi V ulner abilities 61 D.5.5 Sleeping Bundle V ulnerabilit y Referene  V ulnerabilit y Name: Sleeping Bundle  Iden tier: Mb.ja v a.5  Origin: Ares resear h pro jet `maliious-bundle'  Lo ation of Exploit Co de: Appliation Co de - Ja v a API  Soure: JVM - APIs (Thread API)  T arget: OSGi Elemen t - Servie; OSGi Elemen t - P a k age  Consequene T yp e: P erformane Breakdo wn  In tro dution Time: Dev elopmen t  Exploit Time: Exeution V ulnerabilit y Desription  Desription: A maliious bundle that go es to sleep during a sp eied amoun t of time b efore ha ving nished its job (exp eriene time is 50 se.) 
 Preonditions: -  A tta k Pro ess: -  Consequene Desription: -  See Also: Hanging Thread Protetion  Existing Me hanisms: -  Enforemen t P oin t: -  P oten tial Me hanisms: Co de stati Analysis  A tta k Prev en tion: -  Reation: - V ulnerabilit y Implemen tation  Co de Referene: F r.inria.ares.sleepingbundle-0.1.jar  OSGi Prole: J2SE-1.5  Date: 2006-08-28  T est Co v erage: 100%  Kno wn V ulnerable Platforms: F elix; Equino x; Knopersh; Conierge; SF elix RR n ° 6231 62 Parr end & F r énot D.5.6 Big File Creator V ulnerabilit y Referene  V ulnerabilit y Name: Big File Creator  Iden tier: Mb.ja v a.6  Origin: Ares resear h pro jet `maliious-bundle'  Lo ation of Exploit Co de: Appliation Co de - Ja v a API  Soure: JVM - APIs (File API)  T arget: Platform  Consequene T yp e: P erformane Breakdo wn  In tro dution Time: Dev elopmen t  Exploit Time: Exeution V ulnerabilit y Desription  Desription: A maliious bundle that reate a big (relativ e to a v ailable resoures) les to onsume disk memory spae  Preonditions: No Seurit yManager, or FileP ermission `write' to the maliious bundl  A tta k Pro ess: -  Consequene Desription: -  See Also: Big Bundle Installer Protetion  Existing Me hanisms: Ja v a P ermissions  Enforemen t P oin t: Platform startup  P oten tial Me hanisms: Resoure Con trol and Isolation - Disk Spae (p er user/bundle); A ess Con trol - FileSystem (Limit the aess to the FileSystem to the data diretory of the bundle; on trol the size of the data reated through the BundleCon text)  A tta k Prev en tion: -  Reation: Erase les V ulnerabilit y Implemen tation  Co de Referene: F r.inria.ares.biglereator-0.1.jar  OSGi Prole: J2SE-1.5  Date: 2006-08-29  T est Co v erage: 00%  Kno wn V ulnerable Platforms: F elix; Equino x; Knopersh; Conierge; SF elix INRIA OSGi V ulner abilities 63 D.5.7 Co de Observ er V ulnerabilit y Referene  V ulnerabilit y Name: Co de Observ 
er  Iden tier: Mb.ja v a.7  Origin: Ares resear h pro jet `maliious-bundle'  Lo ation of Exploit Co de: Appliation Co de - Ja v a API  Soure: JVM - APIs (Reetion API; ClassLoader API)  T arget: OSGi Elemen t - P a k age; OSGi Elemen t - Servie  Consequene T yp e: Undue A ess  In tro dution Time: Dev elopmen t  Exploit Time: Exeution V ulnerabilit y Desription  Desription: A omp onen t that observ es the on ten t of another one  Preonditions: No Seurit yManager, or ReetP ermission  A tta k Pro ess: Use of the reetion API and the ClassLoader API  Consequene Desription: Observ ation of the implemen tation of the published pa k ages and servies, the lasses that are aggregated to these pa k ages and servies, and lasses whi h name are kno wn (or guessed)  See Also: Comp onen t Data Mo dier, Hidden Metho d Laun her Protetion  Existing Me hanisms: Ja v a P ermissions  Enforemen t P oin t: Platform startup  P oten tial Me hanisms: -  A tta k Prev en tion: -  Reation: - V ulnerabilit y Implemen tation  Co de Referene: Priv atelasssp y/fr.inria.ares.servieabuser -0.1 .jar  OSGi Prole: J2SE-1.5  Date: 2007-02-12  T est Co v erage: 100%  Kno wn V ulnerable Platforms: F elix; Equino x; Knopersh; SF elix RR n ° 6231 64 Parr end & F r énot D.5.8 Comp onen t Data Mo dier V ulnerabilit y Referene  V ulnerabilit y Name: Comp onen t Data Mo dier  Extends: Co de Observ er  Iden tier: Mb.ja v a.8  Origin: Ares resear h pro jet `maliious-bundle'  Lo ation of Exploit Co de: Appliation Co de - Ja v a API  Soure: JVM - APIs (Reetion API; ClassLoader API)  T arget: OSGi Elemen t - P a k age; OSGi Elemen t - Servie  Consequene T yp e: Undue A ess  In tro dution Time: Dev elopmen t  Exploit Time: Exeution V ulnerabilit y Desription  Desription: A bundle that mo dies the data (i.e. 
the v alue of the attributes of the lasses) of another one  Preonditions: No Seurit yManager or ReetP ermission set; the name of the non- exp orted mo died lass m ust b e kno wn b eforehand, and on tain a publi stati eld.  A tta k Pro ess: Use of the reetion API and the ClassLoader API to aess and mo dify the v alue of attributes  Consequene Desription: Mo diation of the publi elds of the ob jets that are aessible from another bundle (servie implemen tations, or ob jets that are attributes of these servie implemen tations, or ob jets that are attributes of these latter ob jets, ...), or of the publi stati (non nal) elds of lasses whi h name is kno wn  See Also: Co de Observ er, Hidden Metho d Laun her Protetion  Existing Me hanisms: Ja v a P ermissions  Enforemen t P oin t: Platform startup  P oten tial Me hanisms: -  A tta k Prev en tion: -  Reation: - V ulnerabilit y Implemen tation  Co de Referene: Priv atelassmanipulator/fr.inria.ares.servieabuse r-0 .1.jar  OSGi Prole: J2SE-1.5  Date: 2007-02-12  T est Co v erage: 100%  Kno wn V ulnerable Platforms: F elix; Equino x; Knopersh; Conierge; SF elix INRIA OSGi V ulner abilities 65 D.5.9 Hidden Metho d Laun her V ulnerabilit y Referene  V ulnerabilit y Name: Hidden Metho d Laun her  Extends: Co de Observ er  Iden tier: Mb.ja v a.9  Origin: Ares resear h pro jet `maliious-bundle'  Lo ation of Exploit Co de: Appliation Co de - Ja v a API  Soure: JVM - APIs (Reetion API; ClassLoader API)  T arget: OSGi Elemen t - P a k age  Consequene T yp e: Undue A ess  In tro dution Time: Dev elopmen t  Exploit Time: Exeution V ulnerabilit y Desription  Desription: A bundle that exeutes metho ds from lasses that are not exp orted of pro vided as servie. All lasses that are referened (diretly or indiretly) as lass attributes an b e aessed. 
Only publi metho ds an b e in v ok ed  Preonditions: No Seurit yManager, or ReetP ermission set  A tta k Pro ess: Use of the reetion API and the ClassLoader API to aess and exeutes metho ds in lasses that are not exp orted b y the bundle  Consequene Desription: -  See Also: Co de Observ er, Comp onen t Data Mo dier Protetion  Existing Me hanisms: Ja v a P ermissions  Enforemen t P oin t: Platform startup  P oten tial Me hanisms: -  A tta k Prev en tion: -  Reation: - V ulnerabilit y Implemen tation  Co de Referene: Hiddenlassexeutor/fr.inria.ares.servieabuser- 0.1 .jar  OSGi Prole: J2SE-1.5  Date: 2007-02-12  T est Co v erage: 100%  Kno wn V ulnerable Platforms: F elix; Equino x; Knopersh; Conierge; SF elix RR n ° 6231 66 Parr end & F r énot D.5.10 Memory Load Injetion V ulnerabilit y Referene  V ulnerabilit y Name: Memory Load Injetion  Iden tier: Mb.ja v a.10  Origin: MOSGI Ares Resear h Pro jet (OSGi Platform Monitoring)  Lo ation of Exploit Co de: Appliation Co de - Ja v a API  Soure: Appliation Co de (No Algorithm Safet y - Ja v a)  T arget: Platform  Consequene T yp e: P erformane Breakdo wn  In tro dution Time: Dev elopmen t  Exploit Time: Exeution V ulnerabilit y Desription  Desription: A maliious bundle that onsumes most of a v ailable memory (61,65 MB in the example)  Preonditions: -  A tta k Pro ess: Store a h uge amoun t of data in a b yte arra y  Consequene Desription: Only a limited memory spae is a v ailable for the exe- ution of programs  See Also: Ramping Memory Load Injetion, CPU Load Injetion Protetion  Existing Me hanisms: -  Enforemen t P oin t: -  P oten tial Me hanisms: Co de stati Analysis ; Resoure Con trol and Isolation - Memory  A tta k Prev en tion: -  Reation: - V ulnerabilit y Implemen tation  Co de Referene: F r.inria.ares.memloadinjetor-0.1.jar  OSGi Prole: J2SE-1.5  Date: 2006-08-24  T est Co v erage: 100%  Kno wn V ulnerable 
Platforms: F elix; Equino x; Knopersh; Conierge; SF elix INRIA OSGi V ulner abilities 67 D.5.11 Stand Alone Innite Lo op V ulnerabilit y Referene  V ulnerabilit y Name: Stand Alone Innite Lo op  Iden tier: Mb.ja v a.11  Origin: Ares resear h pro jet `maliious-bundle'  Lo ation of Exploit Co de: Appliation Co de - Ja v a Co de  Soure: Appliation Co de (No Algorithm Safet y - Ja v a)  T arget: Platform  Consequene T yp e: P erformane Breakdo wn  In tro dution Time: Dev elopmen t  Exploit Time: Exeution V ulnerabilit y Desription  Desription: A v oid lo op in a lonesome thread that onsumes m u h of the a v ailable CPU  Preonditions: -  A tta k Pro ess: Innite lo op laun hed in an indep enden t thread  Consequene Desription: -  See Also: Innite Startup Lo op, CPU Load Injetion Protetion  Existing Me hanisms: -  Enforemen t P oin t: -  P oten tial Me hanisms: Co de stati Analysis ; Resoure Con trol and Isolation - CPU  A tta k Prev en tion: -  Reation: - V ulnerabilit y Implemen tation  Co de Referene: F r.inria.ares.standalonelo op-0.1.jar  OSGi Prole: J2SE-1.5  Date: 2006-09-22  T est Co v erage: 10%  Kno wn V ulnerable Platforms: F elix; Equino x; Knopersh; Conierge; SF elix RR n ° 6231 68 Parr end & F r énot D.5.12 Innite Lo op in Metho d Call V ulnerabilit y Referene  V ulnerabilit y Name: Innite Lo op in Metho d Call  Iden tier: Mb.ja v a.12  Origin: Ja v a puzzlers 26 to 33 [ BG05 ℄  Lo ation of Exploit Co de: Appliation Co de - Ja v a Co de  Soure: Appliation Co de (No Algorithm Safet y - Ja v a)  T arget: Platform; OSGi Elemen t - Servie; OSGi Elemen t - P a k age  Consequene T yp e: P erformane Breakdo wn - Platform; Una v ailabilit y - Servie, P a k age  In tro dution Time: Dev elopmen t  Exploit Time: Exeution V ulnerabilit y Desription  Desription: An innite lo op is exeuted in a metho d all (at lass use, pa k age use)  Preonditions: -  A tta k Pro ess: 
An innite lo op is exeuted in a metho d all  Consequene Desription: Blo  k the alling en tit y (the alling lass or servie. Beause of the innite lo op, most CPU resoure is onsumed  See Also: CPU Load Injetion, Stand-alone Innite Lo op, Hanging Thread Protetion  Existing Me hanisms: -  Enforemen t P oin t: -  P oten tial Me hanisms: Co de stati Analysis ; Resoure Con trol and Isolation - CPU  A tta k Prev en tion: -  Reation: - V ulnerabilit y Implemen tation  Co de Referene: F r.inria.ares.innitelo opinmetho dall-0.1.jar  OSGi Prole: J2SE-1.5  Date: 2006-08-24  T est Co v erage: 10%  Kno wn V ulnerable Platforms: F elix; Equino x; Knopersh; Conierge; SF elix INRIA OSGi V ulner abilities 69 D.5.13 Exp onen tial Ob jet Creation V ulnerabilit y Referene  V ulnerabilit y Name: Exp onen tial Ob jet Creation  Iden tier: Mb.ja v a.13  Origin: Ares resear h pro jet `maliious-bundle'  Lo ation of Exploit Co de: Appliation Co de - Ja v a Co de  Soure: Appliation Co de (No Algorithm Safet y - Ja v a)  T arget: OSGi Elemen t - Servie; OSGi Elemen t - P a k age  Consequene T yp e: Una v ailabilit y  In tro dution Time: Dev elopmen t  Exploit Time: Exeution V ulnerabilit y Desription  Desription: Ob jets are reated in a exp onen tial w a y  Preonditions: -  A tta k Pro ess: A giv en ob jet reate in its onstrutor 3 instanes of ob jet of the same lass  Consequene Desription: The metho d all ab orts with a 'Sta kOv ero wError'  See Also: Reursiv e Thread Creation Protetion  Existing Me hanisms: -  Enforemen t P oin t: -  P oten tial Me hanisms: Co de stati Analysis ; Resoure Con trol and Isolation - Memory  A tta k Prev en tion: -  Reation: - V ulnerabilit y Implemen tation  Co de Referene: F r.inria.ares.exp onen tialob jetreation-0.1  OSGi Prole: J2SE-1.5  Date: 2007-01-09  T est Co v erage: 50%  Kno wn V ulnerable Platforms: F elix; Equino x; Knopersh; Conierge; 
SF elix RR n ° 6231 70 Parr end & F r énot D.6 Bundle Co de - OSGi APi D.6.1 Laun h a Hidden Bundle V ulnerabilit y Referene  V ulnerabilit y Name: Laun h a Hidden Bundle  Iden tier: Mb.osgi.6  Origin: Ares resear h pro jet `maliious-bundle'  Lo ation of Exploit Co de: Appliation Co de - OSGi API  Soure: OSGi Platform - Life-Cyle La y er (Bundle Managemen t); JVM - APIs (File API)  T arget: Platform  Consequene T yp e: Undue A ess  In tro dution Time: Dev elopmen t  Exploit Time: Exeution V ulnerabilit y Desription  Desription: A bundle that laun hes another bundle it on tains (the on tained bun- dle ould b e masqued as with a 'MyFile.ja v a' le name)  Preonditions: No Seurit yManager, or OSGi P ermissionA dmin and FileP ermission `write' for the maliious bundle  A tta k Pro ess: A bundle reates a new bundle on the le system, and laun hes i  Consequene Desription: A non foreseen bundle is installed. If install time  he k- ing exists (su h as digital signature), it passes through the v eriation pro ess  See Also: Pirat Bundle Manager Protetion  Existing Me hanisms: Ja v a P ermissions  Enforemen t P oin t: Platform startup  P oten tial Me hanisms: -  A tta k Prev en tion: -  Reation: Uninstall the maliious bundle V ulnerabilit y Implemen tation  Co de Referene: F r.inria.ares.silen tloader-0.1.jar, fr.inria.ares.silen tloader.onierge- 0.1.jar (without swing)  OSGi Prole: J2SE-1.5  Date: 2006-10-28  T est Co v erage: 100%  Kno wn V ulnerable Platforms: F elix; Equino x; Knopersh; Conierge; SF elix INRIA OSGi V ulner abilities 71 D.6.2 Pirat Bundle Manager V ulnerabilit y Referene  V ulnerabilit y Name: Pirat Bundle Manager  Iden tier: Mb.osgi.7  Origin: Ares resear h pro jet `maliious-bundle'  Lo ation of Exploit Co de: Appliation Co de - OSGi API  Soure: OSGi Platform - Life-Cyle La y er (Bundle Managemen t)  T arget: OSGi Elemen t - Bundle  Consequene T yp e: Undue A ess 
 In tro dution Time: Dev elopmen t  Exploit Time: Exeution V ulnerabilit y Desription  Desription: A bundle that manages others without b eing requested to do so(here: stops and starts the vitim bundle)  Preonditions: No Seurit yManager, or OSGi P ermission A dmin  A tta k Pro ess: The pirat bundle aesses to the bundle on text, and then to its vitim bundle  Consequene Desription: -  See Also: Laun h Hidden Bundle Protetion  Existing Me hanisms: Ja v a P ermissions  Enforemen t P oin t: Platform startup  P oten tial Me hanisms: -  A tta k Prev en tion: -  Reation: - V ulnerabilit y Implemen tation  Co de Referene: F r.inria.ares.piratbundlemanager-0.1.jar, fr.inria.ares.piratbundlemanager.onierge- 0.1.jar (no swing)  OSGi Prole: J2SE-1.5  Date: 2006-10-30  T est Co v erage: 40%  Kno wn V ulnerable Platforms: F elix; Equino x; Knopersh; Conierge; SF elix RR n ° 6231 72 Parr end & F r énot D.6.3 Zom bie Data V ulnerabilit y Referene  V ulnerabilit y Name: Zom bie Data  Iden tier: Mb.osgi.8  Origin: Ares resear h pro jet `maliious-bundle'  Lo ation of Exploit Co de: Appliation Co de - OSGi API  Soure: OSGi Platform - Life-Cyle La y er (No Remo v al of Uninstalled Bundle Data)  T arget: Platform  Consequene T yp e: P erformane Breakdo wn  In tro dution Time: Dev elopmen t  Exploit Time: Exeution V ulnerabilit y Desription  Desription: Data stored in the lo al OSGi data store are not deleted when the related bundle is uninstalled. 
It th us b eomes una v ailable and onsumes disks spae (esp eially on resoure onstrain t devies)  Preonditions: No SeuriyManager, or FileP ermission set  A tta k Pro ess: -  Consequene Desription: -  See Also: Big File Creator Protetion  Existing Me hanisms: Ja v a P ermissions  Enforemen t P oin t: Platform startup  P oten tial Me hanisms: OSGi Platform Mo diation - Bundle Uninstall Pro ess (Delete Bundle Data when Bundles are uninstalled)  A tta k Prev en tion: -  Reation: Erase les V ulnerabilit y Implemen tation  Co de Referene: F r.inria.ares.biglereator-0.1.jar  OSGi Prole: J2SE-1.5  Date: 2007-04-20  T est Co v erage: 100%  Kno wn V ulnerable Platforms: F elix; Conierge  Kno wn Robust Platforms: Equino x; Knopersh; SF elix INRIA OSGi V ulner abilities 73 D.6.4 Cyle Bet w een Servies V ulnerabilit y Referene  V ulnerabilit y Name: Cyle Bet w een Servies  Iden tier: Mb.osgi.9  Origin: Ares resear h pro jet `maliious-bundle'  Lo ation of Exploit Co de: Appliation Co de - OSGi API  Soure: OSGi Platform - Servie La y er (Ar hiteture of the Appliation - No V alida- tion of Servie Dep endeny)  T arget: OSGi Elemen t - Servie; OSGi Elemen t - P a k age  Consequene T yp e: Una v ailabilit y  In tro dution Time: Servie Publiation or Resolution  Exploit Time: Exeution V ulnerabilit y Desription  Desription: A yle exists in the servies all  Preonditions: -  A tta k Pro ess: Servie 1 alls servie 2, whi h alls servie 1. 
The atta k an b e implemen ted as a fak e 'servie 2', whi h alls servie 1 ba k instead of return prop erly from the metho d that servie 1 alled  Consequene Desription: `ja v a.lang.Sta kOv ero wError', servie 1 an not b e exeuted  See Also: - Protetion  Existing Me hanisms: -  Enforemen t P oin t: -  P oten tial Me hanisms: Servie-lev el dep endeny v alidation  A tta k Prev en tion: -  Reation: - V ulnerabilit y Implemen tation  Co de Referene: F r.inria.ares.lien tserv er1-0.1.jar, fr.inria.ares.lien tserv er2-0.1.jar  OSGi Prole: J2SE-1.5  Date: 2006-10-28  T est Co v erage: 100%  Kno wn V ulnerable Platforms: F elix; Equino x; Knopersh; Conierge; SF elix RR n ° 6231 74 Parr end & F r énot D.6.5 Numerous Servie Registration V ulnerabilit y Referene  V ulnerabilit y Name: Numerous Servie Registration  Iden tier: Mb.osgi.10  Origin: Ares resear h pro jet `maliious-bundle'  Lo ation of Exploit Co de: Appliation Co de - OSGi API  Soure: OSGi Platform - Servie La y er (Unon trolled Servie Registration)  T arget: OSGi Elemen t - Bundle; OSGi Elemen t - Platform Managemen t Utilit y  Consequene T yp e: P erformane Breakdo wn  In tro dution Time: Dev elopmen t  Exploit Time: Exeution V ulnerabilit y Desription  Desription: Registration of a high n um b er of (p ossibly iden tial) servies through an lo op  Preonditions: No Seurit yManager, or OSGi ServieP ermission  A tta k Pro ess: Publish a giv en servie in a(n) (e.g. 
innite) lo op  Consequene Desription: Imp ortan t duration of bundle stop  See Also: - Protetion  Existing Me hanisms: Ja v a P ermissions  Enforemen t P oin t: Platform startup  P oten tial Me hanisms: OSGi Platform Mo diation - Servie Publiation (limita- tion of the n um b er of servies published in the framew ork)  A tta k Prev en tion: -  Reation: - V ulnerabilit y Implemen tation  Co de Referene: F r.inria.ares.n umerousservies-0.1.jar  OSGi Prole: J2SE-1.5  Date: 2007-01-09  T est Co v erage: 100%  Kno wn V ulnerable Platforms: F elix; Equino x; Knopersh; Conierge  Kno wn Robust Platforms: SF elix INRIA OSGi V ulner abilities 75 D.6.6 F reezing Numerous Servie Registration V ulnerabilit y Referene  V ulnerabilit y Name: F reezing Numerous Servie Registration  Iden tier: Mb.osgi.11  Origin: Ares resear h pro jet `maliious-bundle'  Lo ation of Exploit Co de: Appliation Co de - OSGi API  Soure: OSGi Platform - Servie La y er (Unon trolled Servie Registration)  T arget: OSGi Elemen t - Bundle; OSGi Elemen t - Platform Managemen t Utilit y  Consequene T yp e: P erformane Breakdo wn  In tro dution Time: Dev elopmen t  Exploit Time: Exeution V ulnerabilit y Desription  Desription: Registration of a high n um b er of (p ossibly iden tial) servies through an lo op, in the Conierge OSGi Platform implemen tation  Preonditions: No Seurit yManager, or OSGi ServieP ermission; exeution in the Conierge OSGi Platform  A tta k Pro ess: Publish a giv en servie in a(n) (e.g. innite) lo op  Consequene Desription: The Platform almost totally freeze. OutOfMemory- Errors are rep orted v ery frequen tly when the shell is used or when bundles p erform ations. 
 See Also: - Protetion  Existing Me hanisms: Ja v a P ermissions  Enforemen t P oin t: Platform startup  P oten tial Me hanisms: OSGi Platform Mo diation - Servie Publiation (limita- tion of the n um b er of servies published in the framew ork)  A tta k Prev en tion: -  Reation: - V ulnerabilit y Implemen tation  Co de Referene: F r.inria.ares.n umerousservies-0.1.jar  OSGi Prole: J2SE-1.5  Date: 2007-04-20  T est Co v erage: 100%  Kno wn V ulnerable Platforms: Conierge RR n ° 6231 76 Parr end & F r énot D.7 Bundle F ragmen ts D.7.1 Exeute Hidden Classes V ulnerabilit y Referene  V ulnerabilit y Name: Exeute Hidden Classes  Iden tier: Mb.osgi.12  Origin: Ares resear h pro jet `maliious-bundle'  Lo ation of Exploit Co de: Bundle F ragmen t  Soure: OSGi Platform - Mo dule La y er (Bundle F ragmen ts)  T arget: OSGi Elemen t - P a k age  Consequene T yp e: Undue A ess  In tro dution Time: Dev elopmen t  Exploit Time: Exeution V ulnerabilit y Desription  Desription: A fragmen t bundle exp orts a p  k age that is not made visible b y the host. 
Other bundles an then exeute the lasses in this pa k age  Preonditions: No Seurit yManager, or BundleP ermission, `HOST' set to the host, and BundleP ermission, `FRA GMENT', set to the maliious fragmen t  A tta k Pro ess: -  Consequene Desription: Mo diation of stati attributes, publiation of hidden data or exeution of seret pro edure; Conierge do es not supp ort fragmen t, and do es therefore not on tains this vulnerabilit y  See Also: F ragmen t Substitution, A ess Proteted P a k age through split P a k ages Protetion  Existing Me hanisms: Ja v a P ermissions  Enforemen t P oin t: Platform startup  P oten tial Me hanisms: -  A tta k Prev en tion: -  Reation: - V ulnerabilit y Implemen tation  Co de Referene: Usehiddenlass/pa k ageexp ortfragmen t.jar + usehiddenlass/fr.inria.ares.fragmen taomplie-0 .1.jar  OSGi Prole: J2SE-1.5  Date: 2007-02-14  T est Co v erage: 100%  Kno wn V ulnerable Platforms: F elix; Equino x; Knopersh; SF elix INRIA OSGi V ulner abilities 77 D.7.2 F ragmen t Substitution V ulnerabilit y Referene  V ulnerabilit y Name: F ragmen t Substitution  Iden tier: Mb.osgi.13  Origin: Ares resear h pro jet `maliious-bundle'  Lo ation of Exploit Co de: Bundle F ragmen t  Soure: OSGi Platform - Mo dule La y er (Bundle F ragmen ts)  T arget: OSGi Elemen t - Bundle  Consequene T yp e: Undue A ess  In tro dution Time: Dev elopmen t  Exploit Time: Exeution V ulnerabilit y Desription  Desription: A sp ei fragmen t bundle is replae b y another, whi h pro vides the same lasses but with maliious implemen tation  Preonditions: No Seurit yManager, or BundleP ermission `HOST' and `FRA G- MENT' set to the required bundles, and OSGi A dminP ermission set to the substitutor bundle  A tta k Pro ess: A maliious bundles uninstalls the urren t fragmen t, and install a maliious one (that is em b edded in it) instead  Consequene Desription: The host bundle exeutes a false 
implemen tations of lasses pro vided b y a fragmen t; Conierge do es not supp ort fragmen t, and do es there- fore not on tains this vulnerabilit y  See Also: Laun h Hidden Bundle, Pirat Bundle Manager, Exeute Hidden Class, A ess Proteted P a k age through split P a k ages Protetion  Existing Me hanisms: Ja v a P ermissions  Enforemen t P oin t: Platform startup  P oten tial Me hanisms: -  A tta k Prev en tion: -  Reation: - V ulnerabilit y Implemen tation  Co de Referene: F ragmen tpro videspa k agestohost/fr.inria .ar es.fra gmen tsubstitutor (has an em b edded fragmen tpro videspa k agestohost/testfrag men tlone bundle)  OSGi Prole: J2SE-1.5  Date: 2007-02-16  T est Co v erage: 100%  Kno wn V ulnerable Platforms: F elix; Equino x; Knopersh; SF elix RR n ° 6231 78 Parr end & F r énot D.7.3 A ess Proteted P a k age through split P a k ages V ulnerabilit y Referene  V ulnerabilit y Name: A ess Proteted P a k age through split P a k ages  Iden tier: Mb.osgi.14  Origin: Ares resear h pro jet `maliious-bundle'  Lo ation of Exploit Co de: Bundle F ragmen t  Soure: OSGi Platform - Mo dule La y er (Bundle F ragmen ts)  T arget: OSGi Elemen t - P a k age  Consequene T yp e: Undue A ess  In tro dution Time: Dev elopmen t  Exploit Time: Exeution V ulnerabilit y Desription  Desription: A pa k age is built in the fragmen t, that ha v e the same name than a pa k age in the host. 
All pa k age-proteted lasses and metho ds an then b e aessed from the fragmen t, and through a pro xy exp orted in the framew ork  Preonditions: No Seurit yManager, or BundleP ermission `HOST' and `FRA G- MENT' set to the suitable bundles  A tta k Pro ess: -  Consequene Desription: Conierge do es not supp ort fragmen t, and do es there- fore not on tains this vulnerabilit y  See Also: Exeute Hidden Class, F ragmen t Substitution Protetion  Existing Me hanisms: Ja v a P ermissions  Enforemen t P oin t: Platform startup  P oten tial Me hanisms: Misellaneous (the Ja v a Ar hiv e dened 'seal' k eyw ord in the Manifest File do es not prev en t the pa k age to b e ompleted b y a split pa k age in the fragmen t. It probably should)  A tta k Prev en tion: -  Reation: - V ulnerabilit y Implemen tation  Co de Referene: F ragmen tsplitpa k age/fr.inria.ares.testhostbundle-0.1.jar + fragmen tsplitpa k age/testfragmen t-0.1.jar + fragmen tsplitpa k age/fr.inria.ares.fragmen tlien t-0 .1.jar  OSGi Prole: J2SE-1.5  Date: 2007-02-17  T est Co v erage: 100%  Kno wn V ulnerable Platforms: F elix; Equino x; Knopersh; SF elix INRIA OSGi V ulner abilities 79 E A tta k Implemen tations The implemen tations of the presen ted atta ks are giv en. T w o t yp es of atta ks an b e p er- formed through sev eral dieren t implemen tations. E.1 Innite Lo ops The v arious implemen tations of Innites Lo ops in Ja v a are giv en. They mat h the V ulner- abilit y m b.ja v a.8 and m b.ja v a.12 in our atalog. E.1.1 First Option boolean ondition==true; While(ondition ); E.1.2 Seond Option This implemen tation is giv en in the Ja v a Puzzler #26 [BG05 ℄. publi stati final int END = Integer.MAX\_VA LUE ; publi stati final int START = END - 100; // or any other start value for (int i = START; i <= END; i++); E.1.3 Third Option This implemen tation is giv en in the Ja v a Puzzler #27 [BG05 ℄. 
    int i = 0;
    // the shift distance is taken modulo 32, so -1 << i never becomes 0
    while (-1 << i != 0) { i++; }

E.1.4 Fourth Option

This implementation is given in the Java Puzzler #28 [BG05].

    double i = 1.0 / 0.0; // can also be set to Double.POSITIVE_INFINITY,
                          // or a sufficiently big number (such as 1.0e17 or bigger)
    while (i == i + 1);

E.1.5 Fifth Option

This implementation is given in the Java Puzzler #45 [BG05].

    public static void main(String[] args) {
        workHard();
    }

    // the finally block re-enters workHard() on every StackOverflowError, so the
    // recursion never unwinds
    private static void workHard() {
        try {
            workHard();
        } finally {
            workHard();
        }
    }

E.1.6 Other Implementations

For further implementations of the infinite loop, you can also refer to
- the Java Puzzler #29 (double i = Double.NaN; while (i != i);),
- the Java Puzzler #30 (String i = "a"; while (i != i + 0);), and the Java Puzzler #31 (short i = -1; while (i != 0) i >>>= 1;),
- the Java Puzzler #32 (Integer i = new Integer(0); Integer j = new Integer(0); while (i <= j && j <= i && i != j);),
- the Java Puzzler #33 (int i = Integer.MIN_VALUE; while (i != 0 && i == -i); // or long i = Long.MIN_VALUE),
- for() loops with unsuitable modification of the variables that intervene in the stop condition.

E.2 Hanging Thread

The various implementations of Hanging Threads in Java are given. They match the Vulnerability mb.java.9 in our catalog.

E.2.1 First Option

This implementation is given in the Java Puzzler #77 [BG05].

    import java.util.Timer;
    import java.util.TimerTask;

    public class Stopper extends Thread {
        private volatile boolean quittingTime = false;

        public void run() {
            while (!quittingTime)
                pretendToWork();
            System.out.println("Beer is good");
        }

        private void pretendToWork() {
            try {
                Thread.sleep(300); // Sleeping on the job?
            } catch (InterruptedException ex) {
            }
        }

        // It's quitting time, wait for worker - Called by good boss
        // join() waits on this object's monitor and releases it, so keepWorking()
        // can run while quit() is still waiting
        synchronized void quit() throws InterruptedException {
            quittingTime = true;
            join();
        }

        // Rescind quitting time - Called by evil boss
        synchronized void keepWorking() {
            quittingTime = false;
        }

        public void hang() {
            System.out.println("HangingThread Stopper ready " + "to behave badly");
            try {
                final Stopper worker = new Stopper();
                worker.start();
                Timer t = new Timer(true); // Daemon thread
                t.schedule(new TimerTask() {
                    public void run() {
                        worker.keepWorking();
                    }
                }, 500);
                Thread.sleep(400);
                worker.quit(); // never returns: the flag is reset before the worker sees it
            } catch (InterruptedException e) {
                e.printStackTrace();
            }
        }
    }

E.2.2 Second Option

This implementation is given in the Java Puzzler #85 [BG05].

    public class LazyInit {
        private static boolean initialized = false;

        static {
            Thread t = new Thread(new Runnable() {
                public void run() {
                    // writing the static field needs the class initialization lock,
                    // which the main thread holds while it runs this static block
                    initialized = true;
                }
            });
            t.start();
            try {
                t.join(); // main waits for t, t waits for main: the thread hangs
            } catch (InterruptedException e) {
                throw new AssertionError(e);
            }
        }
    }

E.2.3 Other Implementations

For other implementations, see the JLint Manual (http://artho.com/jlint/manual.html) for `deadlock errors' (2 occurrences).

F XML2Tex Documentation Generator

To ease the validation of the Vulnerability Patterns and the generation of the catalog, we developed a small tool based on XML technologies, XML2Tex. Figure 17 gives an overview of the XML2Tex Documentation Generation process.

Figure 17: XML2Tex Process

First, the vulnerability pattern is checked against a reference XML Schema (XSD). Secondly, it is transformed into an XML report through XSL transformations. An XML Report is a specific XML file which is easily mappable to documentation: it contains in particular a title, paragraphs, and so on.
Thirdly, the XML report is transformed into a Tex file through an ad-hoc parser named Report2Tex. The validity of the Vulnerability Patterns of the catalog is guaranteed by their validation against the formal expression of the Pattern given in appendix C. The well-formedness of the XML Report and of the Tex file is ensured by the successive parsers.
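The Potential Mechanisms entry of Mb.osgi.10 and Mb.osgi.11 (sections D.6.5 and D.6.6 above) proposes limiting the number of services a bundle may publish in the framework. The following ServiceListener is an added illustration of that countermeasure, not code from the report or from any OSGi framework; it assumes a trusted management bundle installs it from its activator, and the per-bundle ceiling is an assumed value.

```java
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.atomic.AtomicInteger;
import org.osgi.framework.Bundle;
import org.osgi.framework.BundleContext;
import org.osgi.framework.ServiceEvent;
import org.osgi.framework.ServiceListener;

/** Counts live service registrations per bundle and records bundles above an assumed ceiling. */
public class ServiceRegistrationGuard implements ServiceListener {
    private final int limit; // assumed per-bundle ceiling, e.g. 200 (illustrative value)
    private final Map<Long, AtomicInteger> live = new ConcurrentHashMap<>();
    private final Set<Long> offenders = ConcurrentHashMap.newKeySet();

    public ServiceRegistrationGuard(int limit) { this.limit = limit; }

    /** Called from the activator of a trusted management bundle (assumed deployment). */
    public void install(BundleContext context) {
        context.addServiceListener(this); // no filter: observe every service in the registry
    }

    @Override
    public void serviceChanged(ServiceEvent event) {
        Bundle owner = event.getServiceReference().getBundle();
        if (owner == null) return; // service already gone from the registry
        long id = owner.getBundleId();
        if (event.getType() == ServiceEvent.REGISTERED) {
            int n = live.computeIfAbsent(id, k -> new AtomicInteger()).incrementAndGet();
            if (n > limit && offenders.add(id)) {
                // The listener runs synchronously on the registering bundle's own thread,
                // so only log and record here; a separate management thread can then stop
                // the bundle (which needs AdminPermission) outside this callback.
                System.err.println("bundle " + owner.getSymbolicName() + " (id " + id
                        + ") exceeds " + limit + " live service registrations");
            }
        } else if (event.getType() == ServiceEvent.UNREGISTERING) {
            AtomicInteger n = live.get(id);
            if (n != null) n.decrementAndGet(); // registration loop releasing its services
        }
    }

    /** Snapshot of the bundle ids that crossed the limit, for a management thread to act on. */
    public Set<Long> offenders() { return new HashSet<>(offenders); }
}
```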