A toolbox for static analysis and transformation of OSGi bundles
Radu Kopetz – Orange Labs, radu.kopetz@orange.com
OSGi Users' Group France Meeting
25/11/2011
motivations
Source: http://www.drm-x.com/
why OSGi ?
• ease of development
• rich, mature ecosystem
• modularity
• isolation and security guarantees
challenges
• platforms' security and availability
• preserved QoS
• harmful behaviour can be either intended (malicious) or unintended
security in OSGi
• based on Java 2 security
– Conditional Permission Admin
• adds a namespace isolation mechanism between bundles
• but …
security flaws in OSGi
• originating in the OSGi platform
– infinite loop / thread hanging in the bundle activator
– huge manifest file or import statements
– decompression bomb
• originating in JVM shortcomings: the JVM was not designed for multi-application systems
– memory load injection
– exponential thread creation
– infinite loops
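Two of the platform-level flaws above (huge manifest, decompression bomb) can be caught before a bundle is ever unpacked, by reading only the zip central directory. The following is an added example, not code from the deck or from the Orange Labs toolbox; the thresholds, the function names (inspect_jar, build_sample_jar) and the sample jars are all constructed for illustration.

```python
"""Pre-flight size checks on a bundle jar, from the zip central directory only,
so nothing is inflated before the decision. Added example, not the toolbox's
code; the thresholds and the sample jars below are constructed."""
import io
import zipfile
from typing import Any, Dict

MAX_TOTAL_UNCOMPRESSED = 50 * 1024 * 1024   # all entries together
MAX_RATIO = 100.0                           # uncompressed / compressed, per entry
MAX_MANIFEST_BYTES = 64 * 1024              # META-INF/MANIFEST.MF


def inspect_jar(data: bytes) -> Dict[str, Any]:
    """Report total uncompressed size, worst compression ratio, manifest size
    and the list of problems found (an empty list means the jar looks sane)."""
    report: Dict[str, Any] = {"total_uncompressed": 0, "max_ratio": 0.0,
                              "manifest_size": 0, "problems": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            report["total_uncompressed"] += info.file_size
            if info.compress_size > 0:                    # skip directory entries
                ratio = info.file_size / info.compress_size
                report["max_ratio"] = max(report["max_ratio"], ratio)
                if ratio > MAX_RATIO:
                    report["problems"].append(
                        f"{info.filename}: inflates {ratio:.0f}:1 (decompression bomb?)")
            if info.filename == "META-INF/MANIFEST.MF":
                report["manifest_size"] = info.file_size
                if info.file_size > MAX_MANIFEST_BYTES:
                    report["problems"].append(
                        f"manifest is {info.file_size} bytes (limit {MAX_MANIFEST_BYTES})")
    if report["total_uncompressed"] > MAX_TOTAL_UNCOMPRESSED:
        report["problems"].append(
            f"total uncompressed size {report['total_uncompressed']} "
            f"exceeds {MAX_TOTAL_UNCOMPRESSED}")
    return report


def build_sample_jar(bomb: bool) -> bytes:
    """Constructed bundle: a short manifest plus either a class-sized payload or
    a 20 MiB run of zeros that deflate shrinks to a few tens of KiB."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    "Manifest-Version: 1.0\r\nBundle-SymbolicName: com.example.demo\r\n")
        if bomb:
            zf.writestr("payload.bin", b"\x00" * (20 * 1024 * 1024))
        else:
            zf.writestr("com/example/Activator.class", bytes(range(256)) * 8)
    return buf.getvalue()
```

The sizes in the central directory are written by whoever built the jar, so this check is a cheap first filter only: the extraction step that follows must still count the bytes it actually inflates and stop at the same cap.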
possible approach
bundle → (automated) analysis → bundle → deploy !
• static analysis and transformation
• simulation ?
global idea
• a set of generic tools (services)
• that can be composed to get complex checks and transformations on bundles
architecture
• OSGi framework
• bundles providing the generic (base) services
• bundles providing more complex, business-specific services, built on top of the generic ones
generic services
• jars
– decompress
– compress
– estimate size
– class bytes
• metadata
– manifest contents
– DS / iPOJO components
• bytecode
– method call search
– class related information
– method instrumentation
– estimate size
• graphs
– construction
– analysis (strongly connected components)
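The metadata and graph services above compose naturally: parse the manifest headers, build a dependency graph and run strongly connected components over it. The following is an added example, not the toolbox's code. It assumes that dependencies are taken from Import-Package / Export-Package headers (the deck itself talks about services, e.g. DS components, as the graph nodes) and it ignores version ranges when matching an import to an exporter; the function names and the SAMPLE_BUNDLES data are constructed. The same parser is used to drop repeated imports, which is one of the business-specific services described later in the deck.

```python
"""OSGi header parsing, duplicate-import removal and dependency-cycle detection.
Added example, not the Orange Labs toolbox's code. Edges come from
Import-Package / Export-Package (an assumption); version ranges are ignored."""
from typing import Dict, List, Set, Tuple


def split_outside_quotes(text: str, sep: str) -> List[str]:
    """Split on `sep` only where it is not inside double quotes, so that
    version="[1.5,2)" survives a split on ','."""
    parts, cur, quoted = [], [], False
    for ch in text:
        if ch == '"':
            quoted = not quoted
        if ch == sep and not quoted:
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur).strip())
    return [p for p in parts if p]


def parse_packages(header: str) -> List[Tuple[str, Dict[str, str]]]:
    """Expand a header into (package, params). A clause is
    'pkg[;pkg...][;attr=value][;directive:=value]'; directive keys keep their
    trailing ':' so they can be written back unchanged."""
    result = []
    for clause in split_outside_quotes(header, ","):
        paths, params = [], {}
        for part in split_outside_quotes(clause, ";"):
            if "=" in part:
                key, value = part.split("=", 1)
                params[key.strip()] = value.strip().strip('"')
            else:
                paths.append(part)
        for path in paths:
            result.append((path, params))
    return result


def remove_double_imports(header: str) -> str:
    """Keep the first clause seen for each imported package, drop repeats."""
    seen: Set[str] = set()
    clauses = []
    for pkg, params in parse_packages(header):
        if pkg in seen:
            continue
        seen.add(pkg)
        clauses.append(pkg + "".join(f';{k}="{v}"' for k, v in params.items()))
    return ",".join(clauses)


def tarjan_scc(graph: Dict[str, Set[str]]) -> List[List[str]]:
    """Tarjan's strongly connected components; each component is sorted."""
    index: Dict[str, int] = {}
    low: Dict[str, int] = {}
    stack: List[str] = []
    on_stack: Set[str] = set()
    sccs: List[List[str]] = []

    def strong(v: str) -> None:
        index[v] = low[v] = len(index)
        stack.append(v)
        on_stack.add(v)
        for w in graph.get(v, ()):
            if w not in index:
                strong(w)
                low[v] = min(low[v], low[w])
            elif w in on_stack:
                low[v] = min(low[v], index[w])
        if low[v] == index[v]:            # v is the root of a component
            comp = []
            while True:
                w = stack.pop()
                on_stack.discard(w)
                comp.append(w)
                if w == v:
                    break
            sccs.append(sorted(comp))

    for v in graph:
        if v not in index:
            strong(v)
    return sccs


def build_dependency_graph(bundles: Dict[str, Dict[str, str]]) -> Dict[str, Set[str]]:
    """Edge importer -> exporter for each imported package another bundle exports."""
    exporters: Dict[str, Set[str]] = {}
    for name, headers in bundles.items():
        for pkg, _ in parse_packages(headers.get("Export-Package", "")):
            exporters.setdefault(pkg, set()).add(name)
    graph: Dict[str, Set[str]] = {name: set() for name in bundles}
    for name, headers in bundles.items():
        for pkg, _ in parse_packages(headers.get("Import-Package", "")):
            graph[name].update(e for e in exporters.get(pkg, ()) if e != name)
    return graph


def find_cycles(bundles: Dict[str, Dict[str, str]]) -> List[List[str]]:
    """Components of size > 1 are the dependency cycles."""
    return [c for c in tarjan_scc(build_dependency_graph(bundles)) if len(c) > 1]


# Constructed sample: storage and events import each other, ui only depends on storage.
SAMPLE_BUNDLES = {
    "com.example.storage": {"Export-Package": 'com.example.storage;version="1.0"',
                            "Import-Package": 'com.example.events;version="[1,2)"'},
    "com.example.events": {"Export-Package": 'com.example.events;version="1.0"',
                           "Import-Package": "com.example.storage,org.osgi.framework"},
    "com.example.ui": {"Export-Package": "",
                       "Import-Package": 'com.example.storage,org.osgi.framework;version="[1.5,2)"'},
}
```

Calling find_cycles(SAMPLE_BUNDLES) returns the one cycle between com.example.events and com.example.storage; a real check would additionally respect version ranges and, for the deck's service cycles, take DS or iPOJO component references as the edges.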
business-specific services
• remove double imports
• detect inappropriate method calls
– Runtime.getRuntime().halt()
– System.exit()
• cycles between services
• associate CPU consumption & threads with bundles
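Detecting the inappropriate calls above does not require executing or even fully parsing the class: every method a class invokes is named in its constant pool as a Methodref entry. The following is an added example of that scan, not code from the deck or from the toolbox. It parses only the constant pool of a .class file and reports references to System.exit and Runtime.halt, plus Runtime.exit, which this example adds beyond the deck's list; the class file it scans is constructed inline, and the function names are assumptions.

```python
"""Constant-pool scan of a .class file for forbidden method references (the
deck's 'method call search' / 'detect inappropriate method calls' services).
Added example, not the toolbox's code; the sample class file is constructed."""
import struct
from typing import List, Tuple

# Calls the deck flags, plus Runtime.exit (added here: System.exit delegates to it).
FORBIDDEN = {("java/lang/System", "exit"), ("java/lang/Runtime", "halt"),
             ("java/lang/Runtime", "exit")}


def method_refs(class_bytes: bytes) -> List[Tuple[str, str, str]]:
    """Return (owner, name, descriptor) for every Methodref / InterfaceMethodref
    in the constant pool. Only the pool is parsed; nothing is executed."""
    magic, _minor, _major, count = struct.unpack_from(">IHHH", class_bytes, 0)
    if magic != 0xCAFEBABE:
        raise ValueError("not a class file")
    pool: list = [None] * count          # slot 0 is unused by the class file format
    pos, i = 10, 1
    while i < count:
        tag = class_bytes[pos]
        pos += 1
        if tag == 1:                                     # CONSTANT_Utf8
            (length,) = struct.unpack_from(">H", class_bytes, pos)
            pos += 2
            pool[i] = ("utf8", class_bytes[pos:pos + length].decode("utf-8", "replace"))
            pos += length
        elif tag in (3, 4):                              # Integer, Float
            pos += 4
        elif tag in (5, 6):                              # Long, Double: occupy two slots
            pos += 8
            i += 1
        elif tag in (7, 8, 16, 19, 20):                  # Class, String, MethodType, Module, Package
            pool[i] = (tag,) + struct.unpack_from(">H", class_bytes, pos)
            pos += 2
        elif tag in (9, 10, 11, 12, 17, 18):             # Field/Method refs, NameAndType, (Invoke)Dynamic
            pool[i] = (tag,) + struct.unpack_from(">HH", class_bytes, pos)
            pos += 4
        elif tag == 15:                                  # MethodHandle
            pos += 3
        else:
            raise ValueError(f"unknown constant pool tag {tag}")
        i += 1
    refs = []
    for entry in pool:
        if entry and entry[0] in (10, 11):               # Methodref, InterfaceMethodref
            owner = pool[pool[entry[1]][1]][1]           # Class -> Utf8 name
            _, name_idx, desc_idx = pool[entry[2]]       # NameAndType
            refs.append((owner, pool[name_idx][1], pool[desc_idx][1]))
    return refs


def find_inappropriate_calls(class_bytes: bytes) -> List[str]:
    """Sorted 'owner.name descriptor' strings for every forbidden reference."""
    return sorted({f"{o}.{n}{d}" for o, n, d in method_refs(class_bytes)
                   if (o, n) in FORBIDDEN})


# --- constructed sample class: header + constant pool + empty body ---
def _utf8(s): return b"\x01" + struct.pack(">H", len(s)) + s.encode()
def _class(name_idx): return b"\x07" + struct.pack(">H", name_idx)
def _nat(name_idx, desc_idx): return b"\x0c" + struct.pack(">HH", name_idx, desc_idx)
def _methodref(class_idx, nat_idx): return b"\x0a" + struct.pack(">HH", class_idx, nat_idx)


def build_sample_class() -> bytes:
    """Minimal class file referencing System.exit(int), Runtime.halt(int) and
    Object.toString(); it has no methods or code, which the scan never needs."""
    pool = [
        _utf8("java/lang/System"), _class(1),                                      # 1, 2
        _utf8("exit"), _utf8("(I)V"), _nat(3, 4), _methodref(2, 5),                # 3-6
        _utf8("java/lang/Runtime"), _class(7),                                     # 7, 8
        _utf8("halt"), _nat(9, 4), _methodref(8, 10),                              # 9-11
        _utf8("java/lang/Object"), _class(12),                                     # 12, 13
        _utf8("toString"), _utf8("()Ljava/lang/String;"), _nat(14, 15), _methodref(13, 16),  # 14-17
        _utf8("com/example/Activator"), _class(18),                                # 18, 19
    ]
    header = struct.pack(">IHHH", 0xCAFEBABE, 0, 50, len(pool) + 1)
    # access flags, this_class, super_class, then zero interfaces/fields/methods/attributes
    body = struct.pack(">HHHHHHH", 0x0021, 19, 13, 0, 0, 0, 0)
    return header + b"".join(pool) + body
```

A constant-pool hit means the class refers to the method, not that the call is reachable; walking the Code attributes for invoke instructions gives the precise answer, and calls made through reflection do not appear in the pool at all, so this scan is a filter to be combined with the runtime measures the deck mentions rather than a complete gate.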
demo
how it was done
• unjar
• parse the manifest
• retrieve the Activator / DS components bytes
• instrument the bytecode
• remove digital signature
• jar
=> used almost all of our basic services
bytecode instrumentation
before:
    class MyActivator implements BundleActivator {
        …
        public void start(BundleContext context) throws Exception {
            // method body
        }
        …
    }
after:
    class MyActivator implements BundleActivator {
        …
        // the original start(), kept under a new name
        public void renamed_start(BundleContext context) throws Exception {
            // method body
        }
        // the generated wrapper that becomes the activator's start()
        public void start(BundleContext context) throws Exception {
            … // get bundleName from manifest
            ThreadGroup tg = new ThreadGroup(bundleName + "_TGroup");
            ThreadGroup oldTg = Thread.currentThread().getThreadGroup();
            … // modify the thread group of the current thread
            renamed_start(context);
            … // restore the thread group
        }
    }
conclusion
• some tools for static analysis & transformation of bundles
• complete solution: static analysis + modified OSGi framework + modified JVM
• nice to have: a public repository with LOTs of bundles offering generic analysis services
thank you ! questions ?
    // generated start(): needs java.util.Dictionary and java.lang.reflect.Field
    public void start(final BundleContext context) throws Exception {
        // the bundle name is read from the manifest headers
        Dictionary manifProps = context.getBundle().getHeaders();
        String bundleName = manifProps.get("Bundle-Name").toString();
        ThreadGroup tg = new ThreadGroup(bundleName + "_ThreadGroup");
        ThreadGroup oldTg = Thread.currentThread().getThreadGroup();
        // Thread has no setter for its group: switch it through the private "group" field
        Field groupField = Thread.class.getDeclaredField("group");
        groupField.setAccessible(true);
        groupField.set(Thread.currentThread(), tg);
        // the original start(), renamed by the instrumentation; threads it creates inherit tg
        orange___start(context);
        groupField.set(Thread.currentThread(), oldTg);
        groupField.setAccessible(false);
    }