Software Security Models for Service-Oriented Programming (SOP) Platforms

Abstract:
Service-oriented programming (SOP) platforms are generic execution environments enforcing a proper architectural model for applications: software components communicate through well-defined interfaces, which eases the configuration and evolution of applications. These platforms take advantage of their networked environment to perform distributed functional tasks, but also to enhance their management and evolution capacity. They are involved in numerous contexts, from application servers to embedded health-care and automotive systems. The increased flexibility brought in by SOP platforms makes it possible to integrate components provided by different issuers during the design phase and even at runtime.
This trend nonetheless has a serious drawback. Few tools exist to assess the actual quality of the resulting systems, and none is available to guarantee that the selected components do not perform malicious actions. In applications such as e-Business systems or sensitive embedded systems, the intervention of attackers cannot be excluded.
Software Security Assurance provides methods for the development of secure applications, but focuses on monolithic systems. Its principle is the following: vulnerabilities should be identified and solved as early as possible in the life-cycle to avoid runtime abuses and to reduce patching costs. However, this approach is not well-suited to component applications: the development process is not controlled by the integrator. When the integration is performed at runtime, no human intervention is possible to evaluate the quality of the components.
We therefore propose to perform a security analysis of one prototypical SOP platform, the OSGi platform, and to provide protection mechanisms tailored to the identified requirements. The security analysis of the OSGi platform is performed with a dedicated method we define for security benchmarking, SPIP, the Spiral Process for Intrusion Prevention. It supports the assessment of vulnerabilities of the target system and of the protective power of associated security mechanisms. The output of the analysis is twofold: the vulnerabilities of the Java/OSGi platform, and the vulnerabilities of Java SOP components.
Several protection mechanisms are developed to prevent the exploitation of the identified vulnerabilities. They are implemented both in the platform itself and at the component level. Hardened OSGi is a set of recommendations for building more robust implementations of the OSGi platform. CBAC, Component-based Access Control, is an access control mechanism that verifies at install time that a component only performs the calls it is authorized to make. It intends to be more flexible than the Java security manager, to ensure that only policy-compliant components are installed, and to reduce the verification performance overhead as much as possible. WCA, Weak Component Analysis, is a tool for identifying exploitable vulnerabilities in SOP components according to the exposure of classes: shared objects (i.e. SOP services), shared classes, and component-internal classes are not plagued by the same types of vulnerabilities.
Our propositions are validated through their integration with a secure JVM dedicated to OSGi applications, the JnJVM. The resulting environment proves to have very encouraging security benchmarking results.
- Title: Software Security Models for Service-Oriented Programming (SOP) Platforms
- Translated title: 面向服务编程 (SOP) 平台的软件安全模型
- Language: English
- Year: 2008
- Pages: 220
- Size: 3.34 MB
- Download: Software Security Models for Service-Oriented Programming (SOP) Platforms.pdf
- Password: 65536
Last updated: 2025-04-12 23:58:12