Software Security Models for Service-Oriented Programming (SOP) Platforms
PhD thesis defense of Pierre Parrend, 9/12/2008
Equipe INRIA-Amazones, Laboratoire CITI, INSA-Lyon
Thesis directors: Stéphane Ubéda (Pr.), Stéphane Frénot (McF)
Jury
- Reviewers: Didier Donsez (Pr. Uni. Grenoble I), Ralf Reussner (Pr. Uni. Karlsruhe)
- Examiners: Ciaran Bryce (MER Uni Genève), Pierre-Etienne Moreau (CR INRIA)

[Context] The evolution of software
- Monolithic applications
- Component-based applications
- Service-oriented programming (SOP) applications
Challenges
- Management
- Integration
- Security
References: Yvan Royon, Environnements d'exécution pour passerelles domestiques, PhD thesis, December 2007. Noha Ibrahim, Spontaneous Integration of Services in Pervasive Environments, PhD thesis, September 2008.

[Context] Motivating example: Dynamic SOP applications
Figure (three numbered steps): a PDA runs a Java SOP platform hosting the 'MyContactList' component. 1. A WebCam is discovered; 2. the 'WebCamDriver' component is fetched from the component repository; 3. the 'WebCamDriver' component is loaded into the Java SOP platform installed on the PDA.
What happens if the WebCamDriver component is malware?

[Context] Service-oriented programming (SOP) platforms
- Examples: EJB 3.0, OSGi, Spring, Google Guice
Figure: an issuer publishes a component to the component repository; the SOP platform on the host discovers and deploys it. Interactions between components take place at the service level and at the class level.

[Context] Attack vectors against SOP platforms
- Example: the Java/OSGi platform
Figure: an issuer publishes components to the component repository; the host runs the OSGi platform, which is reachable through remote access and through the user interface. Attack vectors:
- Exploit component deployment (this work)
- Exploit application vulnerabilities
- Exploit SOP platform vulnerabilities
- Exploit OS vulnerabilities

[Context] Contributions
Figure: 1. the issuer signs the component (SF-Jarsigner); 2. the (possibly malicious) component is published to the component repository; 3.a the host loads it into a protection domain; 3.b the host checks it: digital signature, Hardened OSGi, CBAC and WCA. Legend: research contributions, implementation, enhancement, specification implementation.

Outline
- Security for Java-based software systems
- Contributions
- Conclusions

[Security for Java-based Software Systems] Building secure software systems: the software development life-cycle
- 'Software security assurance' (Goertzel et al., Software Security Assurance: a State-of-the-Art Report (SOAR), 2007)
- Monolithic view
- Systems are built from several mandatory and optional parts

[Security for Java-based Software Systems] Identification of suitable protection mechanisms
- Benefits/cost trade-off
- Cost estimation
  - Minimal when flaws are repaired early
  - Grows dramatically later in the life-cycle (Capers Jones, Applied software measurement: assuring productivity and quality, 1999)
- Components
  - Repair is only possible if the code is available
  - Detection otherwise

[Security for Java-based Software Systems] Java application security: the principles
- Type safety: objects only perform actions defined through their type
- Automated memory management: through garbage collection
- Executed code is not trusted: bytecode validation
- Isolation of components through class loaders: prevents naming conflicts between components
Limitations
- Security use case: execution of one malicious applet in the JVM
- Class loaders enforce namespace isolation only

[Security for Java-based Software Systems] The Java Security Manager
Figure: code by Bob and code by Alice run in the JVM, each in its own protection domain; the rights of each domain are defined in the Java policy file.
Policy file:

    keystore "file:/home/pierre/keystore.ks";

    grant signedBy "alice" {
        permission java.io.FilePermission "/opt/secret/secretKeys", "read";
        permission org.osgi.framework.PackagePermission "*", "export";
        permission org.osgi.framework.ServicePermission "*", "register";
    };

    grant signedBy "bob" {
        permission org.osgi.framework.ServicePermission "fr.inria.ares.testservice.MyService", "register";
        permission org.osgi.framework.PackagePermission "*", "export";
    };

OSGi: Conditional Permissions

[Security for Java-based Software Systems] Critics of Java permissions
- High performance overhead
  - 20 to 30 % runtime overhead
  - Causes the withdrawal of security in commercial applications
- Hard-coded definition of sensitive methods
  - New permissions for new code only
- Permission hell
  - Must be extracted for each configuration
  - Tedious manual process
- Runtime verification
  - Abort or execute dangerous calls
  - In mobile apps for instance, authorization depends on the user

Outline
- Security for Java-based software systems
- Contributions
  - Building a secure platform: the SPIP method
  - Enforcing security for components: CBAC, WCA
- Conclusions

[Building a secure Platform: The SPIP Method] The 'Spiral Process for Intrusion Prevention'
The problem
- Identification of security issues in complex systems
  - For each subsystem
  - Comparison of various implementations
- Evaluation of protection mechanisms
  - Security assessment
  - Comparison

[Building a secure Platform: The SPIP Method] The SPIP Method
Figure: the SPIP method.

[Building a secure Platform: The SPIP Method] Quantification of the security of a system: the 'Protection Rate'
- Security level of complex systems
  - Not a binary metric: a system is never free of vulnerabilities
- 'Percentage of the known vulnerabilities that are protected'
  - Against a reference system (here: an OSGi implementation with all known vulnerabilities)
- Based on the 'Attack Surface' metric (Measuring Relative Attack Surfaces, Howard, 2005)
- Enables to
  - Assess individual security mechanisms
  - Compare execution environments
Reference: Security Benchmarks of OSGi Platforms: Toward Hardened OSGi, Software: Practice and Experience, 2008.

[Building a secure Platform: The SPIP Method] Implementation for the OSGi platform
- Iteration 1: the Java/OSGi platform
- Iterations 2 to 4: propositions
  - Hardened OSGi
  - Component-based Access Control (CBAC)
  - Weak Component Analysis (WCA)
- Iteration 5: integration with the JnJVM, a secure JVM implementation for OSGi applications

[Building a secure Platform: The SPIP Method] Results: the vulnerability catalogs, 'Malicious Bundles'
Vulnerability categories by layer, with the number of catalog entries (#) where the slide states it:
- SOP component platform
  - Service layer: Service Binding; Local Access Control Management; Invalid Workflow (no control on service registration)
  - Module layer: Invalid Metadata (3); Fragments (3); Invalid Archive (3)
  - Life-cycle layer: Invalid Activator (2); Bundle Management (2); Proper removal (1)
- Language / JVM
  - API: Native Code execution (1); File Handling (1); Reflection (3); ClassLoader (3); No algorithm safety (7)
  - Runtime: Runtime stopping (2 methods); Thread management (4)
- Implementation (not considered): Optimization errors
Reference: Java Components Vulnerabilities - An Experimental Classification Targeted at the OSGi Platform, INRIA Research Report, 2007.

[Building a secure Platform: The SPIP Method] Results: the vulnerability catalogs, 'Vulnerable Bundles'
Vulnerability categories by component type:
- Objects (services): Flaws in parameter validation; Exposed Internal Representation; Synchronization
- Classes: Avoidable Calls to the Security Manager; Exposed Internal Representation
- Component (stand-alone): Serialization
Reference: More Vulnerabilities in the Java/OSGi Platform: a Focus on Bundle Interactions, INRIA Research Report, 2008.

[Building a secure Platform: The SPIP Method] Results: 'Protection Rate' for mainstream OSGi platforms

    Platform type                   # of protected vulns   # of identified vulns   Protection Rate
    Concierge                        0                     28                       0 %
    Felix                            1                     32                       3,1 %
    Knopflerfish                     1                     31                       3,2 %
    Equinox                          4                     31                      13 %
    Java Permissions                13                     32                      41 %
    Concierge with Permissions      10                     28                      36 %
    Felix with Permissions          14                     32                      44 %
    Knopflerfish with Permissions   14                     31                      44 %
    Equinox with Permissions        17                     31                      55 %

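Worked example, added here and not code from the thesis or its tools: the Protection Rate of the table above computed in Python from the table's own figures, together with the two uses named on the 'Protection Rate' slide, assessing an individual security mechanism (the gain of adding Java permissions to a platform, in percentage points) and comparing execution environments (a ranking). The dataclass and function names are this example's own, and rounding to one decimal is the example's choice.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class PlatformResult:
    """One row of the evaluation: a platform (or a platform plus a protection
    mechanism) assessed against the reference vulnerability catalog."""
    name: str
    protected: int    # vulnerabilities the platform protects against
    identified: int   # vulnerabilities of the catalog that apply to it

    def protection_rate(self) -> float:
        """Protection Rate: percentage of the known (identified) vulnerabilities
        that are protected. The catalog only holds the vulnerabilities known so
        far, so the metric is relative to that reference, never an absolute."""
        if self.identified <= 0:
            raise ValueError("the reference catalog must contain at least one vulnerability")
        if not 0 <= self.protected <= self.identified:
            raise ValueError("protected vulnerabilities must lie within the identified ones")
        return 100.0 * self.protected / self.identified


# Values transcribed from the slide 'Protection Rate for mainstream OSGi platforms'.
RESULTS: List[PlatformResult] = [
    PlatformResult("Concierge", 0, 28),
    PlatformResult("Felix", 1, 32),
    PlatformResult("Knopflerfish", 1, 31),
    PlatformResult("Equinox", 4, 31),
    PlatformResult("Java Permissions", 13, 32),
    PlatformResult("Concierge with Permissions", 10, 28),
    PlatformResult("Felix with Permissions", 14, 32),
    PlatformResult("Knopflerfish with Permissions", 14, 31),
    PlatformResult("Equinox with Permissions", 17, 31),
]


def protection_rates(results: Iterable[PlatformResult]) -> Dict[str, float]:
    """Protection Rate of every platform, in %, rounded to one decimal."""
    return {r.name: round(r.protection_rate(), 1) for r in results}


def mechanism_gain(results: Iterable[PlatformResult], without: str, with_mech: str) -> float:
    """Assess an individual security mechanism: Protection Rate gained (in
    percentage points) when it is added to an otherwise identical platform."""
    by_name = {r.name: r for r in results}
    return round(by_name[with_mech].protection_rate() - by_name[without].protection_rate(), 1)


def ranking(results: Iterable[PlatformResult]) -> List[Tuple[str, float]]:
    """Compare execution environments: platforms ordered from the best to the
    worst protected; ties keep the input order (sorted() is stable)."""
    rates = protection_rates(results)
    return sorted(rates.items(), key=lambda item: -item[1])


if __name__ == "__main__":
    for name, rate in ranking(RESULTS):
        print(f"{name:32s} {rate:5.1f} %")
    print("gain of permissions on Equinox:",
          mechanism_gain(RESULTS, "Equinox", "Equinox with Permissions"), "points")
```

The denominator is the number of identified vulnerabilities that apply to the platform (28 to 32 in the table), so each rate is relative to the reference catalog, as the slide states; the ranking therefore compares percentages of the applicable catalog, not absolute counts of protected vulnerabilities.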
[Building a secure Platform: The SPIP Method] Results: Hardened OSGi
- Introduce
  - Check the component size before download, and control the cumulated size of loaded components
  - Check the digital signature at install time
  - Launch the component activator in a separate thread
  - Limit the number of registered services
- Systematize
  - Do not reject harmless unnecessary metadata
  - Remove all component data from disk at uninstallation
- Protection Rate: 25 % for the 'Malicious Bundles' catalog entries
Figure: Hardened OSGi on the host.
Reference: Security Benchmarks of OSGi Platforms: Toward Hardened OSGi, Software: Practice and Experience, 2008.

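The Hardened OSGi checks listed above, as an added example in Python; this is not the Hardened OSGi implementation itself (a Java modification of an OSGi framework), but a model of its install gate: the declared size is checked before download together with the cumulated size of loaded components, the signature is verified at install time before any code runs, the number of registered services is bounded, the activator runs in a separate thread with a timeout, and the component's data is dropped at uninstallation. All thresholds, bundle names and the HMAC-based signature stand-in (in place of a real asymmetric JAR signature) are constructed for the example.

```python
import hashlib
import hmac
import threading
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Constructed stand-in for the issuer's signing key: a real platform verifies an asymmetric
# signature over the JAR; an HMAC keeps this example self-contained and offline.
ISSUER_KEY = b"constructed-demo-issuer-key"


def sign(payload: bytes, key: bytes = ISSUER_KEY) -> bytes:
    return hmac.new(key, payload, hashlib.sha256).digest()


@dataclass
class Bundle:
    name: str
    declared_kb: int                 # size announced by the repository, known before download
    payload: bytes                   # constructed stand-in for the JAR content
    signature: bytes
    services: List[str]              # services the bundle registers when started
    activator: Callable[[], object]  # stand-in for BundleActivator.start()


@dataclass
class HardenedFramework:
    """The install-time checks introduced by Hardened OSGi, modelled for this example."""
    max_bundle_kb: int = 512
    max_total_kb: int = 1024
    max_services: int = 4
    activator_timeout_s: float = 0.2
    loaded_kb: Dict[str, int] = field(default_factory=dict)
    registered: Dict[str, List[str]] = field(default_factory=dict)

    def check_size(self, b: Bundle) -> Optional[str]:
        """Check the size before download, then the cumulated size of loaded components."""
        if b.declared_kb > self.max_bundle_kb:
            return "rejected: component too large"
        if sum(self.loaded_kb.values()) + b.declared_kb > self.max_total_kb:
            return "rejected: cumulated size of loaded components exceeded"
        return None

    def check_signature(self, b: Bundle) -> Optional[str]:
        """Check the digital signature at install time, before any of the code runs."""
        if not hmac.compare_digest(sign(b.payload), b.signature):
            return "rejected: invalid digital signature"
        return None

    def check_services(self, b: Bundle) -> Optional[str]:
        """Limit the number of registered services (a flood would exhaust the registry)."""
        if len(b.services) > self.max_services:
            return "rejected: too many registered services"
        return None

    def start_activator(self, b: Bundle) -> str:
        """Launch the activator in a separate thread: a start() that never returns can no
        longer freeze the framework, which regains control after the timeout."""
        t = threading.Thread(target=b.activator, name=b.name, daemon=True)
        t.start()
        t.join(self.activator_timeout_s)
        return "activator still running" if t.is_alive() else "activator started"

    def install(self, b: Bundle) -> str:
        for check in (self.check_size, self.check_signature, self.check_services):
            error = check(b)
            if error:
                return error
        self.loaded_kb[b.name] = b.declared_kb
        self.registered[b.name] = list(b.services)
        return "installed, " + self.start_activator(b)

    def uninstall(self, name: str) -> bool:
        """Remove all component data at uninstallation (here: size accounting, services)."""
        if name not in self.loaded_kb:
            return False
        del self.loaded_kb[name]
        self.registered.pop(name, None)
        return True


def demo() -> Dict[str, object]:
    """Constructed scenario: well-behaved bundles and several problematic ones."""
    fw = HardenedFramework()
    stall = threading.Event()           # the 'hanging' activator blocks on this event
    jar = b"constructed bundle bytes"
    bundles = [
        Bundle("contacts", 100, jar, sign(jar), ["ContactList"], lambda: None),
        Bundle("huge", 4096, jar, sign(jar), [], lambda: None),
        Bundle("big-a", 500, jar, sign(jar), [], lambda: None),
        Bundle("big-b", 500, jar, sign(jar), [], lambda: None),
        Bundle("tampered", 100, jar, sign(b"different bytes"), [], lambda: None),
        Bundle("flooder", 100, jar, sign(jar), [f"Svc{i}" for i in range(10)], lambda: None),
        Bundle("hanging", 100, jar, sign(jar), [], stall.wait),
    ]
    results: Dict[str, object] = {b.name: fw.install(b) for b in bundles}
    results["uninstall hanging"] = fw.uninstall("hanging")
    results["loaded kb"] = sum(fw.loaded_kb.values())
    stall.set()                         # release the blocked activator thread
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:20s} {outcome}")
```

The order of the checks matters: the size check uses only the metadata announced by the repository, so an oversized component is refused before a single byte is downloaded, and the signature is verified before the activator (the first code of the component that executes) is ever started.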
Outline
- Security for Java-based software systems
- Contributions
  - Building a secure platform: the SPIP method
  - Enforcing security for components: CBAC, WCA
- Conclusions

[Enforcing Security for Components: CBAC, WCA] The problem
- Security issues with components
  - Maliciousness
  - Vulnerability
- Installing secure components
  - Bytecode analysis only

[Enforcing Security for Components: CBAC, WCA] Definition of tools in the SPIP method
Figure: definition of tools in the SPIP method.

[Enforcing Security for Components: CBAC, WCA] The CBAC model: principles
- Component-based Access Control (Component-based Access Control: Secure Software Composition through Static Analysis, Software Composition, 2008)
- Goal: prevent issues from the 'Malicious Bundles' catalog
- Principles
  - Install-time analysis of the execution rights of components
    - Sensitive calls must be explicitly granted
    - Take composition into account
  - Intended as an alternative to Java permissions
- Hypotheses
  - The component platform is not modified
  - Each component contains a valid digital signature
Figure: CBAC deployed on the host, next to the OSGi platform.

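The CBAC principles above, as an added example in Python; the real CBAC works on Java bytecode at install time, and this code only models the decision once the facts (signer, invoked methods, imported components) have been extracted. Sensitive calls must be explicitly granted to the component's signer; composition is taken into account by also attributing to a component the sensitive calls made by the components it imports (this transitive rule is the example's own reading of 'take composition into account'); an unsigned component is rejected outright, per the second hypothesis. The sensitive-method list, signer names, component names and policy are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed subset of sensitive methods ('class.method' as found in the bytecode constant
# pool); CBAC lets arbitrary methods and meta-data be declared sensitive in the policy.
SENSITIVE_METHODS: Set[str] = {
    "java/lang/Runtime.exec",
    "java/lang/System.loadLibrary",
    "java/lang/System.exit",
    "java/io/File.delete",
    "java/lang/Thread.stop",
    "java/lang/reflect/Method.invoke",
}


@dataclass
class Component:
    """Facts extracted from a bundle at install time: who signed it, which methods its
    bytecode invokes, and which installed components' exported code it uses."""
    name: str
    signer: Optional[str]          # None: missing or invalid digital signature
    calls: Set[str]
    imports: Set[str] = field(default_factory=set)


@dataclass
class CbacPolicy:
    """Sensitive methods explicitly granted to each signer ('*' grants all of them)."""
    grants: Dict[str, Set[str]]

    def allows(self, signer: str, method: str) -> bool:
        granted = self.grants.get(signer, set())
        return "*" in granted or method in granted


def reachable_sensitive_calls(component: Component, installed: Dict[str, Component],
                              seen: Optional[Set[str]] = None) -> Dict[str, str]:
    """Sensitive methods the component can trigger, directly or through the components it
    imports (composition); maps each method to the component whose code invokes it."""
    seen = seen if seen is not None else set()
    seen.add(component.name)
    found = {m: component.name for m in component.calls & SENSITIVE_METHODS}
    for dep_name in sorted(component.imports):
        dep = installed.get(dep_name)
        if dep is None or dep.name in seen:   # unresolved import or dependency cycle
            continue
        for method, origin in reachable_sensitive_calls(dep, installed, seen).items():
            found.setdefault(method, origin)   # a direct call is reported before an indirect one
    return found


def check_install(component: Component, policy: CbacPolicy,
                  installed: Dict[str, Component]) -> Tuple[str, List[str]]:
    """Install-time decision: ('installed', []) or ('rejected', reasons)."""
    if component.signer is None:
        return "rejected", ["no valid digital signature"]
    unresolved = sorted(component.imports - set(installed))
    if unresolved:
        return "rejected", [f"unresolved import: {dep}" for dep in unresolved]
    reasons = [
        f"{method} (called by {origin}) not granted to signer {component.signer}"
        for method, origin in sorted(reachable_sensitive_calls(component, installed).items())
        if not policy.allows(component.signer, method)
    ]
    return ("rejected", reasons) if reasons else ("installed", [])


def demo() -> Dict[str, Tuple[str, List[str]]]:
    """Constructed scenario: a policy, one installed helper component and five candidates."""
    policy = CbacPolicy({
        "alice": {"java/io/File.delete"},
        "bob": {"java/lang/System.loadLibrary"},
        "carol": set(),
    })
    installed = {
        "log-helper": Component("log-helper", "alice",
                                {"java/io/File.delete", "java/lang/String.format"}),
    }
    candidates = [
        # native webcam driver: loads a library, which bob is explicitly granted
        Component("webcam-driver", "bob", {"java/lang/System.loadLibrary", "java/util/List.add"}),
        # spawns a process: not granted to bob
        Component("rogue-driver", "bob", {"java/lang/Runtime.exec"}),
        # no sensitive call of its own, but composes with log-helper, which deletes files
        Component("contact-list", "carol", {"java/lang/String.format"}, {"log-helper"}),
        Component("unsigned", None, set()),
        Component("dangling", "alice", set(), {"missing-helper"}),
    ]
    return {c.name: check_install(c, policy, installed) for c in candidates}


if __name__ == "__main__":
    for name, (decision, reasons) in demo().items():
        print(name, decision, "; ".join(reasons))
```

'contact-list' is refused although its own code never deletes a file: the sensitive call is only reachable through the helper it composes with. That is the false positive the benefits slide accepts in exchange for having no runtime check and no application interruption.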
[Enforcing Security for Components: CBAC, WCA] The CBAC model: definition
Figure: definition of the CBAC model.

[Enforcing Security for Components: CBAC, WCA] The CBAC model: performances
Chart: time (ms, 0 to 2500) of the 'CBAC check' compared with the 'signature check only', as a function of the component size (KBytes, from 5,51 to 356,76 KB).

[Enforcing Security for Components: CBAC, WCA] The CBAC model: benefits and limitations
- Benefits
  - No runtime overhead, reduced install-time overhead
  - No application interruption, at the cost of false positives
  - No misleading pop-up windows
  - Arbitrary methods and meta-data can be set as sensitive
    - Enables protection against vulnerabilities that are discovered after design
  - Protection Rate: 50 % for the 'Malicious Bundles' catalog entries
- Limitations
  - Policies must be defined in advance

[Enforcing Security for Components: CBAC, WCA] The WCA approach: principles
- Weak Component Analysis (Enhancing Automated Detection of Vulnerabilities in Java Components, International Conference on Availability, Reliability and Security (AReS 2009))
- Goal: prevent issues from the 'Vulnerable Bundles' catalog
- Principles
  - Vulnerability identification through static analysis
    - In exposed code only
    - Through the code meta-model
    - Matching with 'vulnerability patterns'
  - Development-time and install-time use
    - XML version for flexibility
    - Hardcoded version for performance
Figure: WCA deployed on the host, next to the OSGi platform.

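The WCA principles above, as an added example in Python; WCA itself is a Java tool that works on bytecode through a code meta-model, and this code models its matching step: a small meta-model of classes, fields and methods, vulnerability patterns expressed as data in the spirit of the XML version, matching restricted to exposed code, and the 'report' versus 'reject' modes named on the performance slide. The three patterns cover three categories of the 'Vulnerable Bundles' catalog; their structural criteria, the flags of the meta-model and the class and method names are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class JField:
    name: str
    private: bool
    mutable: bool          # arrays and collections can be altered through a leaked reference


@dataclass
class JMethod:
    name: str
    public: bool
    returns_field: Optional[str] = None                        # field whose reference is returned
    unchecked_params: Set[str] = field(default_factory=set)    # parameters stored unvalidated
    writes_fields: Set[str] = field(default_factory=set)
    synchronized: bool = False


@dataclass
class JClass:
    name: str
    exposed: bool          # exported package or registered service: reachable by other bundles
    fields: List[JField]
    methods: List[JMethod]

    def field_named(self, name: str) -> Optional[JField]:
        return next((f for f in self.fields if f.name == name), None)


def method_facts(cls: JClass, m: JMethod) -> Dict[str, bool]:
    """Structural facts about one method, derived from the code meta-model."""
    leaked = cls.field_named(m.returns_field) if m.returns_field else None
    return {
        "public": m.public,
        "returns_private_mutable_field": bool(leaked and leaked.private and leaked.mutable),
        "stores_unchecked_parameter": bool(m.unchecked_params),
        "unsynchronized_field_write": bool(m.writes_fields) and not m.synchronized,
    }


# Vulnerability patterns as data (the role of WCA's XML version): a pattern matches a method
# when every listed fact holds. The categories come from the 'Vulnerable Bundles' catalog.
PATTERNS: List[dict] = [
    {"category": "Exposed Internal Representation",
     "requires": {"public": True, "returns_private_mutable_field": True}},
    {"category": "Flaws in parameter validation",
     "requires": {"public": True, "stores_unchecked_parameter": True}},
    {"category": "Synchronization",
     "requires": {"public": True, "unsynchronized_field_write": True}},
]


@dataclass(frozen=True)
class Finding:
    cls: str
    method: str
    category: str


def analyse(classes: List[JClass], patterns: List[dict] = PATTERNS) -> List[Finding]:
    """Match the patterns against exposed code only: a flaw in a class that other bundles
    cannot reach is not exploitable by them, so it is not reported."""
    findings: List[Finding] = []
    for cls in classes:
        if not cls.exposed:
            continue
        for m in cls.methods:
            facts = method_facts(cls, m)
            for p in patterns:
                if all(facts.get(k) == v for k, v in p["requires"].items()):
                    findings.append(Finding(cls.name, m.name, p["category"]))
    return findings


def install_decision(classes: List[JClass], mode: str = "reject") -> str:
    """'report' mode lists the findings and lets the bundle in; 'reject' mode refuses it."""
    findings = analyse(classes)
    if findings and mode == "reject":
        return "rejected: " + ", ".join(f"{f.cls}.{f.method} ({f.category})" for f in findings)
    return "installed"


def sample_bundle() -> List[JClass]:
    """Constructed bundle: an exposed service class with three flaws, and an internal class
    with the very same flaws that no other bundle can reach."""
    contacts = JField("contacts", private=True, mutable=True)
    owner = JField("owner", private=True, mutable=False)
    methods = [
        JMethod("getContacts", public=True, returns_field="contacts"),
        JMethod("setOwner", public=True, unchecked_params={"owner"},
                writes_fields={"owner"}, synchronized=True),
        JMethod("add", public=True, writes_fields={"contacts"}),
        JMethod("size", public=True),
        JMethod("rawContacts", public=False, returns_field="contacts"),
    ]
    return [
        JClass("ContactStore", exposed=True, fields=[contacts, owner], methods=methods),
        JClass("InternalCache", exposed=False, fields=[contacts, owner], methods=list(methods)),
    ]


if __name__ == "__main__":
    print(install_decision(sample_bundle()))
```

Because the patterns are plain data, adding a category means adding a dictionary, not code; this is the flexibility the XML version buys, while a hardcoded version would fold the same criteria into functions.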
[Enforcing Security for Components: CBAC, WCA] The WCA approach: performances
Chart: time (ms, 0 to 1200) of three WCA configurations ('Hardcoded, reject, check'; 'Hardcoded, report, check'; 'XML, report, check') as a function of the bundle size (KBytes, from 4,28 to 713,6 KB).

[Enforcing Security for Components: CBAC, WCA] The WCA approach: benefits and limitations
- Benefits
  - Identification of exploitable vulnerabilities in Java components
  - According to the exposition of the code
  - Principally easy to extend
  - Development-time and runtime use
  - Protection Rate: 36 % for the 'Vulnerable Bundles' catalog entries
- Limitations of the implementation
  - The hardcoded version is slower
  - Only structural patterns are supported so far
  - Limited flexibility of the definition of patterns

Outline
- Security for Java-based software systems
- Contributions
- Conclusions

[Conclusions] Development overview
Figure: 1. sign (SF-Jarsigner); 2. publish the (possibly malicious) component to the component repository; 3.a load it into a protection domain; 3.b check it on the host (digital signature, Hardened OSGi, CBAC, WCA). Legend: research contributions, implementation, enhancement, specification implementation.

    Tool                   Lines of code
    Digital Signature        330
    SF-JarSigner             557
    Malicious Components     155 bundles
    Hardened OSGi            224
    CBAC                     577
    WCA                     2026

[Conclusions] Evaluation of the proposed solutions
- SPIP
  - Promising methodology for security analysis
  - Requires
    - Validation on further systems
    - Support for cost estimation
- Tools for secure component-based applications (CBAC, WCA)
  - Refined static analysis approach
  - Only a subset of best practices are enforced so far
  - Need of actual isolation between the bundles
  - Consider further attack vectors

[Conclusions] Who can benefit from this work?

    Role                    Focus on                System entity   Life-cycle activity                                             Our propositions
    Platform developer      Execution environment   Platform        Platform design and coding; security analysis for the platform  Hardened OSGi
    Application architect   Architecture            Components      Application design; security analysis for all                  CBAC
    Application developer   Components              Components      Application coding; security analysis for the components       WCA

(The slide also lists integration among the life-cycle activities.)

[Conclusions] Open challenges
- Resource isolation
  - First solution: integration with the JnJVM
- Development for industrial use of the OSGi platform
  - Specifications
  - Life-cycle support for bundles
  - Management
  - Critical applications: strong isolation between applications
  - Multi-user applications: strong access control mechanism

Questions?

References
- Karen M. Goertzel, Theodore Winograd, Holly L. McKinley, Lyndon Oh, Michael Colon, Thomas McGibbon, Elaine Fedchak, and Robert Vienneau. Software Security Assurance: a State-of-the-Art Report (SOAR). Information Assurance Technology Analysis Center (IATAC) and Data and Analysis Center for Software (DACS), July 2007.
- Michael Howard, Jon Pincus, and Jeannette M. Wing. Computer Security in the 21st Century, chapter Measuring Relative Attack Surfaces, pages 109–137. Springer, March 2005.
- Capers Jones. Applied software measurement: assuring productivity and quality. McGraw-Hill, Inc., New York, NY, USA, 1999.
- Yvan Royon. Environnements d'exécution pour passerelles domestiques. PhD thesis, INSA-Lyon, December 2007.
- Noha Ibrahim. Spontaneous Integration of Services in Pervasive Environments. PhD thesis, INSA-Lyon, September 2008.

Selected publications
Journal article
- Security Benchmarks of OSGi Platforms: Toward Hardened OSGi. Pierre Parrend, Stéphane Frénot. Software: Practice and Experience, accepted for publication (September 2008).
International conferences, industrial conferences
- Enhancing Automated Detection of Vulnerabilities in Java Components. Pierre Parrend. Fourth International Conference on Availability, Reliability and Security (AReS 2009), Fukuoka, Japan, 16-19 March 2009.
- Classification of Component Vulnerabilities in Java Service Oriented Programming (SOP) Platforms. Pierre Parrend, Stéphane Frénot. Conference on Component-based Software Engineering, Karlsruhe, Germany, 14-17 October 2008.
- Component-based Access Control: Secure Software Composition through Static Analysis. Pierre Parrend, Stéphane Frénot. Software Composition, Budapest, Hungary, 29-30 March 2008.
- Multi-service, Multi-protocol Management for Residential Gateways (Home Network Management). Y. Royon, P. Parrend, S. Frénot, S. Papastefanos, H. Abdelnur, D. Van de Poel. BB Europe, Antwerp, December 3-6, 2007.
Research reports
- More Vulnerabilities in the Java/OSGi Platform: a Focus on Bundle Interactions. Pierre Parrend, Stéphane Frénot. INRIA Research Report n°6649, September 2008.
- Java Components Vulnerabilities - An Experimental Classification Targeted at the OSGi Platform. Pierre Parrend, Stéphane Frénot. INRIA Research Report n°6231, June 2007.