Slide 1: Software Security Models for Service-Oriented Programming (SOP) Platforms

PhD thesis defense of Pierre Parrend
INRIA Amazones team, CITI laboratory, INSA-Lyon

Thesis advisors: Stéphane Ubéda (Pr.), Stéphane Frénot (McF)

Jury
- Reviewers: Didier Donsez (Pr., Uni. Grenoble I), Ralf Reussner (Pr., Uni. Karlsruhe)
- Examiners: Ciaran Bryce (MER, Uni. Genève), Pierre-Etienne Moreau (CR, INRIA)

Slide 2: Context

- The evolution of software: monolithic applications, then component-based applications, then service-oriented programming (SOP) applications
- Challenges: management, integration, security
- References: Yvan Royon, Environnements d'exécution pour passerelles domestiques (Execution environments for home gateways), PhD thesis, December 2007; Noha Ibrahim, Spontaneous Integration of Services in Pervasive Environments, PhD thesis, September 2008

Footer on every slide: 9/12/2008, Software Security Models for SOP Platforms

Slide 3: Context: motivating example, dynamic SOP applications

[Figure: a PDA runs a Java SOP platform (installed on the PDA) on which the 'MyContactList' component is already present. Steps 1 to 3 show the 'WebCamDriver' component being fetched from the component repository, installed on the platform, and then accessing the WebCam.]

What happens if the WebCamDriver component is malware?

Slide 4: Context: service-oriented programming (SOP) platforms

- Examples: EJB 3.0, OSGi, Spring, Google Guice
- [Figure: an Issuer publishes components to a Component Repository; the SOP Platform on the Host discovers and deploys them. Components interact at the service level and at the class level.]

Slide 5: Context: attack vectors against SOP platforms

- Example: the Java/OSGi platform
- [Figure: Issuer, Component Repository and the OSGi Platform on the Host, with Remote Access and the User Interface as entry points. Attack vectors: exploit component deployment; exploit application vulnerabilities; exploit SOP platform vulnerabilities; exploit OS vulnerabilities. The label 'This work' marks the vectors addressed by the thesis.]

Slide 6: Context: contributions

[Figure: 1. sign (SF-Jarsigner, Digital Signature); 2. publish to the Component Repository; 3.a load into a Protection Domain on the Host; 3.b check (Hardened OSGi, CBAC, WCA); a Malicious Component is the threat. Legend: Research Contributions, Implementation, Enhancement, Specification Implementation.]

Slide 7: Outline

- Security for Java-based software systems
- Contributions
- Conclusions

Slide 8: Security for Java-based software systems: building secure software systems

- The software development life-cycle: 'software security assurance' (Goertzel et al., Software Security Assurance: a State-of-the-Art Report (SOAR), 2007)
- Monolithic view
- Systems are built from several mandatory and optional parts

Slide 9: Security for Java-based software systems: identification of suitable protection mechanisms

- Benefits/cost trade-off
- Cost estimation: minimal when flaws are repaired early; grows dramatically later in the life-cycle (Capers Jones, Applied Software Measurement: Assuring Productivity and Quality, 1999)
- Components: repair is only possible if the code is available; detection otherwise

Slide 10: Security for Java-based software systems: Java application security, the principles

- Type safety: objects only perform actions defined through their type
- Automated memory management: through garbage collection
- Bytecode validation: executed code is not trusted
- Isolation of components through class loaders: prevents naming conflicts between components
- Limitations:
  - Security use case: execution of one malicious applet in the JVM
  - Class loaders enforce namespace isolation only

Slide 11: Security for Java-based software systems: the Java Security Manager

[Figure: inside the JVM, code by Alice and code by Bob each run in their own Protection Domain, whose rights come from the Java policy file.]

Java policy file:

    keystore "file:/home/pierre/keystore.ks";

    grant signedBy "alice" {
        permission java.io.FilePermission "/opt/secret/secretKeys", "read";
        permission org.osgi.framework.PackagePermission "*", "export";
        permission org.osgi.framework.ServicePermission "*", "register";
    };

    grant signedBy "bob" {
        permission org.osgi.framework.ServicePermission "fr.inria.ares.testservice.MyService", "register";
        permission org.osgi.framework.PackagePermission "*", "export";
    };

- OSGi: Conditional Permissions

Slide 12: Security for Java-based software systems: criticisms of Java permissions

- High performance overhead: 20 to 30 % runtime overhead; causes the withdrawal of security in commercial applications
- Hard-coded definition of sensitive methods: new permissions for new code only
- Permission hell: permissions must be extracted for each configuration; tedious manual process
- Runtime verification: abort or execute dangerous calls; in mobile apps, for instance, authorization depends on the user

Slide 13: Outline

- Security for Java-based software systems
- Contributions
  - Building a secure platform: the SPIP method
  - Enforcing security for components: CBAC, WCA
- Conclusions

Slide 14: Building a secure platform: the SPIP method

- The 'Spiral Process for Intrusion Prevention'
- The problem:
  - Identification of security issues in complex systems: for each subsystem; comparison of various implementations
  - Evaluation of protection mechanisms: security assessment; comparison

Slide 15: Building a secure platform: the SPIP method

[Figure: the SPIP method]

Slide 16: Building a secure platform: the SPIP method: quantification of the security of a system, the 'Protection Rate'

- Security level of complex systems: not a binary metric, since a system is never free of vulnerabilities
- 'Percentage of the known vulnerabilities that are protected', measured against a reference system (here: an OSGi implementation with all known vulnerabilities)
- Based on the 'Attack Surface' metric (Measuring Relative Attack Surfaces, Howard, 2005)
- Enables to: assess individual security mechanisms; compare execution environments
- Security Benchmarks of OSGi Platforms: Toward Hardened OSGi, Software: Practice and Experience, 2008

Slide 17: Building a secure platform: the SPIP method: implementation for the OSGi platform

- Iteration 1: the Java/OSGi platform
- Iterations 2 to 4: propositions
  - Hardened OSGi
  - Component-based Access Control (CBAC)
  - Weak Component Analysis (WCA)
- Iteration 5: integration with the JnJVM, a secure JVM implementation for OSGi applications

Slide 18: Building a secure platform: the SPIP method: results, the vulnerability catalogs ('Malicious Bundles')

Layer | Vulnerability Category | #
SOP Component Platform, Service Layer | Service Binding; Local Access Control Management; Invalid Workflow; No control on service registration | 2, 1 (the per-category split is not recoverable from the slide)
SOP Component Platform, Module Layer | Invalid Metadata | 3
SOP Component Platform, Module Layer | Fragments | 3
SOP Component Platform, Life-Cycle Layer | Invalid Archive | 3
SOP Component Platform, Life-Cycle Layer | Invalid Activator | 2
SOP Component Platform, Life-Cycle Layer | Bundle Management | 2
SOP Component Platform, Life-Cycle Layer | Proper removal | 1
JVM, Language and API | Native Code execution | 1
JVM, Language and API | File Handling | 1
JVM, Language and API | Reflection | 3
JVM, Language and API | ClassLoader | 3
JVM, Language and API | No algorithm safety | 7
JVM, Runtime | Runtime stopping methods | 2
JVM, Runtime | Thread management | 4
JVM, Runtime | Optimization errors | (not considered)

Java Components Vulnerabilities: An Experimental Classification Targeted at the OSGi Platform, INRIA Research Report, 2007.

Slide 19: Building a secure platform: the SPIP method: results, the vulnerability catalogs ('Vulnerable Bundles')

Vulnerability Category | #
Objects (Services): Flaws in parameter validation | 6
Objects (Services): Exposed Internal Representation | 2
Objects (Services): Synchronization | 4
Classes: Avoidable Calls to the Security Manager | 9
Classes: StandAlone | 10
Component: Exposed Internal Representation | 1
Component: Serialization | (count not recoverable from the slide)

More Vulnerabilities in the Java/OSGi Platform: a Focus on Bundle Interactions, INRIA Research Report, 2008.

Slide 20: Building a secure platform: the SPIP method: results, 'Protection Rate' for mainstream OSGi platforms

Platform Type | # of protected Vulns | # of identified Vulns | Protection Rate
Concierge | 0 | 28 | 0 %
Felix | 1 | 32 | 3.1 %
Knopflerfish | 1 | 31 | 3.2 %
Equinox | 4 | 31 | 13 %
Java Permissions | 13 | 32 | 41 %
Concierge with Permissions | 10 | 28 | 36 %
Felix with Permissions | 14 | 32 | 44 %
Knopflerfish with Permissions | 14 | 31 | 44 %
Equinox with Permissions | 17 | 31 | 55 %

Slide 21: Building a secure platform: the SPIP method: results, Hardened OSGi

- Protections introduced or systematized (the slide groups them under 'Introduce' and 'Systematize'):
  - Check component size before download, and control the cumulated size of loaded components
  - Check the digital signature at install time
  - Launch the component activator in a separate thread
  - Limit the number of registered services
  - Do not reject harmless unnecessary metadata
  - Remove all component data from disk at uninstallation
- Protection Rate: 25 % for the 'Malicious Bundles' catalog entries
- Security Benchmarks of OSGi Platforms: Toward Hardened OSGi, Software: Practice and Experience, 2008

[Figure: Hardened OSGi on the Host]


Slide 23: Enforcing security for components: CBAC, WCA: the problem

- Security issues with components: maliciousness; vulnerability
- Installing secure components: bytecode analysis only

Slide 24: Enforcing security for components: CBAC, WCA: definition of tools in the SPIP method

[Figure: definition of tools in the SPIP method]

Slide 25: Enforcing security for components: CBAC, WCA: the CBAC model, principles

- Component-based Access Control
- Goal: prevent issues from the 'Malicious Bundles' catalog (Component-based Access Control: Secure Software Composition through Static Analysis, Software Composition, 2008)
- Principles:
  - Install-time analysis of the execution rights of components: sensitive calls must be explicitly granted; take composition into account
  - Intends to be an alternative to Java permissions
- Hypotheses:
  - The component platform is not modified
  - Each component contains a valid digital signature

[Figure: CBAC sits between the OSGi Platform and the Host]
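A CBAC-style install-time check, as an added example and not the thesis' own CBAC implementation: it parses the constant pool of a Java class file to list the methods the component can invoke, and reports any sensitive call that the policy does not grant to the component's signer, so the platform can refuse the installation before any code runs. The sensitive-method list, the policy format and the sample class file are constructed for this example; the signature is assumed to have been verified already (the CBAC hypothesis above).

```python
import struct

# Sensitive calls a CBAC-style installer requires an explicit grant for (constructed
# list; categories echo the 'Malicious Bundles' catalog: runtime stopping, reflection...).
SENSITIVE = {"java/lang/System.exit", "java/lang/Runtime.exec",
             "java/lang/reflect/Method.invoke", "java/io/File.delete"}

def method_refs(class_bytes):
    """Set of 'owner.method' for every Methodref/InterfaceMethodref in the
    constant pool: the pool lists every method the class could ever invoke."""
    if class_bytes[:4] != b"\xca\xfe\xba\xbe":
        raise ValueError("not a Java class file")
    count, = struct.unpack(">H", class_bytes[8:10])   # constant_pool_count
    pool, pos, i = {}, 10, 1
    while i < count:
        tag = class_bytes[pos]
        if tag == 1:                    # CONSTANT_Utf8: u2 length + bytes
            n, = struct.unpack(">H", class_bytes[pos + 1:pos + 3])
            pool[i] = (tag, class_bytes[pos + 3:pos + 3 + n].decode("utf-8"))
            pos += 3 + n
        elif tag in (7, 8):             # Class, String: one u2 index
            pool[i] = (tag,) + struct.unpack(">H", class_bytes[pos + 1:pos + 3])
            pos += 3
        elif tag in (9, 10, 11, 12):    # Fieldref, Methodref, IMethodref, NameAndType
            pool[i] = (tag,) + struct.unpack(">HH", class_bytes[pos + 1:pos + 5])
            pos += 5
        elif tag in (3, 4):             # Integer, Float: 4 payload bytes
            pos += 5
        elif tag in (5, 6):             # Long, Double: 8 bytes and two pool slots
            pos, i = pos + 9, i + 1
        else:
            raise ValueError("unsupported constant pool tag %d" % tag)
        i += 1
    refs = set()
    for entry in pool.values():
        if entry[0] in (10, 11):
            owner = pool[pool[entry[1]][1]][1]   # Class -> Utf8 class name
            name = pool[pool[entry[2]][1]][1]    # NameAndType -> Utf8 method name
            refs.add(owner + "." + name)
    return refs

def cbac_check(signer, class_bytes, policy):
    """Sensitive calls the signer is not granted; an empty list means installable."""
    return sorted((method_refs(class_bytes) & SENSITIVE) - policy.get(signer, set()))

# Constructed sample class file: only its constant pool matters here (entries 1..12,
# so constant_pool_count is 13); it references Runtime.exec and PrintStream.println.
def _utf8(s):
    return b"\x01" + struct.pack(">H", len(s)) + s.encode("ascii")
def _idx(tag, *indexes):
    return bytes([tag]) + struct.pack(">%dH" % len(indexes), *indexes)
SAMPLE_CLASS = (b"\xca\xfe\xba\xbe" + struct.pack(">HHH", 0, 49, 13)
                + _utf8("java/lang/Runtime") + _idx(7, 1) + _utf8("exec")
                + _utf8("(Ljava/lang/String;)Ljava/lang/Process;") + _idx(12, 3, 4)
                + _idx(10, 2, 5) + _utf8("java/io/PrintStream") + _idx(7, 7)
                + _utf8("println") + _utf8("(Ljava/lang/String;)V")
                + _idx(12, 9, 10) + _idx(10, 8, 11))
# Policy keyed by signer, as 'grant signedBy' is in a Java policy file (assumed format).
POLICY = {"alice": {"java/lang/Runtime.exec"}, "bob": set()}
```

With this policy the sample component is installable when signed by alice and rejected when signed by bob or by an unknown signer, because Runtime.exec is referenced but not granted.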

Slide 26: Enforcing security for components: CBAC, WCA: the CBAC model, definition

[Figure: definition of the CBAC model]

Slide 27: Enforcing security for components: CBAC, WCA: the CBAC model, performances

[Chart: time (ms, 0 to 2500) against component size (KBytes, from 5.51 to 356.76) for two series, CBAC Check Only and Signature Check.]

Slide 28: Enforcing security for components: CBAC, WCA: the CBAC model, benefits and limitations

- Benefits:
  - No runtime overhead, reduced install-time overhead
  - No application interruption, at the cost of false positives
  - No misleading pop-up windows
  - Arbitrary methods and meta-data can be set as sensitive, which enables protection against vulnerabilities discovered after design
  - Protection Rate: 50 % for the 'Malicious Bundles' catalog entries
- Limitations: policies must be defined in advance

Slide 29: Enforcing security for components: CBAC, WCA: the WCA approach, principles

- Weak Component Analysis
- Goal: prevent issues from the 'Vulnerable Bundles' catalog (Enhancing Automated Detection of Vulnerabilities in Java Components, International Conference on Availability, Reliability and Security (AReS 2009))
- Principles: vulnerability identification through static analysis
  - In exposed code only
  - Through the code meta-model
  - Matching with 'vulnerability patterns': XML version for flexibility; hardcoded version for performance
  - Development-time and install-time use

[Figure: WCA sits between the OSGi Platform and the Host]

Slide 30: Enforcing security for components: CBAC, WCA: the WCA approach, performances

[Chart: time (ms, 0 to 1200) against bundle size (KBytes, from 4.28 to 713.6) for three series: Hardcoded / Reject / check, Hardcoded / Report / check, XML / Report / check.]

Slide 31: Enforcing security for components: CBAC, WCA: the WCA approach, benefits and limitations

- Benefits:
  - Identification of exploitable vulnerabilities in Java components, according to the exposure of the code
  - In principle easy to extend
  - Development-time and runtime use
  - Protection Rate: 36 % for the 'Vulnerable Bundles' catalog entries
- Limitations of the implementation:
  - The hardcoded version is slower
  - Only structural patterns are supported so far
  - Limited flexibility of the definition of patterns


Slide 33: Conclusions: development overview

[Figure: the contributions diagram of slide 6 (1. sign, 2. publish, 3.a load, 3.b check; SF-Jarsigner, Digital Signature, Protection Domain, Hardened OSGi, CBAC, WCA).]

Tool | Lines of code
Digital Signature | 330
SF-JarSigner | 557
Malicious Components | 155 bundles
Hardened OSGi | 224
CBAC | 577
WCA | 2026

Slide 34: Conclusions: evaluation of the proposed solutions

- SPIP: promising methodology for security analysis; requires validation on further systems and support for cost estimation
- Tools for secure component-based applications (CBAC, WCA):
  - Refined static analysis approach
  - Only a subset of best practices are enforced so far
  - Need for actual isolation between the bundles
  - Consider further attack vectors

Slide 35: Conclusions: who can benefit from this work?

Role | Focus on | System entity | Life-cycle activity | Our proposition
Platform developer | Execution environment | Platform | Platform design and coding; security analysis for the platform | Hardened OSGi
Application architect | Architecture | Components | Application design; integration; security analysis for all | CBAC
Application developer | Components | Components | Application coding; security analysis for the components | WCA

Slide 36: Conclusions: open challenges

- Resource isolation: first solution, integration with the JnJVM
- Development for industrial use of the OSGi platform:
  - Specifications
  - Life-cycle support for bundles
  - Management
  - Critical applications: strong isolation between applications
  - Multi-user applications: strong access control mechanism

Slide 37: Questions?

[Figure: the contributions diagram of slide 6 (1. sign, 2. publish, 3.a load, 3.b check; SF-Jarsigner, Digital Signature, Protection Domain, Hardened OSGi, CBAC, WCA).]

Slide 38: References

- Karen M. Goertzel, Theodore Winograd, Holly L. McKinley, Lyndon Oh, Michael Colon, Thomas McGibbon, Elaine Fedchak, and Robert Vienneau. Software Security Assurance: a State-of-The-Art Report (SOAR). Information Assurance Technology Analysis Center (IATAC) and Data and Analysis Center for Software (DACS), July 2007.
- Michael Howard, Jon Pincus, and Jeannette M. Wing. Measuring Relative Attack Surfaces. In Computer Security in the 21st Century, pages 109–137. Springer, March 2005.
- Capers Jones. Applied Software Measurement: Assuring Productivity and Quality. McGraw-Hill, Inc., New York, NY, USA, 1999.
- Yvan Royon. Environnements d'exécution pour passerelles domestiques. PhD thesis, INSA-Lyon, December 2007.
- Noha Ibrahim. Spontaneous Integration of Services in Pervasive Environments. PhD thesis, INSA-Lyon, September 2008.

Slide 39: Selected publications

Journal article
- Security Benchmarks of OSGi Platforms: Toward Hardened OSGi. Pierre Parrend, Stéphane Frénot. Software: Practice and Experience. Accepted for publication (September 2008).

International conferences, industrial conferences
- Enhancing Automated Detection of Vulnerabilities in Java Components. Pierre Parrend. Fourth International Conference on Availability, Reliability and Security (AReS 2009), Fukuoka, Japan, 16-19 March 2009.
- Classification of Component Vulnerabilities in Java Service Oriented Programming (SOP) Platforms. Pierre Parrend, Stéphane Frénot. Conference on Component-based Software Engineering, Karlsruhe, Germany, 14-17 October 2008.
- Component-based Access Control: Secure Software Composition through Static Analysis. Pierre Parrend, Stéphane Frénot. Software Composition, Budapest, Hungary, 29-30 March 2008.
- Multi-service, Multi-protocol Management for Residential Gateways (Home Network Management). Y. Royon, P. Parrend, S. Frénot, S. Papastefanos, H. Abdelnur, D. Van de Poel. BB Europe, Antwerp, December 3-6, 2007.

Research reports
- More Vulnerabilities in the Java/OSGi Platform: a Focus on Bundle Interactions. Pierre Parrend, Stéphane Frénot. INRIA Research Report n°6649, September 2008.
- Java Components Vulnerabilities: An Experimental Classification Targeted at the OSGi Platform. Pierre Parrend, Stéphane Frénot. INRIA Research Report n°6231, June 2007.