A toolbox for statical analysis and
transformation of OSGi bundles

        Radu Kopetz – Orange Labs
        radu.kopetz @orange.com

        OSGi Users’ Group France Meeting
                 25/11/2011
motivations

Source: http://www.drm-x.com/
why OSGi ?

• ease of development
• rich, mature ecosystem
• modularity
• isolation and security guarantees
challenges
• platforms’ security and availability
• preserved QoS
• malicious behaviour can be either
  intended or unintended
security in OSGi
• based on Java 2 security
  – Conditional Permission Admin
• adds namespace isolation mechanism between
  bundles

• but …
security flaws in OSGi
• originate in OSGi platform
  – infinite loop / thread hanging in bundle activator
  – huge manifest file or import statements
  – decompression bomb
• originate in JVM shortcomings: not designed
  for multi-application systems
  – memory load injection
  – exponential thread creation
  – infinite loops
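
A pre-deployment check for the decompression-bomb and huge-manifest items above, as an added example that is not code from the talk. The class name `BundleSizeGuard`, the three limits and the in-memory sample jars are assumptions made for illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;
import java.util.zip.ZipOutputStream;

public class BundleSizeGuard {
    // Assumed limits for illustration; tune them to the target platform.
    static final long MAX_UNPACKED_BYTES = 4L * 1024 * 1024;
    static final long MAX_MANIFEST_BYTES = 64L * 1024;
    static final int MAX_ENTRIES = 2000;

    /** Returns null if the bundle is within limits, otherwise the reason for rejecting it. */
    static String check(byte[] jarBytes) throws IOException {
        long total = 0;
        int entries = 0;
        byte[] buf = new byte[8192];
        try (ZipInputStream zin = new ZipInputStream(new ByteArrayInputStream(jarBytes))) {
            ZipEntry entry;
            while ((entry = zin.getNextEntry()) != null) {
                if (++entries > MAX_ENTRIES) {
                    return "more than " + MAX_ENTRIES + " entries";
                }
                boolean isManifest = "META-INF/MANIFEST.MF".equals(entry.getName());
                long size = 0;
                int n;
                // Count the bytes actually produced by inflation and stop as soon as a
                // budget is exceeded; the size fields stored in the archive are written
                // by whoever built it and are not consulted.
                while ((n = zin.read(buf)) != -1) {
                    size += n;
                    total += n;
                    if (isManifest && size > MAX_MANIFEST_BYTES) {
                        return "manifest exceeds " + MAX_MANIFEST_BYTES + " bytes";
                    }
                    if (total > MAX_UNPACKED_BYTES) {
                        return "unpacked size exceeds " + MAX_UNPACKED_BYTES
                                + " bytes (at " + entry.getName() + ")";
                    }
                }
            }
        }
        return null;
    }

    /** Constructed sample: an in-memory jar with a manifest and one all-zero payload entry. */
    static byte[] sampleBundle(int manifestPad, int payloadBytes) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ZipOutputStream zos = new ZipOutputStream(bos)) {
            zos.putNextEntry(new ZipEntry("META-INF/MANIFEST.MF"));
            zos.write("Manifest-Version: 1.0\r\nBundle-Name: demo\r\n"
                    .getBytes(StandardCharsets.UTF_8));
            zos.write(new byte[manifestPad]);   // filler standing in for oversized headers
            zos.closeEntry();
            zos.putNextEntry(new ZipEntry("data/payload.bin"));
            zos.write(new byte[payloadBytes]);  // zeros compress to almost nothing
            zos.closeEntry();
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws IOException {
        // {manifest filler, payload size}: small bundle, inflated payload, oversized manifest.
        int[][] cases = { {0, 1024}, {0, 16 * 1024 * 1024}, {128 * 1024, 1024} };
        for (int[] c : cases) {
            byte[] jar = sampleBundle(c[0], c[1]);
            String reason = check(jar);
            System.out.println(jar.length + " bytes packed -> "
                    + (reason == null ? "accept" : "reject: " + reason));
        }
    }
}
```

The packed size printed for the second case stays small while the unpacked size is what trips the limit, which is why the check has to run on the inflated stream and not on the file size.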
possible approach

[diagram: bundle | (automated) analysis | bundle deploy ! | bundle]
[below the diagram: Statical Analysis and Transformation | Simulation ? | ?]
global idea
• a set of generic tools (services)
• that can be composed to get complex
  checks and transformations on bundles
architecture

[diagram: bundles running on OSGi, in two layers]
• upper layer: more complex, business-specific services
• lower layer: generic (base) services
generic services
jars
• decompress
• compress
• estimate size
• class bytes

bytecode
• method call search
• class related information
• method instrumentation

metadata
• manifest contents
• DS / iPOJO components

graphs
• construction
• analysis (strongly connected components)
business-specific services
• remove duplicate imports
• detect inappropriate method calls
  – Runtime.getRuntime().halt()
  – System.exit()
• cycles between services
• associate CPU consumption & Threads with
  bundles
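
One way to detect the inappropriate method calls listed above directly from class bytes, as an added example that is not the toolbox's own code. The class name `ForbiddenCallScanner` and the hand-built sample constant pools are assumptions; the scanner reads only the class-file header and constant pool.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.DataInputStream;
import java.io.DataOutputStream;
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import java.util.Set;

public class ForbiddenCallScanner {
    // Owner.method pairs the slides list as inappropriate inside a bundle.
    static final Set<String> FORBIDDEN =
            Set.of("java/lang/System.exit", "java/lang/Runtime.halt");

    /** Returns every forbidden method reference found in one class file's constant pool. */
    static List<String> scan(byte[] classBytes) throws IOException {
        DataInputStream in = new DataInputStream(new ByteArrayInputStream(classBytes));
        if (in.readInt() != 0xCAFEBABE) throw new IOException("not a class file");
        in.readInt();                                  // minor + major version
        int count = in.readUnsignedShort();            // constant_pool_count
        String[] utf8 = new String[count];
        int[] classNameIdx = new int[count];           // CONSTANT_Class -> Utf8 index
        int[] natNameIdx = new int[count];             // CONSTANT_NameAndType -> name index
        int[][] methodRefs = new int[count][];         // {class index, name-and-type index}
        for (int i = 1; i < count; i++) {
            int tag = in.readUnsignedByte();
            switch (tag) {
                case 1:  utf8[i] = in.readUTF(); break;                  // Utf8
                case 3: case 4: in.readInt(); break;                     // Integer, Float
                case 5: case 6: in.readLong(); i++; break;               // Long, Double: two slots
                case 7:  classNameIdx[i] = in.readUnsignedShort(); break; // Class
                case 8: case 16: case 19: case 20: in.readUnsignedShort(); break;
                case 9: case 17: case 18: in.readInt(); break;           // Fieldref, (Invoke)Dynamic
                case 10: case 11:                                        // (Interface)Methodref
                    methodRefs[i] = new int[] {in.readUnsignedShort(), in.readUnsignedShort()};
                    break;
                case 12:                                                 // NameAndType
                    natNameIdx[i] = in.readUnsignedShort();
                    in.readUnsignedShort();                              // descriptor, unused here
                    break;
                case 15: in.readUnsignedByte(); in.readUnsignedShort(); break; // MethodHandle
                default: throw new IOException("unknown constant pool tag " + tag);
            }
        }
        List<String> hits = new ArrayList<>();
        try {
            for (int[] ref : methodRefs) {
                if (ref == null) continue;
                String key = utf8[classNameIdx[ref[0]]] + "." + utf8[natNameIdx[ref[1]]];
                if (FORBIDDEN.contains(key)) hits.add(key);
            }
        } catch (ArrayIndexOutOfBoundsException e) {
            // Untrusted input: an index pointing outside the pool means a malformed class.
            throw new IOException("malformed constant pool", e);
        }
        return hits;
    }

    /** Constructed sample: header and constant pool of a class referencing owner.method. */
    static byte[] sample(String owner, String method, String desc) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        DataOutputStream out = new DataOutputStream(bos);
        out.writeInt(0xCAFEBABE);
        out.writeShort(0); out.writeShort(52);                   // minor, major
        out.writeShort(9);                                       // constant_pool_count
        out.writeByte(5);  out.writeLong(42L);                   // #1 Long (occupies #1 and #2)
        out.writeByte(1);  out.writeUTF(owner);                  // #3 Utf8
        out.writeByte(7);  out.writeShort(3);                    // #4 Class -> #3
        out.writeByte(1);  out.writeUTF(method);                 // #5 Utf8
        out.writeByte(1);  out.writeUTF(desc);                   // #6 Utf8
        out.writeByte(12); out.writeShort(5); out.writeShort(6); // #7 NameAndType
        out.writeByte(10); out.writeShort(4); out.writeShort(7); // #8 Methodref -> #4, #7
        return bos.toByteArray();
    }

    public static void main(String[] args) throws IOException {
        System.out.println(scan(sample("java/lang/System", "exit", "(I)V")));
        System.out.println(scan(sample("java/lang/Runtime", "halt", "(I)V")));
        System.out.println(scan(sample("java/lang/Math", "abs", "(I)I")));
    }
}
```

A match shows that the class references the method, not that the call is reachable. Calls made through reflection do not appear as Methodref entries and need a separate check.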
DEMO
how it was done
•   unjar
•   parse the manifest
•   retrieve the Activator / DS components bytes
•   instrument the bytecode
•   remove digital signature
•   jar

=> used almost all of our basic services
bytecode instrumentation

Original:

class MyActivator implements BundleActivator {
   …
   public void start(BundleContext context) throws Exception {
     // method body
   }
   …
}

After instrumentation:

public void renamed_start(BundleContext context) throws Exception {
     // method body
}

public void start(BundleContext context) throws Exception {
   … // get bundleName from manifest
   ThreadGroup tg = new ThreadGroup(bundleName+"_TGroup");
   ThreadGroup oldTg = Thread.currentThread().getThreadGroup();
   … // modify the thread group of current thread

   renamed_start(context);

   … // restore the thread group
}
conclusion
• some tools for statical analysis &
  transformation of bundles
• complete solution: statical analysis + modified
  OSGi framework + modified JVM
• nice to have: public repository with LOTs of
  bundles offering generic analysis services
thank you ! questions ?
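import java.lang.reflect.Field;
import java.util.Dictionary;
import org.osgi.framework.BundleContext;

public void start(final BundleContext context) throws Exception {
        // Read the bundle name from the manifest headers.
        Dictionary manifProps = context.getBundle().getHeaders();
        String bundleName = manifProps.get("Bundle-Name").toString();
        ThreadGroup tg = new ThreadGroup(bundleName + "_ThreadGroup");

        ThreadGroup oldTg = Thread.currentThread().getThreadGroup();
        // Thread.group is a private JDK field. On JDKs that strongly encapsulate
        // java.base (JDK 17 and later) setAccessible fails unless java.lang is opened.
        Field groupField = Thread.class.getDeclaredField("group");
        groupField.setAccessible(true);
        try {
            // Move the current thread into the bundle's own group, so that threads
            // created by the original start() are attributed to this bundle.
            groupField.set(Thread.currentThread(), tg);

            orange___start(context);   // the original start(), renamed

        } finally {
            // Restore the previous group even if the original start() throws.
            groupField.set(Thread.currentThread(), oldTg);
            groupField.setAccessible(false);
        }
}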

Weitere ähnliche Inhalte

Was ist angesagt?

Java 7 - What's New?
Java 7 - What's New?Java 7 - What's New?
Java 7 - What's New?Kobib9
 
Java class 6
Java class 6Java class 6
Java class 6Edureka!
 
Dynamic Analysis (EVO 2008)
Dynamic Analysis (EVO 2008)Dynamic Analysis (EVO 2008)
Dynamic Analysis (EVO 2008)Tudor Girba
 
Java class 3
Java class 3Java class 3
Java class 3Edureka!
 
Inter thread communication & runnable interface
Inter thread communication & runnable interfaceInter thread communication & runnable interface
Inter thread communication & runnable interfacekeval_thummar
 
JCConf 2018 - Retrospect and Prospect of Java
JCConf 2018 - Retrospect and Prospect of JavaJCConf 2018 - Retrospect and Prospect of Java
JCConf 2018 - Retrospect and Prospect of JavaJoseph Kuo
 
Millions quotes per second in pure java
Millions quotes per second in pure javaMillions quotes per second in pure java
Millions quotes per second in pure javaRoman Elizarov
 
Core java concepts
Core    java  conceptsCore    java  concepts
Core java conceptsChikugehlot
 
The CoFX Data Model
The CoFX Data ModelThe CoFX Data Model
The CoFX Data ModelRainer Stropek
 
Configuring Mahout Clustering Jobs - Frank Scholten
Configuring Mahout Clustering Jobs - Frank ScholtenConfiguring Mahout Clustering Jobs - Frank Scholten
Configuring Mahout Clustering Jobs - Frank Scholtenlucenerevolution
 
Java class 4
Java class 4Java class 4
Java class 4Edureka!
 
Introduction of failsafe
Introduction of failsafeIntroduction of failsafe
Introduction of failsafeSunghyouk Bae
 
TWJUG x Oracle Groundbreakers 2019 Taiwan - What’s New in Last Java Versions
TWJUG x Oracle Groundbreakers 2019 Taiwan - What’s New in Last Java VersionsTWJUG x Oracle Groundbreakers 2019 Taiwan - What’s New in Last Java Versions
TWJUG x Oracle Groundbreakers 2019 Taiwan - What’s New in Last Java VersionsJoseph Kuo
 
Java 8 - Stamped Lock
Java 8 - Stamped LockJava 8 - Stamped Lock
Java 8 - Stamped LockHaim Yadid
 
Testing Django Applications
Testing Django ApplicationsTesting Django Applications
Testing Django ApplicationsGareth Rushgrove
 
Classboxes, nested methods, and real private methods
Classboxes, nested methods, and real private methodsClassboxes, nested methods, and real private methods
Classboxes, nested methods, and real private methodsShugo Maeda
 

Was ist angesagt? (20)

Java 7 - What's New?
Java 7 - What's New?Java 7 - What's New?
Java 7 - What's New?
 
Java class 6
Java class 6Java class 6
Java class 6
 
Dynamic Analysis (EVO 2008)
Dynamic Analysis (EVO 2008)Dynamic Analysis (EVO 2008)
Dynamic Analysis (EVO 2008)
 
Java Day-3
Java Day-3Java Day-3
Java Day-3
 
Java class 3
Java class 3Java class 3
Java class 3
 
Inter thread communication & runnable interface
Inter thread communication & runnable interfaceInter thread communication & runnable interface
Inter thread communication & runnable interface
 
JCConf 2018 - Retrospect and Prospect of Java
JCConf 2018 - Retrospect and Prospect of JavaJCConf 2018 - Retrospect and Prospect of Java
JCConf 2018 - Retrospect and Prospect of Java
 
Millions quotes per second in pure java
Millions quotes per second in pure javaMillions quotes per second in pure java
Millions quotes per second in pure java
 
Cpp unit
Cpp unit Cpp unit
Cpp unit
 
Core java concepts
Core    java  conceptsCore    java  concepts
Core java concepts
 
The CoFX Data Model
The CoFX Data ModelThe CoFX Data Model
The CoFX Data Model
 
Configuring Mahout Clustering Jobs - Frank Scholten
Configuring Mahout Clustering Jobs - Frank ScholtenConfiguring Mahout Clustering Jobs - Frank Scholten
Configuring Mahout Clustering Jobs - Frank Scholten
 
Java class 4
Java class 4Java class 4
Java class 4
 
Introduction of failsafe
Introduction of failsafeIntroduction of failsafe
Introduction of failsafe
 
QtQuick Day 3
QtQuick Day 3QtQuick Day 3
QtQuick Day 3
 
TWJUG x Oracle Groundbreakers 2019 Taiwan - What’s New in Last Java Versions
TWJUG x Oracle Groundbreakers 2019 Taiwan - What’s New in Last Java VersionsTWJUG x Oracle Groundbreakers 2019 Taiwan - What’s New in Last Java Versions
TWJUG x Oracle Groundbreakers 2019 Taiwan - What’s New in Last Java Versions
 
Java 8 - Stamped Lock
Java 8 - Stamped LockJava 8 - Stamped Lock
Java 8 - Stamped Lock
 
Testing Django Applications
Testing Django ApplicationsTesting Django Applications
Testing Django Applications
 
Classboxes, nested methods, and real private methods
Classboxes, nested methods, and real private methodsClassboxes, nested methods, and real private methods
Classboxes, nested methods, and real private methods
 
2 P Seminar
2 P Seminar2 P Seminar
2 P Seminar
 

Andere mochten auch

DĂŠploiement dynamique d'applications OSGi sur le Cloud
DĂŠploiement dynamique d'applications OSGi sur le CloudDĂŠploiement dynamique d'applications OSGi sur le Cloud
DĂŠploiement dynamique d'applications OSGi sur le CloudOSGi User Group France
 
Robust Embedded Applications OSGi ME Platforms
Robust Embedded Applications OSGi ME PlatformsRobust Embedded Applications OSGi ME Platforms
Robust Embedded Applications OSGi ME PlatformsOSGi User Group France
 
Isandla tech - psem2m sdk - perspectives v1.0 - ougf
Isandla tech - psem2m sdk - perspectives v1.0 - ougfIsandla tech - psem2m sdk - perspectives v1.0 - ougf
Isandla tech - psem2m sdk - perspectives v1.0 - ougfOSGi User Group France
 
Open home automation infrastructure
Open home automation infrastructureOpen home automation infrastructure
Open home automation infrastructureOSGi User Group France
 
CATS: A Context-Aware Transportation Services Framework for Mobile Environments
CATS: A Context-Aware Transportation Services Framework for Mobile EnvironmentsCATS: A Context-Aware Transportation Services Framework for Mobile Environments
CATS: A Context-Aware Transportation Services Framework for Mobile EnvironmentsOSGi User Group France
 

Andere mochten auch (11)

DĂŠploiement dynamique d'applications OSGi sur le Cloud
DĂŠploiement dynamique d'applications OSGi sur le CloudDĂŠploiement dynamique d'applications OSGi sur le Cloud
DĂŠploiement dynamique d'applications OSGi sur le Cloud
 
FraSCAti with OSGi
FraSCAti with OSGiFraSCAti with OSGi
FraSCAti with OSGi
 
Last night OSGi saved my life
Last night OSGi saved my lifeLast night OSGi saved my life
Last night OSGi saved my life
 
All about Apache ACE
All about Apache ACEAll about Apache ACE
All about Apache ACE
 
Robust Embedded Applications OSGi ME Platforms
Robust Embedded Applications OSGi ME PlatformsRobust Embedded Applications OSGi ME Platforms
Robust Embedded Applications OSGi ME Platforms
 
Chame RIA
Chame RIAChame RIA
Chame RIA
 
Isandla tech - psem2m sdk - perspectives v1.0 - ougf
Isandla tech - psem2m sdk - perspectives v1.0 - ougfIsandla tech - psem2m sdk - perspectives v1.0 - ougf
Isandla tech - psem2m sdk - perspectives v1.0 - ougf
 
Open home automation infrastructure
Open home automation infrastructureOpen home automation infrastructure
Open home automation infrastructure
 
CATS: A Context-Aware Transportation Services Framework for Mobile Environments
CATS: A Context-Aware Transportation Services Framework for Mobile EnvironmentsCATS: A Context-Aware Transportation Services Framework for Mobile Environments
CATS: A Context-Aware Transportation Services Framework for Mobile Environments
 
OUGF - OSAmI - OSGi Ubiquity
OUGF - OSAmI - OSGi UbiquityOUGF - OSAmI - OSGi Ubiquity
OUGF - OSAmI - OSGi Ubiquity
 
Celix universal OSGi
Celix universal OSGiCelix universal OSGi
Celix universal OSGi
 

Ähnlich wie A toolbox for statical analysis and transformation of OSGi bundles

Tuscany : Applying OSGi After The Fact
Tuscany : Applying  OSGi After The FactTuscany : Applying  OSGi After The Fact
Tuscany : Applying OSGi After The FactLuciano Resende
 
Using the OSGi Application Model on Mobile Devices with CLDC JVM - Dimitar Va...
Using the OSGi Application Model on Mobile Devices with CLDC JVM - Dimitar Va...Using the OSGi Application Model on Mobile Devices with CLDC JVM - Dimitar Va...
Using the OSGi Application Model on Mobile Devices with CLDC JVM - Dimitar Va...mfrancis
 
Gallio Crafting A Toolchain
Gallio Crafting A ToolchainGallio Crafting A Toolchain
Gallio Crafting A ToolchainConSanFrancisco123
 
Apache Bigtop and ARM64 / AArch64 - Empowering Big Data Everywhere
Apache Bigtop and ARM64 / AArch64 - Empowering Big Data EverywhereApache Bigtop and ARM64 / AArch64 - Empowering Big Data Everywhere
Apache Bigtop and ARM64 / AArch64 - Empowering Big Data EverywhereGanesh Raju
 
Introduction to OSGGi
Introduction to OSGGiIntroduction to OSGGi
Introduction to OSGGiMarek Koniew
 
Synapseindia reviews.odp.
Synapseindia reviews.odp.Synapseindia reviews.odp.
Synapseindia reviews.odp.Tarunsingh198
 
OSGi introduction
OSGi introductionOSGi introduction
OSGi introductionDario Bonino
 
Новый InterSystems: open-source, митапы, хакатоны
Новый InterSystems: open-source, митапы, хакатоныНовый InterSystems: open-source, митапы, хакатоны
Новый InterSystems: open-source, митапы, хакатоныTimur Safin
 
An introduction to maven gradle and sbt
An introduction to maven gradle and sbtAn introduction to maven gradle and sbt
An introduction to maven gradle and sbtFabio Fumarola
 
Beyond OSGi Software Architecture
Beyond OSGi Software ArchitectureBeyond OSGi Software Architecture
Beyond OSGi Software ArchitectureJeroen van Grondelle
 
Cinfony - Bring cheminformatics toolkits into tune
Cinfony - Bring cheminformatics toolkits into tuneCinfony - Bring cheminformatics toolkits into tune
Cinfony - Bring cheminformatics toolkits into tunebaoilleach
 
OSGi Service Platform Release 4 Overview - BJ Hargrave, IBM & Peter Kriens, a...
OSGi Service Platform Release 4 Overview - BJ Hargrave, IBM & Peter Kriens, a...OSGi Service Platform Release 4 Overview - BJ Hargrave, IBM & Peter Kriens, a...
OSGi Service Platform Release 4 Overview - BJ Hargrave, IBM & Peter Kriens, a...mfrancis
 
Java tutorials
Java tutorialsJava tutorials
Java tutorialssaryu2011
 
Introduction to OSGi
Introduction to OSGiIntroduction to OSGi
Introduction to OSGipradeepfn
 
OSGi in 5 minutes
OSGi in 5 minutesOSGi in 5 minutes
OSGi in 5 minutesSerge Huber
 
Everything can be a bundle - making OSGi bundles of Java legacy code - Gunnar...
Everything can be a bundle - making OSGi bundles of Java legacy code - Gunnar...Everything can be a bundle - making OSGi bundles of Java legacy code - Gunnar...
Everything can be a bundle - making OSGi bundles of Java legacy code - Gunnar...mfrancis
 
Building modular software with OSGi - Ulf Fildebrandt
Building modular software with OSGi - Ulf FildebrandtBuilding modular software with OSGi - Ulf Fildebrandt
Building modular software with OSGi - Ulf Fildebrandtmfrancis
 
DevOps(4) : Ansible(2) - (MOSG)
DevOps(4) : Ansible(2) - (MOSG)DevOps(4) : Ansible(2) - (MOSG)
DevOps(4) : Ansible(2) - (MOSG)Soshi Nemoto
 

Ähnlich wie A toolbox for statical analysis and transformation of OSGi bundles (20)

Tuscany : Applying OSGi After The Fact
Tuscany : Applying  OSGi After The FactTuscany : Applying  OSGi After The Fact
Tuscany : Applying OSGi After The Fact
 
Using the OSGi Application Model on Mobile Devices with CLDC JVM - Dimitar Va...
Using the OSGi Application Model on Mobile Devices with CLDC JVM - Dimitar Va...Using the OSGi Application Model on Mobile Devices with CLDC JVM - Dimitar Va...
Using the OSGi Application Model on Mobile Devices with CLDC JVM - Dimitar Va...
 
OSGi bootcamp - part 1
OSGi bootcamp - part 1OSGi bootcamp - part 1
OSGi bootcamp - part 1
 
Gallio Crafting A Toolchain
Gallio Crafting A ToolchainGallio Crafting A Toolchain
Gallio Crafting A Toolchain
 
Apache Bigtop and ARM64 / AArch64 - Empowering Big Data Everywhere
Apache Bigtop and ARM64 / AArch64 - Empowering Big Data EverywhereApache Bigtop and ARM64 / AArch64 - Empowering Big Data Everywhere
Apache Bigtop and ARM64 / AArch64 - Empowering Big Data Everywhere
 
Introduction to OSGGi
Introduction to OSGGiIntroduction to OSGGi
Introduction to OSGGi
 
Synapseindia reviews.odp.
Synapseindia reviews.odp.Synapseindia reviews.odp.
Synapseindia reviews.odp.
 
OSGi introduction
OSGi introductionOSGi introduction
OSGi introduction
 
Новый InterSystems: open-source, митапы, хакатоны
Новый InterSystems: open-source, митапы, хакатоныНовый InterSystems: open-source, митапы, хакатоны
Новый InterSystems: open-source, митапы, хакатоны
 
An introduction to maven gradle and sbt
An introduction to maven gradle and sbtAn introduction to maven gradle and sbt
An introduction to maven gradle and sbt
 
Beyond OSGi Software Architecture
Beyond OSGi Software ArchitectureBeyond OSGi Software Architecture
Beyond OSGi Software Architecture
 
Cinfony - Bring cheminformatics toolkits into tune
Cinfony - Bring cheminformatics toolkits into tuneCinfony - Bring cheminformatics toolkits into tune
Cinfony - Bring cheminformatics toolkits into tune
 
OSGi Service Platform Release 4 Overview - BJ Hargrave, IBM & Peter Kriens, a...
OSGi Service Platform Release 4 Overview - BJ Hargrave, IBM & Peter Kriens, a...OSGi Service Platform Release 4 Overview - BJ Hargrave, IBM & Peter Kriens, a...
OSGi Service Platform Release 4 Overview - BJ Hargrave, IBM & Peter Kriens, a...
 
Java tutorials
Java tutorialsJava tutorials
Java tutorials
 
Intro To OSGi
Intro To OSGiIntro To OSGi
Intro To OSGi
 
Introduction to OSGi
Introduction to OSGiIntroduction to OSGi
Introduction to OSGi
 
OSGi in 5 minutes
OSGi in 5 minutesOSGi in 5 minutes
OSGi in 5 minutes
 
Everything can be a bundle - making OSGi bundles of Java legacy code - Gunnar...
Everything can be a bundle - making OSGi bundles of Java legacy code - Gunnar...Everything can be a bundle - making OSGi bundles of Java legacy code - Gunnar...
Everything can be a bundle - making OSGi bundles of Java legacy code - Gunnar...
 
Building modular software with OSGi - Ulf Fildebrandt
Building modular software with OSGi - Ulf FildebrandtBuilding modular software with OSGi - Ulf Fildebrandt
Building modular software with OSGi - Ulf Fildebrandt
 
DevOps(4) : Ansible(2) - (MOSG)
DevOps(4) : Ansible(2) - (MOSG)DevOps(4) : Ansible(2) - (MOSG)
DevOps(4) : Ansible(2) - (MOSG)
 

KĂźrzlich hochgeladen

How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Zilliz
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot ModelNavi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot ModelDeepika Singh
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxRustici Software
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024The Digital Insurer
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century educationjfdjdjcjdnsjd
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobeapidays
 
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu SubbuApidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbuapidays
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...apidays
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyKhushali Kathiriya
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDropbox
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?Igalia
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 

KĂźrzlich hochgeladen (20)

How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot ModelNavi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu SubbuApidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 

A toolbox for statical analysis and transformation of OSGi bundles

  • 1. A toolbox for statical analysis and transformation of OSGi bundles Radu Kopetz – Orange Labs radu.kopetz @orange.com OSGi Users’ Group France Meeting 25/11/2011
  • 3. why OSGi ? • ease of development • rich, mature ecosystem • modularity • isolation and security guarantees
  • 4. challenges • platforms’ security and availability • preserved QoS • malicious behaviour can be either intended or unintended
  • 5. security in OSGi • based on Java 2 security – Conditional Permission Admin
  • 6. security in OSGi • based on Java 2 security – Conditional Permission Admin • adds namespace isolation mechanism between bundles
  • 7. security in OSGi • based on Java 2 security – Conditional Permission Admin • adds namespace isolation mechanism between bundles • but …
  • 8. security flaws in OSGi • originate in OSGi platform – infinite loop / thread hanging in bundle activator – huge manifest file or import statements – decompression bomb
  • 9. security flaws in OSGi • originate in OSGi platform – infinite loop / thread hanging in bundle activator – huge manifest file or import statements – decompression bomb • originate in JVM shortcomings: not designed for multi-application systems – memory load injection – exponential thread creation – infinite loops
  • 10. possible approach (automated) analysis bundle
  • 11. possible approach (automated) analysis bundle bundle deploy !
  • 12. possible approach (automated) analysis bundle bundle deploy ! bundle
  • 13. possible approach (automated) analysis bundle bundle deploy ! bundle Statical Analysis and Transformation
  • 14. possible approach (automated) analysis bundle bundle deploy ! bundle Statical Analysis and Transformation / Simulation / ?
  • 15. possible approach (automated) analysis bundle bundle deploy ! bundle Statical Analysis and Transformation / Simulation / ? / ?
  • 16. possible approach (automated) analysis bundle bundle deploy ! bundle Statical Analysis and Transformation / Simulation / ? / ?
  • 17. global idea • a set of generic tools (services)
  • 18. global idea • a set of generic tools (services) • that can be composed to get complex checkings and transformations on bundles
  • 19. architecture bundle bundle bundle bundle bundle bundle OSGi
  • 20. architecture bundle bundle bundle bundle bundle bundle OSGi generic (base) services
  • 21. architecture more complex, business - specific services bundle bundle bundle bundle bundle bundle OSGi generic (base) services
  • 22. generic services jars • decompress • compress • estimate size • class bytes
  • 23. generic services jars • decompress • compress • estimate size • class bytes metadata • manifest contents • DS / iPOJO components
  • 24. generic services jars • decompress • compress • estimate size • class bytes metadata • manifest contents • DS / iPOJO components bytecode • method call search • class related information • method instrumentation
  • 25. generic services jars • decompress • compress • estimate size • class bytes metadata • manifest contents • DS / iPOJO components bytecode • method call search • class related information • method instrumentation graphs • construction • analysis (strongly connected components)
  • 26. business - specific services • remove double imports
  • 27. business - specific services • remove double imports • detect inappropriate method calls – Runtime.getRuntime().halt() – System.exit()
  • 28. business - specific services • remove double imports • detect inappropriate method calls – Runtime.getRuntime().halt() – System.exit() • cycles between services
  • 29. business - specific services • remove double imports • detect inappropriate method calls – Runtime.getRuntime().halt() – System.exit() • cycles between services • associate CPU consumption & Threads with bundles
  • 31. how it was done • unjar • parse the manifest • retrieve the Activator / DS components bytes • instrument the bytecode • remove digital signature • jar
  • 32. how it was done • unjar • parse the manifest • retrieve the Activator / DS components bytes • instrument the bytecode • remove digital signature • jar => used almost all of our basic services
  • 33. bytecode instrumentation

      class MyActivator implements BundleActivator {
          …
          public void start(BundleContext context) throws Exception {
              // method body
          }
          …
      }

  • 34. bytecode instrumentation

      public void renamed_start(BundleContext context) throws Exception {
          // method body
      }

      class MyActivator implements BundleActivator {
          …
          public void start(BundleContext context) throws Exception {
              // method body
          }
          …
      }

  • 35. bytecode instrumentation

      public void renamed_start(BundleContext context) throws Exception {
          // method body
      }

      class MyActivator implements BundleActivator {
          …
          public void start(BundleContext context) throws Exception {
              // method body
          }
          …
      }

      public void start(BundleContext context) throws Exception {
          // get bundleName from manifest
          ThreadGroup tg = new ThreadGroup(bundleName+"_TGroup");
          ThreadGroup oldTg = Thread.currentThread().getThreadGroup();
          // modify the thread group of current thread
          renamed_start(context);
          // restore the thread group
      }
  • 36. conclusion • some tools for statical analysis & transformation of bundles • complete solution: statical analysis + modified OSGi framework + modified JVM • nice to have: public repository with LOTs of bundles offering generic analysis services
  • 37. thank you ! questions ?
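  • 38.

      // Needs java.lang.reflect.Field and java.util.Dictionary.
      public void start(final BundleContext context) throws Exception {
          // Bundle name from the manifest headers; it names the per-bundle thread group.
          Dictionary manifProps = context.getBundle().getHeaders();
          String bundleName = manifProps.get("Bundle-Name").toString();
          ThreadGroup tg = new ThreadGroup(bundleName + "_ThreadGroup");
          ThreadGroup oldTg = Thread.currentThread().getThreadGroup();
          // Thread has no setter for its group, so the private field is written reflectively.
          // This depends on JDK internals: since JDK 16 the access is refused by default.
          Field groupField = Thread.class.getDeclaredField("group");
          groupField.setAccessible(true);
          groupField.set(Thread.currentThread(), tg);
          try {
              orange___start(context); // the bundle's original start(), renamed
          } finally {
              // Restore the caller's thread group even if the original start() throws.
              groupField.set(Thread.currentThread(), oldTg);
              groupField.setAccessible(false);
          }
      }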
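An added example, not taken from the slides or from the Orange Labs toolbox: one way to run the "detect inappropriate method calls" check of slide 27 statically, by reading the constant pool of every class in a bundle jar and flagging method references to `System.exit` and `Runtime.halt`. The function names, the 1 MiB size cap and the sample bytes are assumptions made for this example.

```python
import struct, zipfile

FORBIDDEN = {("java/lang/System", "exit"), ("java/lang/Runtime", "halt")}
# Payload sizes of the fixed-width constant-pool tags (JVM spec, section 4.4).
FIXED = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4,
         12: 4, 15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}
MAX_CLASS_BYTES = 1 << 20  # assumed cap: larger entries are flagged, not inflated

def u2(raw, off=0):
    return struct.unpack_from(">H", raw, off)[0]

def forbidden_calls(cls):
    """Return sorted 'owner.method' names of forbidden calls a class references."""
    if cls[:4] != b"\xca\xfe\xba\xbe":
        raise ValueError("not a class file")
    pool, pos, i = {}, 10, 1              # skip magic, versions and pool count
    while i < u2(cls, 8):
        tag, pos = cls[pos], pos + 1
        size = 2 + u2(cls, pos) if tag == 1 else FIXED[tag]  # Utf8: u2 length + bytes
        pool[i] = (tag, cls[pos:pos + size])
        pos, i = pos + size, i + (2 if tag in (5, 6) else 1)  # long/double: 2 slots
    def text(idx):                        # Utf8 entry -> str (drop the length prefix)
        return pool[idx][1][2:].decode("utf-8", "replace")
    hits = set()
    for tag, raw in pool.values():
        if tag in (10, 11):               # Methodref / InterfaceMethodref
            call = (text(u2(pool[u2(raw)][1])), text(u2(pool[u2(raw, 2)][1])))
            if call in FORBIDDEN:
                hits.add(".".join(call).replace("/", "."))
    return sorted(hits)

def scan_bundle(jar_file):
    """Map each flagged .class entry of a bundle jar to the reasons it was flagged."""
    report = {}
    with zipfile.ZipFile(jar_file) as jar:
        for info in (e for e in jar.infolist() if e.filename.endswith(".class")):
            try:  # file_size is the size declared in the zip directory
                found = (["oversized class entry"] if info.file_size > MAX_CLASS_BYTES
                         else forbidden_calls(jar.read(info)))
            except (ValueError, KeyError, IndexError, struct.error):
                found = ["unparseable class file"]
            if found:
                report[info.filename] = found
    return report

# Constructed sample (header + constant pool only) of a class referencing System.exit(int).
SAMPLE_CLASS = (b"\xca\xfe\xba\xbe\x00\x00\x00\x32\x00\x07\x01\x00\x10java/lang/System"
                b"\x07\x00\x01\x01\x00\x04exit\x01\x00\x04(I)V"   # Class, two Utf8
                b"\x0c\x00\x03\x00\x04\x0a\x00\x02\x00\x05")      # NameAndType, Methodref
```

A constant-pool scan only sees direct references: a call made through reflection does not appear as a Methodref entry, so an empty report is not proof that the bundle never exits the JVM.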