SlideShare une entreprise Scribd logo

Do not disturb my circles! Secure Application Isolation with OSGi - Mirko Jahn & Markus Gumbel, ICW

M
mfrancis

OSGi Community Event 2008

Technologie
1  sur  22
Télécharger pour lire hors ligne
June 10-11, 2008 Berlin, Germany Do not disturb my circles - Application isolation with OSGi Mirko Jahn*, Boris Terzic, Markus Gumbel*
2 Agenda •! Motivation •! Java Security shortcomings and what OSGi can add •! What is still missing: Concept for bundle-like domain security •! Implications •! Outlook
3 •! Germany’s internet-based e-health-infrastructure project •! Infrastructure has to be very secure •! Business logic (e.g. prescription workflow) requires digital signatures Why more security? An example “ICW healthcare connector based on Cisco AXP” VPN over Internet Card Terminal Practice Mgt. System Backend
4 Secure and certified applications •! Two types of applications •! “Must-have” (and highly secure) •! on demand •! Reuse (3rd party) components •! Contradiction •! Certification requires a minimal and inflexible but at least an isolated system •! Added value applications require installation of new and potentially malicious software C2 C4 C1 C3
5 Application domain separation •! How to isolate an application domain? •! OS level (e.g. virtual OS) •! Process level (different native applications) •! Component level (within one JVM) •! Holds true for other domains as well •! e.g. automotive sector •! Resource-friendly •! Less complex and easier to maintain C2 C4 C1 C3 !
6 Fort Knox, Kenntucky – Screenshot taken from google maps.
7 Plain JavaTM 2 Security •! Enforced by the JVM •! Loadtime: Code verifier •! Runtime: ClassLoader and SecurityManager •! customizable security through extension of java.security.Permission •! ProtectionDomain objects as main instance to handle roles and permissions •! Policy files as configuration entity
8 Shortcomings of plain JavaTM 2 Security •! Not focused on “component” isolation, but application isolation (like applets) •! No notion of service level security •! No actual notion of lifecycle or dynamism
9 From Clay Bennett: http://www.claybennett.com/pages2/security.html (slightly adapted ;-) )
10 What OSGi has to add? •! Finer grained isolation with new permissions •! PackagePermission (import, export) •! BundlePermission (provide, require, host, fragment) •! ServicePermission (register, get) •! AdminPermission (execute, lifecycle, resolve,...) " Better encapsulation of components •! Dynamic management of policies/ permissions •! Permission Admin (org.osgi.service.permissionadmin.*) •! Conditional Permission Admin (org.osgi.service.condpermadmin.*)
11 How to isolate your code? Identify… •! … application domains and sub-domains •! … intra and inter domain boundaries •! The minimal set of Permissions each bundle needs (explicitly via Java API calls) •! Import and export statements in the manifest files •! Services •! Lifecycle dependencies •! System (sockets, file access, properties,…)
12 How to isolate your code? Assign… •! … different certificates for each domain/ sub-domain •! … permissions on these certificates based on the findings before (including intra and inter domain dependencies) •! … scoping limit for each bundle (only the actual permission needed by the bundle) – use the permission.perm file
13 Define your domain application(s) JVM with SecurityManager Core Domain Bundle A Bundle B Bundle C API indented to be used by other domains API indented only to be used within the domain package or service permissions f.i. ! The distinction between internal and external is only conceptual ! Public API export Public API import Intra domain API export Intra domain API import
14 How to wire your domains? JVM with SecurityManager Core Domain wired with matching permission definitions ...PackagePermission [de.icw.core, EXPORT] ...PackagePermission [de.icw.core,IMPORT] Public API export Public API import Intra domain API export Intra domain API import (Highly Secure) Domain S (Highly Secure) Domain S
15 How to wire your domains? JVM with SecurityManager Core Domain (Highly Secure) Domain S service Domain P How to add 3rd party extensions without knowing their namespace or certificate??? Public API export Public API import
16 How to integrate 3rd party extensions? JVM with SecurityManager Core Domain (Highly Secure) Domain S service Domain P 3rd Party Extension Domain X Public API export Public API import
17 How to integrate 3rd party extensions? JVM with SecurityManager Core Domain (Highly Secure) Domain S service Domain P 3rd Party Extension Domain X Not possible! ! Now, only the exposed API is security relevant!
18 Run & Refactor •! Run usually reveals a huge amount of missing permissions •! Refactor 1.! Investigate missing permissions " either add permissions or use doPrivileged() 2.! Examine permissions assigned to the certificates for undesired overlaps or dependencies. " move or refactor/ redesign 3.! API analysis on tainted parameters based on permissions assigned to the certificates
19 Remaining Challenges •! How to dynamically assign permissions on domains without prior knowledge of their features and without potentially compromising installed and certified domains/ applications? •! How to handle differing permissions depending on the version of a component? •! What about start-up behavior? First come, first serve? How to define, which bundle is the one to set permissions? •! How bullet proof is your OSGi container? Who can tell? " A whitepaper on (OSGi) security is desirable
20 Q & A ?
21 References •! [1] Secure Code Guidelines (Sun) http://java.sun.com/security/seccodeguide.html •! [2] Security Documentation (Sun) http://java.sun.com/javase/6/docs/technotes/guides/security/ •! [3] Coding for least privilege http://en.wikipedia.org/wiki/Least_privilege •! [4] InterComponentWare AG (ICW) http://www.icw-global.com •! [5] Cisco AXP Router and the ICW Box http://www.cisco.com/en/US/prod/collateral/routers/ps9701/ data_sheet_c02_459078.html •! [6] JSR 294 – Improved modularity support in the Java Programming Language http://jcp.org/en/jsr/detail?id=294 •! [7] Spring Application Platform http://www.springsource.com/web/guest/products/suite/applicationplatform
22 Trademarks & Copyrights •! Java is a trademark of Sun Microsystems, Inc. in the United States and other countries. •! OSGi is a trademark of the OSGi Alliance. •! All other trademarks mentioned are trademarks of the respective owners

Recommandé

Token, token... From SAML to OIDC
Token, token... From SAML to OIDCToken, token... From SAML to OIDC
Token, token... From SAML to OIDCShiu-Fun Poon
 
Abusing, Exploiting and Pwning with Firefox Add-ons
Abusing, Exploiting and Pwning with Firefox Add-onsAbusing, Exploiting and Pwning with Firefox Add-ons
Abusing, Exploiting and Pwning with Firefox Add-onsAjin Abraham
 
Code by the sea: Web Application Security
Code by the sea: Web Application SecurityCode by the sea: Web Application Security
Code by the sea: Web Application SecurityBoy Baukema
 
Hp fortify source code analyzer(sca)
Hp fortify source code analyzer(sca)Hp fortify source code analyzer(sca)
Hp fortify source code analyzer(sca)Nagaraju Repala
 
CNIT 128: Android Implementation Issues (Part 2)
CNIT 128: Android Implementation Issues (Part 2)CNIT 128: Android Implementation Issues (Part 2)
CNIT 128: Android Implementation Issues (Part 2)Sam Bowne
 
"Mobile security: iOS", Yaroslav Vorontsov, DataArt
"Mobile security: iOS", Yaroslav Vorontsov, DataArt"Mobile security: iOS", Yaroslav Vorontsov, DataArt
"Mobile security: iOS", Yaroslav Vorontsov, DataArtDataArt
 
Device identity
Device identityDevice identity
Device identityLan & Wan Solutions
 
Secure JAX-RS
Secure JAX-RSSecure JAX-RS
Secure JAX-RSRudy De Busscher
 

Recommandé

Token, token... From SAML to OIDC
Token, token... From SAML to OIDCToken, token... From SAML to OIDC
Token, token... From SAML to OIDCShiu-Fun Poon
 
Abusing, Exploiting and Pwning with Firefox Add-ons
Abusing, Exploiting and Pwning with Firefox Add-onsAbusing, Exploiting and Pwning with Firefox Add-ons
Abusing, Exploiting and Pwning with Firefox Add-onsAjin Abraham
 
Code by the sea: Web Application Security
Code by the sea: Web Application SecurityCode by the sea: Web Application Security
Code by the sea: Web Application SecurityBoy Baukema
 
Hp fortify source code analyzer(sca)
Hp fortify source code analyzer(sca)Hp fortify source code analyzer(sca)
Hp fortify source code analyzer(sca)Nagaraju Repala
 
CNIT 128: Android Implementation Issues (Part 2)
CNIT 128: Android Implementation Issues (Part 2)CNIT 128: Android Implementation Issues (Part 2)
CNIT 128: Android Implementation Issues (Part 2)Sam Bowne
 
"Mobile security: iOS", Yaroslav Vorontsov, DataArt
"Mobile security: iOS", Yaroslav Vorontsov, DataArt"Mobile security: iOS", Yaroslav Vorontsov, DataArt
"Mobile security: iOS", Yaroslav Vorontsov, DataArtDataArt
 
Device identity
Device identityDevice identity
Device identityLan & Wan Solutions
 
Secure JAX-RS
Secure JAX-RSSecure JAX-RS
Secure JAX-RSRudy De Busscher
 
Open Source KMIP Implementation
Open Source KMIP ImplementationOpen Source KMIP Implementation
Open Source KMIP Implementationsedukull
 
Injecting Security into vulnerable web apps at Runtime
Injecting Security into vulnerable web apps at RuntimeInjecting Security into vulnerable web apps at Runtime
Injecting Security into vulnerable web apps at RuntimeAjin Abraham
 
Securing Docker Containers
Securing Docker ContainersSecuring Docker Containers
Securing Docker ContainersBlack Duck by Synopsys
 
Know Your Security Model
Know Your Security ModelKnow Your Security Model
Know Your Security ModelMikhail Shcherbakov
 
CNIT 128 2. Analyzing iOS Applications (Part 1)
CNIT 128 2. Analyzing iOS Applications (Part 1)CNIT 128 2. Analyzing iOS Applications (Part 1)
CNIT 128 2. Analyzing iOS Applications (Part 1)Sam Bowne
 
Testing Android Security Codemotion Amsterdam edition
Testing Android Security Codemotion Amsterdam editionTesting Android Security Codemotion Amsterdam edition
Testing Android Security Codemotion Amsterdam editionJose Manuel Ortega Candel
 
The Dark Side of PowerShell by George Dobrea
The Dark Side of PowerShell by George DobreaThe Dark Side of PowerShell by George Dobrea
The Dark Side of PowerShell by George DobreaEC-Council
 
Java EE Security API - JSR375: Getting Started
Java EE Security API - JSR375: Getting Started Java EE Security API - JSR375: Getting Started
Java EE Security API - JSR375: Getting Started Rudy De Busscher
 
CNIT 128 2. Analyzing iOS Applications (Part 2)
CNIT 128 2. Analyzing iOS Applications (Part 2)CNIT 128 2. Analyzing iOS Applications (Part 2)
CNIT 128 2. Analyzing iOS Applications (Part 2)Sam Bowne
 
Injecting Security into Web apps at Runtime Whitepaper
Injecting Security into Web apps at Runtime WhitepaperInjecting Security into Web apps at Runtime Whitepaper
Injecting Security into Web apps at Runtime WhitepaperAjin Abraham
 
OIDF Workshop at Verizon Media -- 9/30/2019 -- OpenID Connect for Identity As...
OIDF Workshop at Verizon Media -- 9/30/2019 -- OpenID Connect for Identity As...OIDF Workshop at Verizon Media -- 9/30/2019 -- OpenID Connect for Identity As...
OIDF Workshop at Verizon Media -- 9/30/2019 -- OpenID Connect for Identity As...OpenIDFoundation
 
[Wroclaw #2] iOS Security - 101
[Wroclaw #2] iOS Security - 101[Wroclaw #2] iOS Security - 101
[Wroclaw #2] iOS Security - 101OWASP
 
Source Code Scanners
Source Code ScannersSource Code Scanners
Source Code ScannersPawel Krawczyk
 
Dev Ops Geek Fest: Automating the ForgeRock Platform
Dev Ops Geek Fest: Automating the ForgeRock PlatformDev Ops Geek Fest: Automating the ForgeRock Platform
Dev Ops Geek Fest: Automating the ForgeRock PlatformForgeRock
 
Security DevOps - Free pentesters' time to focus on high-hanging fruits // Ha...
Security DevOps - Free pentesters' time to focus on high-hanging fruits // Ha...Security DevOps - Free pentesters' time to focus on high-hanging fruits // Ha...
Security DevOps - Free pentesters' time to focus on high-hanging fruits // Ha...Christian Schneider
 
OpenAM as Flexible Integration Component
OpenAM as Flexible Integration ComponentOpenAM as Flexible Integration Component
OpenAM as Flexible Integration ComponentForgeRock
 
Asec r01-resting-on-your-laurels-will-get-you-pwned
Asec r01-resting-on-your-laurels-will-get-you-pwnedAsec r01-resting-on-your-laurels-will-get-you-pwned
Asec r01-resting-on-your-laurels-will-get-you-pwnedDinis Cruz
 
CNIT 128 6. Analyzing Android Applications (Part 1)
CNIT 128 6. Analyzing Android Applications (Part 1)CNIT 128 6. Analyzing Android Applications (Part 1)
CNIT 128 6. Analyzing Android Applications (Part 1)Sam Bowne
 
[OWASP Poland Day] Application security - daily questions & answers
[OWASP Poland Day] Application security - daily questions & answers[OWASP Poland Day] Application security - daily questions & answers
[OWASP Poland Day] Application security - daily questions & answersOWASP
 
OpenAM Survival Tips
OpenAM Survival TipsOpenAM Survival Tips
OpenAM Survival TipsForgeRock
 
Thick Application Penetration Testing - A Crash Course
Thick Application Penetration Testing - A Crash CourseThick Application Penetration Testing - A Crash Course
Thick Application Penetration Testing - A Crash CourseNetSPI
 
Drupal Dev Days Vienna 2023 - What is the secure software supply chain and th...
Drupal Dev Days Vienna 2023 - What is the secure software supply chain and th...Drupal Dev Days Vienna 2023 - What is the secure software supply chain and th...
Drupal Dev Days Vienna 2023 - What is the secure software supply chain and th...sparkfabrik
 

Contenu connexe

Tendances

Open Source KMIP Implementation
Open Source KMIP ImplementationOpen Source KMIP Implementation
Open Source KMIP Implementationsedukull
 
Injecting Security into vulnerable web apps at Runtime
Injecting Security into vulnerable web apps at RuntimeInjecting Security into vulnerable web apps at Runtime
Injecting Security into vulnerable web apps at RuntimeAjin Abraham
 
CNIT 128 2. Analyzing iOS Applications (Part 1)
CNIT 128 2. Analyzing iOS Applications (Part 1)CNIT 128 2. Analyzing iOS Applications (Part 1)
CNIT 128 2. Analyzing iOS Applications (Part 1)Sam Bowne
 
Testing Android Security Codemotion Amsterdam edition
Testing Android Security Codemotion Amsterdam editionTesting Android Security Codemotion Amsterdam edition
Testing Android Security Codemotion Amsterdam editionJose Manuel Ortega Candel
 
The Dark Side of PowerShell by George Dobrea
The Dark Side of PowerShell by George DobreaThe Dark Side of PowerShell by George Dobrea
The Dark Side of PowerShell by George DobreaEC-Council
 
Java EE Security API - JSR375: Getting Started
Java EE Security API - JSR375: Getting Started Java EE Security API - JSR375: Getting Started
Java EE Security API - JSR375: Getting Started Rudy De Busscher
 
CNIT 128 2. Analyzing iOS Applications (Part 2)
CNIT 128 2. Analyzing iOS Applications (Part 2)CNIT 128 2. Analyzing iOS Applications (Part 2)
CNIT 128 2. Analyzing iOS Applications (Part 2)Sam Bowne
 
Injecting Security into Web apps at Runtime Whitepaper
Injecting Security into Web apps at Runtime WhitepaperInjecting Security into Web apps at Runtime Whitepaper
Injecting Security into Web apps at Runtime WhitepaperAjin Abraham
 
OIDF Workshop at Verizon Media -- 9/30/2019 -- OpenID Connect for Identity As...
OIDF Workshop at Verizon Media -- 9/30/2019 -- OpenID Connect for Identity As...OIDF Workshop at Verizon Media -- 9/30/2019 -- OpenID Connect for Identity As...
OIDF Workshop at Verizon Media -- 9/30/2019 -- OpenID Connect for Identity As...OpenIDFoundation
 
[Wroclaw #2] iOS Security - 101
[Wroclaw #2] iOS Security - 101[Wroclaw #2] iOS Security - 101
[Wroclaw #2] iOS Security - 101OWASP
 
Dev Ops Geek Fest: Automating the ForgeRock Platform
Dev Ops Geek Fest: Automating the ForgeRock PlatformDev Ops Geek Fest: Automating the ForgeRock Platform
Dev Ops Geek Fest: Automating the ForgeRock PlatformForgeRock
 
Security DevOps - Free pentesters' time to focus on high-hanging fruits // Ha...
Security DevOps - Free pentesters' time to focus on high-hanging fruits // Ha...Security DevOps - Free pentesters' time to focus on high-hanging fruits // Ha...
Security DevOps - Free pentesters' time to focus on high-hanging fruits // Ha...Christian Schneider
 
OpenAM as Flexible Integration Component
OpenAM as Flexible Integration ComponentOpenAM as Flexible Integration Component
OpenAM as Flexible Integration ComponentForgeRock
 
Asec r01-resting-on-your-laurels-will-get-you-pwned
Asec r01-resting-on-your-laurels-will-get-you-pwnedAsec r01-resting-on-your-laurels-will-get-you-pwned
Asec r01-resting-on-your-laurels-will-get-you-pwnedDinis Cruz
 
CNIT 128 6. Analyzing Android Applications (Part 1)
CNIT 128 6. Analyzing Android Applications (Part 1)CNIT 128 6. Analyzing Android Applications (Part 1)
CNIT 128 6. Analyzing Android Applications (Part 1)Sam Bowne
 
[OWASP Poland Day] Application security - daily questions & answers
[OWASP Poland Day] Application security - daily questions & answers[OWASP Poland Day] Application security - daily questions & answers
[OWASP Poland Day] Application security - daily questions & answersOWASP
 
OpenAM Survival Tips
OpenAM Survival TipsOpenAM Survival Tips
OpenAM Survival TipsForgeRock
 

Tendances (20)

Open Source KMIP Implementation
Open Source KMIP ImplementationOpen Source KMIP Implementation
Open Source KMIP Implementation
 
Injecting Security into vulnerable web apps at Runtime
Injecting Security into vulnerable web apps at RuntimeInjecting Security into vulnerable web apps at Runtime
Injecting Security into vulnerable web apps at Runtime
 
Securing Docker Containers
Securing Docker ContainersSecuring Docker Containers
Securing Docker Containers
 
Know Your Security Model
Know Your Security ModelKnow Your Security Model
Know Your Security Model
 
CNIT 128 2. Analyzing iOS Applications (Part 1)
CNIT 128 2. Analyzing iOS Applications (Part 1)CNIT 128 2. Analyzing iOS Applications (Part 1)
CNIT 128 2. Analyzing iOS Applications (Part 1)
 
Testing Android Security Codemotion Amsterdam edition
Testing Android Security Codemotion Amsterdam editionTesting Android Security Codemotion Amsterdam edition
Testing Android Security Codemotion Amsterdam edition
 
The Dark Side of PowerShell by George Dobrea
The Dark Side of PowerShell by George DobreaThe Dark Side of PowerShell by George Dobrea
The Dark Side of PowerShell by George Dobrea
 
Java EE Security API - JSR375: Getting Started
Java EE Security API - JSR375: Getting Started Java EE Security API - JSR375: Getting Started
Java EE Security API - JSR375: Getting Started
 
CNIT 128 2. Analyzing iOS Applications (Part 2)
CNIT 128 2. Analyzing iOS Applications (Part 2)CNIT 128 2. Analyzing iOS Applications (Part 2)
CNIT 128 2. Analyzing iOS Applications (Part 2)
 
Injecting Security into Web apps at Runtime Whitepaper
Injecting Security into Web apps at Runtime WhitepaperInjecting Security into Web apps at Runtime Whitepaper
Injecting Security into Web apps at Runtime Whitepaper
 
OIDF Workshop at Verizon Media -- 9/30/2019 -- OpenID Connect for Identity As...
OIDF Workshop at Verizon Media -- 9/30/2019 -- OpenID Connect for Identity As...OIDF Workshop at Verizon Media -- 9/30/2019 -- OpenID Connect for Identity As...
OIDF Workshop at Verizon Media -- 9/30/2019 -- OpenID Connect for Identity As...
 
[Wroclaw #2] iOS Security - 101
[Wroclaw #2] iOS Security - 101[Wroclaw #2] iOS Security - 101
[Wroclaw #2] iOS Security - 101
 
Source Code Scanners
Source Code ScannersSource Code Scanners
Source Code Scanners
 
Dev Ops Geek Fest: Automating the ForgeRock Platform
Dev Ops Geek Fest: Automating the ForgeRock PlatformDev Ops Geek Fest: Automating the ForgeRock Platform
Dev Ops Geek Fest: Automating the ForgeRock Platform
 
Security DevOps - Free pentesters' time to focus on high-hanging fruits // Ha...
Security DevOps - Free pentesters' time to focus on high-hanging fruits // Ha...Security DevOps - Free pentesters' time to focus on high-hanging fruits // Ha...
Security DevOps - Free pentesters' time to focus on high-hanging fruits // Ha...
 
OpenAM as Flexible Integration Component
OpenAM as Flexible Integration ComponentOpenAM as Flexible Integration Component
OpenAM as Flexible Integration Component
 
Asec r01-resting-on-your-laurels-will-get-you-pwned
Asec r01-resting-on-your-laurels-will-get-you-pwnedAsec r01-resting-on-your-laurels-will-get-you-pwned
Asec r01-resting-on-your-laurels-will-get-you-pwned
 
CNIT 128 6. Analyzing Android Applications (Part 1)
CNIT 128 6. Analyzing Android Applications (Part 1)CNIT 128 6. Analyzing Android Applications (Part 1)
CNIT 128 6. Analyzing Android Applications (Part 1)
 
[OWASP Poland Day] Application security - daily questions & answers
[OWASP Poland Day] Application security - daily questions & answers[OWASP Poland Day] Application security - daily questions & answers
[OWASP Poland Day] Application security - daily questions & answers
 
OpenAM Survival Tips
OpenAM Survival TipsOpenAM Survival Tips
OpenAM Survival Tips
 

Similaire à Do not disturb my circles! Secure Application Isolation with OSGi - Mirko Jahn & Markus Gumbel, ICW

Thick Application Penetration Testing - A Crash Course
Thick Application Penetration Testing - A Crash CourseThick Application Penetration Testing - A Crash Course
Thick Application Penetration Testing - A Crash CourseNetSPI
 
Drupal Dev Days Vienna 2023 - What is the secure software supply chain and th...
Drupal Dev Days Vienna 2023 - What is the secure software supply chain and th...Drupal Dev Days Vienna 2023 - What is the secure software supply chain and th...
Drupal Dev Days Vienna 2023 - What is the secure software supply chain and th...sparkfabrik
 
How-To Find Malicious Backdoors and Business Logic Vulnerabilities in Your Code
How-To Find Malicious Backdoors and Business Logic Vulnerabilities in Your CodeHow-To Find Malicious Backdoors and Business Logic Vulnerabilities in Your Code
How-To Find Malicious Backdoors and Business Logic Vulnerabilities in Your CodeDevOps.com
 
DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...
DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...
DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...Felipe Prado
 
Application security meetup k8_s security with zero trust_29072021
Application security meetup k8_s security with zero trust_29072021Application security meetup k8_s security with zero trust_29072021
Application security meetup k8_s security with zero trust_29072021lior mazor
 
Enterprise Node - Securing Your Environment
Enterprise Node - Securing Your EnvironmentEnterprise Node - Securing Your Environment
Enterprise Node - Securing Your EnvironmentKurtis Kemple
 
Aleksei Dremin - Application Security Pipeline - phdays9
Aleksei Dremin - Application Security Pipeline - phdays9Aleksei Dremin - Application Security Pipeline - phdays9
Aleksei Dremin - Application Security Pipeline - phdays9Alexey Dremin
 
Developing for Industrial IoT with Linux OS on DragonBoard™ 410c: Session 4
Developing for Industrial IoT with Linux OS on DragonBoard™ 410c: Session 4Developing for Industrial IoT with Linux OS on DragonBoard™ 410c: Session 4
Developing for Industrial IoT with Linux OS on DragonBoard™ 410c: Session 4Qualcomm Developer Network
 
Thick Application Penetration Testing: Crash Course
Thick Application Penetration Testing: Crash CourseThick Application Penetration Testing: Crash Course
Thick Application Penetration Testing: Crash CourseScott Sutherland
 
FIWARE Wednesday Webinars - How to Debug IoT Agents
FIWARE Wednesday Webinars - How to Debug IoT AgentsFIWARE Wednesday Webinars - How to Debug IoT Agents
FIWARE Wednesday Webinars - How to Debug IoT AgentsFIWARE
 
Take control back on Android devices with Flyve MDM, OW2con'18, June 7-8, 201...
Take control back on Android devices with Flyve MDM, OW2con'18, June 7-8, 201...Take control back on Android devices with Flyve MDM, OW2con'18, June 7-8, 201...
Take control back on Android devices with Flyve MDM, OW2con'18, June 7-8, 201...OW2
 
Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015
Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015
Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015Ajin Abraham
 
Anil saldhana securityassurancewithj_bosseap
Anil saldhana securityassurancewithj_bosseapAnil saldhana securityassurancewithj_bosseap
Anil saldhana securityassurancewithj_bosseapAnil Saldanha
 
Code Quality - Security
Code Quality - SecurityCode Quality - Security
Code Quality - Securitysedukull
 
Introduction to Kong API Gateway
Introduction to Kong API GatewayIntroduction to Kong API Gateway
Introduction to Kong API GatewayYohann Ciurlik
 
Kubernetes and container security
Kubernetes and container securityKubernetes and container security
Kubernetes and container securityVolodymyr Shynkar
 
Reverse Engineering.pptx
Reverse Engineering.pptxReverse Engineering.pptx
Reverse Engineering.pptxSameer Sapra
 
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...Hackito Ergo Sum
 
BOX of Illusion MOSEC'17
BOX of Illusion MOSEC'17BOX of Illusion MOSEC'17
BOX of Illusion MOSEC'17Python0x0
 

Similaire à Do not disturb my circles! Secure Application Isolation with OSGi - Mirko Jahn & Markus Gumbel, ICW (20)

Thick Application Penetration Testing - A Crash Course
Thick Application Penetration Testing - A Crash CourseThick Application Penetration Testing - A Crash Course
Thick Application Penetration Testing - A Crash Course
 
Drupal Dev Days Vienna 2023 - What is the secure software supply chain and th...
Drupal Dev Days Vienna 2023 - What is the secure software supply chain and th...Drupal Dev Days Vienna 2023 - What is the secure software supply chain and th...
Drupal Dev Days Vienna 2023 - What is the secure software supply chain and th...
 
How-To Find Malicious Backdoors and Business Logic Vulnerabilities in Your Code
How-To Find Malicious Backdoors and Business Logic Vulnerabilities in Your CodeHow-To Find Malicious Backdoors and Business Logic Vulnerabilities in Your Code
How-To Find Malicious Backdoors and Business Logic Vulnerabilities in Your Code
 
DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...
DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...
DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...
 
Application security meetup k8_s security with zero trust_29072021
Application security meetup k8_s security with zero trust_29072021Application security meetup k8_s security with zero trust_29072021
Application security meetup k8_s security with zero trust_29072021
 
Enterprise Node - Securing Your Environment
Enterprise Node - Securing Your EnvironmentEnterprise Node - Securing Your Environment
Enterprise Node - Securing Your Environment
 
Aleksei Dremin - Application Security Pipeline - phdays9
Aleksei Dremin - Application Security Pipeline - phdays9Aleksei Dremin - Application Security Pipeline - phdays9
Aleksei Dremin - Application Security Pipeline - phdays9
 
Developing for Industrial IoT with Linux OS on DragonBoard™ 410c: Session 4
Developing for Industrial IoT with Linux OS on DragonBoard™ 410c: Session 4Developing for Industrial IoT with Linux OS on DragonBoard™ 410c: Session 4
Developing for Industrial IoT with Linux OS on DragonBoard™ 410c: Session 4
 
Thick Application Penetration Testing: Crash Course
Thick Application Penetration Testing: Crash CourseThick Application Penetration Testing: Crash Course
Thick Application Penetration Testing: Crash Course
 
FIWARE Wednesday Webinars - How to Debug IoT Agents
FIWARE Wednesday Webinars - How to Debug IoT AgentsFIWARE Wednesday Webinars - How to Debug IoT Agents
FIWARE Wednesday Webinars - How to Debug IoT Agents
 
Take control back on Android devices with Flyve MDM, OW2con'18, June 7-8, 201...
Take control back on Android devices with Flyve MDM, OW2con'18, June 7-8, 201...Take control back on Android devices with Flyve MDM, OW2con'18, June 7-8, 201...
Take control back on Android devices with Flyve MDM, OW2con'18, June 7-8, 201...
 
Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015
Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015
Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015
 
Anil saldhana securityassurancewithj_bosseap
Anil saldhana securityassurancewithj_bosseapAnil saldhana securityassurancewithj_bosseap
Anil saldhana securityassurancewithj_bosseap
 
Code Quality - Security
Code Quality - SecurityCode Quality - Security
Code Quality - Security
 
Introduction to Kong API Gateway
Introduction to Kong API GatewayIntroduction to Kong API Gateway
Introduction to Kong API Gateway
 
Kubernetes and container security
Kubernetes and container securityKubernetes and container security
Kubernetes and container security
 
Reverse Engineering.pptx
Reverse Engineering.pptxReverse Engineering.pptx
Reverse Engineering.pptx
 
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
 
BOX of Illusion MOSEC'17
BOX of Illusion MOSEC'17BOX of Illusion MOSEC'17
BOX of Illusion MOSEC'17
 
How to debug IoT Agents
How to debug IoT AgentsHow to debug IoT Agents
How to debug IoT Agents
 

Plus de mfrancis

Eclipse Modeling Framework and plain OSGi the easy way - Mark Hoffman (Data I...
Eclipse Modeling Framework and plain OSGi the easy way - Mark Hoffman (Data I...Eclipse Modeling Framework and plain OSGi the easy way - Mark Hoffman (Data I...
Eclipse Modeling Framework and plain OSGi the easy way - Mark Hoffman (Data I...mfrancis
 
OSGi and Java 9+ - BJ Hargrave (IBM)
OSGi and Java 9+ - BJ Hargrave (IBM)OSGi and Java 9+ - BJ Hargrave (IBM)
OSGi and Java 9+ - BJ Hargrave (IBM)mfrancis
 
Simplify Web UX Coding using OSGi Modularity Magic - Paul Fraser (A2Z Living)
Simplify Web UX Coding using OSGi Modularity Magic - Paul Fraser (A2Z Living)Simplify Web UX Coding using OSGi Modularity Magic - Paul Fraser (A2Z Living)
Simplify Web UX Coding using OSGi Modularity Magic - Paul Fraser (A2Z Living)mfrancis
 
OSGi for the data centre - Connecting OSGi to Kubernetes - Frank Lyaruu
OSGi for the data centre - Connecting OSGi to Kubernetes - Frank LyaruuOSGi for the data centre - Connecting OSGi to Kubernetes - Frank Lyaruu
OSGi for the data centre - Connecting OSGi to Kubernetes - Frank Lyaruumfrancis
 
Remote Management and Monitoring of Distributed OSGi Applications - Tim Verbe...
Remote Management and Monitoring of Distributed OSGi Applications - Tim Verbe...Remote Management and Monitoring of Distributed OSGi Applications - Tim Verbe...
Remote Management and Monitoring of Distributed OSGi Applications - Tim Verbe...mfrancis
 
OSGi with Docker - a powerful way to develop Java systems - Udo Hafermann (So...
OSGi with Docker - a powerful way to develop Java systems - Udo Hafermann (So...OSGi with Docker - a powerful way to develop Java systems - Udo Hafermann (So...
OSGi with Docker - a powerful way to develop Java systems - Udo Hafermann (So...mfrancis
 
A real world use case with OSGi R7 - Jurgen Albert (Data In Motion Consulting...
A real world use case with OSGi R7 - Jurgen Albert (Data In Motion Consulting...A real world use case with OSGi R7 - Jurgen Albert (Data In Motion Consulting...
A real world use case with OSGi R7 - Jurgen Albert (Data In Motion Consulting...mfrancis
 
OSGi Feature Model - Where Art Thou - David Bosschaert (Adobe)
OSGi Feature Model - Where Art Thou - David Bosschaert (Adobe)OSGi Feature Model - Where Art Thou - David Bosschaert (Adobe)
OSGi Feature Model - Where Art Thou - David Bosschaert (Adobe)mfrancis
 
Migrating from PDE to Bndtools in Practice - Amit Kumar Mondal (Deutsche Tele...
Migrating from PDE to Bndtools in Practice - Amit Kumar Mondal (Deutsche Tele...Migrating from PDE to Bndtools in Practice - Amit Kumar Mondal (Deutsche Tele...
Migrating from PDE to Bndtools in Practice - Amit Kumar Mondal (Deutsche Tele...mfrancis
 
OSGi CDI Integration Specification - Ray Augé (Liferay)
OSGi CDI Integration Specification - Ray Augé (Liferay)OSGi CDI Integration Specification - Ray Augé (Liferay)
OSGi CDI Integration Specification - Ray Augé (Liferay)mfrancis
 
How OSGi drives cross-sector energy management - Jörn Tümmler (SMA Solar Tech...
How OSGi drives cross-sector energy management - Jörn Tümmler (SMA Solar Tech...How OSGi drives cross-sector energy management - Jörn Tümmler (SMA Solar Tech...
How OSGi drives cross-sector energy management - Jörn Tümmler (SMA Solar Tech...mfrancis
 
Improved developer productivity thanks to Maven and OSGi - Lukasz Dywicki (Co...
Improved developer productivity thanks to Maven and OSGi - Lukasz Dywicki (Co...Improved developer productivity thanks to Maven and OSGi - Lukasz Dywicki (Co...
Improved developer productivity thanks to Maven and OSGi - Lukasz Dywicki (Co...mfrancis
 
It Was Twenty Years Ago Today - Building an OSGi based Smart Home System - Ch...
It Was Twenty Years Ago Today - Building an OSGi based Smart Home System - Ch...It Was Twenty Years Ago Today - Building an OSGi based Smart Home System - Ch...
It Was Twenty Years Ago Today - Building an OSGi based Smart Home System - Ch...mfrancis
 
Popular patterns revisited on OSGi - Christian Schneider (Adobe)
Popular patterns revisited on OSGi - Christian Schneider (Adobe)Popular patterns revisited on OSGi - Christian Schneider (Adobe)
Popular patterns revisited on OSGi - Christian Schneider (Adobe)mfrancis
 
Integrating SLF4J and the new OSGi LogService 1.4 - BJ Hargrave (IBM)
Integrating SLF4J and the new OSGi LogService 1.4 - BJ Hargrave (IBM)Integrating SLF4J and the new OSGi LogService 1.4 - BJ Hargrave (IBM)
Integrating SLF4J and the new OSGi LogService 1.4 - BJ Hargrave (IBM)mfrancis
 
OSG(a)i: because AI needs a runtime - Tim Verbelen (imec)
OSG(a)i: because AI needs a runtime - Tim Verbelen (imec)OSG(a)i: because AI needs a runtime - Tim Verbelen (imec)
OSG(a)i: because AI needs a runtime - Tim Verbelen (imec)mfrancis
 
Flying to Jupiter with OSGi - Tony Walsh (ESA) & Hristo Indzhov (Telespazio V...
Flying to Jupiter with OSGi - Tony Walsh (ESA) & Hristo Indzhov (Telespazio V...Flying to Jupiter with OSGi - Tony Walsh (ESA) & Hristo Indzhov (Telespazio V...
Flying to Jupiter with OSGi - Tony Walsh (ESA) & Hristo Indzhov (Telespazio V...mfrancis
 
MicroProfile, OSGi was meant for this - Ray Auge (Liferay)
MicroProfile, OSGi was meant for this - Ray Auge (Liferay)MicroProfile, OSGi was meant for this - Ray Auge (Liferay)
MicroProfile, OSGi was meant for this - Ray Auge (Liferay)mfrancis
 
Prototyping IoT systems with a hybrid OSGi & Node-RED platform - Bruce Jackso...
Prototyping IoT systems with a hybrid OSGi & Node-RED platform - Bruce Jackso...Prototyping IoT systems with a hybrid OSGi & Node-RED platform - Bruce Jackso...
Prototyping IoT systems with a hybrid OSGi & Node-RED platform - Bruce Jackso...mfrancis
 
How to connect your OSGi application - Dirk Fauth (Bosch)
How to connect your OSGi application - Dirk Fauth (Bosch)How to connect your OSGi application - Dirk Fauth (Bosch)
How to connect your OSGi application - Dirk Fauth (Bosch)mfrancis
 

Plus de mfrancis (20)

Eclipse Modeling Framework and plain OSGi the easy way - Mark Hoffman (Data I...
Eclipse Modeling Framework and plain OSGi the easy way - Mark Hoffman (Data I...Eclipse Modeling Framework and plain OSGi the easy way - Mark Hoffman (Data I...
Eclipse Modeling Framework and plain OSGi the easy way - Mark Hoffman (Data I...
 
OSGi and Java 9+ - BJ Hargrave (IBM)
OSGi and Java 9+ - BJ Hargrave (IBM)OSGi and Java 9+ - BJ Hargrave (IBM)
OSGi and Java 9+ - BJ Hargrave (IBM)
 
Simplify Web UX Coding using OSGi Modularity Magic - Paul Fraser (A2Z Living)
Simplify Web UX Coding using OSGi Modularity Magic - Paul Fraser (A2Z Living)Simplify Web UX Coding using OSGi Modularity Magic - Paul Fraser (A2Z Living)
Simplify Web UX Coding using OSGi Modularity Magic - Paul Fraser (A2Z Living)
 
OSGi for the data centre - Connecting OSGi to Kubernetes - Frank Lyaruu
OSGi for the data centre - Connecting OSGi to Kubernetes - Frank LyaruuOSGi for the data centre - Connecting OSGi to Kubernetes - Frank Lyaruu
OSGi for the data centre - Connecting OSGi to Kubernetes - Frank Lyaruu
 
Remote Management and Monitoring of Distributed OSGi Applications - Tim Verbe...
Remote Management and Monitoring of Distributed OSGi Applications - Tim Verbe...Remote Management and Monitoring of Distributed OSGi Applications - Tim Verbe...
Remote Management and Monitoring of Distributed OSGi Applications - Tim Verbe...
 
OSGi with Docker - a powerful way to develop Java systems - Udo Hafermann (So...
OSGi with Docker - a powerful way to develop Java systems - Udo Hafermann (So...OSGi with Docker - a powerful way to develop Java systems - Udo Hafermann (So...
OSGi with Docker - a powerful way to develop Java systems - Udo Hafermann (So...
 
A real world use case with OSGi R7 - Jurgen Albert (Data In Motion Consulting...
A real world use case with OSGi R7 - Jurgen Albert (Data In Motion Consulting...A real world use case with OSGi R7 - Jurgen Albert (Data In Motion Consulting...
A real world use case with OSGi R7 - Jurgen Albert (Data In Motion Consulting...
 
OSGi Feature Model - Where Art Thou - David Bosschaert (Adobe)
OSGi Feature Model - Where Art Thou - David Bosschaert (Adobe)OSGi Feature Model - Where Art Thou - David Bosschaert (Adobe)
OSGi Feature Model - Where Art Thou - David Bosschaert (Adobe)
 
Migrating from PDE to Bndtools in Practice - Amit Kumar Mondal (Deutsche Tele...
Migrating from PDE to Bndtools in Practice - Amit Kumar Mondal (Deutsche Tele...Migrating from PDE to Bndtools in Practice - Amit Kumar Mondal (Deutsche Tele...
Migrating from PDE to Bndtools in Practice - Amit Kumar Mondal (Deutsche Tele...
 
OSGi CDI Integration Specification - Ray Augé (Liferay)
OSGi CDI Integration Specification - Ray Augé (Liferay)OSGi CDI Integration Specification - Ray Augé (Liferay)
OSGi CDI Integration Specification - Ray Augé (Liferay)
 
How OSGi drives cross-sector energy management - Jörn Tümmler (SMA Solar Tech...
How OSGi drives cross-sector energy management - Jörn Tümmler (SMA Solar Tech...How OSGi drives cross-sector energy management - Jörn Tümmler (SMA Solar Tech...
How OSGi drives cross-sector energy management - Jörn Tümmler (SMA Solar Tech...
 
Improved developer productivity thanks to Maven and OSGi - Lukasz Dywicki (Co...
Improved developer productivity thanks to Maven and OSGi - Lukasz Dywicki (Co...Improved developer productivity thanks to Maven and OSGi - Lukasz Dywicki (Co...
Improved developer productivity thanks to Maven and OSGi - Lukasz Dywicki (Co...
 
It Was Twenty Years Ago Today - Building an OSGi based Smart Home System - Ch...
It Was Twenty Years Ago Today - Building an OSGi based Smart Home System - Ch...It Was Twenty Years Ago Today - Building an OSGi based Smart Home System - Ch...
It Was Twenty Years Ago Today - Building an OSGi based Smart Home System - Ch...
 
Popular patterns revisited on OSGi - Christian Schneider (Adobe)
Popular patterns revisited on OSGi - Christian Schneider (Adobe)Popular patterns revisited on OSGi - Christian Schneider (Adobe)
Popular patterns revisited on OSGi - Christian Schneider (Adobe)
 
Integrating SLF4J and the new OSGi LogService 1.4 - BJ Hargrave (IBM)
Integrating SLF4J and the new OSGi LogService 1.4 - BJ Hargrave (IBM)Integrating SLF4J and the new OSGi LogService 1.4 - BJ Hargrave (IBM)
Integrating SLF4J and the new OSGi LogService 1.4 - BJ Hargrave (IBM)
 
OSG(a)i: because AI needs a runtime - Tim Verbelen (imec)
OSG(a)i: because AI needs a runtime - Tim Verbelen (imec)OSG(a)i: because AI needs a runtime - Tim Verbelen (imec)
OSG(a)i: because AI needs a runtime - Tim Verbelen (imec)
 
Flying to Jupiter with OSGi - Tony Walsh (ESA) & Hristo Indzhov (Telespazio V...
Flying to Jupiter with OSGi - Tony Walsh (ESA) & Hristo Indzhov (Telespazio V...Flying to Jupiter with OSGi - Tony Walsh (ESA) & Hristo Indzhov (Telespazio V...
Flying to Jupiter with OSGi - Tony Walsh (ESA) & Hristo Indzhov (Telespazio V...
 
MicroProfile, OSGi was meant for this - Ray Auge (Liferay)
MicroProfile, OSGi was meant for this - Ray Auge (Liferay)MicroProfile, OSGi was meant for this - Ray Auge (Liferay)
MicroProfile, OSGi was meant for this - Ray Auge (Liferay)
 
Prototyping IoT systems with a hybrid OSGi & Node-RED platform - Bruce Jackso...
Prototyping IoT systems with a hybrid OSGi & Node-RED platform - Bruce Jackso...Prototyping IoT systems with a hybrid OSGi & Node-RED platform - Bruce Jackso...
Prototyping IoT systems with a hybrid OSGi & Node-RED platform - Bruce Jackso...
 
How to connect your OSGi application - Dirk Fauth (Bosch)
How to connect your OSGi application - Dirk Fauth (Bosch)How to connect your OSGi application - Dirk Fauth (Bosch)
How to connect your OSGi application - Dirk Fauth (Bosch)
 

Dernier

Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobeapidays
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdflior mazor
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyKhushali Kathiriya
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...DianaGray10
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc
 
Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024SynarionITSolutions
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 

Dernier (20)

Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 

Do not disturb my circles! Secure Application Isolation with OSGi - Mirko Jahn & Markus Gumbel, ICW

  • 1. June 10-11, 2008 Berlin, Germany Do not disturb my circles - Application isolation with OSGi Mirko Jahn*, Boris Terzic, Markus Gumbel*
  • 2. 2 Agenda •! Motivation •! Java Security shortcomings and what OSGi can add •! What is still missing: Concept for bundle-like domain security •! Implications •! Outlook
  • 3. 3 •! Germany’s internet-based e-health-infrastructure project •! Infrastructure has to be very secure •! Business logic (e.g. prescription workflow) requires digital signatures Why more security? An example “ICW healthcare connector based on Cisco AXP” VPN over Internet Card Terminal Practice Mgt. System Backend
  • 4. 4 Secure and certified applications •! Two types of applications •! “Must-have” (and highly secure) •! on demand •! Reuse (3rd party) components •! Contradiction •! Certification requires a minimal and inflexible but at least an isolated system •! Added value applications require installation of new and potentially malicious software C2 C4 C1 C3
  • 5. 5 Application domain separation •! How to isolate an application domain? •! OS level (e.g. virtual OS) •! Process level (different native applications) •! Component level (within one JVM) •! Holds true for other domains as well •! e.g. automotive sector •! Resource-friendly •! Less complex and easier to maintain C2 C4 C1 C3 !
  • 6. 6 Fort Knox, Kenntucky – Screenshot taken from google maps.
  • 7. 7 Plain JavaTM 2 Security •! Enforced by the JVM •! Loadtime: Code verifier •! Runtime: ClassLoader and SecurityManager •! customizable security through extension of java.security.Permission •! ProtectionDomain objects as main instance to handle roles and permissions •! Policy files as configuration entity
  • 8. 8 Shortcomings of plain JavaTM 2 Security •! Not focused on “component” isolation, but application isolation (like applets) •! No notion of service level security •! No actual notion of lifecycle or dynamism
  • 9. 9 From Clay Bennett: http://www.claybennett.com/pages2/security.html (slightly adapted ;-) )
  • 10. 10 What OSGi has to add? •! Finer grained isolation with new permissions •! PackagePermission (import, export) •! BundlePermission (provide, require, host, fragment) •! ServicePermission (register, get) •! AdminPermission (execute, lifecycle, resolve,...) " Better encapsulation of components •! Dynamic management of policies/ permissions •! Permission Admin (org.osgi.service.permissionadmin.*) •! Conditional Permission Admin (org.osgi.service.condpermadmin.*)
  • 11. 11 How to isolate your code? Identify… •! … application domains and sub-domains •! … intra and inter domain boundaries •! The minimal set of Permissions each bundle needs (explicitly via Java API calls) •! Import and export statements in the manifest files •! Services •! Lifecycle dependencies •! System (sockets, file access, properties,…)
  • 12. 12 How to isolate your code? Assign… •! … different certificates for each domain/ sub-domain •! … permissions on these certificates based on the findings before (including intra and inter domain dependencies) •! … scoping limit for each bundle (only the actual permission needed by the bundle) – use the permission.perm file
  • 13. 13 Define your domain application(s) JVM with SecurityManager Core Domain Bundle A Bundle B Bundle C API indented to be used by other domains API indented only to be used within the domain package or service permissions f.i. ! The distinction between internal and external is only conceptual ! Public API export Public API import Intra domain API export Intra domain API import
  • 14. 14 How to wire your domains? JVM with SecurityManager Core Domain wired with matching permission definitions ...PackagePermission [de.icw.core, EXPORT] ...PackagePermission [de.icw.core,IMPORT] Public API export Public API import Intra domain API export Intra domain API import (Highly Secure) Domain S (Highly Secure) Domain S
  • 15. 15 How to wire your domains? JVM with SecurityManager Core Domain (Highly Secure) Domain S service Domain P How to add 3rd party extensions without knowing their namespace or certificate??? Public API export Public API import
  • 16. 16 How to integrate 3rd party extensions? JVM with SecurityManager Core Domain (Highly Secure) Domain S service Domain P 3rd Party Extension Domain X Public API export Public API import
  • 17. 17 How to integrate 3rd party extensions? JVM with SecurityManager Core Domain (Highly Secure) Domain S service Domain P 3rd Party Extension Domain X Not possible! ! Now, only the exposed API is security relevant!
  • 18. 18 Run & Refactor •! Run usually reveals a huge amount of missing permissions •! Refactor 1.! Investigate missing permissions " either add permissions or use doPrivileged() 2.! Examine permissions assigned to the certificates for undesired overlaps or dependencies. " move or refactor/ redesign 3.! API analysis on tainted parameters based on permissions assigned to the certificates
  • 19. 19 Remaining Challenges •! How to dynamically assign permissions on domains without prior knowledge of their features and without potentially compromising installed and certified domains/ applications? •! How to handle differing permissions depending on the version of a component? •! What about start-up behavior? First come, first serve? How to define, which bundle is the one to set permissions? •! How bullet proof is your OSGi container? Who can tell? " A whitepaper on (OSGi) security is desirable
  • 21. 21 References •! [1] Secure Code Guidelines (Sun) http://java.sun.com/security/seccodeguide.html •! [2] Security Documentation (Sun) http://java.sun.com/javase/6/docs/technotes/guides/security/ •! [3] Coding for least privilege http://en.wikipedia.org/wiki/Least_privilege •! [4] InterComponentWare AG (ICW) http://www.icw-global.com •! [5] Cisco AXP Router and the ICW Box http://www.cisco.com/en/US/prod/collateral/routers/ps9701/ data_sheet_c02_459078.html •! [6] JSR 294 – Improved modularity support in the Java Programming Language http://jcp.org/en/jsr/detail?id=294 •! [7] Spring Application Platform http://www.springsource.com/web/guest/products/suite/applicationplatform
  • 22. 22 Trademarks & Copyrights •! Java is a trademark of Sun Microsystems, Inc. in the United States and other countries. •! OSGi is a trademark of the OSGi Alliance. •! All other trademarks mentioned are trademarks of the respective owners