Timo Aho
ABSTRACT
For some time it has been a growing trend to move applications from the desktop to the web and especially to cloud environment. Very often the web application solutions are based on the Java language. In this case, the OSGi specification is arguably the number one choice for running multiple applications on a single Java virtual machine. Unfortunately, OSGi does not solve all the security vulnerabilities that emerge in such an environment. For instance, computer resource usage is only marginally controlled. In this paper, we discuss the security of the OSGi environment. In particular, we introduce a solution to running untrusted OSGi applications. In our case, controlling the permissions of the applications is fairly simple. A more challenging task is to manage the computer resource usage. We present a moderately straightforward solution that still grants a reasonable level of security. Unlike other similar OSGi resource managers and monitors, our solution does not need any modifications to the web applications or OSGi components. Moreover, we distinguish each web session of an application while competing methods only monitor complete applications as single entities.
- M. Armbrust, A. Fox, R. Griffith, A. D. Joseph, R. Katz, A. Konwinski, G. Lee, D. Patterson, A. Rabkin, I. Stoica, and M. Zaharia. A view of cloud computing. Communications of the ACM, 53(4):50--58, 2010. Google Scholar
Digital Library
- Y. Chen, V. Paxson, and R. H. Katz. What's new about cloud computing security? Technical Report UCB/EECS-2010-5, University of California, Berkeley, CA, 2010.Google Scholar
- N. Geoffray, G. Thomas, G. Muller, P. Parrend, S. Frénot, and B. Folliot. I-JVM: a Java virtual machine for component isolation in OSGi. In International Conference on Dependable Systems and Networks (DSN 2009), Los Alamitos, CA, 2009. IEEE Computer Society.Google ScholarCross Ref
- M. Grönroos. Book of Vaadin. Vaadin Ltd., Turku, Finland, 7th edition, 2013.Google Scholar
- R. Hall, K. Pauls, S. McCulloch, and D. Savage. OSGi in action: Creating modular applications in Java. Manning Publications, Greenwich, CT, 2010. Google ScholarDigital Library
- Java Community Process. Java specification request 121: Application isolation API specification, 2006. Version 2.7, final.Google Scholar
- Java Community Process. Java specification request 284: Resource consumption management API, 2009. Version 2.6, final.Google Scholar
- Java Community Process. Java specification request 315: Java servlet 3.0 specification, 2009. Version 3.0, final.Google Scholar
- H. Lin, C. You, M. Zhou, and H. Mei. Proxy centric approach for component resource monitoring on OSGi platform. Journal of Frontiers of Computer Science and Technology, 5(1):23--31, 2011. In Chinese with English abstract.Google Scholar
- S. Microsystems. Java 2 security architecture, 2002. Version 1.2.Google Scholar
- T. Miettinen. Resource monitoring and visualization of OSGi-based software components. Technical Report 685, VTT, Espoo, Finland, 2008.Google Scholar
- Oracle. Java native interface specification, 2006. Version 6.0.Google Scholar
- Oracle. JVM tool interface, 2006. Version 1.2.1.Google Scholar
- P. Parrend. Software Security Models for Service-Oriented Programming (SOP) Platforms. PhD thesis, Institut National des Sciences Appliquées de Lyon, Lyon, France, 2008.Google Scholar
- P. Parrend and S. Frénot. Java components vulnerabilities: An experimental classification targeted at the OSGi platform. Technical Report 6231, Institut National de Recherche en Informatique et en Automatique, Le Chesnay Cedex, France, 2007.Google Scholar
- R. Schwammberger. Performance isolation for component systems. Master's thesis, Swiss Federal Institute of Technology Zurich, Zurich, Germany, 2009.Google Scholar
- D. Simon, C. Cifuentes, D. Cleal, J. Daniels, and D. White. Java on the bare metal of wireless sensor devices: The Squawk Java virtual machine. In Proceedings of the 2nd International Conference on Virtual Execution Environments (VEE 06), pages 78--88, New York, NY, 2006. ACM. Google ScholarDigital Library
- S. Soman, L. Daynès, and C. Krintz. Task-aware garbage collection in a multi-tasking virtual machine. In Proceedings of the 5th International Symposium on Memory Management (ISMM 06), pages 64--73, New York, NY, 2006. ACM. Google ScholarDigital Library
- The OSGi Alliance. OSGi service platform: Core specification, 2009. Release 4, version 4.2.Google Scholar
Index Terms
- A secure OSGi environment for untrusted web applications
Recommendations
Modular Java web applications
SAC '08: Proceedings of the 2008 ACM symposium on Applied computingAs Java EE applications increase in size and complexity the constraints imposed by the existing component model restrict their utility. In this paper, we describe a solution to the problem related to building modular and evolvable server-side ...
Evaluation of tools for automated unit testing for applications in OSGi
BCI '12: Proceedings of the Fifth Balkan Conference in InformaticsThis work provides an overview and comparison of the currently available tools for testing in OSGi environment such as Pax-Exam, JUnit4OSGi or Spring DM. We developed a plugin for JUnit4OSGi that allows to generate basic skeletons of tests from ordinary ...
Enhancing OSGi with real-time Java support
OSGi was designed with embedded systems in mind, its current support is insufficient for coping with one main characteristic of many embedded systems: real-time performance. This article analyzes different key issues in providing OSGi with real-time ...
Comments