Implantation des services d'analyze statique sur des bundles OSGi

Abstract

Orange ( the brand name of France T el ecom ) provides mobile network, television and Internet services. In order to o er these services, Orange has developed equipment such as the Livebox and the Set Top Box. However, to maintain the quality of service in these equipment, the company researches methods that allow the integration of new features in its equipments, as well as of services developed by third parties. To reach this purpose, Orange studies the possibility of introducing in their equipment an OSGi Service Platform, a dynamic module system for JavaTM, that supports the dynamic and transparent installation of components. This platform would allow the development of applications in a modular fashion, while o ering strong isolation mechanisms. This is necessary to open the Orange Platform for the software developed by third-party providers. In the meantime, recent studies have demonstrated that the OSGi Service Platform possesses a considerable number of security weaknesses. These vulnerabilities, if ignored, can be exploited by the malicious components to block or interfere with Orange services, or to obtain sensitive information from the Orange customers. Something that cannot be neglected by the enterprise. To avoid these problems, a validation platform will be developed that will analyze all the applications developed for Orange equipment, in order to ensure security properties, such as a non-malicious behavior. For example, the validation platform needs to detect a situation where the application wants to occupy a considerable part of the computational resources such as the processor, the RAM, the hard drive, among others. If the constructed platform built does not detect any malicious behavior, Orange will give a certi cation to the third-party application.

Orange (le nom de marque de France T el ecom) fournit des services de r eseaux mobiles, t el evision et Internet. A n d'o rir ces services, Orange a d evelopp e des equipements tels que la Livebox et la Set Top Box. Cependant, pour maintenir la qualit e des services de ces equipements, l'entreprise recherche une m ethode qui permet l'int egration de nouvelles fonctionnalit es, et aussi de services d evelopp es par des tiers. Pour atteindre cet objectif, Orange etudie la possibilit e d'introduire dans ses equipements une plate-forme de services OSGi, un syst eme de modules dynamiques pour JavaTMqui o re la possibilit e de faire des installations dynamiques et transparentes des composants. Cette plate-forme permettra le d eveloppement modulaire des applications, qualit es n ecessaires a des developeurs tiers. Cependant, des etudes r ecentes ont d emontr e que la plate-forme OSGi poss ede un nombre consid erable de failles de s ecurit e. Ces vuln erabilit es, si elles sont ignor ees, peuvent ^etre utilise es par les composants malveillants pour bloquer ou interf erer avec les services d'Orange, ou pour obtenir des informations sensibles des clients Orange. Pour eviter ces probl emes, une plate-forme de validation sera d evelopp ee pour analyser toutes les applications d evelopp ees pour les equipements d'Orange a n d'assurer des propri et es de s ecurit e, comme un comportement non malveillant. Par exemple, la plateforme de validation doit d etecter une situation o u l'application veut occuper une partie consid erable des ressources de calcul comme par exemple le processeur, la m emoire vive, le disque dur, etc. Si la plate-forme construite ne trouve pas un comportement malveillant, Orange donnera une certi cation pour l'application.