Secure Component Deployment in the OSGi(tm) Release 4 Platform

TL;DR

This paper discusses security mechanisms for deploying components in the OSGi Release 4 platform, focusing on cryptographic signing, validation, and a secure extension of the Felix framework to enhance deployment security.

Contribution

It introduces cryptographic signing processes for OSGi bundles, a secure Felix extension, and a signing tool, advancing security in component deployment for embedded systems.

Findings

Implementation of bundle signing and validation process

Development of SFelix platform extension

Creation of SFelix JarSigner tool

Abstract

Last years have seen a dramatic increase in the use of component platforms, not only in classical application servers, but also more and more in the domain of Embedded Systems. The OSGi(tm) platform is one of these platforms dedicated to lightweight execution environments, and one of the most prominent. However, new platforms also imply new security flaws, and a lack of both knowledge and tools for protecting the exposed systems. This technical report aims at fostering the understanding of security mechanisms in component deployment. It focuses on securing the deployment of components. It presents the cryptographic mechanisms necessary for signing OSGi(tm) bundles, as well as the detailed process of bundle signature and validation. We also present the SFelix platform, which is a secure extension to Felix OSGi(tm) framework implementation. It includes our implementation of the bundle signature process, as specified by OSGi(tm) Release 4 Security Layer. Moreover, a tool for signing and publishing bundles, SFelix JarSigner, has been developed to conveniently integrate bundle signature in the bundle deployment process.