Home | Sitemap | Index | Contact | Legals | KIT

Publications of Pierre Parrend

Books/Book Chapters and edited Proceedings

[1] Pierre Parrend. Java Software, chapter Security for Java Platforms. Nova Publishers, New York, 2009. [ bib | http | Abstract ]
The Java environment is composed of two main parts: the Java language and the Java virtual machine. It is designed with the assumption that no software entity is to be trusted and therefore that each need to be checked. The first success of Java was the inception of Java Applets which enabled fully untrusted code provided by unknown web sites to be executed in a browser. This feature demonstrated the isolation brought by the Java Virtual Machine (JVM) between the applications and the underlying operating system. However, the evolution of Java systems from mono-application to multi-component systems induce new vulnerabilities developers are not aware of. This requires that additional security mechanisms are used to support secure Java environments. This survey presents an overview of the security issues for the Java language and Virtual Machine. The default security model is defined and explained. Its three main components are the Java language itself, the Bytecode validation at load time and modularity supports such as the class loaders and permission domains. Known vulnerabilities are presented. They originate either in the JVM or in the code of applications. Two approaches exist for describing code vulnerabilities: source code and Bytecode. This duality enables to identify them both during development through manual code review and tools, and in an automated manner during code deployment or installation. Security extensions for the Java Execution Environment and tools for writing secure Java code are presented. They are of three types: platform extensions, static analysis approaches and behavior injection. Platform extensions consist in strengthening the isolation between components (beans, etc.) and providing support for resource consumption accounting and control. Static analysis is often performed through generic tools that improve the code quality and thus reduce the number of exploitable bugs in the Java code. Some of these tools, such as FindBugs, encompass security-specific bugs, and some, as JSLint are dedicated to security analysis. Bytecode injection enables to introduce security checks in the core of the code. It can be performed with the developers involved, for instance through aspect-oriented programming, or transparently, through Bytecode injection or meta-programming. An overview of the existing protection mechanisms for Java systems according to the life-cycle moment they are enforced and to the development overhead they imply concludes this work

Refereed journal articles

[1] Pierre Parrend and Stéphane Frénot. Security benchmarks of osgi platforms: Toward hardened osgi. Software: Practice & Experience, 2009. [ bib | http | Abstract ]
OSGi Platforms are Extensible Component Platforms, ie they support the dynamic and transparent installation of components that are provided by third party providers at runtime. This feature makes systems built using OSGi extensible and adaptable but opens a dangerous attack vector that has not been considered as such until recently. Performing a security benchmark of the OSGi platform is therefore necessary to gather knowledge related to the weaknesses it introduces as well as to propose enhancements. A suitable Vulnerability Pattern is defined. The attacks that can be performed through malicious OSGi components are identified. Quantitative analysis is then performed so as to characterize the origin of the vulnerabilities and the target and consequences of attacks. The assessment of the security status of the various implementations of the OSGi Platform and of existing security mechanisms is done through a metric we introduce, the Protection Rate. Based on these benchmarks, OSGi-specific security enhancements are identified and evaluated. First recommendations are given. Then evaluation is performed through the Protection Rate metric and performance analysis. Lastly, further requirements for building secure OSGi Platforms are identified.
[2] Pierre Parrend and Stéphane Frénot. Vérification automatique pour l'exécution sécurisée de composants java. Numéro spécial de la revue L'Objet - Composants, Services et Aspects : techniques et outils pour la vérification, 2008. [ bib ]

Refereed conference/Workshop papers

[1] N. Geoffray, G. Thomas, G. Muller, P. Parrend, S. Frenot, and B. Folliot. I-jvm: une machine virtuelle java pour l'isolation de composants dans osgi. In Conference Francaise sur les Systemes d'Exploitation, September 2009. Toulouse, France. [ bib ]
[2] Pierre Parrend. Enhancing automated detection of vulnerabilities in java components. In Forth International Conference on Availability, Reliability and Security (AReS 2009), March 2009. Fukuoka, Japan. [ bib | Abstract ]
Java-based systems are built from components from various providers that are integrated together. Generic coding best practices are gaining momentum, but no tool is availableso far that guarantees that the interactions between these components are performed in a secure manner. We propose the 'Weak Component Analysis' (WCA) tool, which performs static analysis of the component code to identify exploitable vulnerabilities. Three types of classes can be identified in Java components, that each can be exploited through specific vulnerabilities. Internal classes which are not available for other components can be abused in an indirect manner. Shared classes which are provided by libraries can be abused through class-level vulnerabilities. Shared objects, i.e. instantiated classes, which are made available as local services in Service-oriented Programming platforms such as OSGi, Spring and Guice can be abused through object-level vulnerabilities in addition to class-level vulnerabilities.
[3] Nicolas Geoffray, Gael Thomas, Gilles Muller, Pierre Parrend, Stephane Frenot, and Bertil Folliot. I-jvm: a java virtual machine for component isolation in osgi. In 39th IEEE/IFIP Conference on Dependable Systems and Networks (DSN), 2009. Lisbon, Portugal. [ bib ]
[4] Pierre Parrend and Stéphane Frénot. Classification of component vulnerabilities in Java service oriented programming (SOP) platforms. In Conference on Component-based Software Engineering (CBSE'2008), October 2008, volume 5282/2008 of LNCS. Springer Berlin / Heidelberg, Karlsruhe, Germany. October 2008. [ bib | http | Abstract ]
Java-based systems have evolved from stand-alone applications to multi-component to Service Oriented Programming (SOP) platforms. Each step of this evolution makes a set of Java vulnerabilities directly exploitable by malicious code: access to classes in multi-component platforms, and access to object in SOP, is granted to them with often no control. This paper defines two taxonomies that characterize vulnerabilities in Java components: the vulnerability categories, and the goals of the attacks that are based on these vulnerabilities. The `vulnerability category' taxonomy is based on three application types: stand-alone, class sharing, and SOP. Entries express the absence of proper security features at places they are required to build secure component-based systems. The `goal' taxonomy is based on the distinction between undue access, which encompasses the traditional integrity and confidentiality security properties, and denial-of-service. It provides a matching between the vulnerability categories and their consequences. The exploitability of each vulnerability is validated through the development of a pair of malicious and vulnerable components. Experiments are conducted in the context of the OSGi Platform. Based on the vulnerability taxonomies, recommendations for writing hardened component code are issued.
[5] Pierre Parrend and Stéphane Frénot. Component-based access control: Secure software composition through static analysis. In Software Composition (SC'2008), March 2008, volume 4954/2008 of LNCS, pages 68-83. Springer Berlin / Heidelberg. March 2008. [ bib | http | Abstract ]
Extensible Component Platforms support the discovery, installation, starting, uninstallation of components at runtime. Since they are often targeted at mobile resource-constraint devices, they have both strong performance and security requirements. The current security model for Java systems, Permissions, are based on call stack analysis. They proves to be very time-consuming, which makes them difficult to use in production environments. We therefore define the Component-Based Access Control (CBAC) Security Model, which aims at emulating Java Permissions through static analysis at the installation phase ofthe components. CBAC is based on a fully declarative approach, thatmakes it possible to tag arbitrary meth- ods as sensitive. A formal model is defined to guarantee that a given component have sufficientaccess rights, and that dependencies between components are taken into account. A first implementation of the model is provided for the OSGi Platform, using the ASM library for code anal- ysis. Performancetests show that the cost of CBAC at install time is negligible, becauseit is executed together with digital signature which is much more costly. Moreover, contrary to Java Permissions, the CBAC security model does not imply any runtime overhead.
[6] Stéphane Frénot, Yvan Royon, Pierre Parrend, and Denis Beras. Monitoring scheduling for home gateways. In IEEE/IFIP Network Operations and Management Symposium (NOMS), Salvador de Bahia, Brazil, 7-11 April 2008, 2008. [ bib | http | Abstract ]
: In simple and monolithic systems such as our current home gateways, monitoring is often overlooked: the home user can only reboot the gateway when there is a problem. In next-generation home gateways, more services will be available (pay-per-view TV, games...) and different actors will provide them. When one service fails, it will be impossible to reboot the gateway without disturbing the other services. We propose a management framework that monitors remote gateways. The framework tests response times for various management activities on the gateway, and provides reference time/performance ratios. The values can be used to establish a management schedule that balances the rate at which queries can be performed with the resulting load that the query will induce locally on the gateway. This allows the manager to tune the ratio between the reactivity of monitoring and its intrusiveness on performance
[7] Yvan Royon, Pierre Parrend, Stéphane Frénot, Serafeim Papastefano, Humberto Abdelnur, and Dirk Van de Poel. Multi-service, multi-protocol management for residential gateways. In BroadBand Europe, December 2007. [ bib | http ]
[8] Pierre Parrend, Samuel Galice, Stéphane Frénot, and Stéphane Ubeda. Identity-based cryptosystems for enhanced deployment of OSGi bundles. In IARIA International Conference on Emerging Security Information, Systemsand Technologies (SecurWare), October 2007. [ bib | http ]
[9] Pierre Parrend, Stéphane Frénot, and Sebastian Hoehn. Privacy-aware service integration. In Second IEEE International Workshop on Services Integration in Pervasive Environments (SIPE'2007), July 2007. [ bib | http | Abstract ]
Privacy mechanisms exist for monolithic systems. However, pervasive environments that gather user data to support advanced services provide little control over the data an individual releases. This is a strong inhibitor for the development of pervasive systems, since most users do not accept that their personal information is sent out to the wild, but potentially passed over to third party systems. We therefore propose a framework to support user control over the data made available to service providers in the context of an OSGi based Extensible Service Systems. A formal privacy model is defined and service and policy descriptions are deduced. Technical system requirements to support these policies are identified. Since guaranteeing privacy inside the system is of little help if any malicious entity can break into it, a security architecture for OSGi based Extensible Service Systems is also defined.
[10] Pierre Parrend and Stéphane Frénot. Supporting the secure deployment of OSGi bundles. In First IEEE WoWMoM Workshop on Adaptive and DependAble Mission- and bUsiness-critical mobile Systems, Helsinki, Finland, June 2007. [ bib | http | Abstract ]
The OSGi platform is a lightweight management layer over a Java virtual machine that makes runtime extensibility and multi-application support possible in mobile and constraint environments. This powerfull capability opens a particular attack vector against mobile platforms: the installation of malicious OSGi bundles. The first countermeasure is the digital signature of the bundles. We developed a tool suite that supports the signature, the publication and the validation of the bundles in an OSGi framework. Our tools support the publication of bundles onto a remote bundle repository as well as the validation of the signature according to the OSGi R4 specifications. A comparison of existing validation mechanisms shows that our security layer is the only one that is compliant with the specification.
[11] Pierre Parrend and Stéphane Frénot. A security analysis for home gateway architectures. In International Conference on Cryptography, Coding & Information Security, CCIS 2006, November 24-26, Venice, Italy, November 2006. [ bib | http | Abstract ]
Providing Services at Home has become over the last few years a very dynamic and promising technological domain. It is likely to enable wide dissemination of secure and automated living environments. We propose a methodology for identifying threats to Services at Home Delivery systems, as well as a threat analysis of a multi-provider Home Gateway architecture. This methodology is based on a dichotomous positive/preventive study of the target system: it aims at identifying both what the system must do, and what it must not do. This approach completes existing methods with a synthetic view of potential security flaws, thus enabling suitable measures to be taken. Security implications of the evolution of a given system become easier to deal with. A prototype is built based on the conclusions of this analysis
[12] Pierre Parrend, Yvan Royon, and Noha Ibrahim. Service-oriented distributed communities in residential environments. In 1st IEEE International Workshop on Services Integration in Pervasive Environments, Lyon, France, June 2006. [ bib | http ]
[13] Pierre Parrend and Bertrand David. Use of ontologies as a way to automate mde processes. In IEEE EuroCon 2005, Belgrad, Serbia-Montenegro, 2005. [ bib | http | Abstract ]
Model Driven Engineering (MDE) knows growing interest as much as a research domain as an industry process for building software quickly and reliably. However, in the way to reuse and automation of design processes, it has limitation for this purpose, as it focuses on design much more as on user s need. Use of an ontology representing domain design knowledge can be a way to bridge the gap between use scenarios and models, and so to empower MDE approaches.

Technical Reports

[1] Franz Brosch, Henning Groenda, Lucia Kapova, Klaus Krogmann, Michael Kuperberg, Anne Martens, Pierre Parrend, Ralf Reussner, Johannes Stammel, and Emre Taspolatoglu. Software-industrialisierung. Technical report, Fakultät für Informatik, Universität Karlsruhe, Karlsruhe, 2009. Interner Bericht. [ bib | http | Abstract ]
Die Industrialisierung der Software-Entwicklung ist ein zur Zeit sehr stark diskutiertes Thema. Es geht dabei vor allem um die Efizienzsteigerung durch die Steigerung des Standardisierungsgrades, des Automatisierungsgrades sowie eine Erhöhung der Arbeitsteilung. Dies wirkt sich einerseits auf die den Software- Systemen zu Grunde liegenden Architekturen, aber auch auf die Entwicklungsprozesse aus. So sind Service-orientierte Architekturen ein Beispiel für eine gesteigerte Standardisierung innerhalb von Software-Systemen. Es ist zu berücksichtigen, dass sich die Software-Branche von den klassischen produzierenden Industriezweigen dadurch unterscheidet, dass Software ein immaterielles Produkt ist und so ohne hohe Produktionskosten beliebig oft vervielfältigt werden kann. Trotzdem lassen sich viele Erkenntnisse aus den klassischen Industriezweigen auf die Software-Technik übertragen. Die Inhalte dieses Berichts stammen hauptsächlich aus dem Seminar " Software- Industrialisierung welches sich mit der Professionalisierung der Software- Entwi- cklung und des Software-Entwurfs beschäftigte. Während die klassische Software-Entwicklung wenig strukturiert ist und weder im Bezug auf Reproduzierbarkeit oder Qualitätssicherung erhöhten Anforderungen genügt, befindet sich die Software-Entwick- lung im Rahmen der Industrialisierung in einemWandel. Dazu zählen arbeitsteiliges Arbeiten, die Einführung von Entwicklungsprozessen mit vorhersagbaren Eigenschaften (Kosten, Zeitbedarf, ...), und in der Folge die Erstellung von Produkten mit garantierbaren Eigenschaften. Das Themenspektrum des Seminars umfasste dabei unter anderem: * Komponentenbasierte Software-Architekturen * Modellgetriebene Softwareentwicklung: Konzepte und Technologien * Industrielle Softwareentwicklungsprozesse und deren Bewertung Das Seminar wurde wie eine wissenschaftliche Konferenz organisiert: Die Einreichungen wurden in einem zweistufigen Peer-Review-Verfahren begutachtet. In der ersten Stufe wurde eine Begutachtung der studentischen Arbeiten durch Kommilitonen durchgeführt, in der zweiten Stufe eine Begutachtung durch die Betreuer. In verschiedenen Sessions wurden die Artikel wie bei einer Konferenz präsentiert. Die besten Beiträge wurden durch zwei Best Paper Awards ausgezeichnet. Diese gingen an Tom Beyer für seine Arbeit Realoptionen für Entscheidungen in der Software-Entwicklung, sowie an Philipp Meier für seine Arbeit Assessment Methods for Software Product Lines. Ergänzt wurden die Vorträge der Seminarteilnehmer durch zwei eingeladene Vorträge: Collin Rogowski von der 1&1 Internet AG stellte den agilen Softwareentwicklungsprozess beim Mail-Produkt GMX.COM vor. Heiko Koziolek, Wolfgang Mahnke und Michaela Saeftel von ABB referierten über das Thema Software Product Line Engineering anhand der bei ABB entwickelten Robotik-Applikationen.
[2] Pierre Parrend and Stéphane Frénot. More vulnerabilities in the Java/OSGi platform: A focus on bundle interactions. Technical Report RR-6649, INRIA, September 2008. [ bib | http | Abstract ]
Extensible Component Platforms can discover and install code during runtime. Although this feature introduces flexibility, it also brings new security threats: malicious components can quite easily be installed and exploit the rich programming environment and interactions with other components to perform attacks against the system. One example of such environments is the Java/OSGi Platform, which widespreads in the industrial world. Attacks from one component against another can not be prevented through conventional security mechanisms, since they exploit the lack of proper isolation between them: components often share classes and objects. This reports intends to list the vulnerabilities that a component can contain, both from the literature and from our own experience. The Vulnerable Bundle catalog gathers this knowledge. It provides informations related to the characteristics of the vulnerabilities, their consequence, the security mechanisms that would help prevent their exploitation, as well as to the implementation state of the proof-of-concept bundles that are developed to prove that the vulnerability is actually exploitable. The objective of vulnerability classification is of course to provide tools for identifying and preventing them. A first assessment is performed with existing tools, such as Java Permission and FindBugs, and a specific prototype we develop, WBA ( Weak Bundle Analysis), and manual code review.
[3] Pierre Parrend and Stéphane Frénot. Java components vulnerabilities - an experimental classification targeted at the OSGi platform. Research Report RR-6231, INRIA, June 2007. [ bib | http | Abstract ]
The OSGi Platform finds a growing interest in two different applications domains: embedded systems, and applications servers. However, the security properties of this platform are hardly studied, which is likely to hinder its use in production systems. This is all the more important that the dynamic aspect of OSGi-based applications, that can be extended at runtime, make them vulnerable to malicious code injection. We therefore perform a systematic audit of the OSGi platform so as to build a vulnerability catalog that intends to reference OSGi Vulnerabilities originating in the Core Specification, and in behaviors related to the use of the Java language. Standard Services are not considered. To support this audit, a Semi-formal Vulnerability Pattern is defined, that enables to uniquely characterize fundamental properties for each vulnerability, to include verbose description in the pattern, to reference known security protections, and to track the implementation status of the proof-of-concept OSGi Bundles that exploit the vulnerability. Based on the analysis of the catalog, a robust OSGi Platform is built, and recommendations are made to enhance the OSGi Specifications.
[4] Pierre Parrend and Stéphane Frénot. Secure component deployment in the OSGirelease 4 platform. Technical Report RT-0323, INRIA, June 2006. [ bib | http | Abstract ]
Last years have seen a dramatic increase in the use of component platforms, not only in classical application servers, but also more and more in the domain of Embedded Systems. The OSGi(tm) platform is one of these platforms dedicated to lightweight execution environments, and one of the most prominent. However, new platforms also imply new security flaws, and a lack of both knowledge and tools for protecting the exposed systems.> This technical report aims at fostering the understanding of security mechanisms in component deployment. It focuses on securing the deployment of components. It presents the cryptographic mechanisms necessary for signing OSGi(tm) bundles, as well as the detailed process of bundle signature and validation. We also present the SFelix platform, which is a secure extension to Felix OSGi(tm) framework implementation. It includes our implementation of the bundle signature process, as specified by OSGi(tm) Release 4 Security Layer. Moreover, a tool for signing and publishing bundles, SFelix JarSigner, has been developed to conveniently integrate bundle signature in the bundle deployment process.
[5] Pierre Parrend and Isabelle Auge-Blum. Validation temporelle d'architectures embarquees pour l'automobile. Technical Report RR200, CITI Lab, INSA de Lyon, July 2004. [ bib | http | Abstract ]
Cette �tude se situe dans un contexte de fort d�veloppement des applications automobiles bas�es sur l �lectronique, en vue de remplacer certaines pi�ces m�caniques, tels les syst�mes de freinage, de direction. Le protocole le plus utilis� actuellement est CAN, mais il ne suffit pas aux applications n�cessitant un haut degr� de s�curit�. D autres protocoles ont donc �t� d�velopp�s, selon le paradigme Time- Triggered (selon un ordonnancement pr�-d�fini), comme TTA, Flexray. En effet, ce type de protocoles est plus facile � valider. De la rencontre de CAN et des protocoles Time-Triggered est issu TTCAN. C est ce protocole auquel nous allons nous int�resser. Il est indispensable pour un protocole destin� � des applications � haut niveau de s�curit� de disposer d un validation formelle. Nous allons �tudier son comportement temporel � l aide de l outil UPPAAL, qui permet l analyse, � l aide d une m�thode d�velopp�e au CITI. Nous pr�sentons la mod�lisation r�alis�e � fin d analyse, ainsi que les r�sultats obtenus. Ces donn�es nous permettent une comparaison syst�matique avec le protocole TTA, ce qui offre une mise en perspective critique des deux protocoles.
[6] Karen Godary, Pierre Parrend, and Isabelle Auge-Blum. Comparison and temporal validation of automotive real-time architectures. Technical report, CITI Lab, INSA de Lyon, 2004. [ bib | http | Abstract ]
In the automotive domain, the X-by-wire systems are dedicated to critical and real-time applications. These systems have specific needs that must be ful- filled, in particular in the reliability domain. Fault-tolerant architectures have been designed to fit with these requirements : TTA, FlexRay or TTCAN. This paper presents a methodology of temporal validation, and illustrates it for the validation of TTA and TTCAN services. This validation provides some temporal bounds, that can be used for the comparison of these architectures.

Theses

[1] Pierre Parrend. Software Security Models for Service-Oriented Programming (SOP) Platforms. PhD thesis, Institut National des Sciences Appliquées de Lyon, France, December 2008. [ bib ]
[2] Pierre Parrend. Mde et cscw, groupware, travail cooperatif capillaire. Master's thesis, Ecole Centrale de Lyon, 2005. [ bib | http | Abstract ]
Collaborative applications let users work in a shared environment, to support common work. Model Driven Engineering (MDE), aims at separating the description of the application and the description of the target platform and architecture. Numerous patterns are available in the literrature, which may be reused in an MDE process for CSCW. However, they build just ponctual solutions, are may only be useful as a complement to an existing framework. Our proposition to solve this problem is to integrate ontologies in the MDE process, to represent functionnalities of collaborative applications, so as to generate MDE models for collaborative services, deduced from use scenarios. Several work groups have been recently created to study the role of ontologies in MDE on one hand, and in CSCW on the other hand : this is a growing research domain

Other

[1] Pierre Parrend and Stéphane Frénot. Dependability for component systems deployment. Poster, first EuroSys Conference, April 2006. [ bib | http | Abstract ]
Operating Systems and Server Platforms tend to be increasingly organized as sets of components, which enables greater flexibility, as well as easier system upgrade. Even though such architectures evolve more easily as monolithic ones, they are also more difficult to secure. Bringing new components in these kind of systems means also not being able to always assert component reliability and innocuousness We conduct experiments on component system dependability validation using the OSGi platform in the frame of the IST Muse Project for wide band Service at Home delivery. OSGi provides an execution and life cycle management environment for embedded applications in Java [OSGi05]. Deployment is the first step of component management life cycle, after development is completed . It is made up of component publishing, discovery, dependency resolution, downloading, installation, configuration, starting [Hall99]. Dependability [Avizienis00] of a system is the conjunction of several properties of systems : availability, reliability (continuity of correct service), safety (absence of catastrophic consequences), confidentiality, integrity, maintainability. Dependability for component deployment can thus be defined as 'Load and install the right component at the right time'. The right component is one that the user knows not to be malicious, and which provides the desired service. As far as each user do not know a priori each component, two criteria can be applied in order to check that a component is not malicious : either the component is trusted, or it is possible to assert that the code can not execute dangerous actions (or combination of both). The first step to provide a secure component system is to ensure that deployed components come from a trusted provider. This is done through cryptographic signature. Two different technologies exists : signature validation through Public Key Certificate (X.509) Path, often used in closed systems (where a Certification Authority provides trustworthy certificates), or through PGP and publicly available key servers, often used for open Operating Systems based on components (also named modules, or packages). RPM, and Gentoo Portage notably use this approach. Second step is to ensure safe execution of installed components. Extreme case is Java Sandboxing, where all actions that could possibly be harmful are blocked. This enables untrusted applets to be executed safely. In most cases however, it is necessary to provide access to the file system, or to the network, but not to the whole system. This is achieved through execution permissions. The Spin OS, based on the Modula-3 language, or VINO OS, use this mechanism. OSGi also provides permissions for controlling component interoperability that are used together with Java permissions. Our work targets the design and development of a dependable OSGi framework. Few work having been done � surprisingly enough � about this subject, it is necessary to provide a mean of validating OSGi components (named bundles) at load time. OSGi specifications propose to sign bundles through X.509 Signature Certificates, which are included in the archive. This permits validation of the integrity of the bundle, and to authenticate the signer(s). However, confidentiality is not possible, because bundle signing specifications consider that one must be able to use a bundle without taking care of the signature. This is not a problem in open source projects � where the code is anyhow available � but builds a severe restriction in closed systems, enterprise systems, or Service at Home services delivery. We propose two solutions : the first one is to put the encrypted component in the signature file. This implies only minor changes to OSGi specifications and prevents unauthorized users from installing the bundle. The other requires the existence of one (or several) centralized repository(ies). It is then possible to connect the client and the server through a secure communication protocol (such as HTTPS, SSH, or over Virtual Private Networks). In this configuration, OSGi security specifications are too heavy. The second aspect of bundle validation at load time is to ensure that permissions that are necessary for correct execution do not go against existing policies, and that the code does not contain security leaks. Guaranteeing that permissions are valid in the Java world is normally done at runtime, and can cause misbehavior of the program. We propose a new permission validation protocol that enables permission checking before bundle download, thus preventing performance downfall due to loading of unsuitable code: first, a bundle description file containing policy parameters required for its correct execution is downloaded by the client. If this policy is compatible with actual client security policy, the bundle itself is downloaded. Then, coherence of code and description file is checked. It can be extended with Proof Carrying Code (PCC) for guaranteeing code harmlessness. Realizing experiments on dependable component systems on the OSGi platform proves to be highly valuable as well for general analysis of middleware platforms as for the study of OSGi itself, which specifications seem to need to adapt to real network systems � and not only to closed world. This ongoing work is still to be completed by performance analysis of the different solutions. Being specified as a stand-alone platform with some component life cycle management facilities (validation, installation, start, ...) but without any consideration on how these components are downloaded, OSGi framework seems to have still a good evolution potential. [OSGi05] OSGi Service Platform, Core Specification Release 4, OSGi Alliance, 2005. [Hall99] R.S. Hall, D. Heimbigner, & A.L. Wolf, A Cooperative Approach to Support Software Deployment Using the Software Dock, ISCE 1999. [Avizienis00] A. Avizienis, J.C. Laprie & B. Randell, Fundamental concepts of dependability, Technical Report LAAS (Toulouse, France), 2000.