Component-based Access Control: Secure Software Composition through Static Analysis

International audienceExtensible Component Platforms support the discovery, in- stallation, starting, uninstallation of components at runtime. Since they are often targeted at mobile resource-constraint devices, they have both strong performance and security requirements. The current security model for Java systems, Permissions, are based on call stack analysis. They proves to be very time-consuming, which makes them difficult to use in production environments. We therefore define the Component-Based Access Control (CBAC) Se- curity Model, which aims at emulating Java Permissions through static analysis at the installation phase of the components. CBAC is based on a fully declarative approach, that makes it possible to tag arbitrary meth- ods as sensitive. A formal model is defined to guarantee that a given component have sufficient access rights, and that dependencies between components are taken into account. A first implementation of the model is provided for the OSGi Platform, using the ASM library for code anal- ysis. Performance tests show that the cost of CBAC at install time is negligible, because it is executed together with digital signature which is much more costly. Moreover, contrary to Java Permissions, the CBAC security model does not imply any runtime overhead