JCCAP: CAPABILITY-BASED ACCESS CONTROL FOR JAVA CARD

摘要

This paper describes JCCap, a protection facility for cooperating applications in the context of Java Card. It enables the control of access rights between mutually suspicious applications, either between one terminal application and one Java Card applet or between two applets hosted inside the same Java Card. Using JCCap, access to objects is controlled by means of software capabilities that can be exchanged between mutually suspicious applications. An important advantage of JCCap is that the definition of the protection policy of an application (i.e., how access rights are granted to other applications) is completely separated from the application code. The protection policy is described in an extended Interface Definition Language (IDL) at the interface level, thus enhancing modularity, separation of concerns, and ease of expression in the design of the overall security architecture. Each application can define its own protection policy independently from the other applications, thus enabling the expression of mutual suspicion without any prior knowledge about the policies of other applications. Every protection policy is then applied when applications interact with each other. This paper describes the implementation of a prototype of JCCap. It shows the feasibility and applicability of this technique in today's Java Card and outline its advantages.