Automatic Generation and Enforcement of Security Contract for Pervasive Application

Pervasive computing is providing its usability and scope in almost every aspect nowadays. In order to make better use of pervasive services in nomadic devices, pervasive client download might be needed, which would result in serious security problems due to executing untrusted applications. Recently Security-by-Contract has been proposed to address this problem, where an application is required to come with the contract containing a description of the relevant security features while mobile platform will match the contract with its own policy. In this paper a compositional approach to specifying security contract is introduced in the form of extended context free grammar. Then a framework for automatic generation and enforcement of security contract has been presented for Java platform. The main contributions of this paper include: (1) formal definition of security contract is given in the terms of security related operations and the relationship among arguments of these operation; (2) static analysis is utilized to automatically generate security contract for Java source program. The security contract of a Java program can be composed from those of all the methods it invokes; (3) runtime enforcement has been applied to security contracts and achieved by implementing execution monitor in JVM.