Yuta Shimamoto (Okayama University, Okayama, Japan), Hiroyuki Uekawa (NTT Social Informatics Laboratories, Tokyo, Japan), Mitsuaki Akiyama (NTT Social Informatics Laboratories, Tokyo, Japan), Toshihiro Yamauchi (Okayama University, Okayama, Japan)

A Software Bill of Materials (SBOM) enables rapid understanding of software composition and improves the efficiency of vulnerability management. However, inconsistencies between the components described in the SBOM and those that actually exist on a device can result in missed detections or false positives during SBOM-based vulnerability analysis, thereby increasing the risk of executing unknown threats. This study proposes SBOM-based Access Control (SBOM-AC), a mechanism that determines whether a program may be executed by enforcing access control policies derived from the SBOM. By denying the execution of programs that do not match the SBOM, SBOM-AC reduces security risks arising from the runtime execution of unmanaged programs. Denial logs can also be used to improve the completeness and accuracy of the SBOM, thereby reducing missed detections and false positives in SBOM-based vulnerability management and enabling the identification of unexpected execution attempts. SBOM-AC can be implemented as a Linux Security Module (LSM), making it suitable for deployment on Linux-based IoT devices and compatible with existing Mandatory Access Control systems. Experimental results show that SBOM-AC introduces a maximum latency of only 0.14 ms. Based on this measurement, the estimated performance impact of SBOM-AC on device services is negligible.
