Policy Enforcement with Proactive Libraries

Software libraries implement APIs that deliver reusable functionalities. To correctly use these functionalities, software applications must satisfy certain correctness policies, for instance policies about the order some API methods can be invoked and about the values that can be used for the parameters. If these policies are violated, applications may produce misbehaviors and failures at runtime. Although this problem is general, applications that incorrectly use API methods are more frequent in certain contexts. For instance, Android provides a rich and rapidly evolving set of APIs that might be used incorrectly by app developers who often implement and publish faulty apps in the marketplaces. To mitigate this problem, we introduce the novel notion of proactive library, which augments classic libraries with the capability of proactively detecting and healing misuses at runtime. Proactive libraries blend libraries with multiple proactive modules that collect data, check the correctness policies of the libraries, and heal executions as soon as the violation of a correctness policy is detected. The proactive modules can be activated or deactivated at runtime by the users and can be implemented without requiring any change to the original library and any knowledge about the applications that may use the library. We evaluated proactive libraries in the context of the Android ecosystem. Results show that proactive libraries can automatically overcome several problems related to bad resource usage at the cost of a small overhead.

[1]  Leonardo Mariani,et al.  Exception handlers for healing component-based systems , 2013, TSEM.

[2]  Giovanni Denaro,et al.  Test-and-adapt: An approach for improving service interchangeability , 2013, TSEM.

[3]  Frank Eliassen,et al.  MUSIC: an autonomous platform supporting self-adaptive mobile applications , 2008, MobMid '08.

[4]  Yepang Liu,et al.  Taming Android fragmentation: Characterizing and detecting compatibility issues for Android apps , 2016, 2016 31st IEEE/ACM International Conference on Automated Software Engineering (ASE).

[5]  Gabriele Bavota,et al.  API change and fault proneness: a threat to the success of Android apps , 2013, ESEC/FSE 2013.

[6]  Paola Inverardi,et al.  A resource model for adaptable applications , 2006, SEAMS '06.

[7]  Iulian Neamtiu,et al.  Finding resume and restart errors in Android applications , 2016, OOPSLA.

[8]  Iulian Neamtiu,et al.  Towards self-healing smartphone software via automated patching , 2014, ASE.

[9]  David Brumley,et al.  An empirical study of cryptographic misuse in android applications , 2013, CCS.

[10]  Mu Zhang,et al.  AppSealer: Automatic Generation of Vulnerability-Specific Patches for Preventing Component Hijacking Attacks in Android Applications , 2014, NDSS.

[11]  Lujo Bauer,et al.  Edit automata: enforcement mechanisms for run-time security policies , 2005, International Journal of Information Security.

[12]  Yliès Falcone,et al.  Runtime Verification and Enforcement for Android Applications with RV-Droid , 2012, RV.

[13]  Jun Yan,et al.  Light-Weight, Inter-Procedural and Callback-Aware Resource Leak Detection for Android Apps , 2016, IEEE Transactions on Software Engineering.

[14]  Andreas Zeller,et al.  Mining temporal specifications from object usage , 2011, Automated Software Engineering.

[15]  Abhik Roychoudhury,et al.  Detecting energy bugs and hotspots in mobile apps , 2014, SIGSOFT FSE.

[16]  Zhenmin Li,et al.  PR-Miner: automatically extracting implicit programming rules and detecting violations in large software code , 2005, ESEC/FSE-13.

[17]  William K. Robertson,et al.  PatchDroid: scalable third-party security patches for Android devices , 2013, ACSAC.

[18]  Timo Knuutila,et al.  Mobile Application Ecosystems: An Analysis of Android Ecosystem , 2016 .

[19]  Daniela Micucci,et al.  Healing Data Loss Problems in Android Apps , 2016, 2016 IEEE International Symposium on Software Reliability Engineering Workshops (ISSREW).

[20]  Stas Negara,et al.  ReBA , 2008, 2008 ACM/IEEE 30th International Conference on Software Engineering.

[21]  Ding Li,et al.  An investigation into energy-saving programming practices for Android smartphone app development , 2014, GREENS 2014.

[22]  Lei Cen,et al.  AUTOREB: Automatically Understanding the Review-to-Behavior Fidelity in Android Applications , 2015, CCS.

[23]  Mani B. Srivastava,et al.  CAreDroid: Adaptation Framework for Android Context-Aware Applications , 2016, GETMBL.

[24]  Yuan-Shun Dai,et al.  Self-healing and Hybrid Diagnosis in Cloud Computing , 2009, CloudCom.

[25]  Leonardo Mariani,et al.  In-field healing of integration problems with COTS components , 2009, 2009 IEEE 31st International Conference on Software Engineering.

[26]  Jun Yan,et al.  Fixing Resource Leaks in Android Apps with Light-Weight Static Analysis and Low-Overhead Instrumentation , 2016, 2016 IEEE 27th International Symposium on Software Reliability Engineering (ISSRE).

[27]  Mira Mezini,et al.  MUBench: A Benchmark for API-Misuse Detectors , 2016, 2016 IEEE/ACM 13th Working Conference on Mining Software Repositories (MSR).

[28]  Angelos D. Keromytis,et al.  ASSURE: automatic software self-healing using rescue points , 2009, ASPLOS.

[29]  João Paulo Magalhães,et al.  SHõWA: A Self-Healing Framework for Web-Based Applications , 2015, TAAS.

[30]  Leonardo Mariani,et al.  Dynamic Analysis for Diagnosing Integration Faults , 2011, IEEE Transactions on Software Engineering.

[31]  Jacques Klein,et al.  DroidRA: taming reflection to support whole-program analysis of Android apps , 2016, ISSTA.