Frameworks compiled from declarations: a language‐independent approach

Programming frameworks are an accepted fixture in the object-oriented world, motivated by the need for code reuse, developer guidance and restriction. A new trend is emerging in which frameworks require domain experts to provide declarations, written in a domain-specific language, that influence the structure and behaviour of the resulting application. These mechanisms address concerns such as user privacy. Although many popular open platforms, such as Android, are based on declaration-driven frameworks, current implementations provide ad hoc and narrow solutions to the concerns raised by their openness to non-certified developers. Most widely used frameworks fail to address serious privacy leaks and give the user little insight into application behaviour. To address these shortcomings, we show that declaration-driven frameworks can limit privacy leaks, as well as guide developers, independently of the underlying programming paradigm. To do so, we identify the concepts that underlie declaration-driven frameworks and apply them systematically to an object-oriented language, Java, and to a dynamic functional language, Racket. The resulting programming framework generators are used to develop a prototype mobile application, illustrating how we mitigate a common class of privacy leaks. Finally, we explore the possible design choices and propose development principles for building domain-specific language compilers that produce frameworks, applicable across a spectrum of programming paradigms. Copyright © 2016 John Wiley & Sons, Ltd.
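As an added illustration, not the paper's own framework generator (the abstract does not detail its declaration language or the generated Java and Racket code), the Python sketch below shows the mechanism in the small. A component declares up front which data sources it reads and which sinks it writes to; the generator rejects a declaration that pairs a sensitive source with a remote sink, and at run time the component receives a scope that exposes only its declared resources, so an undeclared flow such as contacts to network is not expressible rather than merely checked after the fact. The resource catalogue, the `Device` stand-in, the policy and the two components are all constructed for this example.

```python
from dataclasses import dataclass

# Constructed resource catalogue for the example (hypothetical names): data
# sources carry a sensitivity label, sinks carry a locality label.
SOURCES = {"contacts": "sensitive", "clock": "public"}
SINKS = {"ui": "local", "network": "remote"}


class DeclarationError(ValueError):
    """Raised at generation time when a declaration is unknown or violates policy."""


@dataclass(frozen=True)
class Declaration:
    """What a component states up front: the sources it reads, the sinks it writes."""
    name: str
    reads: frozenset
    writes: frozenset


def check_declaration(decl):
    """Reject unknown resources and any sensitive-source-to-remote-sink pairing."""
    unknown = (decl.reads - set(SOURCES)) | (decl.writes - set(SINKS))
    if unknown:
        raise DeclarationError(f"{decl.name}: unknown resources {sorted(unknown)}")
    reads_sensitive = any(SOURCES[s] == "sensitive" for s in decl.reads)
    writes_remote = any(SINKS[k] == "remote" for k in decl.writes)
    if reads_sensitive and writes_remote:
        raise DeclarationError(f"{decl.name}: sensitive source paired with remote sink")


def declaration_accepted(decl):
    """True if the generator would accept decl, False if policy rejects it."""
    try:
        check_declaration(decl)
        return True
    except DeclarationError:
        return False


class Scope:
    """The only handle a component receives; it exposes just the declared resources."""

    def __init__(self, decl, device):
        self._decl = decl
        self._device = device

    def read(self, source):
        if source not in self._decl.reads:
            raise PermissionError(f"{self._decl.name} did not declare read of {source}")
        return self._device.sources[source]()

    def write(self, sink, value):
        if sink not in self._decl.writes:
            raise PermissionError(f"{self._decl.name} did not declare write to {sink}")
        self._device.sinks[sink].append(value)


class Device:
    """Constructed stand-in for the platform: callable sources, list-backed sinks."""

    def __init__(self):
        self.sources = {
            "contacts": lambda: ["alice@example.org", "bob@example.org"],
            "clock": lambda: "12:00",
        }
        self.sinks = {"ui": [], "network": []}


def generate(decl):
    """Compile a declaration into a runner that confines the component to its scope."""
    check_declaration(decl)

    def run(component, device):
        return component(Scope(decl, device))

    return run


def contact_counter(scope):
    """Well-behaved component: shows the number of contacts on screen."""
    scope.write("ui", f"{len(scope.read('contacts'))} contacts")
    return "ok"


def contact_exfiltrator(scope):
    """Leaky component: tries to ship the contact list off-device."""
    scope.write("network", scope.read("contacts"))
    return "leaked"


COUNTER_DECL = Declaration("counter", frozenset({"contacts"}), frozenset({"ui"}))


def demo():
    """Run both components under the counter's declaration.

    Returns (ui sink contents, network sink contents, outcome of the leak attempt).
    """
    device = Device()
    run = generate(COUNTER_DECL)
    run(contact_counter, device)
    try:
        run(contact_exfiltrator, device)
        outcome = "leaked"
    except PermissionError:
        outcome = "blocked"
    return device.sinks["ui"], device.sinks["network"], outcome


if __name__ == "__main__":
    print(demo())
```

The two checks sit at different stages, which is the point of generating the framework from declarations: the sensitive-to-remote policy is enforced once, when the declaration is compiled, while the scope object enforces at run time that the component cannot reach anything it did not declare, so there is no second, per-call permission prompt for the user to reason about.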
