RV-Android: Efficient Parametric Android Runtime Verification, a Brief Tutorial

  • Philip Daian
  • Yliès Falcone
  • Patrick Meredith
  • Traian Florin Şerbănuţă
  • Shin’ichi Shiriashi
  • Akihito Iwai
  • Grigore Rosu
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9333)

Abstract

RV-Android is a new freely available open source runtime library for monitoring formal safety properties on Android. RV-Android uses the commercial RV-Monitor technology as its core monitoring library generation technology, allowing for the verification of safety properties during execution and operating entirely in userspace with no kernel or operating system modifications required. RV-Android improves on previous Android monitoring work by replacing the JavaMOP framework with RV-Monitor, a more advanced monitoring library generation tool with core algorithmic improvements that greatly improve resource consumption, efficiency, and battery life considerations. We demonstrate the developer usage of RV-Android with the standard Android build process, using instrumentation mechanisms effective on both Android binaries and source code. Our method allows for both property development and advanced application testing through runtime verification. We showcase the user frontend of RV-Monitor, which is available for public demo use and requires no knowledge of RV concepts. We explore the extra expressiveness the MOP paradigm provides over simply writing properties as aspects through two sample security properties, and show an example of a real security violation mitigated by RV-Android on-device. Lastly, we propose RV as an extension to the next-generation Android permissions system debuting in Android M.

Copyright information

© Springer International Publishing Switzerland 2015

Authors and Affiliations

  • Philip Daian (1)
  • Yliès Falcone (4)
  • Patrick Meredith (1)
  • Traian Florin Şerbănuţă (1)
  • Shin’ichi Shiriashi (2)
  • Akihito Iwai (3)
  • Grigore Rosu (1, 4)

  1. Runtime Verification Inc., Urbana, USA
  2. Toyota InfoTechnology Center U.S.A., Mountain View, USA
  3. Denso International America Inc., San Jose, USA
  4. University of Illinois at Urbana-Champaign, Champaign, USA