PolyCruise: A Cross-Language Dynamic Information Flow Analysis

Wen Li, Jiang Ming, Xiapu Luo, Haipeng Cai

Research output: Chapter in book / Conference proceedingConference article published in proceeding or bookAcademic researchpeer-review

Abstract

Despite the fact that most real-world software systems today are written in multiple programming languages, existing program analysis based security techniques are still limited to single-language code. In consequence, security flaws (e.g., code vulnerabilities) at and across language boundaries are largely left out as blind spots. We present PolyCruise, a technique that enables holistic dynamic information flow analysis (DIFA) across heterogeneous languages hence security applications empowered by DIFA (e.g., vulnerability discovery) for multilingual software. PolyCruise combines a light language-specific analysis that computes symbolic dependencies in each language unit with a language-agnostic online data flow analysis guided by those dependencies, in a way that overcomes language heterogeneity. Extensive evaluation of its implementation for Python-C programs against micro, medium-sized, and large-scale benchmarks demonstrated PolyCruise's practical scalability and promising capabilities. It has enabled the discovery of 14 unknown cross-language security vulnerabilities in real-world multilingual systems such as NumPy, with 11 confirmed, 8 CVEs assigned, and 8 fixed so far. We also contributed the first benchmark suite for systematically assessing multilingual DIFA.
Original languageEnglish
Title of host publicationProceedings of the 31st USENIX Security Symposium (USENIX SEC)
PublisherUSENIX
Pages2513-2530
Publication statusPublished - Aug 2022
EventUSENIX Security Symposium - Boston Marriott Copley Place, Boston, United States
Duration: 10 Aug 202212 Aug 2022
Conference number: 31
https://www.usenix.org/conference/usenixsecurity22

Forum/Symposium

Forum/SymposiumUSENIX Security Symposium
Abbreviated titleUSENIX SEC
Country/TerritoryUnited States
CityBoston
Period10/08/2212/08/22
Internet address

Fingerprint

Dive into the research topics of 'PolyCruise: A Cross-Language Dynamic Information Flow Analysis'. Together they form a unique fingerprint.

Cite this