Abstract
Although most real-world software systems today are written in multiple programming languages, existing program-analysis-based security techniques are still limited to single-language code. As a consequence, security flaws (e.g., code vulnerabilities) at and across language boundaries are largely left out as blind spots. We present PolyCruise, a technique that enables holistic dynamic information flow analysis (DIFA) across heterogeneous languages, and hence security applications empowered by DIFA (e.g., vulnerability discovery), for multilingual software. PolyCruise combines a light language-specific analysis that computes symbolic dependencies in each language unit with a language-agnostic online data flow analysis guided by those dependencies, in a way that overcomes language heterogeneity. Extensive evaluation of its implementation for Python-C programs against micro, medium-sized, and large-scale benchmarks demonstrated PolyCruise's practical scalability and promising capabilities. It has enabled the discovery of 14 unknown cross-language security vulnerabilities in real-world multilingual systems such as NumPy, with 11 confirmed, 8 CVEs assigned, and 8 fixed so far. We also contributed the first benchmark suite for systematically assessing multilingual DIFA.
Original language | English |
---|---|
Title of host publication | Proceedings of the 31st USENIX Security Symposium (USENIX SEC) |
Publisher | USENIX |
Pages | 2513-2530 |
Publication status | Published - Aug 2022 |
Event | USENIX Security Symposium - Boston Marriott Copley Place, Boston, United States; Duration: 10 Aug 2022 → 12 Aug 2022; Conference number: 31; https://www.usenix.org/conference/usenixsecurity22 |
Forum/Symposium
Forum/Symposium | USENIX Security Symposium |
---|---|
Abbreviated title | USENIX SEC |
Country/Territory | United States |
City | Boston |
Period | 10/08/22 → 12/08/22 |
Internet address |