PolyCruise: A Cross-Language Dynamic Information Flow Analysis

Authors: 

Wen Li, Washington State University, Pullman; Jiang Ming, University of Texas at Arlington; Xiapu Luo, The Hong Kong Polytechnic University; Haipeng Cai, Washington State University, Pullman

Abstract: 

Despite the fact that most real-world software systems today are written in multiple programming languages, existing program analysis based security techniques are still limited to single-language code. In consequence, security flaws (e.g., code vulnerabilities) at and across language boundaries are largely left out as blind spots. We present PolyCruise, a technique that enables holistic dynamic information flow analysis (DIFA) across heterogeneous languages hence security applications empowered by DIFA (e.g., vulnerability discovery) for multilingual software. PolyCruise combines a light language-specific analysis that computes symbolic dependencies in each language unit with a language-agnostic online data flow analysis guided by those dependencies, in a way that overcomes language heterogeneity. Extensive evaluation of its implementation for Python-C programs against micro, medium-sized, and large-scale benchmarks demonstrated PolyCruise's practical scalability and promising capabilities. It has enabled the discovery of 14 unknown cross-language security vulnerabilities in real-world multilingual systems such as NumPy, with 11 confirmed, 8 CVEs assigned, and 8 fixed so far. We also contributed the first benchmark suite for systematically assessing multilingual DIFA.

Open Access Media

USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone. Support USENIX and our commitment to Open Access.

BibTeX
@inproceedings {279967,
author = {Wen Li and Jiang Ming and Xiapu Luo and Haipeng Cai},
title = {{PolyCruise}: A {Cross-Language} Dynamic Information Flow Analysis},
booktitle = {31st USENIX Security Symposium (USENIX Security 22)},
year = {2022},
isbn = {978-1-939133-31-1},
address = {Boston, MA},
pages = {2513--2530},
url = {https://www.usenix.org/conference/usenixsecurity22/presentation/li-wen},
publisher = {USENIX Association},
month = aug,
}