Xades: Static Taint Analysis Framework for C#-Based Multilingual Applications

Sehwan O, Minho Kim, Younghoon Ban, Haehyun Cho

Published: 2025, Last Modified: 28 May 2026. IEEE Access 2025. CC BY-SA 4.0
Abstract: The C# development ecosystem, centered around the .NET Framework, underpins various platforms for mobile, desktop, and web application development. These platforms support multilingual development, enabling developers to incorporate not only C# but also a variety of subsidiary programming languages. With the rise of multilingual applications, ensuring secure interaction between different programming languages has become a critical aspect of software security. However, prior analysis approaches for Android applications have primarily focused on Java, Python, and C, leaving the risks in C#-based multilingual applications largely unaddressed. We propose a static taint analysis approach tailored for C#-based multilingual applications, along with an implementation for the Xamarin platform, named Xades, to detect sensitive data leaks. Xades offers an overview of how C# code interfaces with other programming languages by constructing a comprehensive call graph that captures cross-language method invocations. To ensure accuracy, Xades analyzes C# code in detail, addressing accessor methods and method chaining to produce a precise call graph. It then performs context-, flow-, field-, and object-sensitive taint analysis with the call graph. Following the analysis of the C# codebase, Xades produces a taint analysis summary and translates it into Jimple IR to analyze Xamarin.Android applications through a modified FlowDroid. We evaluated Xades on our benchmarks and real-world apps. As a result, Xades successfully detected all data leaks with interactions between C# and Java in benchmarks. It also detected that 395 out of 6,087 real-world Android applications leak sensitive data.