PowerPoly: Analyzing Multilingual Programs with the Aid of WebAssembly
摘要
Despite the ubiquity and importance of multilingual programming in modern software systems, it often introduces significant security vulnerabilities, particularly at language boundaries. Current approaches for analyzing multilingual systems are limited, typically focusing on specific language combinations like Java/C or Python/C, and lack generalizability. As a result, there is no clear framework for effectively analyzing multilingual programs in a unified manner. In this paper, to fill this gap, we present PowerPoly, the first approach for analyzing multilingual programs that generalizes to diverse language combinations. Our key idea is to utilize WebAssembly, an emerging low-level code format originally designed for execution, as an intermediate representation for analysis. We first develop a unified intermediate representation utilizing WebAssembly to eliminate language boundaries by translating multilingual programs into this unified intermediate representation. We then showcase PowerPoly’s capability for multilingual program analysis by first designing static analysis, then by designing a set of dynamic program analysis algorithms with user-supplied security plugins. To evaluate our approach, we design and implement a prototype for Rust/C and Go/C multilingual programs and conduct extensive experiments. Our results show that PowerPoly is effective in analyzing multilingual programs by detecting vulnerabilities. And the average Wasm binary code size increase of 10.2% and an average execution time penalty of 26.4%.