Statically Detecting Buffer Overflow in Cross-language Android Applications Written in Java and C/C++

TL;DR

This paper presents PilaiPidi, a static analysis tool for cross-language Android apps that detects buffer overflow vulnerabilities between Java and C/C++, successfully identifying 23 issues in real applications.

Contribution

It introduces a novel data flow analysis approach and tool for cross-language buffer overflow detection in Android applications written in Java and C/C++.

Findings

Detected 23 cross-language buffer overflows in Android apps.

Developers confirmed 11 vulnerabilities in three applications.

PilaiPidi effectively analyzes data flow across Java and C/C++ code.

Abstract

Many applications are being written in more than one language to take advantage of the features that different languages provide such as native code support, improved performance, and language-specific libraries. However, there are few static analysis tools currently available to analyse the source code of such multilingual applications. Existing work on cross-language (Java and C/C++) analysis fails to detect buffer overflow vulnerabilities that are of cross-language nature. In this work, we are addressing how to do cross-language analysis between Java and C/C++. Specifically, we propose an approach to do data flow analysis between Java and C/C++ to detect buffer overflow. We have developed PilaiPidi, a tool that can automatically analyse the data flow in projects written in Java and C/C++. Using our approach, we were able to detect 23 buffer overflow vulnerabilities, which are of cross-language nature, in six different well-known Android applications, and out of these, developers have confirmed 11 vulnerabilities in three applications.