As an alternative to Java, Kotlin has gained rapid popularity since its introduction and has become the default choice for developing Android apps. However, because of its interoperability with Java, Kotlin programs may contain almost the same security vulnerabilities as their Java counterparts. Hence, we ask: to what extent can an existing Java static taint analysis be used on Kotlin code? In this paper, we investigate the challenges of implementing a taint analysis for Kotlin compared to Java. To answer this question, we performed an exploratory study in which each Kotlin construct was examined and compared to its Java equivalent. We identified 18 engineering challenges that static-analysis writers need to handle differently, either because of Kotlin's unique constructs or because of differences in the bytecode generated by the Kotlin and Java compilers. For eight of them, we provide a conceptual solution, and six of those we implemented as part of SecuCheck-Kotlin, an extension of the existing Java taint analysis SecuCheck.
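To make the abstract's point concrete, the following is an added illustration (not code from the paper and not part of SecuCheck or SecuCheck-Kotlin) of a single source-to-sink flow written with two ordinary Kotlin constructs, an extension function and a default parameter, annotated with what kotlinc emits for each. The generated class and method names (`TaintKt`, `lookup$default`) are the compiler's real naming scheme; the data flow itself, the `handle` entry point and the SQL sink are constructed for the example.

```kotlin
// Taint.kt -- constructed illustration, not from the paper. Comments describe
// the JVM bytecode kotlinc emits, i.e. what a Java-oriented taint analysis
// actually sees when it is pointed at compiled Kotlin.
import java.sql.Connection

// Top-level extension function: in bytecode there is no receiver object.
// kotlinc emits a static method  TaintKt.wrapped(String): String  whose
// first parameter is the receiver. An analysis that propagates taint from
// "this" on instance calls must instead propagate it through parameter 0
// of a static call on the synthetic file class.
fun String.wrapped(): String = "'" + this + "'"

// Default parameter: kotlinc emits two methods, the real
//   lookup(Connection, String, String)
// and a synthetic bridge
//   lookup$default(Connection, String, String, int, Object)
// whose int bitmask records which arguments were omitted. The bridge fills
// in the defaults and then invokes the real method, so taint on `name`
// must be tracked across one extra call and two extra parameters.
fun lookup(conn: Connection, name: String, table: String = "users") {
    // String template: lowered to a StringBuilder append chain or, on newer
    // JVM targets, to an invokedynamic StringConcatFactory call; the analysis
    // must model whichever form it meets.
    val sql = "SELECT * FROM $table WHERE name = " + name.wrapped()
    conn.createStatement().executeQuery(sql)  // sink: dynamically built SQL
}

// `untrusted` stands in for attacker-controlled input (e.g. an HTTP parameter).
fun handle(conn: Connection, untrusted: String) {
    // Omits `table` (parameter index 2), so this compiles to
    //   lookup$default(conn, untrusted, null, 4, null)
    lookup(conn, untrusted)
    // All arguments given: compiles to a direct call to lookup(conn, untrusted, "audit")
    lookup(conn, untrusted, "audit")
}
```

Compiled with `kotlinc Taint.kt` and inspected with `javap -c -p TaintKt`, the two call sites in `handle` reach the same sink through different bytecode paths; a Java taint analysis that recognises only the direct call would report the second flow and miss the first.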