TY - GEN
T1 - HarmoBridge
T2 - 2025 40th IEEE/ACM International Conference on Automated Software Engineering, ASE 2025
AU - Wu, Jiale
AU - Deng, Jiapeng
AU - Zhao, Yanjie
AU - Li, Li
AU - Wang, Haoyu
N1 - Publisher Copyright:
© 2025 IEEE.
PY - 2025
Y1 - 2025
N2 - HarmonyOS is Huawei's distributed operating system designed for diverse smart devices, featuring ArkTS as its primary app development language. To enhance performance and leverage existing libraries, HarmonyOS apps can integrate native C/C++ modules through its Native Development Kit (NDK) mechanism. This creates significant challenges for static analysis, as critical data flows spanning ArkTS and native C/C++ boundaries remain invisible to existing single-language analyzers. Therefore, we present HarmoBridge, the first cross-language static analysis system for HarmonyOS that bridges this gap through novel summary based SumIR abstraction and seamless ecosystem integration. Our approach extracts dataflow summaries from native code (supporting both binary and source code analysis) and translates these summaries into intermediate representations that integrate seamlessly with the existing HarmonyOS analysis infrastructure. HarmoBridge introduces SumIR, a specialized intermediate representation that captures Node-API interaction semantics and converts them to ArkIR-compatible function bodies for downstream analysis tools. Also, we develop CrossFlowBench, a comprehensive benchmark covering representative Node-API interaction patterns, and identify potential security implications where established cross-language attack patterns widely prevalent in mobile ecosystems could adapt to HarmonyOS's architecture. Results demonstrate that HarmoBridge achieves 81.0% accuracy in recovering cross-language data flows on CrossFlowBench, significantly outperforming baseline approaches that treat native calls as opaque operations, establishing a foundation for comprehensive cross-language analysis in the emerging HarmonyOS ecosystem.
AB - HarmonyOS is Huawei's distributed operating system designed for diverse smart devices, featuring ArkTS as its primary app development language. To enhance performance and leverage existing libraries, HarmonyOS apps can integrate native C/C++ modules through its Native Development Kit (NDK) mechanism. This creates significant challenges for static analysis, as critical data flows spanning ArkTS and native C/C++ boundaries remain invisible to existing single-language analyzers. Therefore, we present HarmoBridge, the first cross-language static analysis system for HarmonyOS that bridges this gap through novel summary based SumIR abstraction and seamless ecosystem integration. Our approach extracts dataflow summaries from native code (supporting both binary and source code analysis) and translates these summaries into intermediate representations that integrate seamlessly with the existing HarmonyOS analysis infrastructure. HarmoBridge introduces SumIR, a specialized intermediate representation that captures Node-API interaction semantics and converts them to ArkIR-compatible function bodies for downstream analysis tools. Also, we develop CrossFlowBench, a comprehensive benchmark covering representative Node-API interaction patterns, and identify potential security implications where established cross-language attack patterns widely prevalent in mobile ecosystems could adapt to HarmonyOS's architecture. Results demonstrate that HarmoBridge achieves 81.0% accuracy in recovering cross-language data flows on CrossFlowBench, significantly outperforming baseline approaches that treat native calls as opaque operations, establishing a foundation for comprehensive cross-language analysis in the emerging HarmonyOS ecosystem.
KW - HarmonyOS
KW - Mobile Security
KW - Static Analysis
UR - https://www.scopus.com/pages/publications/105034650769
U2 - 10.1109/ASE63991.2025.00261
DO - 10.1109/ASE63991.2025.00261
M3 - 会议稿件
AN - SCOPUS:105034650769
T3 - Proceedings - 2025 40th IEEE/ACM International Conference on Automated Software Engineering, ASE 2025
SP - 3168
EP - 3179
BT - Proceedings - 2025 40th IEEE/ACM International Conference on Automated Software Engineering, ASE 2025
PB - Institute of Electrical and Electronics Engineers Inc.
Y2 - 16 November 2025 through 20 November 2025
ER -