面向小程序的函数调用图构建方法  

作　　者：叶瀚 杨哲慜 YE Han;YANG Zhemin(Computer Science and Technology School,Fudan University,Shanghai 200438,China)

机构地区：[1]复旦大学计算机科学技术学院,上海200438

出　　处：《小型微型计算机系统》2024年第9期2228-2234,共7页Journal of Chinese Computer Systems

基　　金：国家自然科学基金项目(62172104)资助.

摘　　要：小程序以弱类型的JavaScript语言作为开发语言,对弱类型语言数据流和控制流的分析是准确构建函数调用图的关键.但由于小程序框架代码闭源,现有工具无法分析出其框架代码和业务代码交互的数据流和控制流信息,使其无法准确构建出函数调用图.为此本文提出了融合指针分析和关系图谱的小程序函数调用图构建方法,该方法先对文档知识进行抽取和融合构建初始关系图谱模型,再通过对代码逻辑数据流的分析来完善关系图谱,最后利用关系图谱整合和挖掘出的交互信息来指导指针分析算法对小程序函数调用图进行构建.基于该方法本文实现了小程序静态分析工具MiniDroid,实验表明MiniDroid构建的小程序函数调用图准确性达到89%,与现有工具相比提升了39%.MiniDroid对敏感API检测准确率为92%,相比于前人检测方法提升了14%.The MiniApp uses the JavaScript as its development language.The analysis of the data flow and control flow of the JavaScript language is the key to accurately construct the call graph.However,due to the closed source of the MiniApp framework code,the existing tools cannot analyze the data flow and control flow information of the interaction between the framework code and the business code,making it impossible to accurately build the call graph.This paper proposes a method of constructing MiniApp call graph by integrating pointer analysis and relational graph.This method constructs the initial relational graph through semantic analysis of documents,and then perfects the relational graph through data flow analysis of code logic.Finally,the pointer analysis algorithm is guided by the interactive information integrated and mined by the relational graph to realize the construction of MiniApp call graph.Based on this method,this paper implements MiniDroid,the static analysis tool of MiniApp.The experiment shows that the accuracy of the call graph built by MiniDroid reaches 89%,which is 39%higher than the existing tools.The accuracy rate of MiniDroid for sensitive API detection is 92%,which is 14%higher than that of previous detection methods.

关 键 词：小程序 函数调用图 指针分析 关系图谱 

分 类 号：TP311[自动化与计算机技术—计算机软件与理论]