SAFERPHP: Finding semantic vulnerabilities in PHP applications

Proceedings of the ACM SIGPLAN 6th Workshop on Programming Languages and Analysis for Security, PLAS 2011

Volumn , Issue , 2011, Pages

  Son, Sooel ^a   Shmatikov, Vitaly ^a  

^a UNIVERSITY OF TEXAS AT AUSTIN   (United States)

Author keywords

Access control; Data flow analysis; Denial of service; PHP; Security checks; Static analysis

Indexed keywords

CROSS SITE SCRIPTING; DENIAL OF SERVICE; INTER-PROCEDURAL ALGORITHMS; PHP; SECURITY CHECKS; SOURCE CODES; SQL INJECTION; STATIC SECURITY ANALYSIS; WEB APPLICATION;

ACCESS CONTROL; ALGORITHMS; COMPUTER CRIME; COMPUTER PROGRAMMING LANGUAGES; DATA FLOW ANALYSIS; SEMANTICS; STATIC ANALYSIS; TRANSMISSION CONTROL PROTOCOL; WORLD WIDE WEB;

SEMANTIC WEB;

EID: 84860306633     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1145/2166956.2166964     Document Type: Conference Paper

References (33)

1. C. Anley. Advanced SQL injection in SQL server applications. http://www.ngssoftware.com/papers/advanced-sql-injection.pdf, 2002.
2. D. Balzarotti, M. Cova, V. Felmetsger, and G. Vigna. Multi-module vulnerability analysis of Web-based applications. In CCS, 2007.
3. A. Barth, C. Jackson, and J. Mitchell. Robust defenses for cross-site request forgery. In CCS, 2008.
4. M. Bond, V. Srivastava, K. McKinley, and V. Shmatikov. Efficient, context-sensitive detection of real-world semantic attacks. In PLAS, 2010.
5. A. Bradley, Z. Manna, and H. Sipma. Termination of polynomial programs. In VMCAI, 2005.
6. J. Burnim, N. Jalbert, C. Stergiou, and K. Sen. Looper: Lightweight detection of infinite loops at runtime. In ASE, 2009.
7. C. Cadar, V. Ganesh, P. Pawlowski, D. Dill, and D. Engler. EXE: Automatically generating inputs of death. In CCS, 2006.
8. R. Chang, G. Jiang, F. Ivanĉić, S. Sankaranarayanan, and V. Shmatikov. Inputs of coma: Static detection of denial-of-serice vulnerabilities. In CSF, 2009.
9. B. Cook, A. Podelski, and A. Rybalchenko. Termination proofs for systems code. SIGPLAN Not., 41(6):415-426, 2006.
10. S. Crosby and D. Wallach. Denial of service via algorithmic complexity attacks. In USENIX Security, 2003.
11. CVE-2007-2872. http://www.securityfocus.com/archive/1/archive/1/470244/ 100/0/threaded.
12. CVE-2009-4418. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009- 4418.
13. A. Diwan, K. McKinley, and J. Moss. Using types to analyze and optimize object-oriented programs. ACM Trans. Program. Lang. Syst., 23(1):30-72, 2001. (Pubitemid 33614269)
14. A. Edwards, T. Jaeger, and X. Zhang. Runtime verification of authorization hook placement for the Linux Security Modules framework. In CCS, 2002.
15. V. Felmetsger, L. Cavedon, C. Kruegel, and G. Vigna. Toward automated detection of logic vulnerabilities in Web applications. In USENIX Security, 2010.
16. D. Grove, G. DeFouw, J. Dean, and C. Chambers. Call graph construction in object-oriented languages. SIGPLAN Not., 32(10):108-124, 1997.
17. A. Gupta, T. Henzinger, R. Majumdar, A. Rybalchenko, and R. Xu. Provig non-termination. In POPL, 2008.
18. Y. Huang, F. Yu, C. Hang, C. Tsai, D. Lee, and S. Kuo. Securing Web application code by static analysis and runtime protection. In WWW, 2004.
19. N. Jovanovic, C. Kruegel, and E. Kirda. Pixy: A static analysis tool for detecting web application vulnerabilities. In S&P, 2006.
20. N. Jovanovic, C. Kruegel, and E. Kirda. Precise alias analysis for static detection of web application vulnerabilities. In PLAS, 2006.
21. M. Kenney. Ping of death. http://insecure.org/sploits/ping-o-death.html, 1997.
22. A. Klein. Cross site scripting explained. http://crypto.stanford.edu/ cs155/papers/CSS.pdf, 2002.
23. L. Koved, M. Pistoia, and A. Kershenbaum. Access rights analysis for Java. In OOPSLA, 2002.
24. B. Livshits, A. Nori, S. Rajamani, and A. Banerjee. Merlin: specification inference for explicit information flow problems. In PLDI, 2009.
25. S. Muchnik. Advanced Compiler Design and Implementation. Morgan Kaufman, 1997.
26. PHC. http://phpcompiler.org, 2009.
27. CVE-2005-1807. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005- 1807, 2005.
28. M. Pistoia, R. Flynn, L. Koved, and V. Sreedhar. Interprocedu-ral analysis for privileged code placement and tainted variable detection. In ECOOP, 2005.
29. Server Side Include (SSI) injection. http://capec.mitre.org/data/ definitions/101.html, 2007.
30. L. Tan, X. Zhang, X. Ma, W. Xiong, and Y. Zhou. AutoISES: automatically inferring security specifications and detecting violations. In USENIX Security, 2008.
31. G. Wasserman and Z. Su. Sound and precise analysis of web applications for injection vulnerabilities. In PLDI, 2007.
32. WhiteHat Security. WhiteHat website security statistics report. http://www.whitehatsec.com/home/resource/stats.html, 2009.
33. Y. Xie and A. Aiken. Static detection of security vulnerabilities in scripting languages. In USENIX Security, 2006.