Simulation of Built-in PHP Features for Precise Static Code Analysis

21st Annual Network and Distributed System Security Symposium, NDSS 2014

Volumn , Issue , 2014, Pages

  Dahse, Johannes ^a   Holz, Thorsten ^a  

^a RUHR UNIVERSITY BOCHUM   (Germany)

Author keywords

[No Author keywords available]

Indexed keywords

APPLICATION PROGRAMS; CODES (SYMBOLS); COMPUTER SIMULATION LANGUAGES; DATA FLOW ANALYSIS;

DATA LEAKAGE; ONLINE SHOPPING; SANITIZATION; SCRIPTING LANGUAGES; SECURITY VULNERABILITIES; SERVER ATTACKS; SERVER COMPROMISE; SOURCE CODES; STATIC CODE ANALYSIS; WEB SERVERS;

STATIC ANALYSIS;

EID: 85065902727     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.14722/ndss/2014.23262     Document Type: Conference Paper

References (44)

1. S. Artzi, A. Kiezun, J. Dolby, F. Tip, D. Dig, A. Paradkar, and M. D. Ernst. Finding Bugs in Web Applications Using Dynamic Test Generation and Explicit-State Model Checking. IEEE Trans. Softw. Eng., 36(4), 2010.
2. D. Balzarotti, M. Cova, V. Felmetsger, N. Jovanovic, E. Kirda, C. Kruegel, and G. Vigna. Saner: Composing Static and Dynamic Analysis to Validate Sanitization in Web Applications. In IEEE Symposium on Security and Privacy, 2008.
3. P. Biggar and D. Gregg. Static Analysis of Dynamic Scripting Languages. 2009.
4. A. S. Christensen, A. Møller, and M. I. Schwartzbach. Precise Analysis of String Expressions. In International Conference on Static Analysis, 2003.
5. J. Clause, W. Li, and A. Orso. Dytan: A Generic Dynamic Taint Analysis Framework. In International Symposium on Software Testing and Analysis (ISSTA), 2007.
6. M. Egele, M. Szydlowski, E. Kirda, and C. Kruegel. Using Static Program Analysis to Aid Intrusion Detection. In Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA), 2006.
7. J. S. Foster, M. Fähndrich, and A. Aiken. A Theory of Type Qualifiers. SIGPLAN Not., 34(5), May 1999.
8. J. S. Foster, T. Terauchi, and A. Aiken. Flow-sensitive Type Qualifiers. SIGPLAN Not., 37(5), May 2002.
9. T. P. Group. PHP: Manual Quick Reference. http://php.net/quickref.php, as of July 2013.
10. W. G. Halfond, J. Viegas, and A. Orso. A Classification of SQL Injection Attacks and Countermeasures. In Proceedings of the IEEE International Symposium on Secure Software Engineering, 2006.
11. D. Hauzar and J. Kofron. On Security Analysis of PHP Web Applications. In IEEE Workshop on Security, Trust, and Privacy for Software Applications (STPSA), 2012.
12. M. Hills, P. Klint, and J. Vinju. An Empirical Study of PHP Feature Usage. In International Symposium on Software Testing and Analysis (ISSTA), 2013.
13. P. Hooimeijer, B. Livshits, D. Molnar, P. Saxena, and M. Veanes. Fast and Precise Sanitizer Analysis with BEK. In USENIX Security Symposium, 2011.
14. Y.-W. Huang, F. Yu, C. Hang, C.-H. Tsai, D. Lee, and S.-Y. Kuo. Securing Web Application Code by Static Analysis and Runtime Protection. In International Conference on the World Wide Web (WWW), 2004.
15. Y.-W. Huang, F. Yu, C. Hang, C.-H. Tsai, D. T. Lee, and S.-Y. Kuo. Verifying Web Applications Using Bounded Model Checking. In Conference on Dependable Systems and Networks (DSN), 2004.
16. T. Jim, N. Swamy, and M. Hicks. Defeating Script Injection Attacks with Browser-Enforced Embedded Policies. In International Conference on the World Wide Web (WWW), 2007.
17. N. Jovanovic. TUVSA-0603-002 - MyBloggie: Multiple XSS Vulnerabilities. http://www.iseclab.org/advisories/TUVSA-0603-002.txt, as of July 2013.
18. N. Jovanovic, C. Kruegel, and E. Kirda. Pixy: A Static Analysis Tool for Detecting Web Application Vulnerabilities (Short Paper). In IEEE Symposium on Security and Privacy, 2006.
19. N. Jovanovic, C. Kruegel, and E. Kirda. Precise Alias Analysis for Static Detection of Web Application Vulnerabilities. In Workshop on Programming Languages and Analysis for Security, 2006.
20. N. Jovanovic, C. Kruegel, and E. Kirda. Static Analysis for Detecting Taint-style Vulnerabilities in Web Applications. Journal of Computer Security, Vol 18, N5, August 2010, 08 2010.
21. A. Klein. Cross-Site Scripting Explained. Sanctum White Paper, 2002.
22. E. Kohler. HotCRP Conference Management Software. http://www.read.seas.harvard.edu/~kohler/hotcrp/, as of July 2013.
23. J. A. Kupsch and B. P. Miller. Manual vs. Automated Vulnerability Assessment: A Case Study. International Workshop on Managing Insider Security Threats, 2009.
24. V. B. Livshits and M. S. Lam. Finding Security Vulnerabilities in Java Applications with Static Analysis. In USENIX Security Symposium, 2005.
25. Y. Minamide. Static Approximation of Dynamically Generated Web Pages. In International Conference on the World Wide Web (WWW), 2005.
26. MITRE. Common Vulnerabilities and Exposures (CVE). http://cve.mitre.org/, as of July 2013.
27. MyBB. Open Source Discussion Board. http://www.mybb.com/, as of July 2013.
28. myWebland Group. myBloggie Weblog System. http://mybloggie.mywebland.com/, as of July 2013.
29. J. Newsome and D. Song. Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software. In Symposium on Network and Distributed System Security (NDSS), 2005.
30. osCommerce. Creating Online Stores Worldwide. http://www.oscommerce.com/, as of July 2013.
31. PHP-Nuke. CMS Portal Solution. http://www.phpnuke.org/, as of July 2013.
32. phpBB. Free and Open Source Forum Software. http://www.phpbb.com/, as of July 2013.
33. D. Ray and J. Ligatti. Defining Code-Injection Attacks. In ACM Symposium on Principles of Programming Languages (POPL), 2012.
34. T. Scholte, W. Robertson, D. Balzarotti, and E. Kirda. An Empirical Analysis of Input Validation Mechanisms in Web Applications and Languages. In ACM Symposium On Applied Computing (SAC), 2012.
35. E. J. Schwartz, T. Avgerinos, and D. Brumley. All You Ever Wanted to Know about Dynamic Taint Analysis and Forward Symbolic Execution (but Might Have Been Afraid to Ask). In IEEE Symposium on Security and Privacy, 2010.
36. S. Son and V. Shmatikov. SaferPHP: Finding Semantic Vulnerabilities in PHP Applications. In ACM SIGPLAN Workshop on Programming Languages and Analysis for Security, 2011.
37. S. Thomas, L. Williams, and T. Xie. On Automated Prepared Statement Generation to Remove SQL Injection Vulnerabilities. Information and Software Technology, 51(3):589–598, 2009.
38. UtopiaSoft. Utopia News Pro. http://www.utopiasoftware.net/newspro/, as of July 2013.
39. W3Techs. Usage of Content Management Systems for Websites. http://w3techs.com/technologies/overview/content_management/all, as of July 2013.
40. W3Techs. Usage of Server-side Programming Languages for Websites. http://w3techs.com/technologies/overview/programming_ language/all, as of December 2013.
41. G. Wasserman and Z. Su. Sound and Precise Analysis of Web Applications for Injection Vulnerabilities. In ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI), 2007.
42. G. Wasserman and Z. Su. Static Detection of Cross-Site Scripting Vulnerabilities. In International Conference on Software Engineering, 2008.
43. Y. Xie and A. Aiken. Static Detection of Security Vulnerabilities in Scripting Languages. In USENIX Security Symposium, 2006.
44. F. Yu, M. Alkhalaf, and T. Bultan. STRANGER: An Automata-based String Analysis Tool for PHP. In Symposium on Tools and Algorithms for the Construction and Analysis of Systems (TACAS), 2010.