Detecting Security Vulnerabilities in Object-Oriented PHP Programs

2017 IEEE 17th International Working Conference on Source Code Analysis and Manipulation (SCAM) Pub Date : 2017-09-01 DOI:10.1109/SCAM.2017.20

Mona Nashaat, Karim Ali, James Miller

{"title":"Detecting Security Vulnerabilities in Object-Oriented PHP Programs","authors":"Mona Nashaat, Karim Ali, James Miller","doi":"10.1109/SCAM.2017.20","DOIUrl":null,"url":null,"abstract":"PHP is one of the most popular web development tools in use today. A major concern though is the improper and insecure uses of the language by application developers, motivating the development of various static analyses that detect security vulnerabilities in PHP programs. However, many of these approaches do not handle recent, important PHP features such as object orientation, which greatly limits the use of such approaches in practice. In this paper, we present OOPIXY, a security analysis tool that extends the PHP security analyzer PIXY to support reasoning about object-oriented features in PHP applications. Our empirical evaluation shows that OOPIXY detects 88% of security vulnerabilities found in micro benchmarks. When used on real-world PHP applications, OOPIXY detects security vulnerabilities that could not be detected using state-of-the-art tools, retaining a high level of precision. We have contacted the maintainers of those applications, and two applications’ development teams verified the correctness of our findings. They are currently working on fixing the bugs that lead to those vulnerabilities.","PeriodicalId":306744,"journal":{"name":"2017 IEEE 17th International Working Conference on Source Code Analysis and Manipulation (SCAM)","volume":null,"pages":null},"PeriodicalIF":0.0000,"publicationDate":"2017-09-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"4","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2017 IEEE 17th International Working Conference on Source Code Analysis and Manipulation (SCAM)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/SCAM.2017.20","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 4

Abstract

PHP is one of the most popular web development tools in use today. A major concern though is the improper and insecure uses of the language by application developers, motivating the development of various static analyses that detect security vulnerabilities in PHP programs. However, many of these approaches do not handle recent, important PHP features such as object orientation, which greatly limits the use of such approaches in practice. In this paper, we present OOPIXY, a security analysis tool that extends the PHP security analyzer PIXY to support reasoning about object-oriented features in PHP applications. Our empirical evaluation shows that OOPIXY detects 88% of security vulnerabilities found in micro benchmarks. When used on real-world PHP applications, OOPIXY detects security vulnerabilities that could not be detected using state-of-the-art tools, retaining a high level of precision. We have contacted the maintainers of those applications, and two applications’ development teams verified the correctness of our findings. They are currently working on fixing the bugs that lead to those vulnerabilities.

查看原文本刊更多论文

检测面向对象PHP程序中的安全漏洞

PHP是当今最流行的web开发工具之一。一个主要的问题是应用程序开发人员对语言的不正确和不安全的使用，这促使开发各种静态分析来检测PHP程序中的安全漏洞。然而，这些方法中的许多都不处理最新的、重要的PHP特性，例如面向对象，这极大地限制了这些方法在实践中的使用。在本文中，我们提出了OOPIXY，一个安全分析工具，它扩展了PHP安全分析器PIXY，以支持对PHP应用程序中面向对象特性的推理。我们的经验评估表明，OOPIXY在微基准测试中检测到88%的安全漏洞。在实际的PHP应用程序中使用时，OOPIXY可以检测到使用最先进的工具无法检测到的安全漏洞，从而保持了很高的精度。我们已经联系了这些应用程序的维护者，两个应用程序的开发团队验证了我们发现的正确性。他们目前正在修复导致这些漏洞的错误。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

2017 IEEE 17th International Working Conference on Source Code Analysis and Manipulation (SCAM)

自引率

0.00%

发文量