模拟精确的静态代码分析建立在PHP的特点..docx

Simulation of Built-in PHP Features forPrecise Static Code AnalysisJohannes DahseHorst G¨ortz Institute for IT-Security (HGI)Ruhr-University Bochum, Germanyjohannes.dahse@rub.deThorsten HolzHorst G¨ortz Institute for IT-Security (HGI)Ruhr-University Bochum, Germanythorsten.holz@rub.deAbstract—The World Wide Web grew rapidly during the lastdecades and is used by millions of people every day for onlineshopping, banking, networking, and other activities. Many ofthese websites are developed with PHP, the most popular scriptinglanguage on the Web. However, PHP code is prone to differenttypes of critical security vulnerabilities that can lead to dataleakage, server compromise, or attacks against an application’susers. This problem can be addressed by analyzing the sourcecode of the application for security vulnerabilities before theapplication is deployed on a web server. In this paper, we presenta novel approach for the precise static analysis of PHP code todetect security vulnerabilities in web applications. As dismissedby previous work in this area, a comprehensive configurationand simulation of over 900 PHP built-in features allows us toprecisely model the highly dynamic PHP language. By performingan intra- and inter-procedural data flow analysis and by creatingblock and function summaries, we are able to efficiently performa backward-directed taint analysis for 20 different types ofvulnerabilities. Furthermore, string analysis enables us to validatesanitization in a context-sensitive manner. Our method is thefirst to perform fine-grained analysis of the interaction betweendifferent types of sanitization, encoding, sources, sinks, markupcontexts, and PHP settings. We implemented a prototype of ourapproach in a tool called RIPS. Our evaluation shows that RIPSis capable of finding severe vulnerabilities in popular real-worldapplications: we reported 73 previously unknown vulnerabilitiesin five well-known PHP applications such as phpBB, osCommerce,and the conference mana