一個進階的PHP網頁應用程式安全驗證之靜態分析工具

Abstract

The importance of Web applications has increased continually in recent years. As more and more services are delivered through Web applications, they have become a major target of security attacks. In addition, Web applications are often implemented by programmers with time-to-market pressure and limited security skills. These situations result in an increasing security threat that may lead to the compromise of sensitive information. Due to the fact that security vulnerabilities are often rather intricate, especially when the relevant code spans many different functions and source files,finding all potential vulnerabilities without the assistance of an automated tool is impractical. PHP is one of the most popular languages for Web application development. To detect security vulnerabilities in PHP Web applications, many program analysis techniques, in particular by static analysis approaches, have been developed. In this thesis, we design and implement a static code analysis tool for PHP that improves over an existing analyzer. Our tool translates a PHP program into a CIL program and applies taint analysis on the CIL representation. We support most PHP5 features and preserve the semantics of the source program in our translation. The new object-oriented features in PHP5 bring new vulnerable points in programs. We also design and implement interprocedural analysis and alias analysis algorithms which provide support for object-oriented features of PHP. Our interprocedural analysis allows taint analysis to cross function boundaries and provide more precise and complete analysis results. Alias analysis can discover the relationship between variables that are mapped to the same memory location in program. Finally, we demonstrate the effectiveness of our approach by detecting XSS vulnerabilities that cross object and alias relationships. We also confirm these vulnerabilities by executing our CIL representation as well as the original PHP source programs.