debunking design flaws in php code using static call
play

Debunking Design Flaws in PHP Code using Static Call Graphs Berlin - PowerPoint PPT Presentation

Jul 31, 2023 •406 likes •543 views

Debunking Design Flaws in PHP Code using Static Call Graphs Berlin PHP Usergroup Falko Menge 07.11.2007 1 Agenda Motivation PHPCallGraph Results 3D Exploration with the CGA framework Conclusion 2 Motivation When

  1. Debunking Design Flaws in PHP Code using Static Call Graphs Berlin PHP Usergroup Falko Menge 07.11.2007 1

  2. Agenda ● Motivation ● PHPCallGraph ● Results ● 3D Exploration with the CGA framework ● Conclusion 2

  3. Motivation ● When working with large software systems: – Hard to get an overview of the system – High number of dependencies – Reading complete source code takes too much time – Even harder if its not your own code ● Automatic visualization of dependencies could help to handle the complexity 3

  4. PHPCallGraph: First Prototype ● Static call graph generator for PHP ● 50 lines of PHP code ● Source code parsing with regular expressions – Lead to several bugs ● Graph rendering with DOT – Part of open source GraphViz framework for visualization of directed and undirected graphs 4

  5. PHPCallGraph: Improvements ● Leveraging InstantSVC CodeAnalyzer ● Parsing of method bodies with PHP's Tokenizer ● DOT generation through PEAR package Image_GraphViz by Sebastian Bergmann ● ezcConsoleTools for command line frontend ● Output driver for 3D exploration with CGA 5

  6. Results 6

  7. Results ● Design flaws which can be detected – Cyclic dependencies – Dead code – Candidates for refactoring ● Subclasses ● Separation of concerns ● Introduction of visibilities (especially when migrating from PHP4 to PHP5) 7

  8. Identifying Candidates for Refactoring ● Real world example: – Function library of 55 functions – Nearly 2000 lines of code (90KB) ● Call graph shows lots of dependencies => Introduction of several classes 8

  9. Identifying Candidates for Refactoring ● Real world example: – One single class containing 130 methods – Over 5000 lines of code (190KB) ● Call graph shows clearly separated clusters => Separation into different classes 9

  10. 3D Exploration with CGA ● Framework for analyzing complex software systems ● Focus on various aspects of system dynamics ● Provides elaborate visualization techniques ● Analysis of function level dynamics and long-term system evolution ● Developed by Computer Graphics System group of the Hasso Plattner Institute 10

  11. 3D Exploration with CGA 11

  12. 3D Exploration with CGA 12

  13. Conclusion ● Static call graphs can be leveraged to gain a better understanding of large systems ● Various design flaws can be detected ● Reflection can be used for static analysis http://phpcallgraph.sf.net http://instantsvc.sf.net http://cgs.hpi.uni-potsdam.de/trac/cga/ 13

Recommend

Static Code Analysis on Networking Code: Identifying the capabilities of finding implementation

Static Code Analysis on Networking Code: Identifying the capabilities of finding implementation

RP1 Presenter: Ivar Slotboom Supervisor: Wouter van Dongen , DongIT UvA/SNE Static Code Analysis on Networking Code: Identifying the capabilities of finding implementation flaws using Abstract Syntax Trees RP1 4th of July, 2019 Presenter:

439 views • 20 slides
Examining the Code [Reading assignment: Chapter 6, pp. 91-104] Static white-box testing

Examining the Code [Reading assignment: Chapter 6, pp. 91-104] Static white-box testing

Examining the Code [Reading assignment: Chapter 6, pp. 91-104] Static white-box testing Static white-box testing is the process of carefully and methodically reviewing the software design, architecture, or code for bugs without executing

309 views • 17 slides
Google Study: Google Study: Could those memory failures be caused by design flaws? Could those

Google Study: Google Study: Could those memory failures be caused by design flaws? Could those

Google Study: Google Study: Could those memory failures be caused by design flaws? Could those memory failures be caused by design flaws? Barbara P. Aichinger Vice President New Business Development FuturePlus Systems Corporation

886 views • 21 slides
Static vs. Dynamic Analysis Static analysis: analyze source code or byte code Imprecise

Static vs. Dynamic Analysis Static analysis: analyze source code or byte code Imprecise

I NTELLI D ROID A Targeted Input Generator for the Dynamic Analysis of Android Malware Michelle Y. Wong and David Lie University of Toronto Department of Electrical and Computer Engineering NDSS Symposium 2016 ! ! ! B ACKGROUND Static vs.

1.02k views • 32 slides
System Call Vulnerabilities in Linux Storage Stack Nima Mohammadi Sepand Haghighi Fall - 2016

System Call Vulnerabilities in Linux Storage Stack Nima Mohammadi Sepand Haghighi Fall - 2016

System Call Vulnerabilities in Linux Storage Stack Nima Mohammadi Sepand Haghighi Fall - 2016 Outline Introduction Static Code Analysis Static Analyzer List Kernels Static Analysis Report Conclusion 2 System

809 views • 22 slides
Code Code Code on the Presentation of Persons with Disabilities in the Media What you call us

Code Code Code on the Presentation of Persons with Disabilities in the Media What you call us

Code Code Code on the Presentation of Persons with Disabilities in the Media What you call us IS HOW YOU SEE US This publication is funded by SIDA, the Swedish International Development Cooperation Agency, through MyRight- Empowers People

343 views • 20 slides
Securely Implementing Network Protocols: Detecting and Preventing Logical Flaws Mathy Vanhoef

Securely Implementing Network Protocols: Detecting and Preventing Logical Flaws Mathy Vanhoef

Securely Implementing Network Protocols: Detecting and Preventing Logical Flaws Mathy Vanhoef (KU Leuven) Black Hat Webcast, 24 August 2017 @vanhoefm Introduction Many protocols have been affected by logical bugs Design flaws Implementation

692 views • 31 slides
ECE 3574: Applied Software Design: Static Polymorphism using Templates Chris Wyatt Today we will

ECE 3574: Applied Software Design: Static Polymorphism using Templates Chris Wyatt Today we will

ECE 3574: Applied Software Design: Static Polymorphism using Templates Chris Wyatt Today we will look at how to reuse code using polymorphism and specifically static polymorphism through generic programming Generics in C++ using Templates

410 views • 12 slides
Static Code Analysis of Complex PHP Application Vulnerabilities Johannes Dahse Static Code

Static Code Analysis of Complex PHP Application Vulnerabilities Johannes Dahse Static Code

Static Code Analysis Automatisierte Sicherheitsanalyse of Complex PHP Application Vulnerabilities von Webapplikationen Static Code Analysis of Complex PHP Application Vulnerabilities Johannes Dahse Static Code Analysis Automatisierte

1.48k views • 89 slides
DESIGN FLAWS IN PROPOSED ART PLAN: A SOLUTION AS DESIGNED, THE ALBUQUERQUE RAPID TRANSIT PROJECT

DESIGN FLAWS IN PROPOSED ART PLAN: A SOLUTION AS DESIGNED, THE ALBUQUERQUE RAPID TRANSIT PROJECT

DESIGN FLAWS IN PROPOSED ART PLAN: A SOLUTION AS DESIGNED, THE ALBUQUERQUE RAPID TRANSIT PROJECT WILL INFLICT DAMAGE TO HISTORICALLY SENSITIVE DISTRICTS ALONG THE CENTRAL CORRIDOR; NOB HILL, UNIVERSITY, EDO AND DOWNTOWN. MAKE ART SMART SUPPORTS

306 views • 27 slides
Source Code Analysis for Security through LLVM Lu Zhao HP Fortify lu.zhao@hp.com Static Code

Source Code Analysis for Security through LLVM Lu Zhao HP Fortify lu.zhao@hp.com Static Code

Source Code Analysis for Security through LLVM Lu Zhao HP Fortify lu.zhao@hp.com Static Code Analyzer for Security Static Code Analyzer for Security (HP Fortify SCA) C/C++ Java Vulnerabilities LLVM Language independent Services C/C++ Swift

325 views • 31 slides
Bridging the Semantic Gap Through Static Code Analysis Christian Schneider, Jonas Pfoh, Claudia

Bridging the Semantic Gap Through Static Code Analysis Christian Schneider, Jonas Pfoh, Claudia

Motivation Static Code Analysis Implementation Conclusion References Bridging the Semantic Gap Through Static Code Analysis Christian Schneider, Jonas Pfoh, Claudia Eckert { schneidc,pfoh,eckertc } @in.tum.de Chair for IT Security

632 views • 28 slides
Google Study: Could Those Memory Failures Be Caused By Design Flaws? By Barbara P. Aichinger,

Google Study: Could Those Memory Failures Be Caused By Design Flaws? By Barbara P. Aichinger,

Google Study: Could Those Memory Failures Be Caused By Design Flaws? By Barbara P. Aichinger, FuturePlus Systems Corporation JEDEC Memory Server Forum Shenzhen, China March 1, 2012 Abstract : The conclusions of the extensive Google study

243 views • 12 slides
Flaws and Frauds Flaws and Frauds in IDPS evaluation in IDPS evaluation Dr. Stefano Zanero, PhD

Flaws and Frauds Flaws and Frauds in IDPS evaluation in IDPS evaluation Dr. Stefano Zanero, PhD

Flaws and Frauds Flaws and Frauds in IDPS evaluation in IDPS evaluation Dr. Stefano Zanero, PhD Post-Doc Researcher, Politecnico di Milano CTO, Secure Network Outline Establishing a need for testing methodologies Testing for

1.13k views • 43 slides
UMBC A B M A L T F O U M B C I M Y O R T 1 (11/15/04) I E S R C E O V

UMBC A B M A L T F O U M B C I M Y O R T 1 (11/15/04) I E S R C E O V

Advanced VLSI Design Combination Logic Design I CMPE 640 Combinational Logic: Static versus Dynamic Static : At every point in time (except during the switching transient), each gate output is connected to either V DD or V SS via a

271 views • 12 slides
Static analysis of OpenAFS code base Cheyenne Wills OpenAFS 2019 Workshop Overview What is

Static analysis of OpenAFS code base Cheyenne Wills OpenAFS 2019 Workshop Overview What is

Static analysis of OpenAFS code base Cheyenne Wills OpenAFS 2019 Workshop Overview What is static analysis What are the tools Analysis of the OpenAFS code base What is static analysis Static analysis is performed by analysing

556 views • 20 slides
ss 4 Cl Class CSC 472/583 Software Security System Call, Shellcode Dr. Si Chen

ss 4 Cl Class CSC 472/583 Software Security System Call, Shellcode Dr. Si Chen

ss 4 Cl Class CSC 472/583 Software Security System Call, Shellcode Dr. Si Chen (schen@wcupa.edu) System Call Page 2 System Call User code can be arbitrary User code cannot modify kernel memory The call mechanism switches code to

840 views • 17 slides
Static and dynamic verification Software inspections Concerned with analysis of the static

Static and dynamic verification Software inspections Concerned with analysis of the static

1 Static and dynamic verification Software inspections Concerned with analysis of the static system representation to discover problems (static verification) May be supplement by tool-based document and code analysis Software

430 views • 12 slides
Program Code Analyzers Agenda The Problem Dynamic and Static Tools Examples of

Program Code Analyzers Agenda The Problem Dynamic and Static Tools Examples of

Generic Programming and Library Development The Problems Presentation on Program Code Analyzers Dynamic and Static Tools May 18 th 2007 Examples of Tools Program Code Analyzers Agenda The Problem Dynamic and Static Tools

388 views • 13 slides
Application Logic Flaws Professor Larry Heimann Web Application Security Information Systems

Application Logic Flaws Professor Larry Heimann Web Application Security Information Systems

Application Logic Flaws Professor Larry Heimann Web Application Security Information Systems Discussion of Lab 6 Due end of the week on October 17th (11:59am) Complete findings record, attach screenshots and/or code files to confirm

847 views • 16 slides
Static execution-time analysis CPU speed model Bounds on Static (Sub)program code exec time

Static execution-time analysis CPU speed model Bounds on Static (Sub)program code exec time

Tid rum Static Execution Time Analysis Niklas Holsti Space Systems Finland Ltd (now) Tidorum Ltd(to be) Overview Area of interest Current state Work in progress What to do next 1 bo Akademi, ES lab, 2003-10-03 Tid rum

466 views • 12 slides
Static and dynamic verification Software inspections Concerned with analysis of the

Static and dynamic verification Software inspections Concerned with analysis of the

1 Static and dynamic verification Software inspections Concerned with analysis of the static system representation to discover problems (static verification) May be supplement by tool-based document and code analysis

310 views • 12 slides
Binarylevel program analysis: Static Disassembly Gang Tan CSE 597 Spring 2019 Penn State

Binarylevel program analysis: Static Disassembly Gang Tan CSE 597 Spring 2019 Penn State

Binarylevel program analysis: Static Disassembly Gang Tan CSE 597 Spring 2019 Penn State University 3 Disassemblers Disassembler Convert machine code in a binary file into assembly code or code in an equivalent IR Assume a

514 views • 26 slides
Static code checking In the Linux kernel Presented by Arnd Bergmann Date April 6, 2016 Event

Static code checking In the Linux kernel Presented by Arnd Bergmann Date April 6, 2016 Event

Static code checking In the Linux kernel Presented by Arnd Bergmann Date April 6, 2016 Event Embedded Linux Conference Static code checking in the Linux kernel 1. Overview 2. Randconfig issues 3. Checking tools 4. Automated checking

586 views • 48 slides

More recommend