Static Code Analysis of Complex PHP Application Vulnerabilities - PowerPoint PPT Presentation

  1. Static Code Analysis of Complex PHP Application Vulnerabilities
     Automated Security Analysis of Web Applications
     Johannes Dahse

  2. Static Code Analysis of Complex PHP Application Vulnerabilities
     1. Introduction
     2. Static Code Analysis
     3. First-order Bug Detection
     4. Second-order Bug Detection
     5. Gadget Chain Detection

  3. 1.1 About
     ● Johannes Dahse
     ● @FluxReiners
     ● websec.wordpress.com
     ● Ph.D. IT-Security, Ruhr-University Bochum
     ● Security Consultant / CTF Player
     ● Developer of RIPS
     ● CEO of RIPS Technologies

  4. 1.2 Research Timeline
     ● 2007 – 2009: PHP scanner based on regular expressions, used for CTF competitions
     ● 2009 – 2011: RIPS 0.1 – 0.5 based on the PHP tokenizer, open sourced during the Month of PHP Security (MOPS)
     ● 2012: RIPS 1.0 based on AST and CFG, subject of master thesis
     ● 2013 – 2015: RIPS 1.0 – 2.0, subject of doctoral thesis (www.ripstech.com)
     ● 2016: RIPS 2.0 standalone / cloud product

  5. 1.3 The Role of PHP
     ● 82.2 % of websites run PHP as their server-side language (source: W3Techs)
     ● Dynamic language, built-in features, oddities / pitfalls
     ● 25 % of all reported CVE vulnerabilities are related to PHP (source: MITRE CVE)
     ● Sucuri Website Hacked Report: 97 % of hacked websites run a PHP CMS
     [Chart: share of websites by server-side language: PHP, ASP, Java, CFM, Ruby, Perl, Python, JS, Other; source: W3Techs]
     [Chart: reported CVE vulnerabilities per year, 2000 – 2014, PHP vs. other languages, 0 – 8000 entries; source: MITRE CVE]

  6. 1.4 Problem
     ● Detect and eliminate security vulnerabilities in PHP applications
     ● Hundreds of thousands of lines of code
     ● Complex and hard-to-spot vulnerabilities
     ● Manual code reviews become ineffective
     [Figure: call graph for the WordPress index page]

  7. 1.5 Approach
     ● Automated security analysis of PHP code
     ● Static code analysis

                         Static                          Dynamic
     Method              analyze code without execution  analyze code while executing it
     Code coverage       full                            single execution path
     Data coverage       compile-time data               runtime data (valid for this environment)
     Decidability        halting problem                 real data

  8. 1.6 Challenges
     - Dynamic PHP language
     - Support a variety of language features
     - Detect common vulnerability types
     - Detect complex vulnerabilities
     - Scale to large applications
     - Non-annotation based

  9. 2. Static Code Analysis

  10. 2.1 Overview
      ● Transform code into an abstract syntax tree (AST)
      Example (line 1 of the analyzed file):  $cookie = $_COOKIE['text'];
      AST:
        Assign
          var:  Variable $cookie
          expr: array dim
                  variable: Variable $_COOKIE
                  dim:      String 'text'
      Pipeline: Code → AST → Basic Blocks → CFG → Report

  11. 2.1 Overview
      ● Transform code into an abstract syntax tree (AST)
      ● Split the AST into basic blocks
      Pipeline: Code → AST → Basic Blocks → CFG → Report

  12. 2.1 Overview
      ● Transform code into an abstract syntax tree (AST)
      ● Split the AST into basic blocks
      ● Analyze data flow within each basic block
      Pipeline: Code → AST → Basic Blocks → CFG → Report

  13. 2.1 Overview
      ● Transform code into an abstract syntax tree (AST)
      ● Split the AST into basic blocks
      ● Analyze data flow within each basic block
      ● Summarize data flow in block and function summaries
      Pipeline: Code → AST → Basic Blocks → CFG → Report

  14. 2.1 Overview
      ● Transform code into an abstract syntax tree (AST)
      ● Split the AST into basic blocks
      ● Analyze data flow within each basic block
      ● Summarize data flow in block and function summaries
      ● Connect basic blocks to a control flow graph (CFG)
      Pipeline: Code → AST → Basic Blocks → CFG → Report

  15. 2.1 Overview
      ● Transform code into an abstract syntax tree (AST)
      ● Split the AST into basic blocks
      ● Analyze data flow within each basic block
      ● Summarize data flow in block and function summaries
      ● Connect basic blocks to a control flow graph (CFG)
      ● Perform backwards-directed taint analysis for each sensitive sink
      Pipeline: Code → AST → Basic Blocks → CFG → Report

  17. 2.2 Refinement
      Pipeline: Code → AST → Basic Blocks → CFG → Report

  18. 2.2 Refinement
      Precise simulation of PHP built-in features:
      - Sources + sinks
      - Input sanitization + encoding
      - Built-in functions (data flow)
      Pipeline: Code → AST → Basic Blocks → CFG → Report

  19. 2.2 Refinement
      Precise simulation of PHP built-in features:
      - Sources + sinks
      - Input sanitization + encoding
      - Built-in functions (data flow)
      Pipeline: Code → AST → Basic Blocks → CFG → Report (data flow traced from source to sink)

  20. 2.2 Refinement
      Precise simulation of PHP built-in features:
      - Sources + sinks
      - Input sanitization + encoding
      - Built-in functions (data flow)
      Efficient data flow analysis:
      - Block and function summaries
      - Inter-procedural
      - Object- and field-sensitive
      - Backwards-directed data flow & forwards-directed object analysis
      Pipeline: Code → AST → Basic Blocks → CFG → Report
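The following added example (not RIPS code and not from the slides) illustrates two points at once: the backwards-directed taint analysis that section 2.1 runs from each sensitive sink, and the sink-specific treatment of built-in sanitizers from section 2.2. The analyzed program is a constructed, pre-parsed AST of straight-line PHP, and the source, sink and sanitizer tables are assumptions kept deliberately small.

```python
# Added illustration of the backwards-directed taint analysis sketched on the slides, not RIPS code.
# The program is a constructed, pre-parsed AST (tuples); the source/sink/sanitizer tables are assumptions.
SOURCES = {"$_GET", "$_POST", "$_COOKIE"}
SINKS = {"echo": "xss", "mysql_query": "sqli"}            # sensitive sink -> vulnerability class
SANITIZERS = {"htmlspecialchars": {"xss"}, "mysql_real_escape_string": {"sqli"}, "intval": {"xss", "sqli"}}
# AST nodes: ("var", name) | ("str", text) | ("dim", base, index) for $a['k'] | ("concat", l, r)
#            | ("call", fname, [args]).   Statements: ("assign", name, expr) | ("sink", fname, expr)
def substitute(expr, name, repl):          # replace every use of variable `name` by its assigned expression
    kind = expr[0]
    if kind == "var":
        return repl if expr[1] == name else expr
    if kind in ("dim", "concat"):
        return (kind, substitute(expr[1], name, repl), substitute(expr[2], name, repl))
    if kind == "call":
        return (kind, expr[1], [substitute(a, name, repl) for a in expr[2]])
    return expr                                             # "str": nothing to replace

def resolve(stmts, line):                  # backwards walk from the sink on `line` through earlier assignments
    expr = stmts[line - 1][2]
    for s in reversed(stmts[:line - 1]):
        if s[0] == "assign":
            expr = substitute(expr, s[1], s[2])
    return expr                                             # only sources, constants and built-in calls remain

def tainted(expr, vuln):                   # can the resolved expression carry input unsanitized for `vuln`?
    kind = expr[0]
    if kind == "var":
        return expr[1] in SOURCES                           # an undefined local is not user input
    if kind == "dim":
        return tainted(expr[1], vuln)                       # $_COOKIE['text'] inherits its base's taint
    if kind == "concat":
        return tainted(expr[1], vuln) or tainted(expr[2], vuln)
    if kind == "call":
        if vuln in SANITIZERS.get(expr[1], ()):             # a sanitizer only counts for the matching sink
            return False
        return any(tainted(a, vuln) for a in expr[2])       # other built-ins pass taint through
    return False                                            # "str" constant

def analyze(stmts):                        # (line, sink, class) for each sink fed by a source without a fitting sanitizer
    return [(n, s[1], SINKS[s[1]]) for n, s in enumerate(stmts, 1)
            if s[0] == "sink" and tainted(resolve(stmts, n), SINKS[s[1]])]
PROGRAM = [  # constructed: $text = $_COOKIE['text']; $safe = htmlspecialchars($text); echo $safe; ...
    ("assign", "$text", ("dim", ("var", "$_COOKIE"), ("str", "text"))),
    ("assign", "$safe", ("call", "htmlspecialchars", [("var", "$text")])),
    ("sink", "echo", ("var", "$safe")),                                        # line 3: XSS sanitized
    ("sink", "mysql_query", ("concat", ("str", "SELECT * FROM t WHERE name='"), ("concat", ("var", "$safe"), ("str", "'")))),  # line 4: still SQLi
    ("assign", "$id", ("call", "intval", [("dim", ("var", "$_GET"), ("str", "id"))])),
    ("sink", "mysql_query", ("concat", ("str", "SELECT * FROM t WHERE id="), ("var", "$id"))),
    ("sink", "echo", ("dim", ("var", "$_GET"), ("str", "q"))),                 # line 7: XSS
]
```

`analyze(PROGRAM)` reports lines 4 and 7 only: htmlspecialchars() neutralizes the echo on line 3 but not the SQL sink on line 4, and intval() covers the sink on line 6, which is the sink-specific sanitization decision the refinement slides describe.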
