Simulation of Built-in PHP Features for Precise Static Code Analysis
Johannes Dahse and Thorsten Holz, Ruhr-University Bochum
NDSS ’14, 23-26 February 2014, San Diego, CA, USA
PHP is everywhere.
● CVE entries (2013): http://www.coelho.net/php_cve.html
● Server-side programming languages: http://php.net/usage.php
Agenda: 1. Introduction 2. Implementation 3. Evaluation 4. Conclusion
Target: Taint-style Vulnerabilities

● SQL injection (source: $_GET['id'], sensitive sink: mysql_query())
<?php $id = $_GET['id']; $sql = "SELECT data FROM users WHERE id = '$id' "; mysql_query($sql);?>

● Cross-Site Scripting (source: $_GET['name'], sensitive sink: print())
<?php $name = $_GET['name']; $html = "<h1>Hello $name</h1>"; print($html);?>
PHP Built-in Features
● 228+ extensions
● 5700+ built-in functions: sinks, sanitization, data flow
● 10+ superglobal variables: $GLOBALS, $_FILES, $_SERVER ...
● Settings: magic_quotes_gpc, register_globals
Our Approach
● Static Code Analysis for PHP applications
● Precise simulation of built-in features is the key to detect taint-style vulnerabilities
  (to accept your paper on your own)
2. Implementation
(Section background image source: http://rewalls.com)
Precise Simulation

<?php $uri = trim($_SERVER['PHP_SELF']); $uri = urldecode($uri); $url = 'http://rub.de/' . htmlentities($uri); $html = "<a href='$url' >back</a>"; print($html);?>

Example request: http://rub.de/index.php/payload

1. taintable sources
● $_FILES[]['name']
● $_FILES[]['tmp_name']
● $_SERVER['PHP_SELF']
● $_SERVER['REMOTE_ADDR']
$_SERVER['PHP_SELF'] is marked as tainted source S1 (Path Traversal, e.g. http://rub.de/index.php/../../../../)

2. data flow
● Format string
● Regular expressions

3. encoding
● Encoding stack
● Interaction with sanitization

4. sanitization
● Sanitization tags
● Context-sensitive
Sanitization tags for S1 after htmlentities(): XSS <> Element, XSS DQ " Attribute

5. sinks
● Parameter
● Vulnerability type

6. markup context
<a href='http://rub.de/S1' >back</a>
→ XSS Single-Quoted ' Attribute (not covered by the sanitization tags)
→ ' onclick='alert(document.cookie)

● 952 built-in functions
● 20 vulnerability types
● 45 markup contexts
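A toy model of the six simulation steps above, run over the slide's PHP snippet (added example for this transcript, not code from the paper or from the RIPS tool). The tag vocabulary, the `Taint` record and the assumption that PHP_SELF arrives URL-encoded are choices made for this illustration:

```python
from dataclasses import dataclass, field

MARK = "S1"  # stands in for the tainted source, as on the slide
@dataclass
class Taint:  # toy model for this example, not RIPS's data structure
    text: str                                      # string with the source replaced by MARK
    encodings: list = field(default_factory=list)  # 3. encoding stack, e.g. ["url"]
    tags: set = field(default_factory=set)         # 4. sanitization tags: contexts it is safe in

def trim(t: Taint) -> Taint:  # 2. data flow: strips whitespace only, taint passes through
    return Taint(t.text, list(t.encodings), set(t.tags))

def urldecode(t: Taint) -> Taint:
    # Decoding pops the encoding stack and can reintroduce meta characters, so
    # sanitization applied before the decode no longer counts (step 3, interaction).
    return Taint(t.text, t.encodings[:-1], set())

def htmlentities(t: Taint, ent_quotes: bool = False) -> Taint:
    tags = {"html_element", "html_attr_dq"}        # safe in <> element and "double-quoted" attribute
    if ent_quotes:                                 # only ENT_QUOTES also encodes the single quote
        tags.add("html_attr_sq")
    return Taint(t.text, list(t.encodings), tags)

def concat(prefix: str, t: Taint, suffix: str = "") -> Taint:
    return Taint(prefix + t.text + suffix, list(t.encodings), set(t.tags))

def markup_context(html: str) -> str:  # 6. markup context: where does MARK land?
    before = html[: html.index(MARK)]
    tag_start = before.rfind("<")
    if tag_start == -1 or ">" in before[tag_start:]:
        return "html_element"
    quote = None                                   # track the open quote inside the tag
    for ch in before[tag_start:]:
        if quote is None and ch in "\"'":
            quote = ch
        elif ch == quote:
            quote = None
    return {'"': "html_attr_dq", "'": "html_attr_sq"}.get(quote, "html_attr_unquoted")

def print_sink(html: Taint) -> dict:  # 5. sink: print() is an XSS sink
    ctx = markup_context(html.text)
    return {"context": ctx, "vulnerable": ctx not in html.tags}

def analyze_slide_example(ent_quotes: bool = False) -> dict:
    uri = Taint(MARK, encodings=["url"])           # 1. source: $_SERVER['PHP_SELF'] (assumed URL-encoded)
    uri = urldecode(trim(uri))
    url = concat("http://rub.de/", htmlentities(uri, ent_quotes))
    html = concat("<a href='", url, "' >back</a>")
    return print_sink(html)                        # slide's code -> html_attr_sq, vulnerable
```

On PHP versions before 8.1, htmlentities() leaves the single quote unencoded unless ENT_QUOTES is passed; PHP 8.1 made ENT_QUOTES part of the default flags, so the flag a simulator assumes must follow the PHP version being analysed.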
3. Evaluation
(Section background image source: http://rewalls.com)
Software
● HotCRP 2.60
● MyBB 1.6.10
● OsCommerce 2.3.3
● phpBB2 2.0.23
● phpBB3 3.0.11
Chart: lines of code (LOC, scale 0 to 200 000) per application: phpBB3, phpBB2, osCommerce, MyBB, HotCRP
Vulnerability Detection
● 73 True Positives (72%)
● 29 False Positives (28%): 19 FP in OsCommerce, root cause: path-sensitivity
● 10 False Negatives (24%, measured against 42 CVE entries): 8 FN in MyBB, root cause: OOP
Chart, true positives by type: Cross-Site Scripting 48, SQL Injection 11, File Write 8, Path Traversal 3, Variable Tampering 2, CRLF Injection 1
Software in Related Work
● Criteria: available, follow-up version exists, patch-only
● Our results: 31 new vulnerabilities detected, 0 false positives; precise simulation pays off
Chart: lines of code (LOC, scale 0 to 200 000) per application: MyBloggie 2.1.4, NewsPro 1.1.5, phpBB3, phpBB2, osCommerce, MyBB, HotCRP
Vulnerability Example
● Blind SQL Injection in HotCRP 2.60
● Fixed in version 2.61
● HotCRP stores credentials in plaintext
4. Conclusion
(Section background image source: http://rewalls.com)
Conclusion
● New approach to PHP static code analysis: 20 vulnerability types, 45 markup contexts, 900+ built-in features simulated
● 73 new vulnerabilities, 28% false positives
  Current vulnerabilities are based on complex PHP features; modeling these features precisely is crucial and was missed by previous work
● Future work: path-sensitivity, OOP
Thank you! Enjoy the conference.
Backup Slides
Built-in Function Coverage
● Every 13th line of code calls a built-in function
● Static point of view
● 970 unique calls, 70% covered
● 37 651 total calls, 89% covered
● Remaining calls are less relevant; they do not influence our analysis results
Chart: 89% of calls covered, 11% ignored
Target: Taint-style Vulnerabilities (with sanitization)

● SQL injection (source: $_GET['id'], sanitization: mysql_real_escape_string(), sensitive sink: mysql_query())
<?php $id = mysql_real_escape_string($_GET['id']); $sql = "SELECT data FROM users WHERE id = $id "; mysql_query($sql);?>

● Cross-Site Scripting (source: $_GET['name'], sanitization: htmlentities(), sensitive sink: print())
<?php $name = htmlentities($_GET['name']); $html = "<h1>Hello $name</h1>"; print($html);?>
Path-sensitive sanitization
Supported vulnerability types
1) Code Execution
2) Command Execution
3) Connect Injection
4) Cross-Site Scripting
5) Denial of Service
6) Env. Manipulation
7) File Inclusion
8) File Upload
9) File Write
10) HTTP Resp. Splitting
11) LDAP Injection
12) Open Redirect
13) Path Traversal
14) Reflection Injection
15) Session Fixation
16) SQL Injection
17) Unserialize
18) Variable Tampering
19) XML/XXE Injection
20) XPath Injection
Evaluation results
SQL Injection in phpBB2
admin_styles.php?style=rips&install_to=_GET&0[style_name]=rips&0[template_name)VALUES('sqli','sqli')-- -]=1