
Implementation of a Static Analyzer for Detecting the PHP File Inclusion Vulnerabilities


  • 안준선 (School of Avionics and Information and Communication Engineering, Korea Aerospace University);
  • 임성채 (Department of Computer Science, Dongduk Women's University)
  • Received: 2011.03.21
  • Accepted: 2011.07.28
  • Published: 2011.10.31

Abstract

Since web applications are accessed by anonymous users via the web, they are exposed to greater security risks. In particular, because security vulnerabilities caused by insecure source code cannot be properly handled by system-level security mechanisms such as intrusion detection systems, such problems must be eliminated in advance. In this paper, to enhance the security of web applications, we develop a static analyzer for detecting a well-known security vulnerability, the PHP file inclusion vulnerability. Using semantics-based static analysis, our vulnerability analyzer guarantees the soundness of the vulnerability detection and imposes no runtime overhead, unlike other approaches such as penetration testing and application firewalls. To this end, our analyzer adopts the abstract interpretation framework and uses an abstract analysis domain designed for detecting the target vulnerability in PHP programs. Thus, our analyzer can efficiently analyze the complicated data-flow relations in PHP programs caused by the extensive use of string data. The analysis results can be browsed using a Java GUI tool, and the memory states and variable values at vulnerable program points can also be checked. To show the correctness and practicability of our analyzer, we analyzed the source code of open PHP applications using it. Our experimental results show that our analyzer has practical performance in analysis capability and execution time.

Korean abstract (translated): Web applications on the Internet can be accessed by an unspecified number of users, which increases their security risk. In particular, when the application's source code contains a security vulnerability, system-level defenses such as an intrusion detection system are difficult to apply, so it is important to remove such vulnerabilities in advance. This paper deals with the implementation of a static analyzer that can automatically detect the PHP file inclusion vulnerability, a representative source-code vulnerability of web applications. In this study, by using semantics-based static analysis to automatically detect and correct source-code vulnerabilities in advance, we aimed to safely remove security vulnerabilities while avoiding additional runtime overhead, unlike existing penetration testing techniques or the use of application firewalls. To this end, we applied abstract interpretation, a semantics-based analysis methodology, and by designing and using an abstract analysis domain optimized for the PHP inclusion vulnerability, we could effectively handle the complex string-based data flow characteristic of PHP while effectively detecting the target vulnerability. The vulnerability analysis results of a program can be viewed through a Java GUI tool, and the memory state and computed information at the analyzed vulnerability points can also be checked using the same tool. To verify the detection accuracy and execution speed of the implemented analyzer, we performed performance experiments using publicly available PHP programs, and through these we confirmed the practicality of the implemented analyzer.
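To make the approach sketched in both abstracts concrete, here is an added illustration (not the paper's analyzer, whose actual abstract domain and Java implementation are not given on this page): a minimal abstract interpreter in Python over a PHP-like program representation. It uses a constructed two-tag string domain (statically known vs. user-controlled), joins abstract memories at branch merges, iterates loop bodies to a fixpoint, and flags any include whose path may carry user-controlled data.

```python
"""Toy abstract interpreter for PHP file-inclusion detection (constructed example)."""
from typing import Dict, FrozenSet, List

CONST, USER = "const", "user"          # abstract tags: statically known / user-controlled
AbsVal = FrozenSet[str]                # an abstract string is a set of tags; join is set union
Env = Dict[str, AbsVal]                # abstract memory: variable name -> abstract string

def join_env(a: Env, b: Env) -> Env:
    """Pointwise join of two abstract memories (used after if/else and at loop heads)."""
    return {v: a.get(v, frozenset()) | b.get(v, frozenset()) for v in a.keys() | b.keys()}

def eval_expr(expr: tuple, env: Env) -> AbsVal:
    kind = expr[0]
    if kind == "lit":                  # 'pages/' -> known constant
        return frozenset({CONST})
    if kind == "input":                # $_GET['page'] -> attacker influenced
        return frozenset({USER})
    if kind == "var":                  # unassigned variable -> bottom (empty tag set)
        return env.get(expr[1], frozenset())
    if kind == "concat":               # a . b : tags of both operands survive soundly
        return eval_expr(expr[1], env) | eval_expr(expr[2], env)
    raise ValueError(kind)

def analyze(stmts: List[tuple], env: Env, findings: List[int]) -> Env:
    for st in stmts:
        kind = st[0]
        if kind == "assign":           # ("assign", var, expr)
            env = {**env, st[1]: eval_expr(st[2], env)}
        elif kind == "if":             # ("if", then_stmts, else_stmts): analyze both, join
            env = join_env(analyze(st[1], env, findings), analyze(st[2], env, findings))
        elif kind == "while":          # ("while", body): iterate until the memory stabilizes
            while True:
                new = join_env(env, analyze(st[1], env, findings))
                if new == env:
                    break
                env = new
        elif kind == "include":        # ("include", line_no, expr): the sink being checked
            if USER in eval_expr(st[2], env) and st[1] not in findings:
                findings.append(st[1])
    return env

# Constructed sample modelling:  $page='home'; if(isset($_GET['page'])) $page=$_GET['page'];
# include 'pages/'.$page.'.php'; include 'header.php'; $path='tpl/';
# while(...) $path=$path.$_GET['dir']; include $path;
PROGRAM = [
    ("assign", "page", ("lit", "home")),
    ("if", [("assign", "page", ("input", "page"))], []),
    ("include", 3, ("concat", ("lit", "pages/"), ("concat", ("var", "page"), ("lit", ".php")))),
    ("include", 4, ("lit", "header.php")),
    ("assign", "path", ("lit", "tpl/")),
    ("while", [("assign", "path", ("concat", ("var", "path"), ("input", "dir")))]),
    ("include", 7, ("var", "path")),
]

def find_file_inclusions(program: List[tuple]) -> List[int]:
    """Return the line numbers of include statements whose path may be user-controlled."""
    findings: List[int] = []
    analyze(program, {}, findings)
    return findings
```

Running `find_file_inclusions(PROGRAM)` reports lines 3 and 7 and stays silent on line 4, showing how the join at the if/else merge and the loop fixpoint carry the user tag to the sinks.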

