Vulnerability Analysis and Development of Secure Coding Rules for PHP

Korean title: PHP Security Vulnerability Analysis and Development of Secure Coding Rules

  • 한경숙 (Department of Computer Engineering, Korea Polytechnic University)
  • 박우열 (Department of Computer Engineering, Hongik University)
  • 양일권 (Department of Computer Engineering, Hongik University)
  • 손창환 (Department of Computer Engineering, Hongik University)
  • 표창우 (Department of Computer Engineering, Hongik University)
  • Received : 2015.03.18
  • Accepted : 2015.09.09
  • Published : 2015.11.15

Abstract

This paper presents secure coding rules for PHP programs, to be followed during development. The rules are designed to suppress 28 weaknesses drawn from three sources: 22 weakness classes derived from PHP vulnerabilities reported to CVE, the child weaknesses of CWE-661 (Weaknesses in Software Written in PHP), and the OWASP PHP Top 5. The rule set comprises 28 detailed rules grouped under 14 categories. The paper also demonstrates, through worked examples, that programs complying with these rules avoid the corresponding weaknesses. The rules can further serve as a specification for building security analysis tools for PHP.

Korean abstract (translated): This paper presents secure coding rules for PHP programs. The rules are prescribed for developers to follow during program development in order to suppress the occurrence of 28 PHP-related security weaknesses. The 28 weaknesses were selected from 22 weakness classes derived from actual vulnerability cases reported to CVE, the child weaknesses of CWE-661 (weaknesses in programs written in PHP), and the OWASP PHP Top 5. On this basis, 28 detailed rules were developed across 14 secure coding rule categories. The paper also shows, through application cases, that applying the rules suppresses the weaknesses. The developed rules can be used as a reference for building security analysis tools for PHP programs.
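As an added illustration of the kind of rule the paper describes (this script is not from the paper, and the one-line rule statements in the comments are the editor's paraphrase, not the authors' wording), the following PHP code pairs a vulnerable pattern with a rule-compliant rewrite for three of the OWASP PHP Top 5 classes: SQL injection, cross-site scripting and file inclusion. It assumes PHP 7.4 or later with the pdo_sqlite extension, and all "request" inputs are constructed inline so it runs offline.

```php
<?php
// Added illustration (not the paper's own code): one vulnerable pattern and a
// rule-compliant rewrite for three OWASP PHP Top 5 weakness classes.
// Assumes PHP >= 7.4 with the pdo_sqlite extension; inputs are constructed.
declare(strict_types=1);

// --- 1. SQL injection: string-built query vs. prepared statement ------------
function findUserVulnerable(PDO $db, string $name): array
{
    // Attacker-controlled $name is spliced into the SQL text, so a value such
    // as  x' OR '1'='1  rewrites the WHERE clause and matches every row.
    $sql = "SELECT id, name FROM users WHERE name = '" . $name . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

function findUserSecure(PDO $db, string $name): array
{
    // Rule: never concatenate untrusted data into SQL; bind it as a parameter.
    // The driver sends the value separately, so it can only ever be a name.
    $stmt = $db->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// --- 2. Cross-site scripting: raw echo vs. context-aware escaping -----------
function greetVulnerable(string $name): string
{
    // Markup in $name is emitted verbatim and would run in the victim's browser.
    return '<p>Hello, ' . $name . '</p>';
}

function greetSecure(string $name): string
{
    // Rule: escape untrusted data for the HTML body context before output.
    return '<p>Hello, ' . htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</p>';
}

// --- 3. File inclusion: user-chosen path vs. allowlist ----------------------
function pageFileVulnerable(string $page): string
{
    // A traversal string (../../etc/passwd) or, with allow_url_include on, a
    // remote URL ends up in the path handed to include/require.
    return __DIR__ . '/pages/' . $page . '.php';
}

function pageFileSecure(string $page): ?string
{
    // Rule: map untrusted input onto a fixed allowlist; the input never forms
    // any part of the filesystem path. Unknown keys are rejected (null).
    $allowed = ['home' => 'home.php', 'about' => 'about.php'];
    return isset($allowed[$page]) ? __DIR__ . '/pages/' . $allowed[$page] : null;
}

// --- demonstration on constructed input -------------------------------------
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO users (name) VALUES ('alice'), ('bob')");

$payload = "x' OR '1'='1";   // constructed attacker-supplied "name"
printf("string-built query matched %d row(s)\n", count(findUserVulnerable($db, $payload)));
printf("prepared statement matched %d row(s)\n", count(findUserSecure($db, $payload)));

$xss = '<script>alert(1)</script>';   // constructed attacker-supplied "name"
echo greetVulnerable($xss), "\n";
echo greetSecure($xss), "\n";

var_dump(pageFileVulnerable('../../etc/passwd'));
var_dump(pageFileSecure('../../etc/passwd'));
var_dump(pageFileSecure('home') !== null);
```

Run it with `php rules_demo.php` (any file name works). The string-built query matches both seeded rows for the injected name while the prepared statement matches none; the escaped greeting turns the script tag into inert `&lt;script&gt;` text; and the allowlist returns null for the traversal string while still resolving the legitimate `home` key. Each pair corresponds to the pattern of the paper's rules: identify the construct that lets untrusted input change the meaning of a query, a document or a path, and replace it with one that cannot.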

Acknowledgement

Supported by: Institute for Information & Communications Technology Promotion (IITP)

References

  1. G. Tassey, "The economic impacts of inadequate infrastructure for software testing," National Institute of Standards and Technology, RTI Project 7007.011, 2002.
  2. Ministry of Public Administration and Security, "Guideline for Development and Operation of Information Systems," June 2012. (in Korean)
  3. W3Techs, "Usage statistics and market share of PHP for websites," [Online]. Available: http://w3techs.com/technologies/details/pl-php/all/all (accessed Nov. 5, 2014).
  4. MITRE, "Common Vulnerabilities and Exposures," [Online]. Available: http://cve.mitre.org/
  5. MITRE, "Common Weakness Enumeration," [Online]. Available: http://cwe.mitre.org/
  6. NIST, "National Vulnerability Database," [Online]. Available: https://nvd.nist.gov/
  7. B. Chess and J. West, "Secure Programming with Static Analysis," Addison-Wesley, 2007.
  8. K. Han et al., "An Improvement of the Guideline of Secure Software Development for Korea E-Government," Journal of KIISC, vol. 22, no. 5, pp. 1179-1189, 2012. (in Korean)
  9. Ministry of Public Administration and Security and Korea Internet & Security Agency, "Guide for Security in Software Development," Sept. 2012. (in Korean)
  10. CERT, "CERT Coding Standard," [Online]. Available: https://www.securecoding.cert.org/confluence/display/seccode/CERT+Coding+Standard (accessed Nov. 2014).
  11. R. Lerdorf, K. Tatroe, and P. MacIntyre, "Programming PHP," O'Reilly Media, 2006.
  12. PHP.net, "PHP Manual - Appendices," [Online]. Available: http://php.net/manual/en/appendices.php (accessed Nov. 5, 2014).
  13. OWASP, "PHP Top 5," [Online]. Available: https://www.owasp.org/index.php/PHP_Top_5
  13. OWASP, PHP Top 5, [Online]. Available: https://www.owasp. org/index.php/PHP_Top_5