http://dx.doi.org/10.3745/KIPSTA.2011.18A.5.193

Implementation of a Static Analyzer for Detecting the PHP File Inclusion Vulnerabilities

Ahn, Joon-Seon (Korea Aerospace University, School of Avionics and Information & Communication Engineering)
Lim, Seong-Chae (Dongduk Women's University, Department of Computer Science)
Abstract
Since web applications are accessed by anonymous users over the web, they are exposed to more security risks than other software. In particular, because security vulnerabilities caused by insecure source code cannot be properly handled by system-level security mechanisms such as intrusion detection systems, such problems must be eliminated in advance. In this paper, to enhance the security of web applications, we develop a static analyzer for detecting the well-known PHP file inclusion vulnerability. Using a semantics-based static analysis, our vulnerability analyzer guarantees the soundness of the vulnerability detection and imposes no runtime overhead, unlike other approaches such as penetration testing and application firewalls. To this end, our analyzer adopts the abstract interpretation framework and uses an abstract analysis domain designed for detecting the target vulnerability in PHP programs. Thus, our analyzer can efficiently analyze the complicated data-flow relations in PHP programs that arise from the extensive use of string data. The analysis results can be browsed using a Java GUI tool, and the memory states and variable values at vulnerable program points can also be inspected. To show the correctness and practicability of our analyzer, we analyzed the source code of open PHP applications with it. Our experimental results show that the analyzer has practical performance in both analysis capability and execution time.
Keywords
PHP File Inclusion Vulnerability; Static Analysis; Abstract Interpretation; Security Vulnerability;
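As an added illustration (not the paper's analyzer or its abstract domain), the following Python sketch shows the shape of such an analysis: a toy abstract interpreter over a tuple-encoded fragment of PHP, where each variable holds either a set of possible constant strings or TAINTED, both branches of an if are joined in the lattice, and an include whose argument may be TAINTED is reported. The statement encoding, the domain and the sample programs are all assumptions made here.

```python
TAINTED = "TAINTED"   # top element: string may contain attacker-controlled data

def join(a, b):
    # Lattice join: TAINTED absorbs everything, otherwise union of constants.
    return TAINTED if TAINTED in (a, b) else a | b

def eval_expr(expr, env):
    # Abstract evaluation of an expression tuple over the current environment.
    kind = expr[0]
    if kind == "const":
        return frozenset([expr[1]])
    if kind == "var":
        return env.get(expr[1], frozenset())      # unassigned: bottom
    if kind == "input":                           # $_GET[...] / $_POST[...]
        return TAINTED
    if kind == "concat":
        a, b = eval_expr(expr[1], env), eval_expr(expr[2], env)
        return TAINTED if TAINTED in (a, b) else frozenset(x + y for x in a for y in b)
    raise ValueError(kind)

def analyze(stmts, env=None):
    # Returns (abstract env, list of flagged include statements).
    env, findings = dict(env or {}), []
    for st in stmts:
        if st[0] == "assign":
            env[st[1]] = eval_expr(st[2], env)
        elif st[0] == "include" and eval_expr(st[1], env) == TAINTED:
            findings.append(st)
        elif st[0] == "if":
            env_t, f_t = analyze(st[1], env)
            env_e, f_e = analyze(st[2], env)
            # Join both branches so the result over-approximates either path.
            env = {v: join(env_t.get(v, frozenset()), env_e.get(v, frozenset()))
                   for v in set(env_t) | set(env_e)}
            findings += f_t + f_e
    return env, findings

# Constructed sample programs (not from the paper), in the tuple-encoded mini-PHP.
# VULN mirrors the classic `include($_GET['page'] . '.php');` pattern.
VULN = [("assign", "page", ("concat", ("input", "page"), ("const", ".php"))),
        ("include", ("var", "page"))]
# SAFE picks $page from constants on every path, so the include is not flagged.
SAFE = [("if", [("assign", "page", ("const", "home.php"))],
               [("assign", "page", ("const", "about.php"))]),
        ("include", ("var", "page"))]
```

Calling `analyze(VULN)` reports the include because the abstract value of `$page` is TAINTED, while `analyze(SAFE)` reports nothing because the join of the two branches is the finite set of allowed file names.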