rips rips
play

RIPS RIPS A static source code analyser NDS Seminar for - PowerPoint PPT Presentation

May 04, 2023 •442 likes •803 views

RIPS RIPS A static source code analyser NDS Seminar for vulnerabilities in PHP scripts A static source code analyser A static source code analyser for vulnerabilities in PHP scripts for vulnerabilities in PHP scripts 1 Johannes Dahse

  1. RIPS RIPS A static source code analyser NDS Seminar for vulnerabilities in PHP scripts A static source code analyser A static source code analyser for vulnerabilities in PHP scripts for vulnerabilities in PHP scripts 1 Johannes Dahse Johannes Dahse

  2. 0. Table of Contents RIPS A static source code analyser 1. Introduction 2. Implementation for vulnerabilities in PHP scripts 3. Summary 1. Introduction 1.1 Motivation 1.2 PHP Vulnerabilities 1.3 Taint Analysis 1.4 Static VS Dynamic Code Analysis 2. Implementation: RIPS 2.1 Configuration 2.2 The Tokenizer 2.3 Token Analysis 2.4 Webinterface 2.5 Results 2.6 Limitations & Future Work 3. Summary 2 Johannes Dahse

  3. 0. Table of Contents RIPS A static source code analyser 1. Introduction 2. Implementation for vulnerabilities in PHP scripts 3. Summary 1. Introduction 3 Johannes Dahse

  4. 0. Table of Contents RIPS A static source code analyser 1. Introduction 2. Implementation for vulnerabilities in PHP scripts 3. Summary 1.1 Motivation - vulnerabilities 2.0 with web 2.0 - PHP is the most popular scripting language - 30% of all vulnerabilities were PHP related in 2009 - finding vulnerabilities can be automated (minimizes time and costs) - lots of free blackbox scanners available - very few open source whitebox scanners (for PHP) - Capture The Flag (CTF) contests 4 Johannes Dahse

  5. 0. Table of Contents RIPS A static source code analyser 1. Introduction 2. Implementation for vulnerabilities in PHP scripts 3. Summary 1.2 Basic Concept of PHP Vulnerabilities PVF user input vulnerability (potentially vulnerable functions) system() Remote Command Execution $_GET $_POST fopen() File Disclosure $_COOKIE $_FILES eval() Remote Code Execution $_SERVER include() Local/Remote File Inclusion $_ENV ... mysql_query() SQL Injection + = print() Cross-Site Scripting getenv() mysql_fetch_result() header() HTTP Response Splitting file_get_contents() mail() Email Header Injection ... ... ... 5 Johannes Dahse

  6. 0. Table of Contents RIPS A static source code analyser 1. Introduction 2. Implementation for vulnerabilities in PHP scripts 3. Summary 1.3 The Concept of Taint Analysis - identify PVF ( file_get_contents () , system () ) - trace back parameters and check if they are „tainted“ 6 Johannes Dahse

  7. 0. Table of Contents RIPS A static source code analyser 1. Introduction 2. Implementation for vulnerabilities in PHP scripts 3. Summary 1.3 The Concept of Taint Analysis Not a vulnerability (file name cannot be influenced by a user): Vulnerability detected (user can execute system commands): /vuln.php?pass=foobar; nc –l –p 7777 –e /bin/bash 7 Johannes Dahse

  8. 0. Table of Contents RIPS A static source code analyser 1. Introduction 2. Implementation for vulnerabilities in PHP scripts 3. Summary 1.4 Static VS Dynamic Code Analysis Static Source Code Analysis: - parse source code - lexical analysis (tokens) - interprocedual/flow-sensitive analysis - taint analysis Dynamic Code Analysis: - compile source code - parse byte code - taint analysis 8 Johannes Dahse

  9. 0. Table of Contents RIPS A static source code analyser 1. Introduction 2. Implementation for vulnerabilities in PHP scripts 3. Summary 1.4 Static VS Dynamic Code Analysis Static Source Code Analysis: - parse source code - lexical analysis (tokens) - interprocedual/flow-sensitive analysis - taint analysis Dynamic Code Analysis: - compile source code - parse byte code - taint analysis 9 Johannes Dahse

  10. 0. Table of Contents RIPS A static source code analyser 1. Introduction 2. Implementation for vulnerabilities in PHP scripts 3. Summary 2. Implementation 10 Johannes Dahse

  11. 0. Table of Contents RIPS A static source code analyser 1. Introduction 2. Implementation for vulnerabilities in PHP scripts 3. Summary 2.1 Configuration PVF parameter securing functions system 1 escapeshellarg, escapeshellcmd file_put_contents 1,2 printf 0 htmlentities, htmlspecialchars ... array_walk_recursive 2 preg_replace_callback 1,2 preg_quote RIPS in its current state scans for 167 PVF 11 Johannes Dahse

  12. 0. Table of Contents RIPS A static source code analyser 1. Introduction 2. Implementation for vulnerabilities in PHP scripts 3. Summary 2.1 Configuration global securing functions user input file input file_get_contents intval $_GET zip_read count $_POST ... round $_COOKIE strlen $_FILES database input md5 $_SERVER mysql_fetch_array base64_encode $_ENV mysql_fetch_row ... ... ... 12 Johannes Dahse

  13. 0. Table of Contents RIPS A static source code analyser 1. Introduction 2. Implementation for vulnerabilities in PHP scripts 3. Summary 2.2 Most apparent approach - grep / search by regular expression for PVF: $lines = file($file); foreach($lines as $line) { if(preg_match(' /exec\(.*\$/ ', $line)) echo 'vulnerable: ' . $line; } - fail: exec ($cmd); no exec($cmd); /* exec($cmd); */ $t= 'exec() and $var' ; exec( './transfer $100' ); 13 Johannes Dahse

  14. 0. Table of Contents RIPS A static source code analyser 1. Introduction 2. Implementation for vulnerabilities in PHP scripts 3. Summary 2.2 Most apparent approach - grep / search by regular expression for PVF: $lines = file($file); foreach($lines as $line) { if(preg_match(' /exec\(.*\$/ ', $line)) echo 'vulnerable: ' . $line; } - fail: exec ($cmd); no exec($cmd); /* exec($cmd); */ $t= 'exec() and $var' ; exec( './transfer $100' ); 14 Johannes Dahse

  15. 0. Table of Contents RIPS A static source code analyser 1. Introduction 2. Implementation for vulnerabilities in PHP scripts 3. Summary 2.2 The Tokenizer - splits source code into tokens for correct analysis - token_get_all () parses the given source string into PHP language tokens (using the Zend engine's lexical scanner) array token_get_all (string $source ) - returns three element array or single character for each token array( TOKEN_NAME , STRING , LINENR ) 15 Johannes Dahse

  16. 0. Table of Contents RIPS A static source code analyser 1. Introduction 2. Implementation for vulnerabilities in PHP scripts 3. Summary array( 2.2 The Tokenizer array(T_OPEN_TAG, ' <?php ', 1), array(T_VARIABLE, ' $cmd ', 2), array(T_WHITESPACE, ' ', 2), ' = ', token_get_all(): array(T_WHITESPACE, ' ', 2), array(T_VARIABLE, ' $_GET ', 2), ' [ ', 1 <?php array(T_CONSTANT_ENCAPSED_STRING, ' cmd ', 2), 2 $cmd = $_GET['cmd']; ' ] ', 3 system($cmd); ' ; ', array(T_STRING, ' system ', 3), 4 ?> ' ( ', array(T_VARIABLE, ' $cmd ', 3), ' ) ', ' ; ', array(T_CLOSE_TAG, ' ?> ', 4) ); 16 Johannes Dahse

  17. 0. Table of Contents RIPS A static source code analyser 1. Introduction 2. Implementation for vulnerabilities in PHP scripts 3. Summary array( 2.2 The Tokenizer array(T_OPEN_TAG, ' <?php ', 1), array(T_VARIABLE, ' $cmd ', 2), array(T_WHITESPACE, ' ', 2), token_get_all(): ' = ', array(T_WHITESPACE, ' ', 2), array(T_VARIABLE, ' $_GET ', 2), 1 <?php ' [ ', 2 $cmd = $_GET['cmd']; array(T_CONSTANT_ENCAPSED_STRING, ' cmd ', 2), ' ] ', 3 system($cmd); ' ; ', 4 ?> array(T_STRING, ' system ', 3), ' ( ', array(T_VARIABLE, ' $cmd ', 3), delete insignificant tokens for ' ) ', correct analysis ' ; ', array(T_CLOSE_TAG, ' ?> ', 4) ); 17 Johannes Dahse

  18. 0. Table of Contents RIPS A static source code analyser 1. Introduction 2. Implementation for vulnerabilities in PHP scripts 3. Summary 2.2 The Tokenizer Fix token list: 1 if(isset($_GET['cmd'])) 2 $cmd = $_GET['cmd']; 3 else 4 $cmd = '2010'; 5 system('cal ' . $cmd); 18 Johannes Dahse

  19. 0. Table of Contents RIPS A static source code analyser 1. Introduction 2. Implementation for vulnerabilities in PHP scripts 3. Summary 2.2 The Tokenizer Fix token list: 1 if(isset($_GET['cmd'])) 2 { $cmd = $_GET['cmd']; } 3 else 4 { $cmd = '2010'; } 5 system('cal ' . $cmd); Add braces for correct token analysis 19 Johannes Dahse

  20. 0. Table of Contents RIPS A static source code analyser 1. Introduction 2. Implementation for vulnerabilities in PHP scripts 3. Summary 2.3 Token Analysis - loop through all tokens, detect connected language constructs $tokens = fix_tokens( token_get_all ($code) ); foreach($tokens as $token) { list($token_name, $token_value, $line_nr) = $token; if($token_name === T_VARIABLE && .... if($token_name === T_STRING && .... if($token_name === T_FUNCTION && .... ... } 20 Johannes Dahse

  21. 0. Table of Contents RIPS A static source code analyser 1. Introduction 2. Implementation for vulnerabilities in PHP scripts 3. Summary 2.3 Token Analysis (flow-sensitive) curly braces if(condition) { ... } T_FUNCTION function foo($a, $b) {...} T_RETURN function check($a) { return (int)$a;} T_INCLUDE include ($BASE_DIR.'index.php'); T_EXIT if(empty($a)) exit ; 21 Johannes Dahse

  22. 0. Table of Contents RIPS A static source code analyser 1. Introduction 2. Implementation for vulnerabilities in PHP scripts 3. Summary 2.3 Token Analysis T_VARIABLE global $text [] = 'hello' ; - identify variable declarations - add to either local (in function) or global variable list - add current program flow dependency Variable Declaration Dependency $m = $_GET['mode']; $m $b $b+=$a; if($m == 2) $c['name'] $c['name'] = $b; while($d=fopen($c['name'], 'r')) $d 22 Johannes Dahse

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Ripser++: GPU-Accelerated Computation of Vietoris-Rips Persistence Barcodes Simon Zhang, Mengbai

Ripser++: GPU-Accelerated Computation of Vietoris-Rips Persistence Barcodes Simon Zhang, Mengbai

Ripser++: GPU-Accelerated Computation of Vietoris-Rips Persistence Barcodes Simon Zhang, Mengbai Xiao and Hao Wang The Ohio State University, USA 1 What is a Vietoris-Rips Filtration? Let X be a set of points with an underlying metric

334 views • 29 slides
The Security State of Open Source PHP Applications Dr. Johannes Dahse, RIPS Technologies GmbH

The Security State of Open Source PHP Applications Dr. Johannes Dahse, RIPS Technologies GmbH

The Security State of Open Source PHP Applications Dr. Johannes Dahse, RIPS Technologies GmbH Introduction About Johannes Dahse Master IT Security at RUB, Germany (2006 - 2012) Capture The Flag (CTF) Contests Security Consultant

673 views • 64 slides
Vietoris-Rips Complexes of Regular Polygons Samir Chowdhury Adam Jaffe The Ohio State University

Vietoris-Rips Complexes of Regular Polygons Samir Chowdhury Adam Jaffe The Ohio State University

Vietoris-Rips Complexes of Regular Polygons Samir Chowdhury Adam Jaffe The Ohio State University Stanford University Joint work with Henry Adams (Colorado State University) Bonginkosi Sibanda (Brown University) January 13, 2018 AMS Special

741 views • 40 slides
Sea-ice verification by using binary image distance metrics B. Casati, JF. Lemieux, G. Smith, P.

Sea-ice verification by using binary image distance metrics B. Casati, JF. Lemieux, G. Smith, P.

Sea-ice verification by using binary image distance metrics B. Casati, JF. Lemieux, G. Smith, P. Pestieau, A. Cheng Talk outline: the quest for an informative metric (from Hausdorff to Baddeley, and beyond ) Variable: RIPS vs IMS sea-ice

705 views • 45 slides
Simplicial complexes associated with cloud points Seminar algorithms Jorge Cordero Eindhoven

Simplicial complexes associated with cloud points Seminar algorithms Jorge Cordero Eindhoven

Simplicial complexes associated with cloud points Seminar algorithms Jorge Cordero Eindhoven University of Technology 8 May 2018 Outline Motivation 1 Recap 2 Nerves 3 Cech complex 4 Vietoris-Rips complex 5 Delaunay complex 6

675 views • 53 slides
Project 1 Robert Windisch Automated security check for WordPress plugins Static Code Analysis

Project 1 Robert Windisch Automated security check for WordPress plugins Static Code Analysis

Project 1 Robert Windisch Automated security check for WordPress plugins Static Code Analysis Powered by RIPS Technologies High-tech company based in Bochum, Germany Supports the full feature stack of the PHP language Detects

1.06k views • 47 slides
New PHP Exploitation Techniques Johannes Dahse, PHP.RUHR 2018 Dortmund, Germany, 08.11.2018

New PHP Exploitation Techniques Johannes Dahse, PHP.RUHR 2018 Dortmund, Germany, 08.11.2018

New PHP Exploitation Techniques Johannes Dahse, PHP.RUHR 2018 Dortmund, Germany, 08.11.2018 Intro Johannes Dahse Capture The Flag, 5 years Security Consultant, 5 years Developer RIPS open source (2009-2013) Ph.D. Static Code Analysis @

856 views • 36 slides
Research programs at RIKEN RIBF UENO, Hideki RIKEN Nishina Center JCNP2015, RCNP, November 7-12,

Research programs at RIKEN RIBF UENO, Hideki RIKEN Nishina Center JCNP2015, RCNP, November 7-12,

Research programs at RIKEN RIBF UENO, Hideki RIKEN Nishina Center JCNP2015, RCNP, November 7-12, 2015 RIBF key experimental devices SAMURAI - large acceptance SCRIT - e-RI collision RIPS GARIS 1 &amp; 2 - spin-oriented - SHE researches Rare

512 views • 28 slides
CARBON NANOTUBE GRADIENT LAYERS REINFORCED ALUMINUM MATRIX COMPOSITE MATERIALS H. Kwon 1,2 *, S.

CARBON NANOTUBE GRADIENT LAYERS REINFORCED ALUMINUM MATRIX COMPOSITE MATERIALS H. Kwon 1,2 *, S.

18 TH INTERNATIONAL CONFERENCE ON COMPOSITE MATERIALS CARBON NANOTUBE GRADIENT LAYERS REINFORCED ALUMINUM MATRIX COMPOSITE MATERIALS H. Kwon 1,2 *, S. Kim 2 , A. Kwon 2 , U. Chung 2 , H. Cho 2 , H. Kurita 3 , A. Kawasaki 3 , M. Leparoux 4 1 RIPS

872 views • 4 slides
A few security issues to takeover 34% of all websites Johannes Dahse, PHP.RUHR 2019 Dortmund,

A few security issues to takeover 34% of all websites Johannes Dahse, PHP.RUHR 2019 Dortmund,

A few security issues to takeover 34% of all websites Johannes Dahse, PHP.RUHR 2019 Dortmund, Germany, 08.11.2019 1 Intro Johannes Dahse Former CTF addict Security Consultant RIPS open source, static analysis for PHP security Ph.D. Static

643 views • 37 slides
Securing web applications is not nearly as easy! 3 4 5 6

Securing web applications is not nearly as easy! 3 4 5 6

GuardRails GuardRails Web applications are easier to create A Data-Centric Web Application Security Framework than ever! Jonathan Burket, Patrick Mutchler, Michael Weaver, Muzzammil Zaveri, and David Evans University of Virginia

113 views • 8 slides
Protecting Mobile Devices from Physical Memory Attacks with Targeted Encryption Le Guan , Chen

Protecting Mobile Devices from Physical Memory Attacks with Targeted Encryption Le Guan , Chen

Protecting Mobile Devices from Physical Memory Attacks with Targeted Encryption Le Guan , Chen Cao, Sencun Zhu, Jingqiang Lin, Peng Liu, Yubin Xia, and Bo Luo Why do Physical-space Threats Concern for SmartPhones? Why do Physical-space Threats

318 views • 31 slides
Automatic Network Protocol Analysis Gilbert Wondracek, Paolo Milani Comparetti, Christopher

Automatic Network Protocol Analysis Gilbert Wondracek, Paolo Milani Comparetti, Christopher

Secure Systems Lab Technical University Vienna Automatic Network Protocol Analysis Gilbert Wondracek, Paolo Milani Comparetti, Christopher Kruegel and Engin Kirda pmilani@ sssup.it gilbert@ seclab.tuwien.ac.at chris@ cs.ucsb.edu engin.kirda@

606 views • 28 slides
CO 445H MOBILE PLATFORM SECURITY AND MOBILE PRIVACY Dr. Benjamin Livshits Privacy International

CO 445H MOBILE PLATFORM SECURITY AND MOBILE PRIVACY Dr. Benjamin Livshits Privacy International

CO 445H MOBILE PLATFORM SECURITY AND MOBILE PRIVACY Dr. Benjamin Livshits Privacy International Data Tracking 2 http://privacyinternational.org/feature/2433/i-asked-online-tracking-company-all-my-data-and-heres-what-i-found Two Main Attack

986 views • 63 slides
Outline 31st IEEE Symposium on Security &amp; Privacy Introduction TaintScope: A

Outline 31st IEEE Symposium on Security &amp; Privacy Introduction TaintScope: A

Outline 31st IEEE Symposium on Security &amp; Privacy Introduction TaintScope: A Checksum-Aware Background Directed Fuzzing Tool for Automatic Motivation Software Vulnerability Detection TaintScope Intuition Tielei Wang 1 ,

427 views • 5 slides
An information-flow calculus for the non-security expert Alejandro Russo (russo@chalmers.se)

An information-flow calculus for the non-security expert Alejandro Russo (russo@chalmers.se)

An information-flow calculus for the non-security expert Alejandro Russo (russo@chalmers.se) Visiting Associate Professor, Stanford, CA, U.S.A. Chalmers, Gteborg, Sweden Work-in-progress with Pablo Buiras (Chalmers), Deian Stefan (Stanford),

328 views • 20 slides
Pointers char *a = hi; ! Solution exists: ( char *)*p = &amp;a; ! = =

Pointers char *a = hi; ! Solution exists: ( char *)*p = &amp;a; ! = =

Pointers char *a = hi; ! Solution exists: ( char *)*p = &amp;a; ! = = untainted ! ( char *)*q = p; ! char *b = fgets(); ! = = tainted *q = b; &quot; printf(*p); untainted Misses illegal flow! !

634 views • 13 slides
EthPloit : From Fuzzing to Efficient Exploit Generation against Smart Contracts Qingzhao Zhang 1,2

EthPloit : From Fuzzing to Efficient Exploit Generation against Smart Contracts Qingzhao Zhang 1,2

EthPloit : From Fuzzing to Efficient Exploit Generation against Smart Contracts Qingzhao Zhang 1,2 , Yizhuo Wang 1 , Juanru Li 1 , Siqi Ma 3 1 Shanghai Jiao Tong University , China 2 University of Michigan , America 3 Data 61, CSIRO , Australia

918 views • 38 slides
Modelgen: Mining Explicit Information Flow Specifications from Concrete Executions Lazaro Clapp,

Modelgen: Mining Explicit Information Flow Specifications from Concrete Executions Lazaro Clapp,

Modelgen: Mining Explicit Information Flow Specifications from Concrete Executions Lazaro Clapp, Saswat Anand, Alex Aiken Stanford University I Why mine specifications? Whole-program static analysis Application Whole-program static

992 views • 84 slides
PointlessTain,ng? Evalua,ngthePrac,calityofPointer Tain,ng

PointlessTain,ng? Evalua,ngthePrac,calityofPointer Tain,ng

PointlessTain,ng? Evalua,ngthePrac,calityofPointer Tain,ng AsiaSlowinska,HerbertBos VrijeUniversiteitAmsterdam Whypointertain,ng? AFacks Exploitlowlevelmemoryerrors

1.41k views • 65 slides
DR. CHECKER A Soundy Analysis for Linux Kernel Drivers Aravind Machiry, Chad Spensky , Jake Corina,

DR. CHECKER A Soundy Analysis for Linux Kernel Drivers Aravind Machiry, Chad Spensky , Jake Corina,

DR. CHECKER A Soundy Analysis for Linux Kernel Drivers Aravind Machiry, Chad Spensky , Jake Corina, Nick Stephens, Christopher Kruegel, and Giovanni Vigna University of California, Santa Barbara USENIX Security 2017 seclab THE COMPUTER SECURITY

995 views • 66 slides
PIITracker: Automatic Tracking of Personally Identifiable Information in Windows Meisam Navaki

PIITracker: Automatic Tracking of Personally Identifiable Information in Windows Meisam Navaki

PIITracker: Automatic Tracking of Personally Identifiable Information in Windows Meisam Navaki Arefi (mnavaki@unm.edu) Geoffrey Alexander Jedidiah R. Crandall What is PII? Personally Identifiable Information (PII) is information that can

380 views • 20 slides
A posteriori taint-tracking for demonstrating non-interference in expressive low-level languages

A posteriori taint-tracking for demonstrating non-interference in expressive low-level languages

A posteriori taint-tracking for demonstrating non-interference in expressive low-level languages Peter Aldous and Matthew Might University of Utah This title is a little much, so Faster automated proofs that information doesnt leak in

1.66k views • 115 slides
Practical taint analysis for protecting buggy binaries So your exploit beats ASLR/DEP? I don't

Practical taint analysis for protecting buggy binaries So your exploit beats ASLR/DEP? I don't

Practical taint analysis for protecting buggy binaries So your exploit beats ASLR/DEP? I don't care Erik Bosman &lt;erik@minemu.org&gt; Traditional Stack Smashing buf[16] GET / HTTP/1.1 00baseretnarg1arg2 Traditional Stack Smashing buf[16]

1.29k views • 100 slides

More recommend