Static Code Analysis of Complex PHP Application Vulnerabilities - PowerPoint PPT Presentation

Static Code Analysis Automatisierte Sicherheitsanalyse of Complex PHP Application Vulnerabilities von Webapplikationen Static Code Analysis of Complex PHP Application Vulnerabilities Johannes Dahse

Static Code Analysis Automatisierte Sicherheitsanalyse of Complex PHP Application Vulnerabilities von Webapplikationen 1. Introduction 2. Static Code Analysis 3. First-order Bug Detection 4. Second-order Bug Detection 5. Gadget Chain Detection

1. Introduction Static Code Analysis 2. Static Code Analysis Automatisierte Sicherheitsanalyse 3. First-order Bugs of Complex PHP Application Vulnerabilities von Webapplikationen 4. Second-order Bugs 5. Gadget Chains 1.1 About ● Johannes Dahse ● @FluxReiners ● websec.wordpress.com ● Ph.D. IT-Security, Ruhr-University Bochum ● Security Consultant / CTF Player ● Developer of RIPS ● CEO of RIPS Technologies 3

1. Introduction Static Code Analysis 2. Static Code Analysis Automatisierte Sicherheitsanalyse 3. First-order Bugs of Complex PHP Application Vulnerabilities von Webapplikationen 4. Second-order Bugs 5. Gadget Chains 1.2 Research Timeline ● 2007 – 2009: PHP Scanner based on Regex used for CTF competitions ● 2009 – 2011: RIPS 0.1 - 0.5 based on Tokenizer open sourced during MOPS ● 2012: RIPS 1.0 based on AST and CFG subject of master thesis ● 2013 – 2015: RIPS 1.0 – 2.0 www.ripstech.com subject of doctor thesis ● 2016: RIPS 2.0 Standalone / Cloud Product 4

1. Introduction Static Code Analysis 2. Static Code Analysis Automatisierte Sicherheitsanalyse 3. First-order Bugs of Complex PHP Application Vulnerabilities von Webapplikationen 4. Second-order Bugs 5. Gadget Chains 1.3 The Role of PHP ● 82.2 % of the websites run PHP as server-side language ● Dynamic language, built-in features, oddities / pitfalls ● 25 % of all reported CVE vulnerabilities are related to PHP ● Sucuri Website Hacked Report: 97 % of hacked websites run PHP CMS Source: W 3 Techs Source: MITRE CVE 8000 PHP 7000 ASP 6000 Java 5000 CFM Other 4000 Ruby PHP 3000 Perl 2000 Python 1000 JS 0 0 10 20 30 40 50 60 70 80 90 00 01 02 03 04 05 06 07 08 09 10 11 12 13 14 5

1. Introduction Static Code Analysis 2. Static Code Analysis Automatisierte Sicherheitsanalyse 3. First-order Bugs of Complex PHP Application Vulnerabilities von Webapplikationen 4. Second-order Bugs 5. Gadget Chains 1.4 Problem ● Detect and eliminate security vulnerabilities in PHP applications ● Hundred thousands lines of code ● Complex and hard to spot vulnerabilities ● Manual code reviews become ineffective Callgraph for Wordpress Index Page 6

1. Introduction Static Code Analysis 2. Static Code Analysis Automatisierte Sicherheitsanalyse 3. First-order Bugs of Complex PHP Application Vulnerabilities von Webapplikationen 4. Second-order Bugs 5. Gadget Chains 1.5 Approach ● Automated security analysis of PHP code ● Static code analysis Static Dynamic analyze code analyze code without execution while execution Code Coverage full Single execution path Data Coverage Compile-time data Runtime data (valid for environment) Decidability Halting Problem Real data 7

1. Introduction Static Code Analysis 2. Static Code Analysis Automatisierte Sicherheitsanalyse 3. First-order Bugs of Complex PHP Application Vulnerabilities von Webapplikationen 4. Second-order Bugs 5. Gadget Chains 1.6 Challenges - Dynamic PHP language - Support variety of language features - Detect common vulnerability types - Detect complex vulnerabilities - Scale to large applications - Non-annotation based 8

1. Introduction Static Code Analysis 2. Static Code Analysis Automatisierte Sicherheitsanalyse 3. First-order Bugs of Complex PHP Application Vulnerabilities von Webapplikationen 4. Second-order Bugs 5. Gadget Chains 2. Static Code Analysis 9

1. Introduction Static Code Analysis 2. Static Code Analysis Automatisierte Sicherheitsanalyse 3. First-order Bugs of Complex PHP Application Vulnerabilities von Webapplikationen 4. Second-order Bugs 5. Gadget Chains 2.1 Overview ● Transform code into abstract syntax tree (AST) 1 $cookie = $_COOKIE ['text']; Variable Variable String $cookie = $_COOKIE['text']; Assign var expr $cookie $_COOKIE variable array dim 'text' string Code AST Basic Blocks CFG Report 10

1. Introduction Static Code Analysis 2. Static Code Analysis Automatisierte Sicherheitsanalyse 3. First-order Bugs of Complex PHP Application Vulnerabilities von Webapplikationen 4. Second-order Bugs 5. Gadget Chains 2.1 Overview ● Transform code into abstract syntax tree (AST) ● Split AST into basic blocks Code AST Basic Blocks CFG Report 11

1. Introduction Static Code Analysis 2. Static Code Analysis Automatisierte Sicherheitsanalyse 3. First-order Bugs of Complex PHP Application Vulnerabilities von Webapplikationen 4. Second-order Bugs 5. Gadget Chains 2.1 Overview ● Transform code into abstract syntax tree (AST) ● Split AST into basic blocks ● Analyze data flow within each basic block Code AST Basic Blocks CFG Report 12

1. Introduction Static Code Analysis 2. Static Code Analysis Automatisierte Sicherheitsanalyse 3. First-order Bugs of Complex PHP Application Vulnerabilities von Webapplikationen 4. Second-order Bugs 5. Gadget Chains 2.1 Overview ● Transform code into abstract syntax tree (AST) ● Split AST into basic blocks ● Analyze data flow within each basic block ● Summarize data flow in block and function summaries Code AST Basic Blocks CFG Report 13

1. Introduction Static Code Analysis 2. Static Code Analysis Automatisierte Sicherheitsanalyse 3. First-order Bugs of Complex PHP Application Vulnerabilities von Webapplikationen 4. Second-order Bugs 5. Gadget Chains 2.1 Overview ● Transform code into abstract syntax tree (AST) ● Split AST into basic blocks ● Analyze data flow within each basic block ● Summarize data flow in block and function summaries ● Connect basic blocks to a control flow graph (CFG) Code AST Basic Blocks CFG Report 14

1. Introduction Static Code Analysis 2. Static Code Analysis Automatisierte Sicherheitsanalyse 3. First-order Bugs of Complex PHP Application Vulnerabilities von Webapplikationen 4. Second-order Bugs 5. Gadget Chains 2.1 Overview ● Transform code into abstract syntax tree (AST) ● Split AST into basic blocks ● Analyze data flow within each basic block ● Summarize data flow in block and function summaries ● Connect basic blocks to a control flow graph (CFG) ● Perform backwards-directed taint analysis for each sensitive sink Code AST Basic Blocks CFG Report 15

1. Introduction Static Code Analysis 2. Static Code Analysis Automatisierte Sicherheitsanalyse 3. First-order Bugs of Complex PHP Application Vulnerabilities von Webapplikationen 4. Second-order Bugs 5. Gadget Chains 2.1 Overview ● Transform code into abstract syntax tree (AST) ● Split AST into basic blocks ● Analyze data flow within each basic block ● Summarize data flow in block and function summaries ● Connect basic blocks to a control flow graph (CFG) ● Perform backwards-directed taint analysis for each sensitive sink Code AST Basic Blocks CFG Report 16

1. Introduction Static Code Analysis 2. Static Code Analysis Automatisierte Sicherheitsanalyse 3. First-order Bugs of Complex PHP Application Vulnerabilities von Webapplikationen 4. Second-order Bugs 5. Gadget Chains 2.2 Refinement Code AST Basic CFG Report Blocks 17

1. Introduction Static Code Analysis 2. Static Code Analysis Automatisierte Sicherheitsanalyse 3. First-order Bugs of Complex PHP Application Vulnerabilities von Webapplikationen 4. Second-order Bugs 5. Gadget Chains 2.2 Refinement Precise Simulation of PHP Built-in Features - Sources + sinks - Input sanitization + encoding - Built-in functions (data flow) Code AST Basic CFG Report Blocks 18

1. Introduction Static Code Analysis 2. Static Code Analysis Automatisierte Sicherheitsanalyse 3. First-order Bugs of Complex PHP Application Vulnerabilities von Webapplikationen 4. Second-order Bugs 5. Gadget Chains 2.2 Refinement source Precise Simulation of PHP Built-in Features - Sources + sinks - Input sanitization + encoding - Built-in functions (data flow) sink Code AST Basic CFG Report Blocks 19

1. Introduction Static Code Analysis 2. Static Code Analysis Automatisierte Sicherheitsanalyse 3. First-order Bugs of Complex PHP Application Vulnerabilities von Webapplikationen 4. Second-order Bugs 5. Gadget Chains 2.2 Refinement Efficient Data Flow Analysis Precise Simulation of - Block and function summaries PHP Built-in Features - Inter-procedural - Sources + sinks - Object- and field-sensitive - Input sanitization + encoding - Backwards-directed data flow & - Built-in functions (data flow) forwards-directed object analysis Code AST Basic CFG Report Blocks 20

Static Code Analysis of Complex PHP Application Vulnerabilities - PowerPoint PPT Presentation

Static Code Analysis Automatisierte Sicherheitsanalyse of Complex PHP Application Vulnerabilities von Webapplikationen Static Code Analysis of Complex PHP Application Vulnerabilities Johannes Dahse Static Code Analysis Automatisierte

Static vs. Dynamic Analysis Static analysis: analyze source code or byte code Imprecise

Modelling, Specification and Formal Analysis of Complex Software Systems Precise Static Analysis

Static analysis of OpenAFS code base Cheyenne Wills OpenAFS 2019 Workshop Overview What is

Bridging the Semantic Gap Through Static Code Analysis Christian Schneider, Jonas Pfoh, Claudia

Modelling, Specification and Formal Analysis of Complex Software Systems Precise Static Analysis

Static and dynamic verification Software inspections Concerned with analysis of the static

Static Code Analysis on Networking Code: Identifying the capabilities of finding implementation

Static and dynamic verification Software inspections Concerned with analysis of the

Static execution-time analysis CPU speed model Bounds on Static (Sub)program code exec time

Dataflow Analysis Iterative Data-flow Analysis and Static-Single-Assignment cs5363 1

Reducing the overhead of direct application instrumentation using prior static analysis 3 rd May

Source Code Analysis for Security through LLVM Lu Zhao HP Fortify lu.zhao@hp.com Static Code

Whats Coverity static analysis ever done for us? Philip Withnall Endless Mobile

Static Analysis of Haskell Neil Mitchell http://ndmitchell.com Static Analysis is getting

Graph-based analysis of JavaScript source code repositories Gbor Szrnyas Graph Processing

Comparing the Effectiveness of Penetration Testing and Static Code Analysis Detection of SQL

CMSC 245 Wrap-up This class is about understanding how programs work To do this, were going

Faculty Early Career Development (CAREER) Program Program Solicitation NSF 15-555 For

AST 1420 Galactic Structure and Dynamics M51 Cen A NGC 1300 M81 NGC 3923 Why study galaxies?

SENSE PARSING BROAD in a 3.1 Two classes of parsing methods 117 3.1 Two classes of parsing

Syntax and ANTLR Syntax vs. Semantics Semantics: What does a program mean? Defined by

11/8/2012 The Structure of a Compiler (2) The Structure of a Compiler (1) Any compiler must

Introduction Sebastian Hack http://compilers.cs.uni-saarland.de Compiler Construction Core

Direct Reflection for Free! Joomy Korkut Princeton University advised by Andrew W. Appel