PHP Security Research

PHP Security Research - overview
The LAMP stack (Linux, Apache, MySQL, PHP/Perl/Python) is very popular because of the ease with which web applications can be developed rapidly. Substantial open source code exists for rapidly creating Web applications. However, software quality, including security, is a major issue for the deployment of such applications. Security flaws, for instance, can be introduced at several points in the life cycle of a Web application:

  • at the client side in the web browser,
  • on the wire,
  • at the front end of the server,
  • in the web application on the server,
  • at Web services level, and
  • in the back end (e.g., databases).

An end-to-end Web application consists of components and modules written in multiple languages, including JavaScript, HTML, PHP, Python, Java, and SQL. The goal of this project is to perform an end-to-end security analysis based on the use of static and dynamic analysis of programs written in multiple languages.

Our approach for addressing the end-to-end software quality and security of Web applications consists of building tools for analyzing programs written in multiple languages. Our current focus is on analyzing PHP applications to detect software errors, including security vulnerabilities that may exist in such applications. Our approach includes not only analysis of PHP programs, but also analysis of configuration files and of the interplay between PHP, Apache, and database configurations.

Our next step will be to extend our approach to programs written in JavaScript and to databases, including their respective configuration files. Our tools can be used during the development, build, and deployment of web (PHP) applications. We intend for the tools to be available as Eclipse plugins.

Publications

  • Tadeusz Pietraszek, Chris Vanden Berghe. Defending against Injection Attacks through Context-Sensitive String Evaluation. In Recent Advances in Intrusion Detection (RAID 2005), volume 3858 of Lecture Notes in Computer Science, pages 124-145, Seattle, WA, 2005. Springer-Verlag.
  • V.C. Sreedhar. Static and Dynamic Analysis for PHP Security. NYPHPCon. (PDF)
  • Wietse Venema. PHP tainted variables. NY PHP users group. (PPT)