VulPathsFinder: A Static Method for Finding Vulnerable Paths in PHP Applications Based on CPG-Reference-Cited by-同舟云学术

VulPathsFinder: A Static Method for Finding Vulnerable Paths in PHP Applications Based on CPG

Published:2023-08-14 Issue:16 Volume:13 Page:9240
ISSN:2076-3417
Container-title:Applied Sciences
language:en
Short-container-title:Applied Sciences

Author:

Zhao Chunhui¹,Tu Tengfei¹^ORCID,Wang Cheng¹,Qin Sujuan¹

Affiliation:

1. State Key Laboratory of Networking and Switching Technology, Beijing University of Posts and Telecommunications, Beijing 100876, China

Abstract

Today, as PHP application technology is becoming increasingly mature, the functions of modern multi-layer web applications are becoming more and more complete, and the complexity is also gradually increasing. While providing developers with various business functions and interfaces, multi-tier Web applications also successfully cover the details of application development. This type of web application adopts a unified entrance, many object-oriented codes are used, and features such as encapsulation, inheritance, and polymorphism bring challenges to vulnerability mining from the perspective of static analysis. A large amount of object-oriented code makes it impossible for a simple function name-matching method to build a complete call graph (CG), resulting in the inability to perform a comprehensive interprocedural analysis. At the same time, the encapsulation feature of the class makes the data hidden in the object attribute, and the vulnerability path cannot be obtained through the general data-flow analysis. In response to the above issues, we propose a vulnerability detection method that supports vulnerability detection for multi-layer web applications based on MVC (Model-View-Control) architecture. First, we improve the construction of the call graph and Code Property Graph (CPG). Then, based on the enhanced Code Property Graph, we propose a technique to support vulnerability detection for multi-layer web applications. Based on this approach, we implemented a prototype of VulPathsFinder, a security analysis tool extended from the PHP security analyzer Joern-PHP. Then, we select ten MVC based and ten non-MVC-based applications to form a test dataset and validate the effectiveness of VulPathsFinder based on this dataset. Experimental results show that, compared with currently available tools, VulPathsFinder can handle framework applications more effectively, build a complete code property map, and detect vulnerabilities in framework applications that existing tools cannot detect.

Funder

National Key R&D Program of China

Publisher

MDPI AG

Subject

Fluid Flow and Transfer Processes,Computer Science Applications,Process Chemistry and Technology,General Engineering,Instrumentation,General Materials Science

Link

https://www.mdpi.com/2076-3417/13/16/9240/pdf

Reference40 articles.

1. Jovanovic, N., Kruegel, C., and Kirda, E. (2006, January 21–24). Pixy: A static analysis tool for detecting web application vulnerabilities. Proceedings of the 2006 IEEE Symposium on Security and Privacy (S&P’06), Berkeley/Oakland, CA, USA.

2. Dahse, J., and Holz, T. (2014, January 23–26). Simulation of Built-in PHP Features for Precise Static Code Analysis. Proceedings of the NDSS, San Diego, CA, USA.

3. Nashaat, M., Ali, K., and Miller, J. (2017, January 17–18). Detecting Security Vulnerabilities in Object-Oriented PHP Programs. Proceedings of the 2017 IEEE 17th International Working Conference on Source Code Analysis and Manipulation (SCAM), Shanghai, China.

4. Nunes, P.J.C., Fonseca, J., and Vieira, M. (2015, January 22–25). phpSAFE: A security analysis tool for OOP web application plugins. Proceedings of the 2015 45th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, Rio de Janeiro, Brazil.

5. Hauzar, D., and Kofroň, J. (2014, January 1–5). Weverca: Web applications verification for php. Proceedings of the Software Engineering and Formal Methods: 12th International Conference, SEFM 2014, Grenoble, France. Proceedings 12.