Detecting Security Vulnerabilities in Object-Oriented PHP Programs

Mona Nashaat, Karim Ali, James Miller

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

PHP is one of the most popular web development tools in use today. A major concern, though, is the improper and insecure use of the language by application developers, which has motivated the development of various static analyses that detect security vulnerabilities in PHP programs. However, many of these approaches do not handle recent, important PHP features such as object orientation, which greatly limits their use in practice. In this paper, we present OOPIXY, a security analysis tool that extends the PHP security analyzer PIXY to support reasoning about object-oriented features in PHP applications. Our empirical evaluation shows that OOPIXY detects 88% of the security vulnerabilities in our micro benchmarks. When used on real-world PHP applications, OOPIXY detects security vulnerabilities that could not be detected using state-of-the-art tools, while retaining a high level of precision. We have contacted the maintainers of those applications, and the development teams of two of them verified the correctness of our findings. They are currently working on fixing the bugs that lead to those vulnerabilities.
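To make the abstract's point concrete, the following is an added example written for this page (it is not code from the paper or from OOPIXY): request input reaches an HTML output sink only through a constructor argument, an object property, and a method invoked via an interface. A taint analysis that does not model object allocation, field stores and loads, and dynamic dispatch has no path from `$_GET` to the `echo`, while an object-aware analysis does. The class and function names are illustrative, the `$_GET` value is constructed so the script runs from the CLI, and PHP 8 is assumed for constructor property promotion.

```php
<?php
// Added example, not from the paper: an XSS flow that is visible only to a
// taint analysis that reasons about objects. Names are illustrative.

declare(strict_types=1);

// Constructed input standing in for a real HTTP request (runs under php-cli).
$_GET['name'] = '<script>alert(1)</script>';

interface Greeting
{
    public function render(): string;
}

// Tainted input enters through the constructor and is stored in a property.
final class UserGreeting implements Greeting
{
    private string $name;

    public function __construct(string $name)
    {
        $this->name = $name;   // taint now lives in object state, not a local
    }

    // A procedural analysis that does not track $this->name across methods,
    // or cannot resolve which class render() belongs to, never sees this flow.
    public function render(): string
    {
        return '<p>Hello, ' . $this->name . '</p>';   // unsanitized concatenation
    }
}

// Hardened variant: escape at the sink, where the output context (HTML body) is known.
final class SafeUserGreeting implements Greeting
{
    public function __construct(private string $name)
    {
    }

    public function render(): string
    {
        $safe = htmlspecialchars($this->name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
        return '<p>Hello, ' . $safe . '</p>';
    }
}

// Sink. The call site shows only an interface method; whether tainted data
// arrives here depends on which concrete object was allocated upstream.
function page(Greeting $g): string
{
    return $g->render();
}

$vulnerable = page(new UserGreeting($_GET['name']));      // script tag survives
$hardened   = page(new SafeUserGreeting($_GET['name']));  // entities escaped

echo "vulnerable: $vulnerable\n";
echo "hardened:   $hardened\n";
```

Run it with `php example.php`: the first line echoes the `<script>` payload intact, the second prints it as `&lt;script&gt;...`. Tracing the vulnerable path by hand requires knowing that `$g` is a `UserGreeting`, that its `name` field was written from `$_GET`, and that `render()` reads that field, which is exactly the object-level reasoning the abstract says earlier PHP analyzers lack.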

Original language: English (US)
Title of host publication: Proceedings - 2017 IEEE 17th International Working Conference on Source Code Analysis and Manipulation, SCAM 2017
Publisher: Institute of Electrical and Electronics Engineers Inc.
Pages: 159-164
Number of pages: 6
ISBN (Electronic): 9781538632383
DOIs
State: Published - Oct 30 2017
Event: 17th IEEE International Working Conference on Source Code Analysis and Manipulation, SCAM 2017 - Shanghai, China
Duration: Sep 17 2017 to Sep 18 2017

Publication series

Name: Proceedings - 2017 IEEE 17th International Working Conference on Source Code Analysis and Manipulation, SCAM 2017
Volume: 2017-October

Conference

Conference: 17th IEEE International Working Conference on Source Code Analysis and Manipulation, SCAM 2017
Country/Territory: China
City: Shanghai
Period: 9/17/17 to 9/18/17

Keywords

  • analysis
  • dynamic languages
  • object-oriented programming
  • php
  • security

ASJC Scopus subject areas

  • Software
  • Safety, Risk, Reliability and Quality
