TY - GEN
T1 - Detecting Security Vulnerabilities in Object-Oriented PHP Programs
AU - Nashaat, Mona
AU - Ali, Karim
AU - Miller, James
N1 - Publisher Copyright:
© 2017 IEEE.
PY - 2017/10/30
Y1 - 2017/10/30
N2 - PHP is one of the most popular web development tools in use today. A major concern though is the improper and insecure uses of the language by application developers, motivating the development of various static analyses that detect security vulnerabilities in PHP programs. However, many of these approaches do not handle recent, important PHP features such as object orientation, which greatly limits the use of such approaches in practice. In this paper, we present OOPIXY, a security analysis tool that extends the PHP security analyzer PIXY to support reasoning about object-oriented features in PHP applications. Our empirical evaluation shows that OOPIXY detects 88% of security vulnerabilities found in micro benchmarks. When used on real-world PHP applications, OOPIXY detects security vulnerabilities that could not be detected using state-of-the-art tools, retaining a high level of precision. We have contacted the maintainers of those applications, and two applications' development teams verified the correctness of our findings. They are currently working on fixing the bugs that lead to those vulnerabilities.
AB - PHP is one of the most popular web development tools in use today. A major concern though is the improper and insecure uses of the language by application developers, motivating the development of various static analyses that detect security vulnerabilities in PHP programs. However, many of these approaches do not handle recent, important PHP features such as object orientation, which greatly limits the use of such approaches in practice. In this paper, we present OOPIXY, a security analysis tool that extends the PHP security analyzer PIXY to support reasoning about object-oriented features in PHP applications. Our empirical evaluation shows that OOPIXY detects 88% of security vulnerabilities found in micro benchmarks. When used on real-world PHP applications, OOPIXY detects security vulnerabilities that could not be detected using state-of-the-art tools, retaining a high level of precision. We have contacted the maintainers of those applications, and two applications' development teams verified the correctness of our findings. They are currently working on fixing the bugs that lead to those vulnerabilities.
KW - analysis
KW - dynamic languages
KW - object-oriented programming
KW - php
KW - security
UR - http://www.scopus.com/inward/record.url?scp=85047197104&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85047197104&partnerID=8YFLogxK
U2 - 10.1109/SCAM.2017.20
DO - 10.1109/SCAM.2017.20
M3 - Conference contribution
AN - SCOPUS:85047197104
T3 - Proceedings - 2017 IEEE 17th International Working Conference on Source Code Analysis and Manipulation, SCAM 2017
SP - 159
EP - 164
BT - Proceedings - 2017 IEEE 17th International Working Conference on Source Code Analysis and Manipulation, SCAM 2017
PB - Institute of Electrical and Electronics Engineers Inc.
T2 - 17th IEEE International Working Conference on Source Code Analysis and Manipulation, SCAM 2017
Y2 - 17 September 2017 through 18 September 2017
ER -