Visible to the public Detecting Security Vulnerabilities in Object-Oriented PHP Programs

TitleDetecting Security Vulnerabilities in Object-Oriented PHP Programs
Publication TypeConference Paper
Year of Publication2017
AuthorsNashaat, M., Ali, K., Miller, J.
Conference Name2017 IEEE 17th International Working Conference on Source Code Analysis and Manipulation (SCAM)
Date Publishedsep
KeywordsAnalysis, Benchmark testing, composability, Computer architecture, dynamic languages, feature extraction, Metrics, microbenchmarks, object orientation feature, object oriented security, object-oriented PHP programs, object-oriented programming, OOPIXY, PHP, PIXY PHP security analyzer, program debugging, program diagnostics, pubcrawl, resilience, Resiliency, safety-critical software, security, security analysis tool, security vulnerability detection, static analysis, Tools
AbstractPHP is one of the most popular web development tools in use today. A major concern though is the improper and insecure uses of the language by application developers, motivating the development of various static analyses that detect security vulnerabilities in PHP programs. However, many of these approaches do not handle recent, important PHP features such as object orientation, which greatly limits the use of such approaches in practice. In this paper, we present OOPIXY, a security analysis tool that extends the PHP security analyzer PIXY to support reasoning about object-oriented features in PHP applications. Our empirical evaluation shows that OOPIXY detects 88% of security vulnerabilities found in micro benchmarks. When used on real-world PHP applications, OOPIXY detects security vulnerabilities that could not be detected using state-of-the-art tools, retaining a high level of precision. We have contacted the maintainers of those applications, and two applications' development teams verified the correctness of our findings. They are currently working on fixing the bugs that lead to those vulnerabilities.
Citation Keynashaat_detecting_2017