
Design And Development Of An Automatic Vulnerability Analysis Tool Of PHP Program

Posted on: 2015-01-30
Degree: Master
Type: Thesis
Country: China
Candidate: Z Zhou
Full Text: PDF
GTID: 2308330473451933
Subject: Software engineering
Abstract/Summary:
The Internet age has driven the development of Web applications, but the security problems of those applications have grown more and more serious, and flaws and vulnerabilities in them have become one of the primary sources of such problems. PHP, a powerful and efficient language, is one of the most widely used server-side dynamic scripting languages, so research on security flaw analysis techniques for PHP programs is of great practical significance.

We use static source code analysis together with data flow analysis, and we mainly research and extend taint propagation analysis. In particular, we focus on the vulnerability model, the parse tree, the control flow graph, alias analysis, literal analysis and taint analysis. We finally developed a practical analysis tool named Paz, which can detect cross-site scripting (XSS) and SQL injection vulnerabilities in PHP source code. The taint propagation analysis in this thesis can be described as follows:

First, the PHP source code is translated into a parse tree and then into a control flow graph, which serves as the intermediate representation and describes each program point and the execution order of the code.

Second, we introduce a lattice definition for taint analysis, which describes the taint value of every variable at each program point, and a definition of transfer functions, which express how the taint value changes after each kind of program statement is executed.

Third, for cross-site scripting and SQL injection vulnerabilities, we define the entry point functions through which tainted data enters the program and the sensitive sink functions at which the vulnerabilities are triggered. We also define the sanitization ability of each relevant built-in function.

Finally, all entry point variables are conservatively defined as tainted data.
Following the execution order given by the control flow graph and the change made by the transfer function at each program point, we compute the taint value of a variable when it reaches a sensitive sink. If that value is tainted, the line of code may be reported as vulnerable; if it is untainted, no vulnerability is reported.

In this thesis we have solved several problems of the existing analysis techniques and tools, both in China and abroad, and our novel approaches effectively reduce both the false negative rate and the false positive rate of the analysis:

1) We studied interprocedural alias analysis in depth. The alias information it produces is then applied to value analysis and taint analysis, greatly reducing the false negative rate and also reducing the false positive rate to some extent.

2) We resolved the problem of file inclusions through literal analysis, especially for the case where the included file name is a variable. The control flow graph of the whole program thus becomes more complete, which significantly improves the accuracy of the analysis.

3) We analysed multidimensional arrays in detail in the literal analysis and the taint analysis, in particular solving the case where array indexes are variables, which effectively reduces the false positive rate.
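The propagation scheme described above (a taint lattice, per-statement transfer functions, entry points, sensitive sinks, the sanitization ability of built-ins, conservative tainting of entry point variables, and the join of taint values where paths of the control flow graph merge), as an added worked example that is not part of the thesis or of the Paz tool. It is a toy analyzer written in Python over a small, constructed PHP subset: the control flow graph is given explicitly instead of being built from a parse tree, the lattice is the powerset of {XSS, SQL} with set union as join, and aliasing from `$b = &$a` is handled by a flow-insensitive pre-pass, which is a simplification of the interprocedural alias analysis the thesis describes. The source, sink and sanitizer tables, the sample program, and the function names `taint_of_expr`, `transfer`, `collect_aliases` and `analyze` are all assumptions made for this example.

```python
"""Toy taint-propagation analysis over a control-flow graph of PHP statements.

Added example, not the thesis's Paz tool: the CFG is given explicitly, the PHP
subset is parsed with regular expressions, and the taint lattice is the
powerset of {XSS, SQL} (bottom = untainted, join = set union).
"""
import re
from collections import deque

XSS, SQL = "XSS", "SQL"
ALL = frozenset({XSS, SQL})      # fully tainted (top of the lattice)
EMPTY = frozenset()              # untainted (bottom of the lattice)

# Assumed tables for the example: entry points, sanitizer abilities, sinks.
SOURCES = {"$_GET", "$_POST", "$_COOKIE", "$_REQUEST"}
SANITIZERS = {"htmlspecialchars": {XSS}, "htmlentities": {XSS},
              "mysql_real_escape_string": {SQL}, "intval": {XSS, SQL}}
SINKS = {"echo": XSS, "print": XSS, "mysql_query": SQL}

VAR = r"\$[A-Za-z_]\w*"
REF_ASSIGN = re.compile(rf"({VAR})\s*=\s*&\s*({VAR})")
ASSIGN = re.compile(rf"({VAR})\s*=\s*(.+)")
CALL = re.compile(r"(\w+)\s*\(?\s*(.+?)\s*\)?")


def taint_of_expr(expr, env, aliases):
    """Taint value of an expression given env (variable -> frozenset of kinds)."""
    expr = expr.strip()
    m = re.fullmatch(r"(\$_[A-Z]+)\s*\[.*\]", expr)
    if m and m.group(1) in SOURCES:          # $_GET['q']: conservatively tainted
        return ALL
    m = re.fullmatch(r"(\w+)\s*\((.*)\)", expr)
    if m and m.group(1) in SANITIZERS:       # a sanitizer strips only the kinds it handles
        return taint_of_expr(m.group(2), env, aliases) - SANITIZERS[m.group(1)]
    if " . " in expr:                        # concatenation: join of the operands
        return frozenset().union(*(taint_of_expr(p, env, aliases) for p in expr.split(" . ")))
    if re.fullmatch(VAR, expr):              # variable: read through its alias representative
        return env.get(aliases.get(expr, expr), EMPTY)
    return EMPTY                             # string or number literal


def transfer(stmt, env, aliases):
    """Transfer function of one statement: returns (new env, finding or None)."""
    stmt = stmt.strip().rstrip(";")
    if REF_ASSIGN.fullmatch(stmt):           # $b = &$a: recorded by the alias pre-pass
        return env, None
    m = ASSIGN.fullmatch(stmt)
    if m:                                    # $x = expr: write the representative variable
        new = dict(env)
        new[aliases.get(m.group(1), m.group(1))] = taint_of_expr(m.group(2), env, aliases)
        return new, None
    m = CALL.fullmatch(stmt)
    if m and m.group(1) in SINKS:            # sensitive sink: report if its kind is present
        kind = SINKS[m.group(1)]
        if kind in taint_of_expr(m.group(2), env, aliases):
            return env, (m.group(1), kind)
    return env, None


def collect_aliases(cfg):
    """Flow-insensitive alias pre-pass: map every variable in a `$b = &$a` chain
    to one representative (a simplification of the thesis's alias analysis)."""
    rep = {}

    def find(v):
        while rep.get(v, v) != v:
            v = rep[v]
        return v

    for stmts, _ in cfg.values():
        for s in stmts:
            m = REF_ASSIGN.fullmatch(s.strip().rstrip(";"))
            if m:
                rep[find(m.group(1))] = find(m.group(2))
    return {v: find(v) for v in rep}


def analyze(cfg, entry="B0", use_aliases=True):
    """Worklist fixpoint over cfg = {block: (statements, successors)}.
    IN[b] is the join of OUT[p] over predecessors p; OUT[b] = transfer over b's
    statements. Returns sorted (block, index, statement, sink, kind) findings."""
    aliases = collect_aliases(cfg) if use_aliases else {}
    preds = {b: [] for b in cfg}
    for b, (_, succs) in cfg.items():
        for s in succs:
            preds[s].append(b)
    out, seen, findings, work = {b: {} for b in cfg}, set(), set(), deque([entry])
    while work:
        b = work.popleft()
        env = {}
        for p in preds[b]:                   # join: union of taint kinds per variable
            for v, t in out[p].items():
                env[v] = env.get(v, EMPTY) | t
        for i, s in enumerate(cfg[b][0]):
            env, f = transfer(s, env, aliases)
            if f:
                findings.add((b, i, s.strip(), f[0], f[1]))
        if b not in seen or env != out[b]:   # re-propagate until nothing changes
            seen.add(b)
            out[b] = env
            work.extend(cfg[b][1])
    return sorted(findings)


# Constructed sample program as a CFG: B0 branches to B1 or B2, which merge in B3.
SAMPLE_CFG = {
    "B0": (["$q = $_GET['q'];",
            "$safe = htmlspecialchars($q);",   # XSS removed, SQL still present
            "$ref = &$safe;"], ["B1", "B2"]),
    "B1": (["$out = \"Hello \" . $safe;"], ["B3"]),
    "B2": (["$out = intval($q);",
            "$ref = $q;"], ["B3"]),            # re-taints $safe through the alias
    "B3": (["echo $out;",                      # {SQL} only at the merge: no XSS
            "mysql_query(\"SELECT 1 WHERE a='\" . $out . \"'\");",  # SQL injection
            "echo $safe;"], []),               # XSS, seen only with alias information
}

if __name__ == "__main__":
    for block, idx, stmt, sink, kind in analyze(SAMPLE_CFG):
        print(f"{kind} at {block}[{idx}] via {sink}: {stmt}")
```

Running `analyze(SAMPLE_CFG)` reports the SQL injection through `$out` and the XSS through `$safe`; running it with `use_aliases=False` reports only the SQL injection, because the write to `$ref` in `B2` is then not seen as a write to `$safe`. That missed report is the kind of false negative that contribution 1) above, applying alias information to the taint analysis, is meant to remove.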
Keywords/Search Tags: PHP, vulnerability analysis, static analysis, data flow analysis, alias analysis