PHP Tainted variables

Outline:
PHP's role in web applications.
PHP's role in CVE vulnerabilities.
Dataflow analysis with taint.
Tainted variables implementation.
Performance: 1% run-time overhead.
Project status, gripes, and availability.
Where PHP sits (architecture diagram):
Client host: the user and a web browser; client-side applications written in HTML, Javascript, Java (and Flash, pdf, doc, ppt).
Server host: a web server and a dbms; server-side applications written in PHP, ASP, Java, Perl, Ruby, Haskell (and SQL, Shell).
PHP 1: open source scripting language, primarily for dynamically-generated web page content.
Powers websites from Yahoo, Wikipedia, Flickr, Facebook, to personal blogs.
Other server-side technology: ASP 2, JSP 3, CGI 4, Perl, Python, Ruby, Haskell, SQL, Shell, . . .
1 Personal Home Page tools (1995); PHP: Hypertext Preprocessor (1997)
2 Active Server Pages (Microsoft)
3 Java Server Pages (code written in Java)
4 Common Gateway Interface (used for external programs)
File: hello.php
URL: http://example.com/hello.php?name=Wietse
Mixes business logic and data presentation. The request parameter is echoed without any conversion:

    <html>
    <body>
    <?php echo "Hello, " . $_GET['name']; ?>
    Static hypertext...
    </body>
    </html>

Output:
    Hello, Wietse
    Static hypertext...
Source: http://www.nexen.net/
PHP dominates ASP by a wide margin.
Note: PHP runs on Windows and *n*x.
Source: http://www.nexen.net/
PHP 4: 2000-2007. No security fixes after 2008/08.
PHP 5: 2004-present. Now at version 5.2.5.
CVE 1 over-all statistics for 2006:
#1 (18.5%) Cross-site scripting 2.
#2 (13.6%) SQL injection 3.
#3 (13.1%) PHP file include attack.
...
#17 (0.4%) Shell command injection 4.
1 Common Vulnerabilities and Exposures, http://cve.mitre.org/docs/vuln-trends/index.html
2,3,4 These numbers also include non-PHP applications.
Template SQL query for login authentication:
    select * from users where username='$username' and password='$password'
Attack:
    Username: admin
    Password: ' or 1=1 --
Actual SQL query:
    select * from users where username='admin' and password='' or 1=1 -- '
The username is still data; the password has become executable code: the quote closes the string literal, "or 1=1" makes the condition true for every row, and "--" comments out the rest of the query.
Different names for the same type of bug: SQL injection; cross-site scripting (= HTML code injection); shell command injection; and others.
Contrary to popular belief, this is not simply an input validation problem:
Quotes may appear in legitimate inputs (O'Reilly).
Each output context has different special characters.
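The login query above, run against a real SQL engine, as an added example that is not code from the slides. It uses SQLite (shipped with Python) instead of MySQL, a constructed two-row users table, and its own function names (make_db, login_vulnerable, login_escaped, login_parameterized, sqlite_escape, demo). It shows the slide's attack string bypassing the check, the honest input O'Reilly breaking the unconverted query, and both fixes: output conversion for the SQLite string-literal context, and placeholders that keep the data out of the SQL text altogether.

```python
# Added example, not code from the slides: the slide's login query run against
# an in-memory SQLite database. The table, the two rows and the inputs are
# constructed for this demo; SQLite is used because it ships with Python.
import sqlite3


def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("create table users (username text, password text)")
    # O'Reilly is the slides' example of a legitimate input containing a quote.
    con.executemany("insert into users values (?, ?)",
                    [("admin", "s3cret"), ("O'Reilly", "tim")])
    con.commit()
    return con


def login_vulnerable(con, username, password):
    """The slide's template with the inputs pasted into the query text.

    Returns the matching rows, or None when the query text is no longer valid
    SQL at all (which is what an honest O'Reilly does to it)."""
    sql = ("select * from users where username='" + username +
           "' and password='" + password + "'")
    try:
        return con.execute(sql).fetchall()
    except sqlite3.OperationalError:
        return None


def sqlite_escape(value):
    """Output conversion for an SQLite single-quoted string literal: double the
    quote. MySQL's mysql_real_escape_string() backslash-escapes instead; the
    set of special characters belongs to the output context, as the slides say."""
    return value.replace("'", "''")


def login_escaped(con, username, password):
    """Same string-built query, but every pasted value is converted first."""
    sql = ("select * from users where username='" + sqlite_escape(username) +
           "' and password='" + sqlite_escape(password) + "'")
    return con.execute(sql).fetchall()


def login_parameterized(con, username, password):
    """Placeholders: the values never become part of the SQL text at all."""
    return con.execute("select * from users where username=? and password=?",
                       (username, password)).fetchall()


ATTACK = "' or 1=1 --"   # the password from the slide


def demo():
    con = make_db()
    return {
        "honest_vulnerable": login_vulnerable(con, "admin", "s3cret"),
        "attack_vulnerable": login_vulnerable(con, "admin", ATTACK),
        "oreilly_vulnerable": login_vulnerable(con, "O'Reilly", "tim"),
        "attack_escaped": login_escaped(con, "admin", ATTACK),
        "oreilly_escaped": login_escaped(con, "O'Reilly", "tim"),
        "attack_parameterized": login_parameterized(con, "admin", ATTACK),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:22} -> {rows}")
```

The vulnerable version returns both rows for the attack (the login succeeds for everyone) and returns nothing at all for O'Reilly, which is the "not an input validation problem" point: rejecting quotes would lock out a legitimate user, while converting them for the output context lets O'Reilly in and turns the attack string back into data.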
Earlier PHP answers and why they fall short:
Magic quotes: insert \ before ', ", \ and NUL, to prevent SQL code injection (removed in PHP 5.4; at the time of this talk the removal was planned for PHP 6). Happens automatically with data from network/file/dbms. Problem: SQL, HTML and Shell have different special characters.
Safe mode: whitelist files and directories; blacklist functions and entire classes (removed in PHP 5.4; likewise planned for PHP 6 at the time). Does not distinguish illegitimate requests (user-specified file) from legitimate requests (application-specified file).
Input filters (PHP 5) are "magic quotes done right". Same problem: SQL, HTML and Shell have different special characters.
The proposal, as posted to php.internals:
"This is a proposal to add basic Perl/Ruby like tainting support to PHP: an option that is turned off by default, and that programmers may turn on at runtime to alert them when they make the common mistake of using uncleansed input with include, echo, system, open, etc."
http://news.php.net/php.internals/26979
"Yesterday, I had a heated debate with Stefan Esser, one of the most active people (if not the most active person) in the field of PHP security. I told him that I, as well as a lot of other contributors to the PHP project, are at odds with the way he's behaving; while at the same time appreciating the highly skilled job he's doing for PHP."
http://suraski.net/blog/index.php?/archives/15-Stefan-Esser-quits-securityphp.net.html
Detect and report opportunities for: code injection (HTML, SQL, Shell); script hijacking ("include", "eval", ...).
Support multiple enforcement levels: do nothing (default) / log warning / terminate execution.
Reduce run-time overhead 1 down to ~1%: make "always on" enforcement a realistic option.
1 Up to 20% in competing taint-for-PHP approaches.
Script: echo "Hello, " . $_GET['name'];
Request: GET /hello.php?name=Wietse

Taint dataflow:
source=request: "Wietse", status=tainted
source=script: "Hello, ", status=clean
operator=concat propagates taint: "Hello, Wietse", status=tainted
sink=echo detects taint
Note: this is the simplest way to propagate taint.
taint_error_level settings:
E_NONE (default): execution completes normally.
E_WARNING (audit mode): execution continues after logging a warning message.
E_ERROR (enforcement mode): execution terminates after logging the above warning.
Example warning:
    Warning: echo(): Argument contains data that is not converted with htmlspecialchars() or htmlentities() in /path/to/script on line X
Script: echo "Hello, " . htmlentities($_GET['name']);
Request: GET /hello.php?name=Wietse

Taint dataflow:
source=network: "Wietse", status=tainted
conversion=htmlentities converts the data and removes the taint: "Wietse", status=clean
source=script: "Hello, ", status=clean
operator=concat propagates taint: "Hello, Wietse", status=clean
sink=echo detects taint: nothing to report
Taint flavors. Source mark policy and sink detect policy are configurable.
TC_HTML: marked on input from web or database; converted by htmlspecialchars() or htmlentities(); detected at HTML output.
TC_MYSQL: marked on input from web or database; converted by mysql_escape_string() or mysql_real_escape_string(); detected at MySQL query.
TC_SHELL: marked on input from web or database; converted by escapeshellcmd() or escapeshellarg(); detected at shell command.
TC_SELF: marked on input from web; converted by untaint($var, TC_SELF); detected at include, eval, ...
TC_USER1, TC_USER2: marked on application-dependent sources; converted by untaint($var, TC_SELF); detected at application-dependent sinks.
Detects where a program fails to convert data with htmlentities(), mysql_real_escape_string(), etc.
Detects XSS, SQL, or shell code injection without malicious input: the missing conversion is reported for any request that reaches the sink, so ordinary test traffic suffices. Ditto with include vulnerability, etc.
Low run-time overhead: 0.5-1.5% in macro performance tests, independent of the taint_error_level setting.
Coverage limitations:
Vulnerabilities are detected only in code that actually executes (WYRIAYD).
False "missing conversion" warnings when data is guaranteed to never contain special characters:
    if (ctype_alnum($name)) { mysql_query("select * from users where name=$name ...
Output conversion doesn't eliminate all problems; here the converted value is pasted into the query without surrounding quotes, so no warning is given, yet the query is still injectable:
    mysql_query("select * from users where name=" . mysql_real_escape_string($name) . " and ..
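The dataflow described above (sources marking data, concat propagating taint, conversion functions clearing it, sinks checking it, the three taint_error_level settings) together with the two coverage limitations on this slide, as an added example in Python. This is not the project's own code, which is a C patch to the Zend engine; the names TC_*, E_*, untaint, echo, mysql_query and system mirror the slides' vocabulary, while TStr, Engine, from_request, from_script and demo() are this example's own. The backslash escaping in mysql_real_escape_string covers only the four characters the magic quotes slide lists, which is enough for the demonstration.

```python
# Added example, not the slides' C implementation: a toy Python model of the
# taint-flavor design. Each value carries a bitmask with one bit per flavor,
# the binary operator ORs the masks, conversion functions clear one bit, and
# sinks check the bit they care about. TC_*, E_*, untaint, echo, mysql_query
# and system mirror the slides' vocabulary; TStr, Engine, demo() are this example's.
import html
import shlex

TC_HTML, TC_MYSQL, TC_SHELL, TC_SELF = 1, 2, 4, 8
E_NONE, E_WARNING, E_ERROR = 0, 1, 2

class TaintError(Exception):
    pass    # raised by a sink in enforcement mode (taint_error_level = E_ERROR)

class TStr:
    """A string plus its taint bitmask."""
    def __init__(self, value, taint=0):
        self.value, self.taint = value, taint

    def __add__(self, other):
        # Binary operator: the branch-less OR from the performance slide.
        return TStr(self.value + other.value, self.taint | other.taint)

# Sources: web input is marked for every flavor, script literals are clean.
def from_request(s):
    return TStr(s, TC_HTML | TC_MYSQL | TC_SHELL | TC_SELF)

def from_script(s):
    return TStr(s, 0)

# Conversion functions convert the data and clear only their own flavor bit:
# HTML-escaped data is still tainted for SQL and for the shell.
def htmlentities(t):
    return TStr(html.escape(t.value, quote=True), t.taint & ~TC_HTML)

def mysql_real_escape_string(t):
    # Backslash-escape the characters listed on the magic quotes slide.
    v = t.value
    for ch, rep in (("\\", "\\\\"), ("'", "\\'"), ('"', '\\"'), ("\0", "\\0")):
        v = v.replace(ch, rep)
    return TStr(v, t.taint & ~TC_MYSQL)

def escapeshellarg(t):
    return TStr(shlex.quote(t.value), t.taint & ~TC_SHELL)

def untaint(t, flavor):
    # The application vouches for the data after its own validation.
    return TStr(t.value, t.taint & ~flavor)

class Engine:
    """Holds the taint_error_level setting and the warnings that sinks log."""
    def __init__(self, level=E_WARNING):
        self.level, self.warnings = level, []

    def _sink(self, name, t, flavor, hint):
        if (t.taint & flavor) and self.level != E_NONE:
            msg = f"Warning: {name}(): Argument contains data that is not converted with {hint}"
            self.warnings.append(msg)
            if self.level == E_ERROR:
                raise TaintError(msg)
        return t.value      # a real sink would now emit, query or execute

    def echo(self, t):
        return self._sink("echo", t, TC_HTML, "htmlspecialchars() or htmlentities()")

    def mysql_query(self, t):
        return self._sink("mysql_query", t, TC_MYSQL, "mysql_real_escape_string()")

    def system(self, t):
        return self._sink("system", t, TC_SHELL, "escapeshellcmd() or escapeshellarg()")

def demo(level=E_WARNING):
    """Runs the slides' cases; returns the sink outputs and the logged warnings."""
    eng, out = Engine(level), {}
    hello, q = from_script("Hello, "), from_script("select * from users where ")
    # hello.php as on the slides: the request value reaches echo unconverted.
    out["hello"] = eng.echo(hello + from_request("<b>Wietse</b>"))
    # Same script with htmlentities(): converted data, no warning.
    out["hello_ok"] = eng.echo(hello + htmlentities(from_request("<b>Wietse</b>")))
    # Shell flavor: escapeshellarg() clears TC_SHELL, so system() stays quiet.
    out["shell"] = eng.system(from_script("ls ") + escapeshellarg(from_request("; id")))
    # Coverage limitation 1: converted, but pasted into an unquoted numeric
    # context. The checker is silent (TC_MYSQL was cleared) yet the query is
    # still injectable, because escaping leaves "1 or 1=1" untouched.
    out["unquoted"] = eng.mysql_query(
        q + from_script("id=") + mysql_real_escape_string(from_request("1 or 1=1")))
    # Coverage limitation 2: data the application validated itself but never
    # "converted" draws a false warning; untaint() is how the application says so.
    name = from_request("wietse")
    if name.value.isalnum():
        out["validated"] = eng.mysql_query(q + from_script("name=") + name)
        out["validated_ok"] = eng.mysql_query(q + from_script("name=") + untaint(name, TC_MYSQL))
    return out, eng.warnings

def enforcement_terminates():
    """True when E_ERROR stops the script at the first tainted sink."""
    try:
        demo(E_ERROR)
        return False
    except TaintError:
        return True
```

In audit mode, demo() logs exactly two warnings, one for the unconverted echo and one for the validated-but-still-tainted name; the unquoted numeric query produces none, which is the point of the caveat: the checker tracks whether a conversion function ran, not whether the result is safe in the place it ended up. Switching to E_ERROR turns the first warning into a terminating error, and E_NONE keeps the bookkeeping but reports nothing.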
Macro benchmark: 0.5-1.5% for "make test" user-mode time (also includes a small amount of non-PHP execution). Exact amount depends on CPU.
Micro benchmark: user time +2% for bench.php.
No data memory overhead: the zval 1 data structure has 16 bits of unused padding on 32-bit CPUs.
Main trick for low CPU overhead: branch-less code on the critical path, and avoiding << or >>.
1 The PHP engine's internal data structure with the type and value for each variable and constant.
Primary focus on the low-level operators (bit-wise, numeric, string, assignment, etc.).
Slow taint propagation example, binary operator (a conditional branch on the critical path):
    if (op1->taint || op2->taint)
        result->taint = (op1->taint | op2->taint);
    else
        result->taint = 0;
Fast taint propagation example, same operator (branch-less; the OR already yields 0 when both operands are clean):
    result->taint = (op1->taint | op2->taint);
Done: most of the Zend VM; some object stuff is still TODO.
Server APIs: CLI, CGI, Apache1, Apache2.
Some standard extensions + PCRE + MySQL + MySQLI.
Other extensions may need "taint_error_level = E_NONE" to avoid false alarms. Reason: some code doesn't use the standard zval initialization macros; uninitialized taint bits contain junk.
Plan: keep this code alive for a year or so.
Gripes:
PHP Makefile ignores C include file dependencies. Fix: my first PHP program (translated from Perl :-).
Documentation ends near the PHP extension level. Little documentation on interfaces within the PHP engine. No documentation on interfaces for the server API. etc. That's about 200k lines of mostly undocumented code.
Search engines are polluted with empty skeleton manual pages. Pagerank does not help here.
First implementation released November 2007, updated every 1-2 months. PHP license version 3.01.
Website: http://wiki.php.net/rfc/taint/
Source: ftp://ftp.porcupine.org/pub/php/index.html
Alternatives: http://grasp.coresecurity.com/
Backup slides
Alternative 1: modify the PHP engine with per-character taint status information:
    String: "Hello, " "Wietse"
    Status:  clean    tainted
Automatically fix "tainted" special characters: a modified echo() automatically replaces tainted "<" and ">" etc. by safe "&lt;" and "&gt;" etc. equivalents. Other automatic tainted-substring fixups with SQL queries and with shell commands.
Sounds good, doesn't it?
Pros: no PHP application source code changes; one safety net for all applications.
Cons: run-time overhead up to 20% for the modified PHP engine (example: GRASP by Core Security); encourages programmer ignorance: just turn it on, and stop worrying about security holes; when the safety net leaks, you still have a hole.
Alternative 2: use a source-to-source PHP translator, and insert PHP code with extra checks where static analysis can't decide that data will be safe.
Problem: PHP's semantics complicate static analysis.
Code is compiled at run-time: eval($x), include($x), autoload($classname)
Functions are defined at run-time:
    if ($x) { function foo() { body1 } } else { function foo() { body2 } }
Aliasing via indirection and references: $y = $$x; $z = &$$y;
