SlideShare a Scribd company logo

Dynamic PHP web-application analysis

A
ax330d

This document discusses dynamic analysis of PHP web applications. It begins by explaining what dynamic analysis is and its benefits and limitations. It then surveys the current state of tools for PHP dynamic analysis, including code instrumentation tools, patches and extensions for PHP interpreters, and external profiling tools. A key focus is on developing a PHP extension for dynamic analysis, as it allows full control and transparency. The document outlines the capabilities of a PHP extension, such as handling function entry and exit, working with opcodes, and hooking dynamically evaluated strings. It introduces PVT, a new PHP dynamic analysis tool implemented as a PHP extension, covering its features and providing statistics on its performance. It concludes with plans for further improving PVT and references.

1 of 43
Download to read offline
Dynamic PHP web-application analysis Arthur Gerkis Ruhr University Bochum HackPra 2012/2013
Who am I? ○ independent computer security researcher - bug-hunter ○ in past doing web application security analysis and pentesting ○ author of several articles in russian IT- security printed magazine "Xakep" ○ senseless browser bug slayer 2
Outline i. About dynamic analysis ii. Dynamic analysis today iii. PHP extension capabilities iv. PVT extension 3
So, what was dynamic analysis about? i. About dynamic analysis
Dynamic analysis DA is a properties inspection of running application: 1. prepare environment & run application 2. collect run-time data 3. analyse data In general used for: profiling, code coverage, tracing, etc. 5
Why dynamic analysis? ○ operate with real data values - is known which function which arguments has, return values, etc. ○ avoid static analysis false positives (more efficient is a combination of DA & SA) ○ easier to analyse obfuscated code 6
Why not dynamic analysis? ○ single dynamic analysis can not cover all code paths ○ can be slow - depends on implementation, computing powers, LoC ○ may depend on environment - OS, bits, PHP versions, etc. ○ may be dangerous to execute code without knowing what results will be (e.g. malicious) 7
DA tools implementations (general) ● code instrumentation ○ source code ○ compile-time ○ execution/run-time ● patches and extensions for compiler or interpreter ● external (e.g. system) tools 8
DA tools implementations (PHP) ● code instrumentation ○ source code (web-application) ○ compile-time ○ execution/run-time ● patches and extensions for compiler or interpreter ● external (e.g. system) tools 9
State of PHP dynamic analysis as of today ii. Dynamic analysis today
Tools - code instrumentation ○ PHP Vulnerability Hunter autosectools.com/PHP-Vulnerability-Scanner Author: John Leitch ○ Saner* iseclab.org/papers/oakland-saner.pdf Authors: Davide Balzarotti, Marco Cova, Vika Felmetsger, Nenad Jovanovic, Engin Kirda, Christopher Kruegel, Giovanni Vigna ○ WAFA* research.cs.queensu.ca/~cordy/Papers/ACD_WSE09_WAFA.pdf Authors: Manar H. Alalfi, James R. Cordy, Thomas R. Dean ○ PHP Aspis https://github.com/jpapayan/aspis Authors: Dr Peter Pietzuch, Dr Matteo Migliavacca, Ioannis Papagiannis 11 * Tool was not found in public access
Tools - PHP interpreters ○ Taint support for PHP https://wiki.php.net/rfc/taint Author: Wietse Venema 12
Taint support for PHP
Tools - PHP interpreters ○ Taint support for PHP https://wiki.php.net/rfc/taint Author: Wietse Venema ○ CORE Grasp grasp.coresecurity.com/ Author: CoreLabs ○ PHPrevent* cs.virginia.edu/nguyen/phprevent/ Authors: Anh Nguyen-Tuong, Salvatore Guarnieri, Doug Greene, Jeff Shirley, David Evans * Tool was not found in public access 14
Tools - PHP extension ○ bytekit https://github.com/Tyrael/bytekit Author: Stefan Esser ○ evalhook php-security.org/2010/05/13/article-decoding-a-user-space-encoded-php-script/index.html Author: Stefan Esser ○ taint pecl.php.net/package/taint Author: Xinchen Hui ○ Dtrace pecl.php.net/package/DTrace Author: Wez Furlong 15
Tools - external tools ○ strace - Linux, truss - Solaris/BSD, ktrace - OS X (< 10.5)/BSD ○ DTrace - OS X/Solaris/QNX/BSD ○ SystemTap, LTTng - Linux ○ gdb (use PHP's .gdbinit), any other debugger 16
Tools - gdb example
Tools - miscellaneous Xdebug +(KCachegrind, PHPUnit, php-code- coverage, NetBeans IDE), XHProf, pfff As well there should exist unknown tools - small, private and unreleased. 18
Our choice - PHP extension ○ transparent to web-application - no influence on code and execution path ○ full control over web-application - dump values of variables, trace functions, taint variables, etc. 19
Developing PHP extension? ○ no actual documentation - blog-posts, outdated book and couple of chapters: ○ Expert PHP and MySQL - Andrew Curioso, Ronald Bradford, Patrick Galbraith, 2010 (Chapter) ○ Extending and Embedding PHP - Sara Golemon, 2006 ○ Advanced PHP Programming - George Schlossnagle, 2004 (Chapter) ○ may be intimidating to follow PHP changes ○ up-to-date source of information are another extensions source code (Suhosin, bytekit, XDebug) ○ http://lxr.php.net/ - PHP source code search via OpenGrok 20
What is a PHP extension capable of? iii. PHP extension capabilities
Dissected PHP lifecycle PHP_MINIT_FUNCTION(foobar) { [...] orig_compile_string = zend_compile_string; zend_compile_string = foobar_compile_string; old_execute = zend_execute; zend_execute = foobar_execute; old_zend_execute_internal = zend_execute_internal; zend_execute_internal = foobar_execute_internal; return SUCCESS; } PHP_MSHUTDOWN_FUNCTION(foobar) { [...] zend_compile_string = orig_compile_string; zend_execute = old_execute; zend_execute_internal = old_zend_execute_internal; [...] return SUCCESS; } PHP_RINIT_FUNCTION(foobar) { [...] return SUCCESS; } PHP_RSHUTDOWN_FUNCTION(foobar) { [...] return SUCCESS; } 22
Handle function entry and exit Register every executing function and have access to all data functions works with: ○ trace execution path and generate call graph later ○ understand application architecture ○ explore application executed paths and detect yet unexplored areas ○ intercept identifiers when passing data to any function 23
Handle function entry and exit // execute_internal() doesn't catch nested internal function calls (calllbacks) static void foobar_execute_internal(zend_execute_data *execute_data_ptr, int return_value_used TSRMLS_DC) { [...] // Here Zend internal functions gets executed // Work with stuff like opcodes, variables, handle function entries. execute_internal(execute_data_ptr, return_value_used TSRMLS_CC); // Here is possible to handle function exits. } static void foobar_execute(zend_op_array *op_array TSRMLS_DC) { [...] // Here user functions gets executed // Work with stuff like opcodes, variables, handle function entries. old_execute(op_array TSRMLS_CC); // Here is possible to handle function exits. } 24
Implement functions and classes Implementing own PHP internal classes and functions allow to extend PHP functionality for different use: ○ fighting with bottlenecks, optimize execution time ○ utilize OS-specific functionality ○ extend web-application capabilities ○ provide debugging and profiling facilities 25
Work with opcode PHP allows complete control over every opcode: ○ dump opcodes on the fly and observe them later for low-level analysis (e.g. for obfuscated code) ○ set opcode handler for complete control over application 26
Work with opcode static void php_taint_register_handlers(TSRMLS_D) { zend_set_user_opcode_handler(ZEND_ECHO, php_taint_echo_handler); [...] } static int php_taint_echo_handler(ZEND_OPCODE_HANDLER_ARGS) { zend_op *opline = execute_data->opline; [...] return ZEND_USER_OPCODE_DISPATCH; } PHP_MINIT_FUNCTION(foobar) { [...] php_taint_register_handlers(TSRMLS_C); return SUCCESS; } 27
Hook dynamically evaluated strings Catch every dynamically executed string and log it - see what happens inside of ○ eval(), create_function() ○ assert(), ○ preg_replace() with "e" 28
Hook dynamically evaluated strings static zend_op_array *evalhook_compile_string(zval *source_string, char *filename TSRMLS_DC) { [...] len = Z_STRLEN_P(source_string); copy = estrndup(Z_STRVAL_P(source_string), len); [...] return orig_compile_string(source_string, filename TSRMLS_CC); } 29
Set Zend extension callbacks Zend provides possibility to set various handlers for more fine-grained control: ○ statement handler, allows: ○ single stepping through code ○ profiling ○ implement stepping debugger ○ function entry/exit handlers ○ op_array manipulation 30
Set Zend extension callbacks // Set in our extension // Defined in Zend/zend_extensions.h struct _zend_extension { ZEND_DLEXPORT zend_extension zend_extension_entry = { char *name; "Foobar extension", char *version; char *author; FOOBAR_VERSION, char *URL; "Author", char *copyright; NULL, startup_func_t startup; "Copyright (c)", shutdown_func_t shutdown; NULL, // foobar_zend_startup activate_func_t activate; deactivate_func_t deactivate; NULL, // foobar_zend_shutdown NULL, // activate_func_t message_handler_func_t message_handler; NULL, // deactivate_func_t op_array_handler_func_t op_array_handler; NULL, // message_handler_func_t NULL, // op_array_handler_func_t statement_handler_func_t statement_handler; statement_handler, // statement_handler_func_t fcall_begin_handler_func_t fcall_begin_handler; fcall_end_handler_func_t fcall_end_handler; NULL, // fcall_begin_handler_func_t NULL, // fcall_end_handler op_array_ctor_func_t op_array_ctor; op_array_dtor_func_t op_array_dtor; NULL, // op_array_ctor_func_t NULL, // op_array_dtor_func_t int (*api_no_check)(int api_no); STANDARD_ZEND_EXTENSION_PROPERTIES int (*build_id_check)(const char* build_id); [...] }; }; 31
Tasks for PHP extension ○ assist in debugging - XDebug, vld ○ hardening PHP - Suhosin ○ execution time optimization - APC, XCache ○ web-application security evaluation - bytekit, evalhook, taint ○ protective measures - Zend Guard, ionCube ○ etc. 32
Introducing PVT iv. PVT extension
New PHP dynamic analysis tool Named PVT - PHP Vulnerability Tracer: ○ the idea of PVT is to provide tools to assist in web-application security audit ○ the aim of PVT is to be transparent to web- application, fully-automated, easy to use and highly customizable - achieved via being PHP extension. 34
PVT - Swiss knife ○ draws dynamic code execution graphs (allows code navigation) ○ hooks all eval'd strings ○ catches your marker in arguments of function or just every argument in every function ○ can dump chosen or all variables ○ opcode dumper for low-level analysis ○ settings for each module 35
PVT - Swiss knife * namings may change later 36
Sounds good? ○ may be slow as hell if you switch too many modules or run it on heavy web-application ○ works only on Linux* ○ works only on PHP 5.2/5.3 ○ may be not very comfortable in use - logs are plain text files, needs dot, requires Perl ... 37
Statistics Statistics shown are for Wordpress 3.4. (opening simple pages like index.php) Title Time, seconds 1 Without PVT 0.14 2 All modules switched On 16.67 3 dump_ops = On 9.45 4 All modules On except dump_ops 6.45 5 catch_marker = On 4.79 6 dump_vars = On 1.18 7 trace_func = On 0.64 8 eval_hook = On 0.16 38
Demo
In perspective ○ speed optimization (priority) ○ add variable tracing ○ connect logs and graph ○ data tainting (?) ○ opcode graphs ○ convenient logs management ○ find and eliminate bugs You can help with ideas and bug reports! 40
Acknowledgments ○ Stefan Esser ○ Vladimir Vorontsov 41
References ○ https://github.com/ax330d/pvt ○ https://wiki.php.net/rfc/taint ○ https://wiki.php.net/internals/references ○ www.smartflow.org/aspis ○ grasp.coresecurity.com/ ○ www.cs.virginia.edu/phprevent/ ○ https://github.com/Tyrael/bytekit ○ http://www.cs.ucsb.edu/~rusvika/papers/ssp08_saner.pdf ○ research.cs.queensu.ca/~cordy/Papers/ACD_WSE09_WAFA.pdf ○ sebastian-bergmann.de/archives/871-bytekit-cli.html ○ solaris.reys.net/dtrace-php-scripts/ ○ solaris.reys.net/debugging-php-with-dtrace-part-2/ ○ https://blogs.oracle.com/shanti/entry/dtrace_support_for_php ○ wezfurlong.org/blog/2005/aug/dtracing-php-on-solaris/ ○ PHP Tainted variables: An idea whose time has come - Wietse Venema, 2008 ○ Static and Dynamic Analysis for PHP Security - V.C.Sreedhar, 2006 ○ Static and Dynamic Analysis at Ning - David Sklar, 2008 ○ Analysing PHP Code - Sebastian Bergmann, 2009 ○ PHP Extension Writing - Marcus Borger, Wez Furlong, Sara Golemon, 2005 42
Questions? You can reach me on twitter.com/ax330d, or e-mail to user ax330d on the gmail server.

Recommended

RIPS - static code analyzer for vulnerabilities in PHP
RIPS - static code analyzer for vulnerabilities in PHPRIPS - static code analyzer for vulnerabilities in PHP
RIPS - static code analyzer for vulnerabilities in PHP
Sorina Chirilă
 
50 shades of PHP
50 shades of PHP50 shades of PHP
50 shades of PHP
Maksym Hopei
 
Remote file path traversal attacks for fun and profit
Remote file path traversal attacks for fun and profitRemote file path traversal attacks for fun and profit
Remote file path traversal attacks for fun and profit
Dharmalingam Ganesan
 
No locked doors, no windows barred: hacking OpenAM infrastructure
No locked doors, no windows barred: hacking OpenAM infrastructureNo locked doors, no windows barred: hacking OpenAM infrastructure
No locked doors, no windows barred: hacking OpenAM infrastructure
Andrew Petukhov
 
Presentation buffer overflow attacks and theircountermeasures
Presentation buffer overflow attacks and theircountermeasuresPresentation buffer overflow attacks and theircountermeasures
Presentation buffer overflow attacks and theircountermeasurestharindunew
 
Static and Dynamic Analysis at Ning
Static and Dynamic Analysis at NingStatic and Dynamic Analysis at Ning
Static and Dynamic Analysis at Ning
ZendCon
 
Understand study
Understand studyUnderstand study
Understand study
Antonio Costa aka Cooler_
 
How PHP Works ?
How PHP Works ?How PHP Works ?
How PHP Works ?
Ravi Raj
 

Recommended

RIPS - static code analyzer for vulnerabilities in PHP
RIPS - static code analyzer for vulnerabilities in PHPRIPS - static code analyzer for vulnerabilities in PHP
RIPS - static code analyzer for vulnerabilities in PHP
Sorina Chirilă
 
50 shades of PHP
50 shades of PHP50 shades of PHP
50 shades of PHP
Maksym Hopei
 
Remote file path traversal attacks for fun and profit
Remote file path traversal attacks for fun and profitRemote file path traversal attacks for fun and profit
Remote file path traversal attacks for fun and profit
Dharmalingam Ganesan
 
No locked doors, no windows barred: hacking OpenAM infrastructure
No locked doors, no windows barred: hacking OpenAM infrastructureNo locked doors, no windows barred: hacking OpenAM infrastructure
No locked doors, no windows barred: hacking OpenAM infrastructure
Andrew Petukhov
 
Presentation buffer overflow attacks and theircountermeasures
Presentation buffer overflow attacks and theircountermeasuresPresentation buffer overflow attacks and theircountermeasures
Presentation buffer overflow attacks and theircountermeasurestharindunew
 
Static and Dynamic Analysis at Ning
Static and Dynamic Analysis at NingStatic and Dynamic Analysis at Ning
Static and Dynamic Analysis at Ning
ZendCon
 
Understand study
Understand studyUnderstand study
Understand study
Antonio Costa aka Cooler_
 
How PHP Works ?
How PHP Works ?How PHP Works ?
How PHP Works ?
Ravi Raj
 
Binary art - Byte-ing the PE that fails you (extended offline version)
Binary art - Byte-ing the PE that fails you (extended offline version)Binary art - Byte-ing the PE that fails you (extended offline version)
Binary art - Byte-ing the PE that fails you (extended offline version)
Ange Albertini
 
Windows 10 - Endpoint Security Improvements and the Implant Since Windows 2000
Windows 10 - Endpoint Security Improvements and the Implant Since Windows 2000Windows 10 - Endpoint Security Improvements and the Implant Since Windows 2000
Windows 10 - Endpoint Security Improvements and the Implant Since Windows 2000
CTruncer
 
0d1n
0d1n0d1n
0d1n
Antonio Costa aka Cooler_
 
Snake bites : Python for Pentesters
Snake bites : Python for PentestersSnake bites : Python for Pentesters
Snake bites : Python for Pentesters
Anant Shrivastava
 
Patching Windows Executables with the Backdoor Factory | DerbyCon 2013
Patching Windows Executables with the Backdoor Factory | DerbyCon 2013Patching Windows Executables with the Backdoor Factory | DerbyCon 2013
Patching Windows Executables with the Backdoor Factory | DerbyCon 2013
midnite_runr
 
AFPS_2011
AFPS_2011AFPS_2011
AFPS_2011Rajorshi Ghosh Choudhury
 
Dynamic Binary Instrumentation
Dynamic Binary Instrumentation Dynamic Binary Instrumentation
Dynamic Binary Instrumentation
Cysinfo Cyber Security Community
 
Raptor web application firewall
Raptor web application firewallRaptor web application firewall
Raptor web application firewall
Antonio Costa aka Cooler_
 
Xdebug
XdebugXdebug
Xdebug
Tobias Schlitt
 
The Veil-Framework
The Veil-FrameworkThe Veil-Framework
The Veil-Framework
VeilFramework
 
Python build your security tools.pdf
Python build your security tools.pdfPython build your security tools.pdf
Python build your security tools.pdf
TECHNOLOGY CONTROL CO.
 
Code Injection in Windows
Code Injection in WindowsCode Injection in Windows
Code Injection in Windows
n|u - The Open Security Community
 
AV Evasion with the Veil Framework
AV Evasion with the Veil FrameworkAV Evasion with the Veil Framework
AV Evasion with the Veil Framework
VeilFramework
 
PSR7 - interoperabilità HTTP
PSR7 - interoperabilità HTTPPSR7 - interoperabilità HTTP
PSR7 - interoperabilità HTTP
Massimiliano Arione
 
Threat Modeling: Applied on a Publish-Subscribe Architectural Style
Threat Modeling: Applied on a Publish-Subscribe Architectural StyleThreat Modeling: Applied on a Publish-Subscribe Architectural Style
Threat Modeling: Applied on a Publish-Subscribe Architectural Style
Dharmalingam Ganesan
 
Buffer overflow attacks
Buffer overflow attacksBuffer overflow attacks
Buffer overflow attacks
Kapil Nagrale
 
A Battle Against the Industry - Beating Antivirus for Meterpreter and More
A Battle Against the Industry - Beating Antivirus for Meterpreter and MoreA Battle Against the Industry - Beating Antivirus for Meterpreter and More
A Battle Against the Industry - Beating Antivirus for Meterpreter and More
CTruncer
 
Pentester++
Pentester++Pentester++
Pentester++
CTruncer
 
Buffer overflow
Buffer overflowBuffer overflow
Buffer overflow
Evgeni Tsonev
 
Buffer Overflow Attacks
Buffer Overflow AttacksBuffer Overflow Attacks
Buffer Overflow Attacksharshal kshatriya
 
Static Analysis of PHP Code – IPC Berlin 2016
Static Analysis of PHP Code – IPC Berlin 2016Static Analysis of PHP Code – IPC Berlin 2016
Static Analysis of PHP Code – IPC Berlin 2016
Rouven Weßling
 
BSides Algiers - PHP Static Code Analysis - Abdeldjalil Belakhdar
BSides Algiers - PHP Static Code Analysis - Abdeldjalil BelakhdarBSides Algiers - PHP Static Code Analysis - Abdeldjalil Belakhdar
BSides Algiers - PHP Static Code Analysis - Abdeldjalil BelakhdarShellmates
 

More Related Content

What's hot

Binary art - Byte-ing the PE that fails you (extended offline version)
Binary art - Byte-ing the PE that fails you (extended offline version)Binary art - Byte-ing the PE that fails you (extended offline version)
Binary art - Byte-ing the PE that fails you (extended offline version)
Ange Albertini
 
Windows 10 - Endpoint Security Improvements and the Implant Since Windows 2000
Windows 10 - Endpoint Security Improvements and the Implant Since Windows 2000Windows 10 - Endpoint Security Improvements and the Implant Since Windows 2000
Windows 10 - Endpoint Security Improvements and the Implant Since Windows 2000
CTruncer
 
0d1n
0d1n0d1n
0d1n
Antonio Costa aka Cooler_
 
Snake bites : Python for Pentesters
Snake bites : Python for PentestersSnake bites : Python for Pentesters
Snake bites : Python for Pentesters
Anant Shrivastava
 
Patching Windows Executables with the Backdoor Factory | DerbyCon 2013
Patching Windows Executables with the Backdoor Factory | DerbyCon 2013Patching Windows Executables with the Backdoor Factory | DerbyCon 2013
Patching Windows Executables with the Backdoor Factory | DerbyCon 2013
midnite_runr
 
Dynamic Binary Instrumentation
Dynamic Binary Instrumentation Dynamic Binary Instrumentation
Dynamic Binary Instrumentation
Cysinfo Cyber Security Community
 
Raptor web application firewall
Raptor web application firewallRaptor web application firewall
Raptor web application firewall
Antonio Costa aka Cooler_
 
Xdebug
XdebugXdebug
Xdebug
Tobias Schlitt
 
The Veil-Framework
The Veil-FrameworkThe Veil-Framework
The Veil-Framework
VeilFramework
 
Python build your security tools.pdf
Python build your security tools.pdfPython build your security tools.pdf
Python build your security tools.pdf
TECHNOLOGY CONTROL CO.
 
Code Injection in Windows
Code Injection in WindowsCode Injection in Windows
Code Injection in Windows
n|u - The Open Security Community
 
AV Evasion with the Veil Framework
AV Evasion with the Veil FrameworkAV Evasion with the Veil Framework
AV Evasion with the Veil Framework
VeilFramework
 
PSR7 - interoperabilità HTTP
PSR7 - interoperabilità HTTPPSR7 - interoperabilità HTTP
PSR7 - interoperabilità HTTP
Massimiliano Arione
 
Threat Modeling: Applied on a Publish-Subscribe Architectural Style
Threat Modeling: Applied on a Publish-Subscribe Architectural StyleThreat Modeling: Applied on a Publish-Subscribe Architectural Style
Threat Modeling: Applied on a Publish-Subscribe Architectural Style
Dharmalingam Ganesan
 
Buffer overflow attacks
Buffer overflow attacksBuffer overflow attacks
Buffer overflow attacks
Kapil Nagrale
 
A Battle Against the Industry - Beating Antivirus for Meterpreter and More
A Battle Against the Industry - Beating Antivirus for Meterpreter and MoreA Battle Against the Industry - Beating Antivirus for Meterpreter and More
A Battle Against the Industry - Beating Antivirus for Meterpreter and More
CTruncer
 
Pentester++
Pentester++Pentester++
Pentester++
CTruncer
 
Buffer overflow
Buffer overflowBuffer overflow
Buffer overflow
Evgeni Tsonev
 

What's hot (20)

Binary art - Byte-ing the PE that fails you (extended offline version)
Binary art - Byte-ing the PE that fails you (extended offline version)Binary art - Byte-ing the PE that fails you (extended offline version)
Binary art - Byte-ing the PE that fails you (extended offline version)
 
Windows 10 - Endpoint Security Improvements and the Implant Since Windows 2000
Windows 10 - Endpoint Security Improvements and the Implant Since Windows 2000Windows 10 - Endpoint Security Improvements and the Implant Since Windows 2000
Windows 10 - Endpoint Security Improvements and the Implant Since Windows 2000
 
0d1n
0d1n0d1n
0d1n
 
Snake bites : Python for Pentesters
Snake bites : Python for PentestersSnake bites : Python for Pentesters
Snake bites : Python for Pentesters
 
Patching Windows Executables with the Backdoor Factory | DerbyCon 2013
Patching Windows Executables with the Backdoor Factory | DerbyCon 2013Patching Windows Executables with the Backdoor Factory | DerbyCon 2013
Patching Windows Executables with the Backdoor Factory | DerbyCon 2013
 
AFPS_2011
AFPS_2011AFPS_2011
AFPS_2011
 
Dynamic Binary Instrumentation
Dynamic Binary Instrumentation Dynamic Binary Instrumentation
Dynamic Binary Instrumentation
 
Raptor web application firewall
Raptor web application firewallRaptor web application firewall
Raptor web application firewall
 
Xdebug
XdebugXdebug
Xdebug
 
The Veil-Framework
The Veil-FrameworkThe Veil-Framework
The Veil-Framework
 
Python build your security tools.pdf
Python build your security tools.pdfPython build your security tools.pdf
Python build your security tools.pdf
 
Code Injection in Windows
Code Injection in WindowsCode Injection in Windows
Code Injection in Windows
 
AV Evasion with the Veil Framework
AV Evasion with the Veil FrameworkAV Evasion with the Veil Framework
AV Evasion with the Veil Framework
 
PSR7 - interoperabilità HTTP
PSR7 - interoperabilità HTTPPSR7 - interoperabilità HTTP
PSR7 - interoperabilità HTTP
 
Threat Modeling: Applied on a Publish-Subscribe Architectural Style
Threat Modeling: Applied on a Publish-Subscribe Architectural StyleThreat Modeling: Applied on a Publish-Subscribe Architectural Style
Threat Modeling: Applied on a Publish-Subscribe Architectural Style
 
Buffer overflow attacks
Buffer overflow attacksBuffer overflow attacks
Buffer overflow attacks
 
A Battle Against the Industry - Beating Antivirus for Meterpreter and More
A Battle Against the Industry - Beating Antivirus for Meterpreter and MoreA Battle Against the Industry - Beating Antivirus for Meterpreter and More
A Battle Against the Industry - Beating Antivirus for Meterpreter and More
 
Pentester++
Pentester++Pentester++
Pentester++
 
Buffer overflow
Buffer overflowBuffer overflow
Buffer overflow
 
Buffer Overflow Attacks
Buffer Overflow AttacksBuffer Overflow Attacks
Buffer Overflow Attacks
 

Viewers also liked

Static Analysis of PHP Code – IPC Berlin 2016
Static Analysis of PHP Code – IPC Berlin 2016Static Analysis of PHP Code – IPC Berlin 2016
Static Analysis of PHP Code – IPC Berlin 2016
Rouven Weßling
 
BSides Algiers - PHP Static Code Analysis - Abdeldjalil Belakhdar
BSides Algiers - PHP Static Code Analysis - Abdeldjalil BelakhdarBSides Algiers - PHP Static Code Analysis - Abdeldjalil Belakhdar
BSides Algiers - PHP Static Code Analysis - Abdeldjalil BelakhdarShellmates
 
Modern Static Code Analysis in PHP
Modern Static Code Analysis in PHPModern Static Code Analysis in PHP
Modern Static Code Analysis in PHP
Vladimir Reznichenko
 
2016 utme application analysis
2016 utme application analysis2016 utme application analysis
2016 utme application analysis
statisense
 
Rochelle_March_MBACapstone
Rochelle_March_MBACapstoneRochelle_March_MBACapstone
Rochelle_March_MBACapstoneRochelle March
 
SQADays19 - 50 Слайдов для повышения безопасности вашего сервиса
SQADays19 - 50 Слайдов для повышения безопасности вашего сервисаSQADays19 - 50 Слайдов для повышения безопасности вашего сервиса
SQADays19 - 50 Слайдов для повышения безопасности вашего сервиса
Konstantin Zavarov, ICP
 
Secure Code Reviews
Secure Code ReviewsSecure Code Reviews
Secure Code ReviewsMarco Morana
 
XSSの評価基準とRIPSプラグイン的なものを作った
XSSの評価基準とRIPSプラグイン的なものを作ったXSSの評価基準とRIPSプラグイン的なものを作った
XSSの評価基準とRIPSプラグイン的なものを作った
yamaguchi_2048
 
Построение процесса безопасной разработки - Стачка 2016
Построение процесса безопасной разработки - Стачка 2016Построение процесса безопасной разработки - Стачка 2016
Построение процесса безопасной разработки - Стачка 2016
Valery Boronin
 
Подходы к сигнатурному статическому анализу
Подходы к сигнатурному статическому анализуПодходы к сигнатурному статическому анализу
Подходы к сигнатурному статическому анализу
Positive Development User Group
 
SECON'2016. Бушмелев Юрий, Два титановых шарика
SECON'2016. Бушмелев Юрий, Два титановых шарикаSECON'2016. Бушмелев Юрий, Два титановых шарика
SECON'2016. Бушмелев Юрий, Два титановых шарика
SECON
 
Code review psyhology
Code review psyhologyCode review psyhology
Code review psyhology
Oleksiy Rezchykov
 
Построение Secure Development Lifecycle
Построение Secure Development Lifecycle Построение Secure Development Lifecycle
Построение Secure Development Lifecycle
Vlad Styran
 
Secure code
Secure codeSecure code
Secure code
ddeogun
 
Этичный хакинг или пентестинг в действии
Этичный хакинг или пентестинг в действииЭтичный хакинг или пентестинг в действии
Этичный хакинг или пентестинг в действии
SQALab
 
PHPcon Poland - Static Analysis of PHP Code – How the Heck did I write so man...
PHPcon Poland - Static Analysis of PHP Code – How the Heck did I write so man...PHPcon Poland - Static Analysis of PHP Code – How the Heck did I write so man...
PHPcon Poland - Static Analysis of PHP Code – How the Heck did I write so man...
Rouven Weßling
 
ニューラルネットワークによる音声の分類
ニューラルネットワークによる音声の分類ニューラルネットワークによる音声の分類
ニューラルネットワークによる音声の分類yamaguchi_2048
 
Social Intelligence 2.0
Social Intelligence 2.0Social Intelligence 2.0
Social Intelligence 2.0
.comsulter
 
Simplified Security Code Review Process
Simplified Security Code Review ProcessSimplified Security Code Review Process
Simplified Security Code Review ProcessSherif Koussa
 
The Business Analyst Role Within Solution Driven Projects
The Business Analyst Role Within Solution Driven Projects The Business Analyst Role Within Solution Driven Projects
The Business Analyst Role Within Solution Driven Projects
IIBA UK Chapter
 

Viewers also liked (20)

Static Analysis of PHP Code – IPC Berlin 2016
Static Analysis of PHP Code – IPC Berlin 2016Static Analysis of PHP Code – IPC Berlin 2016
Static Analysis of PHP Code – IPC Berlin 2016
 
BSides Algiers - PHP Static Code Analysis - Abdeldjalil Belakhdar
BSides Algiers - PHP Static Code Analysis - Abdeldjalil BelakhdarBSides Algiers - PHP Static Code Analysis - Abdeldjalil Belakhdar
BSides Algiers - PHP Static Code Analysis - Abdeldjalil Belakhdar
 
Modern Static Code Analysis in PHP
Modern Static Code Analysis in PHPModern Static Code Analysis in PHP
Modern Static Code Analysis in PHP
 
2016 utme application analysis
2016 utme application analysis2016 utme application analysis
2016 utme application analysis
 
Rochelle_March_MBACapstone
Rochelle_March_MBACapstoneRochelle_March_MBACapstone
Rochelle_March_MBACapstone
 
SQADays19 - 50 Слайдов для повышения безопасности вашего сервиса
SQADays19 - 50 Слайдов для повышения безопасности вашего сервисаSQADays19 - 50 Слайдов для повышения безопасности вашего сервиса
SQADays19 - 50 Слайдов для повышения безопасности вашего сервиса
 
Secure Code Reviews
Secure Code ReviewsSecure Code Reviews
Secure Code Reviews
 
XSSの評価基準とRIPSプラグイン的なものを作った
XSSの評価基準とRIPSプラグイン的なものを作ったXSSの評価基準とRIPSプラグイン的なものを作った
XSSの評価基準とRIPSプラグイン的なものを作った
 
Построение процесса безопасной разработки - Стачка 2016
Построение процесса безопасной разработки - Стачка 2016Построение процесса безопасной разработки - Стачка 2016
Построение процесса безопасной разработки - Стачка 2016
 
Подходы к сигнатурному статическому анализу
Подходы к сигнатурному статическому анализуПодходы к сигнатурному статическому анализу
Подходы к сигнатурному статическому анализу
 
SECON'2016. Бушмелев Юрий, Два титановых шарика
SECON'2016. Бушмелев Юрий, Два титановых шарикаSECON'2016. Бушмелев Юрий, Два титановых шарика
SECON'2016. Бушмелев Юрий, Два титановых шарика
 
Code review psyhology
Code review psyhologyCode review psyhology
Code review psyhology
 
Построение Secure Development Lifecycle
Построение Secure Development Lifecycle Построение Secure Development Lifecycle
Построение Secure Development Lifecycle
 
Secure code
Secure codeSecure code
Secure code
 
Этичный хакинг или пентестинг в действии
Этичный хакинг или пентестинг в действииЭтичный хакинг или пентестинг в действии
Этичный хакинг или пентестинг в действии
 
PHPcon Poland - Static Analysis of PHP Code – How the Heck did I write so man...
PHPcon Poland - Static Analysis of PHP Code – How the Heck did I write so man...PHPcon Poland - Static Analysis of PHP Code – How the Heck did I write so man...
PHPcon Poland - Static Analysis of PHP Code – How the Heck did I write so man...
 
ニューラルネットワークによる音声の分類
ニューラルネットワークによる音声の分類ニューラルネットワークによる音声の分類
ニューラルネットワークによる音声の分類
 
Social Intelligence 2.0
Social Intelligence 2.0Social Intelligence 2.0
Social Intelligence 2.0
 
Simplified Security Code Review Process
Simplified Security Code Review ProcessSimplified Security Code Review Process
Simplified Security Code Review Process
 
The Business Analyst Role Within Solution Driven Projects
The Business Analyst Role Within Solution Driven Projects The Business Analyst Role Within Solution Driven Projects
The Business Analyst Role Within Solution Driven Projects
 

Similar to Dynamic PHP web-application analysis

Php7 extensions workshop
Php7 extensions workshopPhp7 extensions workshop
Php7 extensions workshop
julien pauli
 
Tracing MariaDB server with bpftrace - MariaDB Server Fest 2021
Tracing MariaDB server with bpftrace - MariaDB Server Fest 2021Tracing MariaDB server with bpftrace - MariaDB Server Fest 2021
Tracing MariaDB server with bpftrace - MariaDB Server Fest 2021
Valeriy Kravchuk
 
Dynamic tracing of MariaDB on Linux - problems and solutions (MariaDB Server ...
Dynamic tracing of MariaDB on Linux - problems and solutions (MariaDB Server ...Dynamic tracing of MariaDB on Linux - problems and solutions (MariaDB Server ...
Dynamic tracing of MariaDB on Linux - problems and solutions (MariaDB Server ...
Valeriy Kravchuk
 
"Развитие ветки PHP-7"
"Развитие ветки PHP-7""Развитие ветки PHP-7"
"Развитие ветки PHP-7"
Badoo Development
 
Linux kernel tracing superpowers in the cloud
Linux kernel tracing superpowers in the cloudLinux kernel tracing superpowers in the cloud
Linux kernel tracing superpowers in the cloud
Andrea Righi
 
Is your code ready for PHP 7 ?
Is your code ready for PHP 7 ?Is your code ready for PHP 7 ?
Is your code ready for PHP 7 ?
Wim Godden
 
PHP QA Tools
PHP QA ToolsPHP QA Tools
PHP QA Tools
rjsmelo
 
More on bpftrace for MariaDB DBAs and Developers - FOSDEM 2022 MariaDB Devroom
More on bpftrace for MariaDB DBAs and Developers - FOSDEM 2022 MariaDB DevroomMore on bpftrace for MariaDB DBAs and Developers - FOSDEM 2022 MariaDB Devroom
More on bpftrace for MariaDB DBAs and Developers - FOSDEM 2022 MariaDB Devroom
Valeriy Kravchuk
 
PHP Development Tools
PHP Development ToolsPHP Development Tools
PHP Development Tools
Antony Abramchenko
 
Ein Stall voller Trüffelschweine - (PHP-)Profiling-Tools im Überblick
Ein Stall voller Trüffelschweine - (PHP-)Profiling-Tools im ÜberblickEin Stall voller Trüffelschweine - (PHP-)Profiling-Tools im Überblick
Ein Stall voller Trüffelschweine - (PHP-)Profiling-Tools im Überblickrenebruns
 
More about PHP
More about PHPMore about PHP
More about PHP
Jonathan Francis Roscoe
 
2018 cosup-delete unused python code safely - english
2018 cosup-delete unused python code safely - english2018 cosup-delete unused python code safely - english
2018 cosup-delete unused python code safely - english
Jen Yee Hong
 
TWINS: OOP and FP - Warburton
TWINS: OOP and FP - WarburtonTWINS: OOP and FP - Warburton
TWINS: OOP and FP - Warburton
Codemotion
 
2019: A Local Hacking Odyssey - MITM attack against password manager @ BSides...
2019: A Local Hacking Odyssey - MITM attack against password manager @ BSides...2019: A Local Hacking Odyssey - MITM attack against password manager @ BSides...
2019: A Local Hacking Odyssey - MITM attack against password manager @ BSides...
Soya Aoyama
 
Php extensions workshop
Php extensions workshopPhp extensions workshop
Php extensions workshopjulien pauli
 
OpenERP Technical Memento
OpenERP Technical MementoOpenERP Technical Memento
OpenERP Technical MementoOdoo
 
The why and how of moving to PHP 5.5/5.6
The why and how of moving to PHP 5.5/5.6The why and how of moving to PHP 5.5/5.6
The why and how of moving to PHP 5.5/5.6
Wim Godden
 
Extending MariaDB with user-defined functions
Extending MariaDB with user-defined functionsExtending MariaDB with user-defined functions
Extending MariaDB with user-defined functions
MariaDB plc
 
Living With Legacy Code
Living With Legacy CodeLiving With Legacy Code
Living With Legacy Code
Rowan Merewood
 
Workflow story: Theory versus Practice in large enterprises by Marcin Piebiak
Workflow story: Theory versus Practice in large enterprises by Marcin PiebiakWorkflow story: Theory versus Practice in large enterprises by Marcin Piebiak
Workflow story: Theory versus Practice in large enterprises by Marcin Piebiak
NETWAYS
 

Similar to Dynamic PHP web-application analysis (20)

Php7 extensions workshop
Php7 extensions workshopPhp7 extensions workshop
Php7 extensions workshop
 
Tracing MariaDB server with bpftrace - MariaDB Server Fest 2021
Tracing MariaDB server with bpftrace - MariaDB Server Fest 2021Tracing MariaDB server with bpftrace - MariaDB Server Fest 2021
Tracing MariaDB server with bpftrace - MariaDB Server Fest 2021
 
Dynamic tracing of MariaDB on Linux - problems and solutions (MariaDB Server ...
Dynamic tracing of MariaDB on Linux - problems and solutions (MariaDB Server ...Dynamic tracing of MariaDB on Linux - problems and solutions (MariaDB Server ...
Dynamic tracing of MariaDB on Linux - problems and solutions (MariaDB Server ...
 
"Развитие ветки PHP-7"
"Развитие ветки PHP-7""Развитие ветки PHP-7"
"Развитие ветки PHP-7"
 
Linux kernel tracing superpowers in the cloud
Linux kernel tracing superpowers in the cloudLinux kernel tracing superpowers in the cloud
Linux kernel tracing superpowers in the cloud
 
Is your code ready for PHP 7 ?
Is your code ready for PHP 7 ?Is your code ready for PHP 7 ?
Is your code ready for PHP 7 ?
 
PHP QA Tools
PHP QA ToolsPHP QA Tools
PHP QA Tools
 
More on bpftrace for MariaDB DBAs and Developers - FOSDEM 2022 MariaDB Devroom
More on bpftrace for MariaDB DBAs and Developers - FOSDEM 2022 MariaDB DevroomMore on bpftrace for MariaDB DBAs and Developers - FOSDEM 2022 MariaDB Devroom
More on bpftrace for MariaDB DBAs and Developers - FOSDEM 2022 MariaDB Devroom
 
PHP Development Tools
PHP Development ToolsPHP Development Tools
PHP Development Tools
 
Ein Stall voller Trüffelschweine - (PHP-)Profiling-Tools im Überblick
Ein Stall voller Trüffelschweine - (PHP-)Profiling-Tools im ÜberblickEin Stall voller Trüffelschweine - (PHP-)Profiling-Tools im Überblick
Ein Stall voller Trüffelschweine - (PHP-)Profiling-Tools im Überblick
 
More about PHP
More about PHPMore about PHP
More about PHP
 
2018 cosup-delete unused python code safely - english
2018 cosup-delete unused python code safely - english2018 cosup-delete unused python code safely - english
2018 cosup-delete unused python code safely - english
 
TWINS: OOP and FP - Warburton
TWINS: OOP and FP - WarburtonTWINS: OOP and FP - Warburton
TWINS: OOP and FP - Warburton
 
2019: A Local Hacking Odyssey - MITM attack against password manager @ BSides...
2019: A Local Hacking Odyssey - MITM attack against password manager @ BSides...2019: A Local Hacking Odyssey - MITM attack against password manager @ BSides...
2019: A Local Hacking Odyssey - MITM attack against password manager @ BSides...
 
Php extensions workshop
Php extensions workshopPhp extensions workshop
Php extensions workshop
 
OpenERP Technical Memento
OpenERP Technical MementoOpenERP Technical Memento
OpenERP Technical Memento
 
The why and how of moving to PHP 5.5/5.6
The why and how of moving to PHP 5.5/5.6The why and how of moving to PHP 5.5/5.6
The why and how of moving to PHP 5.5/5.6
 
Extending MariaDB with user-defined functions
Extending MariaDB with user-defined functionsExtending MariaDB with user-defined functions
Extending MariaDB with user-defined functions
 
Living With Legacy Code
Living With Legacy CodeLiving With Legacy Code
Living With Legacy Code
 
Workflow story: Theory versus Practice in large enterprises by Marcin Piebiak
Workflow story: Theory versus Practice in large enterprises by Marcin PiebiakWorkflow story: Theory versus Practice in large enterprises by Marcin Piebiak
Workflow story: Theory versus Practice in large enterprises by Marcin Piebiak
 

Dynamic PHP web-application analysis

  • 1. Dynamic PHP web-application analysis Arthur Gerkis Ruhr University Bochum HackPra 2012/2013
  • 2. Who am I? ○ independent computer security researcher - bug-hunter ○ in past doing web application security analysis and pentesting ○ author of several articles in russian IT- security printed magazine "Xakep" ○ senseless browser bug slayer 2
  • 3. Outline i. About dynamic analysis ii. Dynamic analysis today iii. PHP extension capabilities iv. PVT extension 3
  • 4. So, what was dynamic analysis about? i. About dynamic analysis
  • 5. Dynamic analysis DA is a properties inspection of running application: 1. prepare environment & run application 2. collect run-time data 3. analyse data In general used for: profiling, code coverage, tracing, etc. 5
  • 6. Why dynamic analysis? ○ operate with real data values - is known which function which arguments has, return values, etc. ○ avoid static analysis false positives (more efficient is a combination of DA & SA) ○ easier to analyse obfuscated code 6
  • 7. Why not dynamic analysis? ○ single dynamic analysis can not cover all code paths ○ can be slow - depends on implementation, computing powers, LoC ○ may depend on environment - OS, bits, PHP versions, etc. ○ may be dangerous to execute code without knowing what results will be (e.g. malicious) 7
  • 8. DA tools implementations (general) ● code instrumentation ○ source code ○ compile-time ○ execution/run-time ● patches and extensions for compiler or interpreter ● external (e.g. system) tools 8
  • 9. DA tools implementations (PHP) ● code instrumentation ○ source code (web-application) ○ compile-time ○ execution/run-time ● patches and extensions for compiler or interpreter ● external (e.g. system) tools 9
  • 10. State of PHP dynamic analysis as of today ii. Dynamic analysis today
  • 11. Tools - code instrumentation ○ PHP Vulnerability Hunter autosectools.com/PHP-Vulnerability-Scanner Author: John Leitch ○ Saner* iseclab.org/papers/oakland-saner.pdf Authors: Davide Balzarotti, Marco Cova, Vika Felmetsger, Nenad Jovanovic, Engin Kirda, Christopher Kruegel, Giovanni Vigna ○ WAFA* research.cs.queensu.ca/~cordy/Papers/ACD_WSE09_WAFA.pdf Authors: Manar H. Alalfi, James R. Cordy, Thomas R. Dean ○ PHP Aspis https://github.com/jpapayan/aspis Authors: Dr Peter Pietzuch, Dr Matteo Migliavacca, Ioannis Papagiannis 11 * Tool was not found in public access
  • 12. Tools - PHP interpreters ○ Taint support for PHP https://wiki.php.net/rfc/taint Author: Wietse Venema 12
  • 14. Tools - PHP interpreters ○ Taint support for PHP https://wiki.php.net/rfc/taint Author: Wietse Venema ○ CORE Grasp grasp.coresecurity.com/ Author: CoreLabs ○ PHPrevent* cs.virginia.edu/nguyen/phprevent/ Authors: Anh Nguyen-Tuong, Salvatore Guarnieri, Doug Greene, Jeff Shirley, David Evans * Tool was not found in public access 14
  • 15. Tools - PHP extension ○ bytekit https://github.com/Tyrael/bytekit Author: Stefan Esser ○ evalhook php-security.org/2010/05/13/article-decoding-a-user-space-encoded-php-script/index.html Author: Stefan Esser ○ taint pecl.php.net/package/taint Author: Xinchen Hui ○ Dtrace pecl.php.net/package/DTrace Author: Wez Furlong 15
  • 16. Tools - external tools ○ strace - Linux, truss - Solaris/BSD, ktrace - OS X (< 10.5)/BSD ○ DTrace - OS X/Solaris/QNX/BSD ○ SystemTap, LTTng - Linux ○ gdb (use PHP's .gdbinit), any other debugger 16
  • 17. Tools - gdb example
  • 18. Tools - miscellaneous Xdebug +(KCachegrind, PHPUnit, php-code- coverage, NetBeans IDE), XHProf, pfff As well there should exist unknown tools - small, private and unreleased. 18
  • 19. Our choice - PHP extension ○ transparent to web-application - no influence on code and execution path ○ full control over web-application - dump values of variables, trace functions, taint variables, etc. 19
  • 20. Developing PHP extension? ○ no actual documentation - blog-posts, outdated book and couple of chapters: ○ Expert PHP and MySQL - Andrew Curioso, Ronald Bradford, Patrick Galbraith, 2010 (Chapter) ○ Extending and Embedding PHP - Sara Golemon, 2006 ○ Advanced PHP Programming - George Schlossnagle, 2004 (Chapter) ○ may be intimidating to follow PHP changes ○ up-to-date source of information are another extensions source code (Suhosin, bytekit, XDebug) ○ http://lxr.php.net/ - PHP source code search via OpenGrok 20
  • 21. What is a PHP extension capable of? iii. PHP extension capabilities
  • 22. Dissected PHP lifecycle PHP_MINIT_FUNCTION(foobar) { [...] orig_compile_string = zend_compile_string; zend_compile_string = foobar_compile_string; old_execute = zend_execute; zend_execute = foobar_execute; old_zend_execute_internal = zend_execute_internal; zend_execute_internal = foobar_execute_internal; return SUCCESS; } PHP_MSHUTDOWN_FUNCTION(foobar) { [...] zend_compile_string = orig_compile_string; zend_execute = old_execute; zend_execute_internal = old_zend_execute_internal; [...] return SUCCESS; } PHP_RINIT_FUNCTION(foobar) { [...] return SUCCESS; } PHP_RSHUTDOWN_FUNCTION(foobar) { [...] return SUCCESS; } 22
  • 23. Handle function entry and exit Register every executing function and have access to all data functions works with: ○ trace execution path and generate call graph later ○ understand application architecture ○ explore application executed paths and detect yet unexplored areas ○ intercept identifiers when passing data to any function 23
  • 24. Handle function entry and exit // execute_internal() doesn't catch nested internal function calls (calllbacks) static void foobar_execute_internal(zend_execute_data *execute_data_ptr, int return_value_used TSRMLS_DC) { [...] // Here Zend internal functions gets executed // Work with stuff like opcodes, variables, handle function entries. execute_internal(execute_data_ptr, return_value_used TSRMLS_CC); // Here is possible to handle function exits. } static void foobar_execute(zend_op_array *op_array TSRMLS_DC) { [...] // Here user functions gets executed // Work with stuff like opcodes, variables, handle function entries. old_execute(op_array TSRMLS_CC); // Here is possible to handle function exits. } 24
  • 25. Implement functions and classes Implementing own PHP internal classes and functions allow to extend PHP functionality for different use: ○ fighting with bottlenecks, optimize execution time ○ utilize OS-specific functionality ○ extend web-application capabilities ○ provide debugging and profiling facilities 25
  • 26. Work with opcode PHP allows complete control over every opcode: ○ dump opcodes on the fly and observe them later for low-level analysis (e.g. for obfuscated code) ○ set opcode handler for complete control over application 26
  • 27. Work with opcode static void php_taint_register_handlers(TSRMLS_D) { zend_set_user_opcode_handler(ZEND_ECHO, php_taint_echo_handler); [...] } static int php_taint_echo_handler(ZEND_OPCODE_HANDLER_ARGS) { zend_op *opline = execute_data->opline; [...] return ZEND_USER_OPCODE_DISPATCH; } PHP_MINIT_FUNCTION(foobar) { [...] php_taint_register_handlers(TSRMLS_C); return SUCCESS; } 27
  • 28. Hook dynamically evaluated strings Catch every dynamically executed string and log it - see what happens inside of ○ eval(), create_function() ○ assert(), ○ preg_replace() with "e" 28
  • 29. Hook dynamically evaluated strings static zend_op_array *evalhook_compile_string(zval *source_string, char *filename TSRMLS_DC) { [...] len = Z_STRLEN_P(source_string); copy = estrndup(Z_STRVAL_P(source_string), len); [...] return orig_compile_string(source_string, filename TSRMLS_CC); } 29
  • 30. Set Zend extension callbacks Zend provides possibility to set various handlers for more fine-grained control: ○ statement handler, allows: ○ single stepping through code ○ profiling ○ implement stepping debugger ○ function entry/exit handlers ○ op_array manipulation 30
  • 31. Set Zend extension callbacks // Set in our extension // Defined in Zend/zend_extensions.h struct _zend_extension { ZEND_DLEXPORT zend_extension zend_extension_entry = { char *name; "Foobar extension", char *version; char *author; FOOBAR_VERSION, char *URL; "Author", char *copyright; NULL, startup_func_t startup; "Copyright (c)", shutdown_func_t shutdown; NULL, // foobar_zend_startup activate_func_t activate; deactivate_func_t deactivate; NULL, // foobar_zend_shutdown NULL, // activate_func_t message_handler_func_t message_handler; NULL, // deactivate_func_t op_array_handler_func_t op_array_handler; NULL, // message_handler_func_t NULL, // op_array_handler_func_t statement_handler_func_t statement_handler; statement_handler, // statement_handler_func_t fcall_begin_handler_func_t fcall_begin_handler; fcall_end_handler_func_t fcall_end_handler; NULL, // fcall_begin_handler_func_t NULL, // fcall_end_handler op_array_ctor_func_t op_array_ctor; op_array_dtor_func_t op_array_dtor; NULL, // op_array_ctor_func_t NULL, // op_array_dtor_func_t int (*api_no_check)(int api_no); STANDARD_ZEND_EXTENSION_PROPERTIES int (*build_id_check)(const char* build_id); [...] }; }; 31
  • 32. Tasks for PHP extension ○ assist in debugging - XDebug, vld ○ hardening PHP - Suhosin ○ execution time optimization - APC, XCache ○ web-application security evaluation - bytekit, evalhook, taint ○ protective measures - Zend Guard, ionCube ○ etc. 32
  • 33. Introducing PVT iv. PVT extension
  • 34. New PHP dynamic analysis tool Named PVT - PHP Vulnerability Tracer: ○ the idea of PVT is to provide tools to assist in web-application security audit ○ the aim of PVT is to be transparent to web- application, fully-automated, easy to use and highly customizable - achieved via being PHP extension. 34
  • 35. PVT - Swiss knife ○ draws dynamic code execution graphs (allows code navigation) ○ hooks all eval'd strings ○ catches your marker in arguments of function or just every argument in every function ○ can dump chosen or all variables ○ opcode dumper for low-level analysis ○ settings for each module 35
  • 36. PVT - Swiss knife * namings may change later 36
  • 37. Sounds good? ○ may be slow as hell if you switch too many modules or run it on heavy web-application ○ works only on Linux* ○ works only on PHP 5.2/5.3 ○ may be not very comfortable in use - logs are plain text files, needs dot, requires Perl ... 37
  • 38. Statistics Statistics shown are for Wordpress 3.4. (opening simple pages like index.php) Title Time, seconds 1 Without PVT 0.14 2 All modules switched On 16.67 3 dump_ops = On 9.45 4 All modules On except dump_ops 6.45 5 catch_marker = On 4.79 6 dump_vars = On 1.18 7 trace_func = On 0.64 8 eval_hook = On 0.16 38
  • 39. Demo
  • 40. In perspective ○ speed optimization (priority) ○ add variable tracing ○ connect logs and graph ○ data tainting (?) ○ opcode graphs ○ convenient logs management ○ find and eliminate bugs You can help with ideas and bug reports! 40
  • 41. Acknowledgments ○ Stefan Esser ○ Vladimir Vorontsov 41
  • 42. References ○ https://github.com/ax330d/pvt ○ https://wiki.php.net/rfc/taint ○ https://wiki.php.net/internals/references ○ www.smartflow.org/aspis ○ grasp.coresecurity.com/ ○ www.cs.virginia.edu/phprevent/ ○ https://github.com/Tyrael/bytekit ○ http://www.cs.ucsb.edu/~rusvika/papers/ssp08_saner.pdf ○ research.cs.queensu.ca/~cordy/Papers/ACD_WSE09_WAFA.pdf ○ sebastian-bergmann.de/archives/871-bytekit-cli.html ○ solaris.reys.net/dtrace-php-scripts/ ○ solaris.reys.net/debugging-php-with-dtrace-part-2/ ○ https://blogs.oracle.com/shanti/entry/dtrace_support_for_php ○ wezfurlong.org/blog/2005/aug/dtracing-php-on-solaris/ ○ PHP Tainted variables: An idea whose time has come - Wietse Venema, 2008 ○ Static and Dynamic Analysis for PHP Security - V.C.Sreedhar, 2006 ○ Static and Dynamic Analysis at Ning - David Sklar, 2008 ○ Analysing PHP Code - Sebastian Bergmann, 2009 ○ PHP Extension Writing - Marcus Borger, Wez Furlong, Sara Golemon, 2005 42
  • 43. Questions? You can reach me on twitter.com/ax330d, or e-mail to user ax330d on the gmail server.