Dangling References in Multi-configuration and Dynamic PHP-Based Web Applications
Hung Nguyen, Hoan Nguyen, Tung Nguyen, Anh Nguyen, Tien N. Nguyen (Iowa State University, USA)
ASE 2013, Nov 11-15, 2013, Palo Alto, California, USA
Dangling References

// PHP code
if ($page == 'home' && $cmd == 'greetings') {
    $message = 'Hello, world!';
}
if ($page == 'home')
    echo $message;

DANGLING when $page == 'home' and $cmd != 'greetings': $message is read on an execution path on which it was never assigned.
Empirical Study in Web Applications
1. Do dangling references exist? How many types are there?
2. What are the causes of such dangling references?
3. What are the types of failures that they cause?
Case Study 1
ImpressCMS project at rev. 4700

function createPermissionControls() {
    …
    if ($this->targetObject->isNew()) {              // C1
        if (isset($icmsModuleConfig['…'])) {         // C2
            $groups_value = $icmsModuleConfig['…'];
        }
    } else {
        $group_value = $this->targetObject->getGroupPerm(…);
    }
    $groups_select = new XoopsFormSelect(…, $groups_value, 4, true);
    …
}

Dangling reference when (C1 && !C2): $groups_value is undefined when the object is new but the module configuration key is not set.
Case Study 2
PhpFusion project at rev. 2600

// PHP references to form fields (embedded references into the posted HTML form)
$result = dbquery("UPDATE …" . $_POST['news_thumb_w'] …);
$result = dbquery("UPDATE …" . $_POST['news_thumb_h'] …);
$result = dbquery("UPDATE …" . $_POST['news_photo_w'] …);   // dangling
$result = dbquery("UPDATE …" . $_POST['news_photo_h'] …);   // dangling

// HTML form emitted by the same page: the field declarations
echo "…<input … name='news_thumb_w' …/>";
echo "…<input … name='news_thumb_h' …/>";
echo "…<input … name='news_thumb_w' …/>";   // possibly copy-and-paste: no input named news_photo_w is declared
echo "…<input … name='news_thumb_h' …/>";   // possibly copy-and-paste: no input named news_photo_h is declared

Embedded dangling reference: $_POST['news_photo_w'] and $_POST['news_photo_h'] refer to form fields that the emitted HTML never declares.
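The Case Study 2 pattern can be checked mechanically: collect the field names the page emits in its HTML and the keys it reads from the request superglobals, then report reads with no declaration and names declared twice (the copy-and-paste symptom). The following is an added example, not DRC's code and not PhpFusion's source: a regex scan over string literals, which misses names built at run time that DRC's symbolic execution would resolve. `PHP_SAMPLE` is constructed input modelled on the slide.

```python
"""Added example for the Case Study 2 pattern (PHP to HTML): the handler
reads $_POST['x'] but the page never emits an <input name="x">, typically
because a copy-and-pasted form line kept the old name. This is a
constructed, regex-based check over the PHP source's string literals; it
is not DRC's implementation, which resolves the emitted HTML through
symbolic execution so that it also sees names built at run time.

Declarations: form field names in the HTML the page emits.
References:   keys read from $_POST, $_GET or $_REQUEST.
"""
import re
from collections import Counter
from typing import List, Tuple

# <input ... name='field' ...>, also select and textarea
FIELD_RE = re.compile(
    r"<(?:input|select|textarea)\b[^>]*?\bname\s*=\s*['\"]?([\w\[\]]+)", re.I)
# $_POST['field'], $_GET['field'], $_REQUEST['field']
SUPERGLOBAL_RE = re.compile(r"\$_(POST|GET|REQUEST)\[\s*['\"]([\w\[\]]+)['\"]\s*\]")


def html_field_declarations(src: str) -> Counter:
    """Form field names the page emits, with how often each is declared."""
    return Counter(m.group(1) for m in FIELD_RE.finditer(src))


def superglobal_references(src: str) -> List[Tuple[int, str, str]]:
    """(line, superglobal, key) for every request-parameter read."""
    return [(src.count("\n", 0, m.start()) + 1, m.group(1), m.group(2))
            for m in SUPERGLOBAL_RE.finditer(src)]


def dangling_form_references(src: str) -> List[Tuple[int, str]]:
    """Request-parameter reads with no matching form field declaration."""
    declared = html_field_declarations(src)
    return [(line, f"$_{sg}['{key}']")
            for line, sg, key in superglobal_references(src) if key not in declared]


def duplicated_fields(src: str) -> List[str]:
    """Field names emitted more than once: the copy-and-paste symptom that
    produced the dangling references in Case Study 2."""
    return sorted(name for name, n in html_field_declarations(src).items() if n > 1)


# Constructed input modelled on Case Study 2 (not PhpFusion's actual source).
# The unescaped concatenation of $_POST into SQL is kept as on the slide;
# this check looks only at field names.
PHP_SAMPLE = r'''<?php
if (isset($_POST['save'])) {
    dbquery("UPDATE news_settings SET thumb_w='" . $_POST['news_thumb_w'] . "'");
    dbquery("UPDATE news_settings SET thumb_h='" . $_POST['news_thumb_h'] . "'");
    dbquery("UPDATE news_settings SET photo_w='" . $_POST['news_photo_w'] . "'");
    dbquery("UPDATE news_settings SET photo_h='" . $_POST['news_photo_h'] . "'");
}
echo "<form method='post' action='settings.php'>";
echo "Thumbnail width: <input type='text' name='news_thumb_w' value='$thumb_w' />";
echo "Thumbnail height: <input type='text' name='news_thumb_h' value='$thumb_h' />";
echo "Photo width: <input type='text' name='news_thumb_w' value='$photo_w' />";
echo "Photo height: <input type='text' name='news_thumb_h' value='$photo_h' />";
echo "<input type='submit' name='save' value='Save' />";
echo "</form>";
'''

if __name__ == "__main__":
    for line, ref in dangling_form_references(PHP_SAMPLE):
        print(f"line {line}: {ref} has no form field declaration")
    print("duplicated form fields:", duplicated_fields(PHP_SAMPLE))
```

On the sample the two photo reads on lines 5 and 6 are reported as dangling and `news_thumb_w` / `news_thumb_h` as duplicated, which is exactly the slide's "possibly copy-and-paste" diagnosis. Field names that the page assembles from variables or includes will not be seen by this scan; that is the gap the D-Model closes.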
Case Study 3
PhpFusion project at rev. 2600

$result = dbquery("SELECT …, u.user_groups, u.user_joined FROM " . DB_POSTS . " … WHERE p.thread_id='" . $_GET['thread_id'] …);
while ($data = dbarray($result)) {
    …
    echo … showdate("shortdate", $data['user_joined']) …;
    if (time() - $data['user_lastvisit'] < 180)   // dangling: user_lastvisit is not in the SELECT list
        echo "…";
}

Embedded dangling reference from PHP into SQL: $data['user_lastvisit'] reads a column that the query never selects.
Empirical Study

System          Start Date   Candidate   Revs w/       Dangling References
                             Revisions   Dang. Refs    PHP    Embedded (HTML+JS+SQL)
Beehive Forum   04/2002      173         16            18     6
ImpressCMS      12/2007       65         14            19     0
MRBS            05/2000       26         13            29     0
PHP-Fusion      03/2008       42         14            19     7
PhpWiki         06/2000       37         14            21     1
SquirrelMail    11/1999       47         17            23     0
TikiWiki        10/2002       87         15            17     3
All                          477        103           146    17
Causes & Effects

Causes
    Missing instances when renaming entities
    Errors due to copy-and-paste
    Developers used an incorrect or mistyped entity
    Misplaced 'include' statement of a file containing a declaration

Effects
    Fatal errors and crashes
    Security vulnerabilities, input validation bypass
    Incorrect and unexpected behaviors
DRC's Approach to Detect Dangling References

Challenges
    PHP is a dynamic language
    References embedded in PHP code
    Cross-language references
        JavaScript to HTML
        PHP to HTML
        PHP to SQL
Concepts

$script = "<script>function validate() {…}
</script>";
echo $script;
…
if ($lang == 'en')
    $form = "<form … onsubmit='return validate();'>";
else if ($lang == 'de')
    $form = "<form … onsubmit='return validate();'>";
echo $form;

Entity (variable, function, …)
Declaration
Reference
Embedded entity: an entity that exists only inside a PHP string (here the JS function validate and the HTML form)
PHP string
Constraint: the path condition under which a declaration or reference is reached (e.g. $lang == 'en')
Entity Table
DRC's Key Idea

[Figure: Entity Extraction produces PHP Decls/Refs, HTML/JS Decls/Refs and SQL Decls/Refs; Entity Matching over them yields the Dangling Refs]
DRC's Key Idea (example)

Entity Extraction

1  $script = "<script> …
2      return document.loginform.userid != '';
3  </script>";
4  echo $script; …
5  if ($lang == 'en')        // C1
6      $input = "<input name='userid' …>";
7  else if ($lang == 'de')   // C2
8      $input = "<input name='userid' …>";
9  echo $input;

Entity Table
Entity        Type             Decl/Ref   Constraint
userid (L2)   JS Ref to HTML   Ref        TRUE
userid (L6)   HTML input       Decl       C1
userid (L8)   HTML input       Decl       !C1 && C2

Entity Matching
Dangling reference if Constraint(ref) && !Constraint(decl), i.e. C(r) && !(C(d1) || … || C(dn)).
Here TRUE && !(C1 || (!C1 && C2)) = !C1 && !C2: the JavaScript reference to userid is dangling when $lang is neither 'en' nor 'de'.
DRC's Approach

[Figure: S1: PHP Entity Extraction produces PHP Decls/Refs for the Entity Table; S2: Embedded Code Approximation builds the D-Model; S3: HTML/JS Entity Extraction and S4: SQL Entity Extraction run on the D-Model and add HTML/JS Decls/Refs and SQL Decls/Refs to the Entity Table; S5: Entity Matching over the Entity Table reports the Dangling Refs]
S1: PHP Entity Extraction
Using symbolic execution (Nguyen et al., ASE 2011)

1  $script = "<script> …
2      return document.loginform.userid != '';
3  </script>";
4  … if ($lang == 'en')        // C1
5      $input = "<input name='userid' …>";
6  else if ($lang == 'de')     // C2
7      $input = "<input name='userid' …>";
8  echo $input;

Entity Table (PHP entities)
Entity        Type      Decl/Ref   Constraint
$input (L5)   PHP Var   Decl       C1
$input (L7)   PHP Var   Decl       !C1 && C2
$input (L8)   PHP Var   Ref        TRUE
S2: D-Model Representing Client Code

echo '<form name="loginform" …>';
if ($lang == 'en') // C
    $input = 'User ID:' . '<input name="userid" …/>';
else // !C
    $input = 'Benutzer ID:' . '<input name="userid" …/>';
echo $input;
echo '</form>';

Symbolic execution of the output yields the D-Model, a tree of the strings the page can emit:

[Figure: CONCAT node with three children: the literal '<form name="loginform" …>'; a SELECT node whose branch C is CONCAT('User ID: ', '<input name="userid" …/>') and whose branch !C is CONCAT('Benutzer ID: ', '<input name=…/>'); and the literal '</form>'. Literal nodes hold emitted text; SELECT nodes carry the branch constraints.]
S3: HTML Parsing on D-Model

[Figure: the literal nodes of the D-Model are tokenized in place into HTML nodes (OpenTag <form …>, AttrName name, AttrVal userid, Text "User ID:" / "Benutzer ID:", CloseTag </form>); tokens under each SELECT branch keep that branch's constraint (C or !C), so every extracted HTML entity carries the path condition under which it is emitted.]

HTML/JS Entity Extraction

Entity Table (HTML entities)
Entity   Type         Decl/Ref   Constraint
userid   HTML input   Decl       C
userid   HTML input   Decl       !C
S4: SQL Entity Extraction

L1: $result = mysql_query("SELECT type FROM products WHERE pid = …");
L2: $product = mysql_fetch_array($result);
L3: $result = mysql_query("SELECT name, type FROM vendors WHERE vid = …");
L4: $vendor = mysql_fetch_array($result);
L5: echo 'Product Type: ' . $product['type']
L6:    . 'Vendor Type: ' . $vendor['type'];

Entity Table (SQL entities)
Entity Name   Type   Decl/Ref   SQL query   Constraint
type (L1)     SQL    Decl       L1          TRUE
type (L3)     SQL    Decl       L3          TRUE
type (L5)     SQL    Ref        L1          TRUE
type (L6)     SQL    Ref        L3          TRUE

Each reference is matched against the query whose result array it reads from, so the two columns named type are kept apart.
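The SQL column matching above, together with the Case Study 3 pattern, as an added example (not DRC's code): declarations are the columns a SELECT produces, references are the `$row['col']` reads on the array fetched from that query, and a result variable reassigned to a later query is tracked in source order. This is a constructed, regex-based approximation that only understands queries written as one string literal; DRC works on the D-Model built by symbolic execution and so also sees queries built by concatenation. `PHP_SAMPLE`, `dbquery` and `dbarray` usage below are constructed input modelled on the slides.

```python
"""Added example for the SQL Entity Extraction slide and Case Study 3:
declarations are the columns a SELECT produces, references are the
$row['col'] reads on the array fetched from that query. This is a
constructed, regex-based approximation and not DRC's code: it handles
queries written as one string literal, whereas DRC extracts them from the
D-Model built by symbolic execution and so also sees concatenated queries.
"""
import re
from typing import Dict, List, Optional, Set, Tuple

# $result = mysql_query("SELECT ...");  (dbquery is PHP-Fusion's wrapper)
QUERY_RE = re.compile(
    r"\$(\w+)\s*=\s*(?:mysql_query|dbquery)\(\s*(['\"])(SELECT\b.*?)\2", re.I | re.S)
# $row = mysql_fetch_array($result);  also matches inside while (...)
FETCH_RE = re.compile(
    r"\$(\w+)\s*=\s*(?:mysql_fetch_array|mysql_fetch_assoc|dbarray)\(\s*\$(\w+)\s*\)", re.I)
# $row['col']
REF_RE = re.compile(r"\$(\w+)\[\s*['\"](\w+)['\"]\s*\]")


def select_columns(sql: str) -> Optional[Set[str]]:
    """Column names a SELECT declares, or None when they cannot be known
    statically (SELECT * or no FROM clause)."""
    m = re.match(r"\s*SELECT\s+(?:DISTINCT\s+)?(.*?)\s+FROM\b", sql, re.I | re.S)
    if m is None:
        return None
    cols: Set[str] = set()
    for item in m.group(1).split(","):
        item = item.strip()
        if item == "*" or item.endswith(".*"):
            return None  # wildcard: every column of the table is declared
        alias = re.search(r"\bAS\s+(\w+)$", item, re.I)
        if alias:
            cols.add(alias.group(1))
            continue
        # "u.user_joined" -> user_joined; "u.user_joined joined" -> joined
        cols.add(item.split()[-1].split(".")[-1])
    return cols


def find_dangling(php_src: str) -> List[Tuple[int, str]]:
    """Return (line, reference) for every $row['col'] whose column is not
    declared by the query $row was fetched from. Statements are processed
    in source order, so a reassigned $result picks up the newer query."""
    events = []
    for m in QUERY_RE.finditer(php_src):
        events.append((m.start(), "query", m.group(1), select_columns(m.group(3))))
    for m in FETCH_RE.finditer(php_src):
        events.append((m.start(), "fetch", m.group(1), m.group(2)))
    for m in REF_RE.finditer(php_src):
        events.append((m.start(), "ref", m.group(1), m.group(2)))
    events.sort(key=lambda e: e[0])

    result_cols: Dict[str, Optional[Set[str]]] = {}   # $result -> declared columns
    row_cols: Dict[str, Optional[Set[str]]] = {}      # $row -> declared columns
    dangling: List[Tuple[int, str]] = []
    for pos, kind, a, b in events:
        if kind == "query":
            result_cols[a] = b
        elif kind == "fetch":
            row_cols[a] = result_cols.get(b)
        elif a in row_cols:                 # only arrays that came from a query
            cols = row_cols[a]
            if cols is not None and b not in cols:
                line = php_src.count("\n", 0, pos) + 1
                dangling.append((line, f"${a}['{b}']"))
    return dangling


# Constructed input modelled on the slide and Case Study 3 (not PhpFusion's source)
PHP_SAMPLE = r'''<?php
$result = mysql_query("SELECT type FROM products WHERE pid = 1");
$product = mysql_fetch_array($result);
$result = mysql_query("SELECT name, type FROM vendors WHERE vid = 2");
$vendor = mysql_fetch_array($result);
echo 'Product Type: ' . $product['type'] . ' Vendor Type: ' . $vendor['type'];
echo $vendor['name'] . ' / ' . $product['name'];   // products query declares no name column
$result = dbquery("SELECT p.post_message, u.user_groups, u.user_joined FROM posts p JOIN users u ON u.user_id = p.post_author WHERE p.thread_id = 7");
while ($data = dbarray($result)) {
    echo showdate("shortdate", $data['user_joined']);
    if (time() - $data['user_lastvisit'] < 180) echo "online";   // column never selected
}
'''

if __name__ == "__main__":
    for line, ref in find_dangling(PHP_SAMPLE):
        print(f"line {line}: {ref} reads a column its query does not select")
```

On the sample the two reads of `type` on line 6 resolve to different queries and are both fine, while `$product['name']` (line 7) and `$data['user_lastvisit']` (line 11) are reported. A `SELECT *` yields an unknown column set and is skipped rather than reported, which is the conservative choice for a static check.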
S5: Entity Matching

Entity   Type      Decl/Ref   Constraint
$form    PHP Var   Decl       $lang == 'en'
$form    PHP Var   Decl       !($lang == 'en') && $lang == 'de'
$form    PHP Var   Ref        TRUE

Given a reference r with constraint C(r):
    Identify declarations d1, d2, …, dn and their constraints C(d1), …, C(dn)
    Condition for a dangling reference: C(r) ∧ ¬(C(d1) ∨ C(d2) ∨ … ∨ C(dn))
    Predicates are transformed into boolean formulas over atomic conditions: !($lang == 'en') && ($lang == 'de') becomes !C1 && C2

[Figure: Venn diagram over all execution paths; the region inside C(r) but outside C(d1) ∪ C(d2) is where r is dangling]
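The matching condition made concrete, as an added example that is not DRC's implementation: constraints are predicates over the atomic branch conditions (C1, C2, …), every assignment to the atoms is enumerated, and the assignments on which C(r) holds but no C(di) does are the dangling region of the Venn diagram. The three cases are the $form entity table above, the $groups_value case from Case Study 1 (treating the else-branch assignment as a declaration of the same variable, which the slide's stated condition C1 && !C2 assumes), and a constructed case that shows the "dependent constraints" false positive listed under Incorrect/Missing Cases and how an invariant over the atoms removes it.

```python
"""Entity matching as stated on the slide: reference r is dangling on the
execution paths where C(r) holds and none of C(d1) ... C(dn) holds.

Constraints are Python predicates over an environment that assigns a
truth value to each atomic branch condition (C1, C2, ...). Enumerating
every assignment is exact for the handful of conditions in one function
and makes the "region where r is dangling" from the Venn diagram concrete.
An optional invariant rules out assignments that cannot occur together,
which is the "dependent constraints" failure mode listed under
Incorrect/Missing Cases. Constructed example; not DRC's implementation.
"""
from itertools import product
from typing import Callable, Dict, Iterable, List

Env = Dict[str, bool]
Constraint = Callable[[Env], bool]


def TRUE(_: Env) -> bool:
    """Constraint of a declaration or reference reached on every path."""
    return True


def dangling_region(ref: Constraint, decls: Iterable[Constraint],
                    atoms: List[str], invariant: Constraint = TRUE) -> List[Env]:
    """Return the assignments where C(r) && !(C(d1) || ... || C(dn)) holds.

    An empty list means r is never dangling; each returned environment is
    one combination of branch outcomes on which the reference has no
    reaching declaration.
    """
    decls = list(decls)
    region: List[Env] = []
    for values in product([False, True], repeat=len(atoms)):
        env = dict(zip(atoms, values))
        if not invariant(env):
            continue  # impossible combination of conditions; do not report it
        if ref(env) and not any(d(env) for d in decls):
            region.append(env)
    return region


def example_form() -> List[Env]:
    """$form from the Concepts slide: declared under C1 ($lang == 'en') and
    under !C1 && C2 ($lang == 'de'), referenced unconditionally.
    Expected region: C1 false and C2 false, i.e. $lang is neither value."""
    decls = [lambda e: e["C1"], lambda e: (not e["C1"]) and e["C2"]]
    return dangling_region(TRUE, decls, ["C1", "C2"])


def example_groups_value() -> List[Env]:
    """$groups_value from Case Study 1: the inner assignment is reached only
    under C1 && C2; the else branch (!C1) is treated as declaring it too,
    which is what the slide's stated condition (C1 && !C2) assumes."""
    decls = [lambda e: e["C1"] and e["C2"], lambda e: not e["C1"]]
    return dangling_region(TRUE, decls, ["C1", "C2"])


def example_dependent(use_invariant: bool) -> List[Env]:
    """Constructed case for dependent constraints, with A = ($lang == 'en')
    and B = ($lang == 'de') encoded as independent atoms:

        if ($lang != 'de') $greeting = 'Hello';   // declaration under !B
        if ($lang == 'en') echo $greeting;        // reference under A

    A naive match reports A && B as a dangling region, but $lang cannot
    equal both strings; passing that fact as an invariant removes the
    false positive.
    """
    decls = [lambda e: not e["B"]]
    ref = lambda e: e["A"]
    invariant = (lambda e: not (e["A"] and e["B"])) if use_invariant else TRUE
    return dangling_region(ref, decls, ["A", "B"], invariant)


if __name__ == "__main__":
    print("form:", example_form())
    print("groups_value:", example_groups_value())
    print("dependent, naive:", example_dependent(False))
    print("dependent, with invariant:", example_dependent(True))
```

Enumeration is exponential in the number of atoms, which is fine for the branch conditions of one function but not for whole-program constraints; the slide's transformation of predicates into boolean formulas is what makes a SAT-style check over larger formulas possible. Note how the else-if encoding (!C1 && C2) already carries the mutual exclusion of the two branches, so the invariant is only needed when two separately written conditions range over the same variable.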
Evaluation

Evaluation Results

System         Correct   Incorrect   Missing   Precision   Recall   New
BeehiveForum   22        12          4         65%         85%      2
ImpressCMS     25        12          2         68%         93%      8
MRBS           50        14          5         78%         91%      26
PHP-Fusion     51        23          0         69%         100%     25
PhpWiki        24        6           5         80%         83%      7
SquirrelMail   26        8           4         76%         87%      7
TikiWiki       26        8           4         76%         87%      7
All            221       91          25        71%         89%      83

Precision = Correct / (Correct + Incorrect); Recall = Correct / (Correct + Missing).
Full results: http://home.engineering.iastate.edu/~hungnv/Research/DRC/
Incorrect/Missing Cases
    Dependent constraints
    Approximation due to symbolic execution
    Declarations created dynamically
Conclusion
    Findings on dangling PHP and embedded references
    DRC tool to detect dangling references with high accuracy, matching PHP, HTML, JS and SQL entities to report dangling references

Tool demo: http://home.engineering.iastate.edu/~hungnv/Research/DRC/