Page 1: Dangling References in Multi-configuration and Dynamic PHP ...

Dangling References in Multi-configuration and Dynamic PHP-Based Web Applications

Hung Nguyen, Hoan Nguyen, Tung Nguyen, Anh Nguyen, Tien N. Nguyen
Iowa State University, USA

ASE 2013, Nov 11-15, 2013, Palo Alto, California, USA

Page 2: Dangling References in Multi-configuration and Dynamic PHP ...

Dangling References

// PHP code
if ($page == 'home' && $cmd == 'greetings') {
    $message = 'Hello, world!';
}

if ($page == 'home')
    echo $message;

DANGLING when $page == 'home' and $cmd != 'greetings'

Page 3: Dangling References in Multi-configuration and Dynamic PHP ...

Empirical Study in Web Applications

1. Do dangling references exist? How many types are there?

2. What are the causes of such dangling references?

3. What are the types of failures that they cause?


Page 4: Dangling References in Multi-configuration and Dynamic PHP ...

Case Study 1: ImpressCMS project at rev. 4700

function createPermissionControls() {
    ...
    if ($this->targetObject->isNew()) {                    // C1
        if (isset($icmsModuleConfig['...'])) {             // C2
            $groups_value = $icmsModuleConfig['...'];
        }
    } else {
        $group_value = $this->targetObject->getGroupPerm(...);
    }
    $groups_select = new XoopsFormSelect(..., $groups_value, 4, true);
    ...
}

$groups_value is undefined when (C1 && !C2): dangling reference when (C1 && !C2)

Page 5: Dangling References in Multi-configuration and Dynamic PHP ...

Case Study 2: PhpFusion project at rev. 2600

$result = dbquery("UPDATE ..." . $_POST['news_thumb_w'] ...);
$result = dbquery("UPDATE ..." . $_POST['news_thumb_h'] ...);

echo "...<input ... name='news_thumb_w' .../>";
echo "...<input ... name='news_thumb_h' .../>";
echo "...<input ... name='news_thumb_w' .../>";
echo "...<input ... name='news_thumb_h' .../>";

$result = dbquery("UPDATE ..." . $_POST['news_photo_w'] ...);   // dangling
$result = dbquery("UPDATE ..." . $_POST['news_photo_h'] ...);   // dangling

Embedded dangling references (possibly copy-and-paste): $_POST['news_photo_w'] and $_POST['news_photo_h'] have no matching <input> name in the emitted form.

Page 6: Dangling References in Multi-configuration and Dynamic PHP ...

Case Study 3: PhpFusion project at rev. 2600

$result = dbquery("SELECT ..., u.user_groups, u.user_joined FROM " . DB_POSTS . " ... WHERE p.thread_id='" . $_GET['thread_id'] ...
);

while ($data = dbarray($result)) {
    ...
    echo ... showdate("shortdate", $data['user_joined']) ...;
    if (time() - $data['user_lastvisit'] < 180)     // dangling: user_lastvisit is not selected by the query
        echo "...";
}

Page 7: Dangling References in Multi-configuration and Dynamic PHP ...

Empirical Study

System          Start Date   Candidate   Revs w/       Dangling References
                             Revisions   Dang. Refs    PHP    Embedded (HTML+JS+SQL)
Beehive Forum   04/2002        173         16           18     6
ImpressCMS      12/2007         65         14           19     0
MRBS            05/2000         26         13           29     0
PHP-Fusion      03/2008         42         14           19     7
PhpWiki         06/2000         37         14           21     1
SquirrelMail    11/1999         47         17           23     0
TikiWiki        10/2002         87         15           17     3
All                            477        103          146    17

Page 8: Dangling References in Multi-configuration and Dynamic PHP ...

Causes & Effects

Causes:
- Missing instances when renaming entities
- Errors due to copy-and-paste
- Developers used an incorrect or mistyped entity
- Misplaced 'include' statement of a file containing a declaration

Effects:
- Fatal errors and crashes
- Security vulnerabilities, input validation bypass
- Incorrect and unexpected behaviors

Page 9: Dangling References in Multi-configuration and Dynamic PHP ...

DRC's Approach to Detect Dangling References

Page 10: Dangling References in Multi-configuration and Dynamic PHP ...

Challenges

- PHP is a dynamic language
- References embedded in PHP code
- Cross-language references:
  - JavaScript to HTML
  - PHP to HTML
  - PHP to SQL

Page 11: Dangling References in Multi-configuration and Dynamic PHP ...

Concepts

$script = "<script>function validate() {...}
</script>";
echo $script;
...
if ($lang == 'en')
    $form = "<form ... onsubmit='return validate();'>";
else if ($lang == 'de')
    $form = "<form ... onsubmit='return validate();'>";
echo $form;

Concepts illustrated by the snippet:
- Entity (variable, function, ...): e.g. $form, validate
- Declaration: e.g. the assignments to $form, the definition of validate()
- Reference: e.g. echo $form, the call to validate() in the onsubmit attribute
- Embedded entity: an entity declared or referenced inside client-side code
- PHP string: the string literal that carries the embedded code
- Constraint: the condition under which a declaration or reference is reached (e.g. $lang == 'en')

Page 12: Dangling References in Multi-configuration and Dynamic PHP ...

DRC's Key Idea

Entity Extraction → Entity Table (PHP Decls/Refs, HTML/JS Decls/Refs, SQL Decls/Refs) → Entity Matching → Dangling Refs

Page 13: Dangling References in Multi-configuration and Dynamic PHP ...

DRC's Key Idea

1  $script = "<script> ...
2      return document.loginform.userid != '';
3  </script>";
4  echo $script; ...
5  if ($lang == 'en')            // C1
6      $input = "<input name = 'userid' ...>";
7  else if ($lang == 'de')       // C2
8      $input = "<input name = 'userid' ...>";
9  echo $input;

Entity Extraction:

Entity        Type             Decl/Ref   Constraint
userid (L2)   JS ref to HTML   Ref        TRUE
userid (L6)   HTML input       Decl       C1
userid (L8)   HTML input       Decl       !C1 && C2

Entity Matching: dangling reference if Constraint(ref) && !Constraint(decl) → Dangling Refs

Page 14: Dangling References in Multi-configuration and Dynamic PHP ...

DRC's Approach

Entity Extraction → Entity Table (PHP Decls/Refs, HTML/JS Decls/Refs, SQL Decls/Refs) → Entity Matching → Dangling Refs

Page 15: Dangling References in Multi-configuration and Dynamic PHP ...

DRC's Approach

  S1: PHP Entity Extraction        → PHP Decls/Refs (Entity Table)
  S2: Embedded Code Approximation  → D-Model
  S3: HTML/JS Entity Extraction    → HTML/JS Decls/Refs (Entity Table, from the D-Model)
  S4: SQL Entity Extraction        → SQL Decls/Refs (Entity Table, from the D-Model)
  Entity Matching                  → Dangling Refs

Page 16: Dangling References in Multi-configuration and Dynamic PHP ...

DRC's Approach

  S1: PHP Entity Extraction        → PHP Decls/Refs (Entity Table)
  S2: Embedded Code Approximation  → D-Model
  S3: HTML/JS Entity Extraction    → HTML/JS Decls/Refs (Entity Table, from the D-Model)
  S4: SQL Entity Extraction        → SQL Decls/Refs (Entity Table, from the D-Model)
  S5: Entity Matching              → Dangling Refs

Page 17: Dangling References in Multi-configuration and Dynamic PHP ...

PHP Entity Extraction

Using symbolic execution (Nguyen et al., ASE 2011)

1  $script = "<script> ...
2      return document.loginform.userid != '';
3  </script>"; ...
4  if ($lang == 'en')            // C1
5      $input = "<input name = 'userid' ...>";
6  else if ($lang == 'de')       // C2
7      $input = "<input name = 'userid' ...>";
8  echo $input;

Entity        Type      Decl/Ref   Constraint
$input (L5)   PHP Var   Decl       C1
$input (L7)   PHP Var   Decl       !C1 && C2
$input (L8)   PHP Var   Ref        TRUE

Page 18: Dangling References in Multi-configuration and Dynamic PHP ...

DRC's Approach (overview diagram, repeated from Page 16: S1 PHP Entity Extraction, S2 Embedded Code Approximation, S3 HTML/JS Entity Extraction, S4 SQL Entity Extraction, S5 Entity Matching)

Page 19: Dangling References in Multi-configuration and Dynamic PHP ...

D-Model Representing Client Code

echo '<form name="loginform" ...>';
if ($lang == 'en')   // C
    $input = 'User ID:' . '<input name="userid" .../>';
else                 // !C
    $input = 'Benutzer ID:' . '<input name="userid" .../>';
echo $input;
echo '</form>';

Symbolic execution of the output yields the D-Model (a Literal node holds a string fragment, CONCAT joins fragments in order, SELECT holds the alternatives of a branch together with their constraints):

  CONCAT
  ├── Literal: <form name="loginform" ...>
  ├── SELECT
  │   ├── [C]  CONCAT: User ID:      <input name="userid" .../>
  │   └── [!C] CONCAT: Benutzer ID:  <input name=.../>
  └── Literal: </form>

Page 20: Dangling References in Multi-configuration and Dynamic PHP ...

DRC's Approach (overview diagram, repeated from Page 16: S1 PHP Entity Extraction, S2 Embedded Code Approximation, S3 HTML/JS Entity Extraction, S4 SQL Entity Extraction, S5 Entity Matching)

Page 21: Dangling References in Multi-configuration and Dynamic PHP ...

HTML Parsing on D-Model

The D-Model of the previous slide is parsed into HTML tokens; each token keeps the constraint of the branch it comes from:

  OpenTag    <form ...>                                     TRUE
  Text       User ID:                                       C
  OpenTag    <input    AttrName name    AttrVal userid      C
  Text       Benutzer ID:                                   !C
  OpenTag    <input    AttrName name    AttrVal userid      !C
  CloseTag   </form>                                        TRUE

Page 22: Dangling References in Multi-configuration and Dynamic PHP ...

HTML/JS Entity Extraction

Extract entities from the parsed tokens:

Entity   Type         Decl/Ref   Constraint
userid   HTML input   Decl       C
userid   HTML input   Decl       !C
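Stages S2 and S3 on the last three slides, worked through in code. This is an added Python example and not the DRC tool's implementation: a small D-Model (Literal, Concat and Select nodes, as on the "D-Model Representing Client Code" slide) is flattened into ordered text segments that each carry the path constraint of the branch they come from, and HTML input declarations and JavaScript references to form fields are extracted from the inlined text and tagged with the constraint of the segment they start in. The node classes, the helper names (`flatten`, `extract_entities`), the regular expressions and the sample model are assumptions constructed for this example; the sample follows the snippet of the "DRC's Key Idea" slide.

```python
"""D-Model of client-side output and HTML/JS entity extraction (added example)."""
import re
from bisect import bisect_right
from dataclasses import dataclass
from typing import List, Tuple

Constraint = Tuple[str, ...]   # conjunction of literals, e.g. ("!C1", "C2"); () is TRUE


@dataclass
class Literal:        # a string fragment emitted to the client
    text: str


@dataclass
class Concat:         # fragments emitted one after another
    parts: list


@dataclass
class Select:         # alternatives of a branch: [(literal, node)]
    branches: list


def flatten(node, constraint: Constraint = ()) -> List[Tuple[str, Constraint]]:
    """Inline every branch in source order; each text segment keeps the
    conjunction of branch literals on the path that reaches it."""
    if isinstance(node, Literal):
        return [(node.text, constraint)]
    if isinstance(node, Concat):
        return [seg for part in node.parts for seg in flatten(part, constraint)]
    if isinstance(node, Select):
        return [seg for lit, child in node.branches
                for seg in flatten(child, constraint + (lit,))]
    raise TypeError(f"unknown D-Model node {node!r}")


INPUT_DECL = re.compile(r"""<input\b[^>]*\bname\s*=\s*['"]([^'"]+)['"]""", re.I)
SCRIPT = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
JS_FIELD_REF = re.compile(r"document\.(\w+)\.(\w+)")   # document.<form>.<field>


def extract_entities(model):
    """Return entity rows (name, type, 'Decl'|'Ref', constraint) for the model."""
    segments = flatten(model)
    text, starts = "", []          # starts[i] = offset of segment i in `text`
    for seg_text, _ in segments:
        starts.append(len(text))
        text += seg_text

    def constraint_at(pos: int) -> str:
        # the entity inherits the constraint of the segment its match starts in
        i = bisect_right(starts, pos) - 1
        return " && ".join(segments[i][1]) or "TRUE"

    rows = []
    for m in INPUT_DECL.finditer(text):          # <input name="..."> declares a field
        rows.append((m.group(1), "HTML input", "Decl", constraint_at(m.start())))
    for block in SCRIPT.finditer(text):          # JS inside <script> refers to fields
        for m in JS_FIELD_REF.finditer(block.group(1)):
            pos = block.start(1) + m.start()
            rows.append((m.group(2), "JS ref to HTML input", "Ref", constraint_at(pos)))
    return rows


# Constructed after the slide's snippet. The else-if chain leaves $input
# undefined when neither C1 nor C2 holds, so the inner Select has no branch
# for that path and emits nothing there.
SAMPLE_MODEL = Concat([
    Literal("<script> ... return document.loginform.userid != ''; </script>"),
    Select([
        ("C1", Literal("<input name='userid' ...>")),                       # $lang == 'en'
        ("!C1", Select([("C2", Literal("<input name='userid' ...>"))])),    # else if $lang == 'de'
    ]),
])

if __name__ == "__main__":
    for row in extract_entities(SAMPLE_MODEL):
        print(row)
```

Inlining all branches in order is only an approximation of the token-level parse the "HTML Parsing on D-Model" slide describes: it attributes each entity to the segment where its match starts, which is exact as long as the attribute naming the entity lies inside one fragment, but a name built from fragments of different branches would need the token-based parse instead.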

Page 23: Dangling References in Multi-configuration and Dynamic PHP ...

DRC's Approach (overview diagram, repeated from Page 16: S1 PHP Entity Extraction, S2 Embedded Code Approximation, S3 HTML/JS Entity Extraction, S4 SQL Entity Extraction, S5 Entity Matching)

Page 24: Dangling References in Multi-configuration and Dynamic PHP ...

SQL Entity Extraction

L1: $result = mysql_query("SELECT type FROM products WHERE pid = ...");
L2: $product = mysql_fetch_array($result);
L3: $result = mysql_query("SELECT name, type FROM vendors WHERE vid = ...");
L4: $vendor = mysql_fetch_array($result);
L5: echo 'Product Type: ' . $product['type']
L6:    . 'Vendor Type: ' . $vendor['type'];

Extract entities:

Entity Name   Type   Decl/Ref   SQL query   Constraint
type (L1)     SQL    Decl       L1          TRUE
type (L3)     SQL    Decl       L3          TRUE
type (L5)     SQL    Ref        L1          TRUE
type (L6)     SQL    Ref        L3          TRUE
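The SQL extraction of this slide, applied to the slide's snippet together with the Case Study 3 pattern, as an added Python example that is not DRC's code. It extracts the column names each SELECT declares with a small regex-based parser, ties each result set to the PHP array variable filled from it (in source order, so a reassigned $result maps to the right query), and checks every `$var['col']` reference against the declared columns. The helper names, the regular expressions and the PHP sample are assumptions constructed for this example; the sample's concrete column names and the `WHERE` literals stand in for the slide's "...".

```python
"""SQL entity extraction and matching of PHP result-array references (added example)."""
import re

SELECT_LIST = re.compile(r"SELECT\s+(.*?)\s+FROM\b", re.I | re.S)
QUERY_ASSIGN = re.compile(r"""\$(\w+)\s*=\s*(?:mysql_query|dbquery)\(\s*(['"])(.*?)\2""", re.S)
FETCH_ASSIGN = re.compile(r"\$(\w+)\s*=\s*(?:mysql_fetch_array|dbarray)\(\s*\$(\w+)\s*\)")
COLUMN_REF = re.compile(r"""\$(\w+)\[\s*['"](\w+)['"]\s*\]""")


def declared_columns(query):
    """Result-column names a SELECT declares (handles t.col, col AS alias and
    backticks), or None for `SELECT *`. Commas inside function calls are not
    handled; that is a deliberate simplification of this example."""
    m = SELECT_LIST.search(query)
    if not m:
        return set()
    cols = set()
    for item in m.group(1).split(","):
        item = item.strip()
        if item == "*" or item.endswith(".*"):
            return None          # unknown width: treat every reference as declared
        alias = re.search(r"\s+AS\s+(\w+)$", item, re.I)
        name = alias.group(1) if alias else item.split(".")[-1]
        cols.add(name.strip("`"))
    return cols


def extract_sql_entities(php):
    """Scan the snippet in source order. Returns (table, dangling): table rows
    are (name, 'SQL', 'Decl'|'Ref', query_line); dangling lists
    (column, ref_line, query_line) for references to columns the query
    feeding that array never selected."""
    events = []
    for m in QUERY_ASSIGN.finditer(php):
        events.append((m.start(), "query", m.group(1), m.group(3)))
    for m in FETCH_ASSIGN.finditer(php):
        events.append((m.start(), "fetch", m.group(1), m.group(2)))
    for m in COLUMN_REF.finditer(php):
        events.append((m.start(), "ref", m.group(1), m.group(2)))
    events.sort()
    line_of = lambda pos: php.count("\n", 0, pos) + 1

    result_cols, array_cols = {}, {}   # $result -> (cols, line); $row -> (cols, line)
    table, dangling = [], []
    for pos, kind, a, b in events:
        line = line_of(pos)
        if kind == "query":                      # $a = mysql_query("b")
            cols = declared_columns(b)
            result_cols[a] = (cols, line)
            for c in sorted(cols or ()):
                table.append((c, "SQL", "Decl", line))
        elif kind == "fetch":                    # $a = mysql_fetch_array($b)
            if b in result_cols:
                array_cols[a] = result_cols[b]
        else:                                    # $a['b']
            if a not in array_cols:
                continue                         # not a result array (e.g. $_POST): out of scope here
            cols, qline = array_cols[a]
            table.append((b, "SQL", "Ref", qline))
            if cols is not None and b not in cols:
                dangling.append((b, line, qline))
    return table, dangling


# Constructed sample: the slide's snippet (lines 1-6) followed by a loop in the
# shape of Case Study 3, where user_lastvisit is read but never selected.
SAMPLE_PHP = """$result = mysql_query("SELECT type FROM products WHERE pid = 1");
$product = mysql_fetch_array($result);
$result = mysql_query("SELECT name, type FROM vendors WHERE vid = 2");
$vendor = mysql_fetch_array($result);
echo 'Product Type: ' . $product['type']
   . 'Vendor Type: ' . $vendor['type'];
$result = dbquery("SELECT p.post_id, u.user_groups, u.user_joined FROM " . DB_POSTS . " WHERE p.thread_id='1'");
while ($data = dbarray($result)) {
    echo showdate("shortdate", $data['user_joined']);
    if (time() - $data['user_lastvisit'] < 180) echo "...";
}"""

if __name__ == "__main__":
    table, dangling = extract_sql_entities(SAMPLE_PHP)
    for row in table:
        print(row)
    print("dangling:", dangling)
```

The scan is flow-insensitive beyond source order, which is enough for the slide's straight-line code; branches that assign `$result` differently would need the same per-path constraints the PHP and HTML extraction stages carry.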

Page 25: Dangling References in Multi-configuration and Dynamic PHP ...

DRC's Approach (overview diagram, repeated from Page 16: S1 PHP Entity Extraction, S2 Embedded Code Approximation, S3 HTML/JS Entity Extraction, S4 SQL Entity Extraction, S5 Entity Matching)

Page 26: Dangling References in Multi-configuration and Dynamic PHP ...

Entity Matching

Entity   Type      Decl/Ref   Constraint
$form    PHP Var   Decl       $lang == 'en'
$form    PHP Var   Decl       !($lang == 'en') && $lang == 'de'
$form    PHP Var   Ref        TRUE

(Venn diagram: the reference covers all execution paths; the declarations cover the regions $lang == 'en' and !($lang == 'en') && $lang == 'de'.)

Page 27: Dangling References in Multi-configuration and Dynamic PHP ...

Entity Matching

Given a reference r with constraint C(r):
- Identify declarations d1, d2, ..., dn and their constraints
- Condition for a dangling reference: C(r) ∧ ¬(C(d1) ∨ C(d2) ∨ ... ∨ C(dn))
- Transform predicates into boolean formulas: !($lang == 'en') && ($lang == 'de') → !C1 && C2

(Venn diagram: over all execution paths, the part of C(r) outside C(d1) ∪ C(d2) is the region where r is dangling.)
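The matching condition above, applied to the $message reference of the "Dangling References" slide and to the $form entity of the previous slide. This is an added Python example and not the DRC tool's own code. Constraints are modelled the way symbolic execution produces them, as conjunctions of boolean atoms (C1, C2, ...) with the empty conjunction standing for TRUE, and the dangling region is found by enumerating every truth assignment of the atoms, which is exact for the formula and cheap at this size. The atom names, the two entity tables and the helper names are assumptions constructed after the slides' examples.

```python
"""Entity matching: r is dangling where C(r) AND NOT (C(d1) OR ... OR C(dn)) (added example)."""
from itertools import product
from typing import Dict, List, Tuple

Constraint = Dict[str, bool]      # {"C1": True, "C2": False} means C1 && !C2
TRUE: Constraint = {}
Entity = Tuple[str, str, str, Constraint]   # (name, type, "Decl"|"Ref", constraint)


def satisfies(path: Dict[str, bool], constraint: Constraint) -> bool:
    """A conjunction holds on a path when every literal agrees with it."""
    return all(path[atom] == value for atom, value in constraint.items())


def dangling_region(c_ref: Constraint, c_decls: List[Constraint], atoms: List[str]):
    """All execution paths (truth assignments over `atoms`) inside
    C(r) AND NOT (C(d1) OR ... OR C(dn))."""
    region = []
    for values in product([False, True], repeat=len(atoms)):
        path = dict(zip(atoms, values))
        if satisfies(path, c_ref) and not any(satisfies(path, d) for d in c_decls):
            region.append(path)
    return region


def match_entities(table: List[Entity], atoms: List[str]):
    """For each Ref row, collect the Decl rows with the same name and type and
    compute where the reference is dangling. Returns {(name, type): [paths]}
    holding only the references that are dangling on some path."""
    report = {}
    for name, etype, kind, c_ref in table:
        if kind != "Ref":
            continue
        c_decls = [c for n, t, k, c in table if k == "Decl" and (n, t) == (name, etype)]
        region = dangling_region(c_ref, c_decls, atoms)
        if region:
            report[(name, etype)] = region
    return report


def describe(path: Dict[str, bool]) -> str:
    """Render a path as a conjunction of literals, e.g. 'C1 && !C2'."""
    return " && ".join(a if v else "!" + a for a, v in sorted(path.items()))


# "Dangling References" slide: C1 = ($page == 'home'), C2 = ($cmd == 'greetings').
# $message is assigned only under C1 && C2 but read under C1.
MESSAGE_TABLE: List[Entity] = [
    ("$message", "PHP Var", "Decl", {"C1": True, "C2": True}),
    ("$message", "PHP Var", "Ref", {"C1": True}),
]
# Entity Matching slides: C1 = ($lang == 'en'), C2 = ($lang == 'de').
# $form is assigned under C1 or under !C1 && C2 and echoed unconditionally.
FORM_TABLE: List[Entity] = [
    ("$form", "PHP Var", "Decl", {"C1": True}),
    ("$form", "PHP Var", "Decl", {"C1": False, "C2": True}),
    ("$form", "PHP Var", "Ref", TRUE),
]


def run_examples():
    """Dangling regions of both sample entities, rendered as formulas."""
    atoms = ["C1", "C2"]
    out = {}
    for name, table in (("$message", MESSAGE_TABLE), ("$form", FORM_TABLE)):
        report = match_entities(table, atoms)
        out[name] = [describe(p) for p in report.get((name, "PHP Var"), [])]
    return out


if __name__ == "__main__":
    for name, regions in run_examples().items():
        print(f"{name} dangling when: {' || '.join(regions) or 'never'}")
```

Treating the atoms as independent is the "dependent constraints" caveat of the Incorrect/Missing Cases slide: $lang == 'en' and $lang == 'de' cannot both hold, so the path C1 && C2 is infeasible. In the $form example that path falls inside a declaration's region and the result is unaffected, but in general such dependencies must be encoded (or checked with a solver) or the enumeration can report regions that no real execution reaches.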

Page 28: Dangling References in Multi-configuration and Dynamic PHP ...

Evaluation

Page 29: Dangling References in Multi-configuration and Dynamic PHP ...

Evaluation Results

System         Correct  Incorrect  Missing  Precision  Recall  New
BeehiveForum        22         12        4        65%     85%    2
ImpressCMS          25         12        2        68%     93%    8
MRBS                50         14        5        78%     91%   26
PHP-Fusion          51         23        0        69%    100%   25
PhpWiki             24          6        5        80%     83%    7
SquirrelMail        26          8        4        76%     87%    7
TikiWiki            26          8        4        76%     87%    7
All                221         91       25        71%     89%   83

Full results: http://home.engineering.iastate.edu/~hungnv/Research/DRC/

Page 30: Dangling References in Multi-configuration and Dynamic PHP ...

Incorrect/Missing Cases

- Dependent constraints
- Approximation due to symbolic execution
- Declarations created dynamically

Page 31: Dangling References in Multi-configuration and Dynamic PHP ...

Conclusion

- Findings on dangling PHP and embedded references
- DRC tool to detect dangling references with high accuracy (PHP entities, HTML entities, JS entities, SQL entities → Dangling Refs)

Tool demo: http://home.engineering.iastate.edu/~hungnv/Research/DRC/