PHP static analysis and cross-site scripting (III) - PHP source code


The following is a record of some of Pixy's program logic, mainly so that I can quickly understand the program's ideas and write them down; otherwise, how could I keep so many things in my head. Some parts I may have found difficult to follow.
ProgramConverter
- convert()
First, PhpParser is used to create a parseTree, but this tree is only used here. The tree, the input file and the ProgramConverter object are used to create the TacConverter object baseTac, and then baseTac.convert() is called. This baseTac is the TacConverter attribute that the object later returns. Then baseTac.getIncludeNodes() is used to obtain the include nodes that still have to be processed.
Next the program enters a while loop, on the condition that the function's local variable goOn is true and the "-w" option was not given. Call this loop (w1*); it first sets goOn to false. If the linked list of include nodes still to be processed is not empty, a second while loop (w2*) is entered. A for loop takes out the CfgNodeInclude nodes one by one. If a node is marked to be skipped (skip), the next node is taken. If the node does not include its file through a literal constant, it is also skipped for now; such nodes are not processed here. If neither of these two conditions holds, the include() method is called, which returns an IncStatus of an internal enumeration type; the list of nodes to be processed is then reset and w2* continues.
After baseTac has processed these, if there are no non-literal includes left, w1* is exited. Otherwise the non-literal includes are processed (253: this.baseTac.backpatch();). All methods obtained from baseTac, including the user methods and the main method, take part in the computation (259-260). An AliasAnalysis object is created and used as the parameter to create a LiteralAnalysis object, and analyze() is called to start the analysis. Then the list of include nodes still to be processed is retrieved and walked in a for loop, checking them one by one. Nodes that have already been detected are skipped; otherwise the node has a non-literal include file name, which is handled case by case. The return value of this.include() decides how the for loop proceeds. Then this.baseTac.assignFunctions() is called, the list of include nodes to be processed is reset, and w1* continues.
Afterwards, all the previously obtained lists of files that might still be useful are removed. literalAnalysis is set to null to save memory. If AliasAnalysis is needed, the corresponding processing is done (lines 361-364). Otherwise replaceGlobals() is called on baseTac to replace the local variables of all functions with the corresponding global variables, and a type analysis is performed, similar to the literal analysis above. The functions are converted to CfgNodes, and then statistics are output. Resources are released, baseTac.addSuperGlobalElements() is called to add the superglobal elements, and the nodes are sorted in reverse order.
- include()
Get the file to be included. If the file does not exist, return NOTFOUND. Otherwise, add the file to allFiles and add the including and included files to includeGraph. If the file was added successfully, create a parseTree for the included file and create a TacConverter object; however, the object here is only used to detect includes and to add those CfgNodeInclude nodes to weComeAfterwards, the list passed in from convert() to be processed. goOn is set to true so that the loop detection continues.
CfgEdge
For a CfgNodeIf, the inEdges represent the condition being tested and the outEdges represent the outcome. For the other node types this is still somewhat unclear to me.

InterAnalysis
In this program, after the files have been scanned for analysis, TacConverter is used to obtain the TacFunctions, and from those the CfgNodes. A CfgNode corresponds to a Context, and the two together constitute an InterWorkListElement. In InterAnalysisInfo, each CfgNode corresponds to an InterAnalysisNode; within that node, each Context of the CfgNode corresponds to a LatticeElement, and the LatticeElement stores the corresponding information. For example, an AliasLatticeElement stores MustAliases and MayAliases, while a DepLatticeElement stores TacPlaces, DepSets and Variables.
For test.php, the TransferFunctions are generated in ProgramConverter.convert(), and CompositeTransferFunctions are obtained in Checker.analyzeTaint(). At that point the TransferFunction held by each InterAnalysisNode is a fixed instance, so the transfer method described below calls the method of that instance. In this example, because TransferFunctionId.transfer() returns its input parameter unchanged, the outValue obtained after calling transfer is the same as the inValue. Of the node kinds handled in analyze(), only the last three use outValue: the first kind does not use outValue at all, and the second kind simply sets outValue = inValue.
- initGeneric()
The length of interAnalysisInfo is not clear to me. initTransferFunction() seems to be able to add data to genericAnalysisInfo. There are 23 entries in the test, and interAnalysisInfo also has 23. This is because the two refer to the same memory address: adding content to genericAnalysisInfo means that interAnalysisInfo has the same content.
- analyze()
This method mainly takes different actions for different nodes. They are divided into five kinds:
- CfgNodeCall
- CfgNodeExit
- CfgNodeIf
- CfgNodeCallRet
- others
The inValue is transformed to obtain the outValue, and then all outgoing edges of the node are obtained. For each edge its end node, the successor of the current node, is obtained; then, with the current context, the obtained outValue and the successor, a new PhiValue is set on the analysisNode and an InterWorkListElement is added to the workList. As I understand it, propagate is what generates the InterWorkListElement, because that is how it is used in analyze.
At the beginning of analyze(), the workList contains only one element, InterWorkListElement(this.mainHead, this.mainContext).
The LatticeElement obtained through the analysisNode in analyze() is a TypeLatticeElement the first time test.php passes through ProgramConverter.convert(), while in analyzeTaint() in Checker they are all DepLatticeElements. By calling the dump method we can see that in the first few results placeToDep is empty, after which the entire Map is printed.

- propagate(Context context, LatticeElement value, CfgNode target)
In analyze(), most calls have the form propagate(current context, outValue, successor).
The corresponding analysisNode is looked up in InterAnalysisInfo through target. If it is not null, the context is used to get the oldPhiValue of target. If oldPhiValue == null, it is set to the initial value common to all LatticeElements, which is actually null. If value == oldPhiValue, the value has not changed and the method can return. Otherwise value and oldPhiValue are combined in the lattice to compute a newPhiValue. If newPhiValue differs from oldPhiValue, it is set as the target's PhiValue and an InterWorkListElement is added to the workList for analyze().
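The analyze()/propagate() pair described above is a standard worklist fixed-point iteration, and the part that is easy to get wrong is the join in propagate(): a node is only re-enqueued when the joined PhiValue actually grows, which is what guarantees termination on loops. The following is an added example written for this page, not Pixy code. It models the lattice as the set of variables that may carry request data (a stand-in for DepLatticeElement, with set union as the join and the empty set as the initial value that Pixy represents as null), and runs the worklist over a constructed CFG with a back edge so that the second pass over the loop header is visible. The node kinds, the SUPERGLOBALS list and the CFG are all constructed here.

```python
"""Worklist fixed-point analysis with a propagate() modelled on Pixy's (constructed example, not Pixy code)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

# Lattice element: variables that may carry request data. Join = set union;
# BOTTOM plays the role of the initial PhiValue (null in Pixy).
Lattice = FrozenSet[str]
BOTTOM: Lattice = frozenset()

# Assumed list of request-populated variables, used only to seed taint.
SUPERGLOBALS = ("$_GET", "$_POST", "$_COOKIE", "$_REQUEST")


@dataclass(frozen=True)
class Node:
    kind: str                      # "assign", "if", "echo" or "exit"
    target: Optional[str] = None   # assigned variable (assign) or echoed place (echo)
    source: Optional[str] = None   # right-hand side place of an assign


def is_superglobal(place: str) -> bool:
    return place.startswith(SUPERGLOBALS)


def transfer(node: Node, in_value: Lattice) -> Lattice:
    """Transfer function: only assignments change the value; all other nodes are the identity."""
    if node.kind != "assign":
        return in_value
    out = set(in_value)
    if is_superglobal(node.source) or node.source in in_value:
        out.add(node.target)      # taint flows into the assigned variable
    else:
        out.discard(node.target)  # a literal or untainted source kills earlier taint
    return frozenset(out)


class WorklistAnalysis:
    def __init__(self, nodes: Dict[str, Node], edges: List[Tuple[str, str]], entry: str):
        self.nodes = nodes
        self.succ: Dict[str, List[str]] = {n: [] for n in nodes}
        for src, dst in edges:
            self.succ[src].append(dst)
        self.entry = entry
        self.phi: Dict[str, Lattice] = {}
        self.worklist: List[str] = []

    def propagate(self, value: Lattice, target: str) -> bool:
        """Join value into target's PhiValue; re-enqueue target only if the PhiValue changed."""
        old = self.phi.get(target)
        if old is None:          # no PhiValue yet: start from the initial (bottom) element
            old = BOTTOM
        if value == old:         # nothing new arrived on this edge
            return False
        new = old | value        # lattice join (least upper bound)
        if new == old:           # already covered by the old PhiValue: no re-analysis
            return False
        self.phi[target] = new
        self.worklist.append(target)
        return True

    def analyze(self) -> Dict[str, Lattice]:
        """Pop a node, apply its transfer function, propagate the outValue to every successor."""
        self.phi[self.entry] = BOTTOM
        self.worklist = [self.entry]
        while self.worklist:
            current = self.worklist.pop()
            out_value = transfer(self.nodes[current], self.phi[current])
            for successor in self.succ[current]:
                self.propagate(out_value, successor)
        return self.phi


def tainted_sinks(nodes: Dict[str, Node], phi: Dict[str, Lattice]) -> List[str]:
    """Echo nodes whose argument may carry request data at that point (the sinks worth reporting)."""
    return sorted(
        name for name, node in nodes.items()
        if node.kind == "echo"
        and (is_superglobal(node.target) or node.target in phi.get(name, BOTTOM))
    )


# Constructed CFG: the back edge n3 -> n2 carries $_GET data into $b, so the loop
# header n2 and the sink n4 are analysed twice before the fixed point is reached.
TEST_NODES = {
    "n0": Node("assign", target="a", source="$_GET['x']"),
    "n1": Node("assign", target="b", source="'literal'"),
    "n2": Node("if"),
    "n3": Node("assign", target="b", source="a"),
    "n4": Node("echo", target="b"),
    "n5": Node("exit"),
}
TEST_EDGES = [("n0", "n1"), ("n1", "n2"), ("n2", "n3"), ("n2", "n4"), ("n3", "n2"), ("n4", "n5")]


def run_example() -> Tuple[Dict[str, Lattice], List[str]]:
    phi = WorklistAnalysis(TEST_NODES, TEST_EDGES, "n0").analyze()
    return phi, tainted_sinks(TEST_NODES, phi)


if __name__ == "__main__":
    phi, sinks = run_example()
    for name in sorted(phi):
        print(name, sorted(phi[name]))
    print("tainted sinks:", sinks)
```

On the first pass n4 sees only {a}, because $b was last assigned a literal; only after n3 pushes {a, b} back into n2 does propagate() re-enqueue n2 and then n4, at which point the echo of $b is reported. Because the join is monotone and the lattice is finite, the third visit to n2 changes nothing and the worklist drains.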



DepClient
- collectSinks()
For test0225.php, the number of functions detected for XSS is 2 but the number of sinks is 5; the number of functions detected for SQL is 2 and the number of sinks is 1.
First all TacFunctions are obtained through the depAnalysis instance, then the Cfg is obtained for each TacFunction, and the CfgNodes are sorted and checked one by one.
The resulting TacFunctions are of two kinds, _main and foo, containing 21 and 3 CfgNodes respectively. For XSS detection there are five sinks, all of them echo; they are returned as sinks regardless of whether an XSS vulnerability actually arises.

- findDangerousUninit(DepGraph relevant)
First the uninit nodes in relevant are found. The result shows that, of the five XSS sinks from the previous method, the last two return empty results. For each non-empty uninitNode, its parent node (predecessor) is found; if there is not exactly one parent node, an exception is thrown. Otherwise the parent node is taken out and two cases are distinguished:
- A DepGraphOpNode is directly regarded as an evil function.
- For a DepGraphNormalNode, the initiallyTainted() method is called and its return value examined; if it is ALWAYS or IFRG, the node is regarded as an evil function and returned.

- initiallyTainted(TacPlace place)
There are three cases for place:
- Constant: directly regarded as impossible to taint; returns NEVER.
- Variable: two sub-cases:
  - Superglobals are regarded as harmless in certain circumstances, and the rest may be harmful. For details see DepClient.java.
  - Non-superglobals are treated the same way, but some depend on the "-g" command-line option.
- Others: regarded as harmful.
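The three DepClient pieces above (collectSinks(), findDangerousUninit() and initiallyTainted()) fit together as: every call to a sink function is a sink, and a sink is dangerous when the single predecessor of one of its uninit nodes is either an operation node or a place that initiallyTainted() rates ALWAYS or IFRG. The following is an added example written for this page, not Pixy code, that models those three decisions and runs them over a constructed call-node list mirroring the test0225.php statements shown below. Assumptions are marked in the code: which superglobals count as harmless (the page defers to DepClient.java, so $_SESSION is only a stand-in), the reading of IFRG as "tainted if register_globals", and the second sink function in each client (the page names only echo and mysql_query but reports two functions per client).

```python
"""Sink collection and initial-taint classification modelled on DepClient (constructed example, not Pixy code)."""
from dataclasses import dataclass
from enum import Enum
from typing import List, Set, Tuple


class Trust(Enum):
    ALWAYS = "ALWAYS"   # the place carries request-controlled data from the start
    NEVER = "NEVER"     # the place cannot be tainted on its own
    IFRG = "IFRG"       # tainted only under register_globals (assumed reading of the "-g" case)


@dataclass(frozen=True)
class Place:
    kind: str            # "constant", "variable" or "other"
    name: str = ""       # PHP spelling, e.g. "$_GET['a']" or "$b"


SUPERGLOBALS = {"$_GET", "$_POST", "$_COOKIE", "$_REQUEST", "$_SERVER", "$_FILES", "$_ENV", "$_SESSION"}
# Assumption: the harmless subset lives in DepClient.java; $_SESSION stands in for it here.
HARMLESS_SUPERGLOBALS = {"$_SESSION"}


def initially_tainted(place: Place, register_globals: bool) -> Trust:
    """The three cases listed for initiallyTainted(TacPlace)."""
    if place.kind == "constant":
        return Trust.NEVER
    if place.kind == "variable":
        base = place.name.split("[", 1)[0]        # "$_GET['a']" -> "$_GET"
        if base in SUPERGLOBALS:
            return Trust.NEVER if base in HARMLESS_SUPERGLOBALS else Trust.ALWAYS
        # An ordinary variable is harmless unless register_globals could have filled it from the request.
        return Trust.IFRG if register_globals else Trust.NEVER
    return Trust.ALWAYS                            # anything else is treated as harmful


def is_dangerous_uninit(predecessor: Tuple[str, object], register_globals: bool) -> bool:
    """findDangerousUninit's two cases for the single predecessor of an uninit node."""
    kind, payload = predecessor
    if kind == "op":       # a DepGraphOpNode feeding the uninit node is taken as evil directly
        return True
    if kind == "normal":   # a DepGraphNormalNode holding a TacPlace: ask initiallyTainted
        return initially_tainted(payload, register_globals) in (Trust.ALWAYS, Trust.IFRG)
    raise ValueError(f"unexpected predecessor kind {kind!r}")


# Sink functions per client. "echo" and "mysql_query" come from the page; the second
# entry of each set is an assumption made to match the "2 functions" the page reports.
XSS_SINKS = {"echo", "print"}
SQL_SINKS = {"mysql_query", "mysqli_query"}

# Constructed call-node list modelling test0225.php: (callee, argument places), in source order.
TEST0225 = [
    ("foo", []),
    ("echo", [Place("variable", "$b")]),
    ("echo", [Place("variable", "$_GET['a']")]),
    ("echo", [Place("variable", "$e")]),
    ("explode", [Place("constant", "'_'"), Place("variable", "$get")]),
    ("mysql_query", [Place("variable", "$x[0]")]),
    ("echo", [Place("constant", '"ABCD"')]),
    ("echo", [Place("constant", '"dfg"')]),
]


def collect_sinks(calls, sink_names: Set[str]) -> List[Tuple[int, str, List[Place]]]:
    """Every call to a sink function is a sink, whether or not it turns out to be exploitable."""
    return [(i, fn, args) for i, (fn, args) in enumerate(calls) if fn in sink_names]


def directly_tainted_sinks(calls, sink_names: Set[str], register_globals: bool) -> List[int]:
    """Sinks whose argument, taken as a DepGraphNormalNode, is tainted before any dataflow is considered."""
    return [i for i, _, args in collect_sinks(calls, sink_names)
            if any(is_dangerous_uninit(("normal", p), register_globals) for p in args)]


if __name__ == "__main__":
    print("XSS sinks:", len(collect_sinks(TEST0225, XSS_SINKS)))
    print("SQL sinks:", len(collect_sinks(TEST0225, SQL_SINKS)))
    print("directly tainted XSS sinks without register_globals:", directly_tainted_sinks(TEST0225, XSS_SINKS, False))
    print("directly tainted XSS sinks with register_globals:", directly_tainted_sinks(TEST0225, XSS_SINKS, True))
```

The counts reproduce the page's five XSS sinks and one SQL sink. Without register_globals only echo $_GET['a'] is tainted on its own; with it, echo $b and echo $e also become IFRG findings, which is exactly why the uninitialised $e in the test file is interesting to the analysis. Taint that reaches $b through foo() is a dataflow question, not an initiallyTainted() question, and is outside this block.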


TacConverter
- start()
Two CfgNodes are created from the input PhpTree root as the entry (root) and exit of the Cfg; every node in the tree is connected, converting the PhpTree into a Cfg.
The test0225.php file mentioned above is as follows:


<?php
function foo()
{
    $var = $_GET['evil'];
    return $var;
}

// $a = $_GET['evil'];
$b = foo();

// $a = 5;
// echo $a;
echo $b;
// $a is 6 here
echo $_GET['a'];

echo $e;

$x = explode('_', $get);
mysql_query($x[0]);

if (true) echo "ABCD";

if ($a = 'a' & $c = 'd') echo "dfg";

?>
