PHP automated white-box audit technology and implementation (1)

Source: Internet
Author: User


0x00 Preface

Only a small number of open technical materials on PHP automated auditing exist in China, whereas abroad there are already excellent automated auditing implementations; RIPS, for example, performs a series of code analyses on the token stream. Traditional static analysis techniques such as data flow analysis and taint propagation analysis are rarely applied to dynamic scripting languages such as PHP, yet they are the key technical points of white-box automation. In this article I introduce my recent research and results, and I hope more security researchers in China will devote their efforts to the meaningful field of PHP automated audit technology.

0x01 basic knowledge

There are many ways to implement automated auditing, such as matching locations against a repository of regular-expression rules. This method is the easiest, but its accuracy is the lowest. The most reliable approach is to design the tool with knowledge from the field of static analysis. In general, a static analysis security tool works in the following form:

The first thing to do in static analysis is to model the source code. Put simply, the source code, which is just a string, is converted into an intermediate representation that facilitates the subsequent vulnerability analysis: a set of data structures that represents the code. Modeling generally uses methods from the field of compiler construction, such as lexical analysis to generate tokens, generating an abstract syntax tree, and generating a control flow graph. The quality of the modeling work directly affects the results of the subsequent taint propagation analysis and data flow analysis.

The analysis execution stage then combines security knowledge to analyze and handle the vulnerabilities in the loaded code. Finally, the static analysis tool generates its judgment results, which ends the work at this stage.

0x02 Implementation ideas

After a period of effort, my friends and I have roughly implemented an automated static analysis tool. The specific implementation idea is to use static analysis technology; if you want to learn more about it, you can read the previous article. In the tool, the automated audit process is as follows:

First, load all PHP files under the project directory that the user entered for scanning, and classify these PHP files. If a scanned PHP file is a Main file, that is, a PHP file that actually processes user requests, vulnerability analysis is performed on it. If it is not a Main file, such as a class definition file or a utility function definition file in the PHP project, this step is skipped and no analysis is performed.

Second, collect global data and the class information defined in the project to be scanned, such as the file path of each class and its attributes, methods and parameters. At the same time, a file summary is generated for each file. The file summary collects information about each assignment statement, together with the sanitization information and encoding information of the variables involved in that assignment.

After global initialization, the compiler front-end module is entered, and the open-source PHP-Parser tool is used to construct the abstract syntax tree (AST) of the PHP code under analysis. Based on the AST, a control flow graph (CFG) is constructed and summary information about basic blocks is generated on the fly.

During front-end compilation, if a call to a sensitive function is encountered, the system stops to perform taint propagation analysis, inter-procedural analysis and intra-procedural analysis in order to find the corresponding sensitive data. Then, based on the information collected during the data flow analysis, the sanitization and encoding information is evaluated to determine whether the code is vulnerable.

If the previous step determined that the code is vulnerable, control passes to the vulnerability reporting module, which collects the vulnerable code segment. Its implementation relies on maintaining a result-set context object as a singleton in the system environment; whenever a vulnerability record is generated, it is added to the result set. After scanning of the entire project is complete, Smarty is used to output the result set to the front end, where the scan results are visualized.
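The pipeline described in 0x01 and 0x02 (modeling the code, building a per-file summary of assignments with their sanitization state, propagating taint from user-controlled sources to sensitive sinks, and collecting hits in a shared result set) can be sketched in a few dozen lines. The Python below is an added example written for this article; it is not the author's tool and not PHP-Parser code. It models only straight-line PHP, using regular expressions in place of an AST and CFG, and the source, sink and sanitizer tables as well as the sample PHP file are constructed for the example.

```python
# Added example (not the author's tool): a toy, straight-line model of the audit
# pipeline: file summary of assignments -> taint propagation -> sanitizer check at
# sinks -> shared result set. A real tool parses with PHP-Parser and builds a CFG.
# Rule tables and the sample PHP file below are constructed for this example.
import re
from collections import namedtuple

VULN_CLASSES = frozenset({"xss", "sqli", "rce"})
SOURCES = {"$_GET", "$_POST", "$_COOKIE", "$_REQUEST"}   # user-controlled superglobals
SINKS = {"echo": "xss", "mysql_query": "sqli", "system": "rce"}   # sink -> class
# Which vulnerability classes each sanitizer neutralises (simplified, constructed).
SANITIZERS = {
    "htmlspecialchars": {"xss"},
    "addslashes": {"sqli"},
    "escapeshellarg": {"rce"},
    "intval": set(VULN_CLASSES),        # a plain integer is safe for every sink
}

ASSIGN_RE = re.compile(r"^\$(\w+)\s*=\s*(.+);$")
CALL_RE = re.compile(r"^(\w+)\s*\((.*)\)$", re.S)
SINK_RE = re.compile(r"^(\w+)\s*(.*);$")
VAR_RE = re.compile(r"\$\w+")

Assignment = namedtuple("Assignment", "line target danger")   # one file-summary entry
Finding = namedtuple("Finding", "line sink vuln_class argument")
RESULTS = []   # process-wide result set, standing in for the article's singleton context


def split_concat(expr):
    """Split on the '.' concatenation operator at depth 0, skipping string literals."""
    parts, cur, depth, quote = [], "", 0, None
    for ch in expr:
        if quote:                       # inside a string literal: copy verbatim
            quote = None if ch == quote else quote
        elif ch in "\"'":
            quote = ch
        elif ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        elif ch == "." and depth == 0:
            parts.append(cur)
            cur = ""
            continue
        cur += ch
    parts.append(cur)
    return [p.strip() for p in parts]


def danger_of(expr, taint):
    """Vulnerability classes `expr` is still dangerous for: a source is dangerous for
    all classes, a sanitizer call removes its classes, anything else is the union."""
    parts = split_concat(expr)
    if len(parts) > 1:
        return set().union(*(danger_of(p, taint) for p in parts))
    expr = parts[0]
    m = CALL_RE.match(expr)
    if m and m.group(1) in SANITIZERS:
        return danger_of(m.group(2), taint) - SANITIZERS[m.group(1)]
    danger = set()
    for var in VAR_RE.findall(expr):    # other calls, $_GET['x'], "$x" all fall here
        danger |= VULN_CLASSES if var in SOURCES else taint.get(var, set())
    return danger


def is_main_file(php_source):
    """Crude stand-in for the article's Main-file test: does the file read user input?"""
    return any(src in php_source for src in SOURCES)


def analyze_file(php_source):
    """Build the file summary and check each sink (straight-line code only, no CFG)."""
    taint, summary, findings = {}, [], []
    for lineno, raw in enumerate(php_source.splitlines(), 1):
        line = raw.strip()
        m = ASSIGN_RE.match(line)
        if m:
            target, rhs = "$" + m.group(1), m.group(2)
            taint[target] = danger_of(rhs, taint)
            summary.append(Assignment(lineno, target, taint[target]))
            continue
        m = SINK_RE.match(line)
        if m and m.group(1) in SINKS:
            arg = m.group(2).strip()
            if arg.startswith("(") and arg.endswith(")"):
                arg = arg[1:-1]         # mysql_query($q) -> $q
            vuln = SINKS[m.group(1)]
            if vuln in danger_of(arg, taint):
                findings.append(Finding(lineno, m.group(1), vuln, arg))
    RESULTS.extend(findings)            # add to the shared result set
    return summary, findings


# Constructed sample file; the findings refer to its line numbers.
SAMPLE_PHP = """<?php
$id = $_GET['id'];
$name = $_POST['name'];
$safe_name = htmlspecialchars($name);
$num = intval($id);
$sql = "SELECT * FROM users WHERE id = " . $id;
$sql2 = "SELECT * FROM users WHERE id = " . $num;
echo $safe_name;
echo $name;
mysql_query($sql);
mysql_query($sql2);
system("ping " . escapeshellarg($id));
"""
```

Calling `analyze_file(SAMPLE_PHP)` reports the `echo` on sample line 9 (XSS) and the `mysql_query` on line 10 (SQL injection), while the `htmlspecialchars`, `intval` and `escapeshellarg` cases are cleared. The summary records, per assignment, which vulnerability classes the value is still dangerous for, which is what makes the sink-specific check in the fourth step possible: `htmlspecialchars` clears XSS but leaves the same value dangerous for SQL, so `$safe_name` would still be flagged if it reached `mysql_query`.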

