Slide 1: Dangling References in Multi-configuration and Dynamic PHP-Based Web Applications

Hung Nguyen, Hoan Nguyen, Tung Nguyen, Anh Nguyen, Tien N. Nguyen
Iowa State University, USA
ASE 2013, Nov 11-15, 2013, Palo Alto, California, USA
Slide 2: Dangling References

```php
// PHP code
if ($page == 'home' && $cmd == 'greetings') {
    $message = 'Hello, world!';
}
if ($page == 'home')
    echo $message;
```

DANGLING when $page == 'home' and $cmd != 'greetings': on that path the reference to $message in the echo has no declaration that reaches it.
Slide 3: Empirical Study in Web Applications

1. Do dangling references exist? How many types are there?
2. What are the causes of such dangling references?
3. What are the types of failures that they cause?
Slide 4: Case Study 1 (ImpressCMS project at rev. 4700)

```php
function createPermissionControls() {
    ...
    if ($this->targetObject->isNew()) {                       // C1
        if (isset($icmsModuleConfig['...'])) {                // C2
            $groups_value = $icmsModuleConfig['...'];
        }
    } else {
        $group_value = $this->targetObject->getGroupPerm(...);
    }
    $groups_select = new XoopsFormSelect(..., $groups_value, 4, true);
    ...
}
```

Dangling reference when (C1 && !C2): $groups_value is undefined on that path, yet it is passed to XoopsFormSelect unconditionally.
Slide 5: Case Study 2 (PhpFusion project at rev. 2600)

```php
$result = dbquery("UPDATE ..." . $_POST['news_thumb_w'] ...);
$result = dbquery("UPDATE ..." . $_POST['news_thumb_h'] ...);
$result = dbquery("UPDATE ..." . $_POST['news_photo_w'] ...);   // dangling
$result = dbquery("UPDATE ..." . $_POST['news_photo_h'] ...);   // dangling
...
echo "...<input ... name='news_thumb_w' .../>";
echo "...<input ... name='news_thumb_h' .../>";
echo "...<input ... name='news_thumb_w' .../>";   // possibly copy-and-paste
echo "...<input ... name='news_thumb_h' .../>";   // possibly copy-and-paste
```

Embedded dangling reference: the PHP code reads $_POST['news_photo_w'] and $_POST['news_photo_h'], but the form emitted by the echo statements declares no input with either name. The second pair of inputs repeats news_thumb_w and news_thumb_h, which the slide attributes to a possible copy-and-paste error.
Slide 6: Case Study 3 (PhpFusion project at rev. 2600)

```php
$result = dbquery("SELECT ..., u.user_groups, u.user_joined FROM " . DB_POSTS . " ... WHERE p.thread_id='" . $_GET['thread_id'] ...
);
while ($data = dbarray($result)) {
    ...
    echo ... showdate("shortdate", $data['user_joined']) ...;
    if (time() - $data['user_lastvisit'] < 180)       // dangling
        echo "...";
}
```

Cross-language dangling reference from PHP to SQL: $data['user_joined'] matches a column in the SELECT list, but $data['user_lastvisit'] refers to a column the query never selects, so the comparison evaluates an undefined array element.
Slide 7: Empirical Study

| System | Start Date | Candidate Revisions | Revs w/ Dang. Refs | Dangling Refs: PHP | Dangling Refs: Embedded (HTML+JS+SQL) |
|---|---|---|---|---|---|
| Beehive Forum | 04/2002 | 173 | 16 | 18 | 6 |
| ImpressCMS | 12/2007 | 65 | 14 | 19 | 0 |
| MRBS | 05/2000 | 26 | 13 | 29 | 0 |
| PHP-Fusion | 03/2008 | 42 | 14 | 19 | 7 |
| PhpWiki | 06/2000 | 37 | 14 | 21 | 1 |
| SquirrelMail | 11/1999 | 47 | 17 | 23 | 0 |
| TikiWiki | 10/2002 | 87 | 15 | 17 | 3 |
| All | | 477 | 103 | 146 | 17 |
Slide 8: Causes & Effects

Causes
- Missing instances when renaming entities
- Errors due to copy-and-paste
- Developers used an incorrect or mistyped entity
- Misplaced 'include' statement of a file containing a declaration

Effects
- Fatal errors and crashes
- Security vulnerabilities, input validation bypass
- Incorrect and unexpected behaviors
Slide 9: DRC's Approach to Detect Dangling References
Slide 10: Challenges

- PHP is a dynamic language
- References embedded in PHP code
- Cross-language references:
  - JavaScript to HTML
  - PHP to HTML
  - PHP to SQL
Slide 11: Concepts

```php
$script = "<script>function validate() {...}
</script>";
echo $script;
...
if ($lang == 'en')
    $form = "<form ... onsubmit='return validate();'>";
else if ($lang == 'de')
    $form = "<form ... onsubmit='return validate();'>";
echo $form;
```

- Entity (variable, function, ...): $script, $form, and the JavaScript function validate
- Declaration: each assignment to $form; the definition of validate inside the script
- Reference: echo $form; the call validate() in the onsubmit attribute
- Embedded entity: validate is a JavaScript entity whose declaration and reference both live inside PHP strings
- PHP string: the literal that carries the embedded HTML/JavaScript code
- Constraint: the path condition under which a declaration or reference is reached ($lang == 'en', !($lang == 'en') && $lang == 'de')
Slide 12: DRC's Key Idea

Entity Extraction → Entity Table (PHP decls/refs, HTML/JS decls/refs, SQL decls/refs) → Entity Matching → Dangling Refs
Slide 13: DRC's Key Idea

```php
L1: $script = "<script> ...
L2:     return document.loginform.userid != '';
L3: </script>";
L4: echo $script; ...
L5: if ($lang == 'en')        // C1
L6:     $input = "<input name='userid' ...>";
L7: else if ($lang == 'de')   // C2
L8:     $input = "<input name='userid' ...>";
L9: echo $input;
```

Entity Extraction:

| Entity | Type | Decl/Ref | Constraint |
|---|---|---|---|
| userid (L2) | JS ref to HTML input | Ref | TRUE |
| userid (L6) | HTML input | Decl | C1 |
| userid (L8) | HTML input | Decl | !C1 && C2 |

Entity Matching: a reference is dangling if Constraint(ref) && !Constraint(decl) is satisfiable over the declarations of the same entity. Here that is TRUE && !(C1 || (!C1 && C2)) = !C1 && !C2: when $lang is neither 'en' nor 'de', no <input name='userid'> is emitted while the script still refers to it.
Slides 15-16: DRC's Approach

- S1: PHP Entity Extraction → PHP decls/refs (into the Entity Table)
- S2: Embedded Code Approximation → D-Model of the emitted HTML/JS and SQL
- S3: HTML/JS Entity Extraction on the D-Model → HTML/JS decls/refs
- S4: SQL Entity Extraction on the D-Model → SQL decls/refs
- S5: Entity Matching over the Entity Table → Dangling Refs
Slide 17: PHP Entity Extraction, using symbolic execution (Nguyen et al., ASE 2011)

```php
L1: $script = "<script> ...
L2:     return document.loginform.userid != '';
L3: </script>"; ...
L4: if ($lang == 'en')        // C1
L5:     $input = "<input name='userid' ...>";
L6: else if ($lang == 'de')   // C2
L7:     $input = "<input name='userid' ...>";
L8: echo $input;
```

| Entity | Type | Decl/Ref | Constraint |
|---|---|---|---|
| $input (L5) | PHP Var | Decl | C1 |
| $input (L7) | PHP Var | Decl | !C1 && C2 |
| $input (L8) | PHP Var | Ref | TRUE |

Symbolic execution over the PHP code records, for every variable declaration and reference, the path condition under which it is reached.
Slide 19: D-Model Representing Client Code

```php
echo '<form name="loginform" ...>';
if ($lang == 'en')   // C
    $input = 'User ID:' . '<input name="userid" .../>';
else                 // !C
    $input = 'Benutzer ID:' . '<input name="userid" .../>';
echo $input;
echo '</form>';
```

Symbolic execution produces the D-Model, a tree that approximates every string the script can output:

CONCAT
├── Literal: <form name="loginform" ...>
├── SELECT
│   ├── [C]  CONCAT( Literal: User ID: , Literal: <input name="userid" .../> )
│   └── [!C] CONCAT( Literal: Benutzer ID: , Literal: <input name=.../> )
└── Literal: </form>

Literal nodes hold constant text, CONCAT nodes join their children in order, and SELECT nodes carry one branch per path condition (C and !C).
Slide 21: HTML Parsing on D-Model

The HTML parser runs over the D-Model rather than over one concrete page. Literal text is tokenized into OpenTag, AttrName, AttrVal, Text and CloseTag tokens, and each token inherits the constraint of the branch it sits on: the <form ...> OpenTag and the </form> CloseTag are unconditional; the Text "User ID:" and the <input> OpenTag with AttrName name and AttrVal userid carry C; the Text "Benutzer ID:" and its own <input> tokens carry !C.
Slide 22: HTML/JS Entity Extraction

Entities extracted from the parsed D-Model:

| Entity | Type | Decl/Ref | Constraint |
|---|---|---|---|
| userid | HTML input | Decl | C |
| userid | HTML input | Decl | !C |
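The D-Model and the HTML/JS entity extraction over it (S2 and S3), as an added Python example that is not the DRC tool's code. The node kinds (Literal, CONCAT, SELECT) and the conditions C and !C follow the slides; the script literal emitted before the form, the form attributes beyond name, and the regexes standing in for the slides' HTML parser are assumptions of this example.

```python
"""D-Model of client-side output and HTML/JS entity extraction (added example)."""
import re
from dataclasses import dataclass
from typing import Iterator, List, Tuple, Union


@dataclass(frozen=True)
class Literal:
    text: str


@dataclass(frozen=True)
class Concat:
    parts: Tuple["Node", ...]


@dataclass(frozen=True)
class Select:
    branches: Tuple[Tuple[str, "Node"], ...]   # (constraint, branch) pairs


Node = Union[Literal, Concat, Select]


def conj(a: str, b: str) -> str:
    """Conjoin two constraint strings; 'TRUE' is the identity."""
    if a == "TRUE":
        return b
    if b == "TRUE":
        return a
    return f"({a}) && ({b})"


def literals(node: Node, cond: str = "TRUE") -> Iterator[Tuple[str, str]]:
    """Yield (constraint, text) per Literal: the conjunction of SELECT conditions above it."""
    if isinstance(node, Literal):
        yield cond, node.text
    elif isinstance(node, Select):
        for c, branch in node.branches:
            yield from literals(branch, conj(cond, c))
    else:
        for part in node.parts:
            yield from literals(part, cond)


def paths(node: Node, cond: str = "TRUE") -> Iterator[Tuple[str, str]]:
    """Yield (constraint, concrete page) for every path; exponential in nested SELECTs."""
    if isinstance(node, Literal):
        yield cond, node.text
    elif isinstance(node, Select):
        for c, branch in node.branches:
            yield from paths(branch, conj(cond, c))
    else:
        acc: List[Tuple[str, str]] = [("TRUE", "")]
        for part in node.parts:
            acc = [(conj(c1, c2), t1 + t2) for c1, t1 in acc for c2, t2 in paths(part)]
        for c, text in acc:
            yield conj(cond, c), text


# Regex recognizers in place of a real HTML/JS parser (assumption of this example).
FORM_DECL = re.compile(r'<form\b[^>]*\bname\s*=\s*["\'](\w+)["\']')
INPUT_DECL = re.compile(r'<input\b[^>]*\bname\s*=\s*["\'](\w+)["\']')
JS_REF = re.compile(r'document\.(\w+)\.(\w+)')

Entity = Tuple[str, str, str, str]   # (name, kind, "decl"|"ref", constraint)


def extract_entities(model: Node) -> List[Entity]:
    """Declarations and references found in each literal, tagged with its constraint."""
    seen = {}
    for cond, html in literals(model):
        for name in FORM_DECL.findall(html):
            seen[(name, "HTML form", "decl", cond)] = None
        for name in INPUT_DECL.findall(html):
            seen[(name, "HTML input", "decl", cond)] = None
        for form, field in JS_REF.findall(html):
            seen[(form, "HTML form", "ref", cond)] = None     # JS ref to HTML form
            seen[(field, "HTML input", "ref", cond)] = None   # JS ref to HTML input
    return list(seen)


# Constructed model: the slide-13 <script> echoed unconditionally, then the slide-19
# form whose label depends on C ($lang == 'en'). Attribute values are assumed.
MODEL = Concat((
    Literal("<script>function validate() { return document.loginform.userid != ''; }</script>"),
    Literal('<form name="loginform" method="post">'),
    Select((
        ("C",  Concat((Literal("User ID: "),     Literal('<input name="userid" type="text"/>')))),
        ("!C", Concat((Literal("Benutzer ID: "), Literal('<input name="userid" type="text"/>')))),
    )),
    Literal("</form>"),
))

if __name__ == "__main__":
    for entity in extract_entities(MODEL):
        print(entity)
```

extract_entities walks literal by literal, so the JS reference to userid gets TRUE while the two input declarations get C and !C, matching the table above. A token whose text is split across nodes (an attribute value coming from a variable) is invisible to this per-literal pass; the slides run the parser on the tree itself for that reason. paths() is kept to show what SELECT means, and why enumerating concrete pages does not scale.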
Slide 24: SQL Entity Extraction

```php
L1: $result = mysql_query("SELECT type FROM products WHERE pid = ...");
L2: $product = mysql_fetch_array($result);
L3: $result = mysql_query("SELECT name, type FROM vendors WHERE vid = ...");
L4: $vendor = mysql_fetch_array($result);
L5: echo 'Product Type: ' . $product['type']
L6:    . 'Vendor Type: ' . $vendor['type'];
```

Extracted entities:

| Entity Name | Type | Decl/Ref | SQL query | Constraint |
|---|---|---|---|---|
| type (L1) | SQL | Decl | L1 | TRUE |
| type (L3) | SQL | Decl | L3 | TRUE |
| type (L5) | SQL | Ref | L1 | TRUE |
| type (L6) | SQL | Ref | L3 | TRUE |

Both queries select a column named type, so each reference is matched to the query that produced its row array ($product from L1, $vendor from L3), not to any column of that name.
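PHP-to-SQL entity extraction (S4) as an added Python example, not the DRC tool's code. It runs over constructed lines: the six lines of this slide plus the loop from Case Study 3. The function names mysql_query, mysql_fetch_array, dbquery and dbarray are those on the slides; the regex-based tracking of which query produced each row variable is an assumption of this example, and a query built by concatenation is read only up to its first closing quote.

```python
"""PHP-to-SQL entity extraction over a few source lines (added example)."""
import re
from typing import Dict, List, Optional, Set, Tuple

QUERY_RE = re.compile(r'\$(\w+)\s*=\s*(?:mysql_query|dbquery)\(\s*"([^"]*)"')
FETCH_RE = re.compile(r'\$(\w+)\s*=\s*(?:mysql_fetch_array|mysql_fetch_assoc|dbarray)\(\s*\$(\w+)\s*\)')
LOOKUP_RE = re.compile(r"\$(\w+)\[\s*'(\w+)'\s*\]")
SELECT_RE = re.compile(r'\bSELECT\s+(.*?)\s+FROM\b', re.I | re.S)


def select_columns(sql: str) -> Optional[Set[str]]:
    """Column names a SELECT declares; None when unknown (SELECT * or no SELECT found)."""
    m = SELECT_RE.search(sql)
    if not m:
        return None
    cols: Set[str] = set()
    for item in m.group(1).split(","):
        item = item.strip()
        if not item:
            continue
        if item == "*":
            return None                       # column set only known at run time
        name = item.split()[-1].rsplit(".", 1)[-1]   # "u.user_joined AS joined" -> "joined"
        if re.fullmatch(r"\w+", name):
            cols.add(name)
    return cols


Decl = Tuple[str, int]          # (column, line of the declaring query)
Ref = Tuple[str, int, int]      # (column, line of use, line of the query it resolves to)


def analyze(lines: List[str]):
    """Return (decls, refs, dangling refs, $_POST/$_GET refs to HTML inputs)."""
    result_query: Dict[str, Tuple[int, Optional[Set[str]]]] = {}   # $result -> (line, cols)
    row_query: Dict[str, Tuple[int, Optional[Set[str]]]] = {}      # $row -> (line, cols)
    decls: List[Decl] = []
    refs: List[Ref] = []
    dangling: List[Ref] = []
    request_refs: List[Tuple[str, str, int]] = []
    for no, line in enumerate(lines, 1):
        for var, sql in QUERY_RE.findall(line):
            cols = select_columns(sql)
            result_query[var] = (no, cols)                 # re-binding $result is fine
            decls.extend((c, no) for c in sorted(cols or ()))
        for row, res in FETCH_RE.findall(line):
            if res in result_query:
                row_query[row] = result_query[res]         # row array inherits its query
        for row, key in LOOKUP_RE.findall(line):
            if row in ("_POST", "_GET", "_REQUEST"):
                request_refs.append((row, key, no))        # PHP ref to an HTML input
            elif row in row_query:
                qline, cols = row_query[row]
                refs.append((key, no, qline))
                if cols is not None and key not in cols:   # unknown column sets are not reported
                    dangling.append((key, no, qline))
    return decls, refs, dangling, request_refs


# Constructed sample: slide 24's lines followed by the Case Study 3 loop.
SAMPLE = [
    '$result = mysql_query("SELECT type FROM products WHERE pid = ...");',
    '$product = mysql_fetch_array($result);',
    '$result = mysql_query("SELECT name, type FROM vendors WHERE vid = ...");',
    '$vendor = mysql_fetch_array($result);',
    "echo 'Product Type: ' . $product['type']",
    "    . 'Vendor Type: ' . $vendor['type'];",
    '$result = dbquery("SELECT ..., u.user_groups, u.user_joined FROM " . DB_POSTS . " ... WHERE p.thread_id=\'" . $_GET[\'thread_id\'] . "\'");',
    'while ($data = dbarray($result)) {',
    '    echo showdate("shortdate", $data[\'user_joined\']);',
    '    if (time() - $data[\'user_lastvisit\'] < 180) echo "...";',
    '}',
]

if __name__ == "__main__":
    _, _, bad, _ = analyze(SAMPLE)
    for col, use, qline in bad:
        print(f"dangling: ['{col}'] at line {use} is not selected by the query at line {qline}")
```

The two type references resolve to different queries because the row variable, not the column name, carries the link; user_lastvisit is reported because the query at line 7 never selects it. SELECT * leaves the column set unknown, and the check stays silent rather than guess, which is the conservative choice for a static tool.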
Slide 26: Entity Matching

| Entity | Type | Decl/Ref | Constraint |
|---|---|---|---|
| $form | PHP Var | Decl | $lang == 'en' |
| $form | PHP Var | Decl | !($lang == 'en') && $lang == 'de' |
| $form | PHP Var | Ref | TRUE |

Over all execution paths the reference is live everywhere (TRUE), while the declarations cover only the paths where $lang == 'en' or $lang == 'de'.
Slide 27: Entity Matching

Given a reference r with constraint C(r), identify the declarations d1, d2, ..., dn of the same entity and their constraints C(d1), ..., C(dn).

Condition for a dangling reference:

    C(r) ∧ ¬(C(d1) ∨ C(d2) ∨ ... ∨ C(dn))

Predicates are transformed into boolean formulas over named conditions before the check, e.g. !($lang == 'en') && ($lang == 'de') ➜ !C1 && C2.

[Figure: the space of all execution paths, with C(r) partly covered by C(d1) and C(d2); the part of C(r) covered by neither is the region where r is dangling.]
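Entity Matching (S5) as an added Python example, not the DRC tool's code. It evaluates C(r) ∧ ¬(C(d1) ∨ ... ∨ C(dn)) by enumerating assignments of the named conditions, over a constructed entity table that combines the $input and userid rows of slides 13 and 17 with the references from Case Studies 2 and 3. C1 and C2 stand for $lang == 'en' and $lang == 'de' as on the slides; the line numbers given for the case-study rows are assumptions. It also shows the "dependent constraints" failure mode listed later: C1 and C2 cannot both hold, and ignoring that produces a false positive.

```python
"""Entity matching: C(r) && !(C(d1) || ... || C(dn)) over named conditions (added example)."""
from dataclasses import dataclass
from itertools import product
from typing import Callable, Dict, List, Optional, Tuple

Env = Dict[str, bool]                 # assignment of truth values to named conditions
Constraint = Callable[[Env], bool]    # a path condition as a predicate over an Env

TRUE: Constraint = lambda env: True


@dataclass(frozen=True)
class Entity:
    name: str          # "$input", "userid", "news_photo_w", "user_lastvisit"
    kind: str          # kind of the declaring entity this name denotes
    role: str          # "decl" or "ref"
    line: int
    constraint: Constraint


def dangling_region(ref: Entity, decls: List[Entity], atoms: List[str],
                    infeasible: Optional[Constraint] = None) -> List[Env]:
    """Assignments where the reference is reached but no declaration is.

    `infeasible` rules out assignments that can never occur (dependent
    constraints). Without it, C1 && C2 counts as a path, so a ref under C1
    with a decl under !C2 is falsely reported.
    """
    region = []
    for values in product([False, True], repeat=len(atoms)):
        env = dict(zip(atoms, values))
        if infeasible is not None and infeasible(env):
            continue
        if ref.constraint(env) and not any(d.constraint(env) for d in decls):
            region.append(env)
    return region


def find_dangling(table: List[Entity], atoms: List[str],
                  infeasible: Optional[Constraint] = None) -> List[Tuple[Entity, List[Env]]]:
    """Match every reference against the declarations with the same name and kind."""
    decls = [e for e in table if e.role == "decl"]
    found = []
    for r in table:
        if r.role != "ref":
            continue
        same = [d for d in decls if (d.name, d.kind) == (r.name, r.kind)]
        region = dangling_region(r, same, atoms, infeasible)
        if region:
            found.append((r, region))
    return found


def describe(env: Env) -> str:
    """Render an assignment as a conjunction, e.g. '!C1 && !C2'."""
    return " && ".join(k if v else "!" + k for k, v in env.items())


ATOMS = ["C1", "C2"]                               # C1: $lang == 'en', C2: $lang == 'de'
LANG_EXCLUSIVE: Constraint = lambda e: e["C1"] and e["C2"]   # $lang cannot be both

# Constructed entity table; case-study line numbers are assumed.
TABLE = [
    Entity("$input", "PHP var", "decl", 5, lambda e: e["C1"]),
    Entity("$input", "PHP var", "decl", 7, lambda e: not e["C1"] and e["C2"]),
    Entity("$input", "PHP var", "ref", 8, TRUE),
    Entity("userid", "HTML input", "decl", 6, lambda e: e["C1"]),
    Entity("userid", "HTML input", "decl", 8, lambda e: not e["C1"] and e["C2"]),
    Entity("userid", "HTML input", "ref", 2, TRUE),            # JS ref to the HTML input
    Entity("news_thumb_w", "HTML input", "decl", 20, TRUE),
    Entity("news_thumb_w", "HTML input", "ref", 10, TRUE),     # $_POST['news_thumb_w']
    Entity("news_photo_w", "HTML input", "ref", 12, TRUE),     # $_POST['news_photo_w'], no decl
    Entity("user_joined", "SQL column", "decl", 30, TRUE),
    Entity("user_lastvisit", "SQL column", "ref", 33, TRUE),   # column never selected
]


def report(table: List[Entity] = TABLE, atoms: List[str] = ATOMS,
           infeasible: Optional[Constraint] = LANG_EXCLUSIVE) -> Dict[Tuple[str, int], List[str]]:
    """Map (name, line) of each dangling reference to the conjunctions where it dangles."""
    return {(r.name, r.line): [describe(env) for env in region]
            for r, region in find_dangling(table, atoms, infeasible)}


if __name__ == "__main__":
    for (name, line), regions in report().items():
        print(f"{name} (L{line}) dangling when: {' || '.join(regions)}")
```

Enumerating 2^n assignments is only viable for the handful of conditions a single script produces; a SAT or SMT query over the same formula is the scalable form. The infeasibility predicate is what separates a boolean-formula check from one that understands the predicates, which is exactly where the dependent-constraint errors come from.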
Slide 28: Evaluation
Slide 29: Evaluation Results

| System | Correct | Incorrect | Missing | Precision | Recall | New |
|---|---|---|---|---|---|---|
| Beehive Forum | 22 | 12 | 4 | 65% | 85% | 2 |
| ImpressCMS | 25 | 12 | 2 | 68% | 93% | 8 |
| MRBS | 50 | 14 | 5 | 78% | 91% | 26 |
| PHP-Fusion | 51 | 23 | 0 | 69% | 100% | 25 |
| PhpWiki | 24 | 6 | 5 | 80% | 83% | 7 |
| SquirrelMail | 26 | 8 | 4 | 76% | 87% | 7 |
| TikiWiki | 26 | 8 | 4 | 76% | 87% | 7 |
| All | 221 | 91 | 25 | 71% | 89% | 83 |

Precision = Correct / (Correct + Incorrect) and Recall = Correct / (Correct + Missing); New counts newly found dangling references. As extracted, the TikiWiki row repeats the SquirrelMail row and the per-system columns do not add up to the All row, so treat that row with caution.

Full results: http://home.engineering.iastate.edu/~hungnv/Research/DRC/
Slide 30: Incorrect/Missing Cases

- Dependent constraints (related predicates treated as independent boolean conditions)
- Approximation due to symbolic execution
- Declarations created dynamically
Slide 31: Conclusion

- Findings on dangling PHP and embedded references
- DRC tool to detect dangling references with high accuracy: PHP, HTML, JS and SQL entities are extracted into one table and matched to report dangling references

Tool demo: http://home.engineering.iastate.edu/~hungnv/Research/DRC/