DOCSLIB.ORG

Experience Report: an Empirical Study of PHP Security Mechanism Usage

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text

Load more

Experience Report: An Empirical Study of PHP Security Mechanism Usage Johannes Dahse and Thorsten Holz Horst Görtz Institute for IT-Security (HGI) Ruhr-University Bochum, Germany {firstname.lastname}@rub.de ABSTRACT 1. INTRODUCTION The World Wide Web mainly consists of web applications Empirical studies of security vulnerabilities found in the written in weakly typed scripting languages, with PHP being last years [3, 7, 28, 31] indicate that web-related vulnera- the most popular language in practice. Empirical evidence bilities such as cross-site scripting (XSS) and SQL injection based on the analysis of vulnerabilities suggests that security (SQLi) are among the most common software flaws. In fact, is often added as an ad-hoc solution, rather than planning such vulnerabilities are more frequently detected in the re- a web application with security in mind during the design cent years than memory corruption vulnerabilities. This ob- phase. Although some best-practice guidelines emerged, no servation suggests that security is only added as an ad-hoc comprehensive security standards are available for develop- solution in web applications, rather than planning such ap- ers. Thus, developers often apply their own favorite security plications with security in mind during the design phase. mechanisms for data sanitization or validation to prohibit Although some best-practice guidelines on secure web pro- malicious input to a web application. gramming emerged (e.g., recommendations by OWASP [17]), In the context of our development of a new static code no comprehensive security standards are available for devel- analysis tool for vulnerability detection, we studied com- opers. This leads to the observation that each developer monly used input sanitization or validation mechanisms in applies his own favorite security mechanisms for data sani- 25 popular PHP applications. Our analysis of 2.5 million tization or validation. As a result, many programming pat- lines of code and over 26 thousand secured data flows pro- terns emerged for input sanitization (e.g., type casting, data vides a comprehensive overview of how developers utilize encoding, converting data to HTML entities, or prepared security mechanisms in practice regarding different markup statements) and input validation (e.g., type validation, for- contexts. In this paper, we discuss these security mecha- mat validation, or whitelisting). Each of these patterns has nisms in detail and reveal common pitfalls. For example, its own advantages and drawbacks, and programming mis- we found certain markup contexts and security mechanisms takes due to common pitfalls can still lead to vulnerabilities. more frequently vulnerable than others. Our empirical study As a side effect, this variety in security mechanisms leads to helps researchers, web developers, and tool developers to many false reports in static code analysis tools, which have focus on error-prone markup contexts and security mecha- to detect and analyze these security mechanisms precisely. nisms in order to detect and mitigate vulnerabilities. PHP is the most popular server-side scripting language on the Web, running on 82% of all websites [30]. It is a weakly Categories and Subject Descriptors typed language, meaning that a memory location can hold a value of every possible data type. In contrast to a strongly D.2.0 [Software Engineering]: General|protection mech- typed language, the weak typing in PHP implies that more anisms; D.2.8 [Software Engineering]: Metrics|complex- security checks have to be implemented by the developer to ity measures, product metrics ensure a safe usage in scenarios where only a specific data type is allowed. Furthermore, weak typing introduces oddi- General Terms ties when comparing data of different data types, leading to even more (potential) bugs or insecurities [18]. Security, Measurement Based on our experience in the development of a static code analysis tool for finding security vulnerabilities in mod- Keywords ern PHP applications [4{6], we collected typical program- Static analysis, input sanitization, input validation, PHP ming patterns used by developers to sanitize and validate data. In this paper, we provide a comprehensive empiri- Permission to make digital or hard copies of all or part of this work for cal analysis of the 20 different data sanitization and valida- personal or classroom use is granted without fee provided that copies are not tion mechanisms we found being used in web applications. made or distributed for profit or commercial advantage and that copies bear Furthermore, we also study common implementation pitfalls this notice and the full citation on the first page. Copyrights for components that lead to vulnerabilities in practice. We extended our pro- of this work owned by others than ACM must be honored. Abstracting with totype in order to enumerate the security mechanisms used credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request in PHP applications and applied it to 25 of the most pop- permissions from [email protected]. ular web applications. We analyzed more than 2.5 million ISSTA’15 , July 12–17, 2015, Baltimore, MD, USA lines of code and present an analysis of the detected security Copyright 2015 ACM 978-1-4503-3620-8/15/07 ...$15.00. patterns in more than 26 thousand data flows. Our analysis of the data stay intact, while only certain characters are re- helps to answer the following essential questions for PHP moved or replaced. This way, the application can proceed developers, code auditors, and static analysis engineers to with the sanitized data without a request for resubmission. refine the focus during vulnerability detection: In the following, we present several ways to sanitize data generically against all type of injection flaws, such as cross- • Q1: Which security mechanisms are available? site scripting [13] and SQL injection [8]. • Q2: Which pitfalls might these mechanisms imply? 2.1.1 Explicit Type Casting • Q3: Which security mechanisms are used how often in modern (web) applications? Numeric characters can be safely used in security sensi- tive string operations. To ensure only numeric characters, a • Q4: Which security mechanism is used to prevent string can be explicitly typecasted to a number by using the which vulnerability type in which markup context? typecast operator or built-in functions. • Q5: Which pitfalls occur in practice? 1 $var=(int)$var; // safe We believe that our work is of great value for designers of 2 $var= intval($var);// safe static code analysis tools, especially since the basic insights 3 settype($var, 'int');// safe can also be applied to programs implemented in other lan- Listing 1: Examples for explicit type casting. guages. Developers can understand how to use the correct sanitization and validation mechanism in which situation. All three operations in Listing 1 ensure a secure use of the variable regarding injection flaws. PHP uses duck typ- In summary, we make the following three contributions: $var ing to determine the integer value of a string. An empty and • We survey common mechanisms to sanitize and vali- non-empty string is typecasted to the number 0. However, date data in PHP applications and highlight the pit- if the string starts with a number (\123abc"), the number falls that can occur to answer questions Q1 and Q2. is used as result of the typecast (123 ). We will introduce pitfalls associated with duck typing later on. • We present our approach to enumerate these mecha- nisms via static code analysis techniques. 2.1.2 Implicit Type Casting • We evaluate our approach with 25 popular real-world Similar to an explicit typecast, an implicit type cast auto- applications. To the best of our knowledge, this is the matically occurs if data is used in mathematical operations. largest study on the usage of security mechanisms in Listing 2 shows an addition in line 1 in which $var is safely modern PHP applications. Based on this analysis, we typecasted to integer before a number is added. can answer research questions Q3 { Q5. 1 $var= $var + 1;// safe 2. TYPES OF SECURITY MECHANISMS 2 $var= $var++;// unsafe Web applications receive remotely supplied (and poten- Listing 2: Examples for implicit type casting. tially malicious) user data via HTTP request parameters. In contrast, the increment operator in line 2 performs no In PHP applications, user input is always received as data typecast and also works on strings. For example, the last of type string. If this input is processed in a security sen- character in the string aaa will be incremented to aab. Thus, sitive operation of the web application, a vulnerability can $var can still contain malicious characters. occur. For example, a dynamically built SQL query with embedded user input may lead to a SQL injection vulnera- 2.1.3 Formatting bility [8]. In order to prevent such a critical vulnerability, the Type casting is also performed by PHP's built-in format user input has to be sanitized or validated beforehand. For string functions. Different specifiers (beginning with a per- this purpose, a security mechanism is applied between the centage sign) can be used in a format string that determine user input (source) and the sensitive operation (sink) such the data type of the data they will be replaced with. An ex- that malicious data cannot reach the sensitive operation. ample is given in Listing 3 that uses the identifier %s (string) To study the variety of security mechanisms used by devel- and %d (numeric). opers in practice (Q1), we collected common types of mech- anisms we experienced in real-world applications during the 1 $var= sprintf("%s%d", $var1, $var2);// unsafe/ safe development of our static analysis tool [4{6]. Although the Listing 3: Sanitization with a format string function. possible ways of implementation are endless, our list cov- ers all different mechanisms we encountered.
Recommended publications
  • SEO Footprints

    SEO Footprints

    SEO Footprints Brought to you by: Jason Rushton Copyright 2013 Online - M a r k e t i n g - T o o l s . c o m Page 1 Use these “Footprints” with your niche specific keywords to find Backlink sources. Some of the footprints below have already been formed into ready made search queries. TIP* If you find a footprint that returns the results you are looking for, there is no need to use the rest in that section. For example if I am looking for wordpress sites that allow comments and the search query “powered by wordpress” “YOUR YOUR KEYWORDS” returns lots of results there is no need to use all of the others that target wordpress sites as a lot of them will produce similar results. I would use one or two from each section. You can try them out and when you find one you like add it to your own list of favourites. Blogs “article directory powered by wordpress” “YOUR YOUR KEYWORDS” “blog powered by wordpress” “YOUR YOUR KEYWORDS” “blogs powered by typepad” “YOUR YOUR KEYWORDS” “YOURYOUR KEYWORDS” inurl:”trackback powered by wordpress” “powered by blogengine net 1.5.0.7” “YOUR YOUR KEYWORDS” “powered by blogengine.net” “YOUR YOUR KEYWORDS” “powered by blogengine.net add comment” “YOUR YOUR KEYWORDS” “powered by typepad” “YOUR YOUR KEYWORDS” “powered by wordpress” “YOUR YOUR KEYWORDS” “powered by wordpress review theme” “YOUR YOUR KEYWORDS” “proudly powered by wordpress” “YOUR YOUR KEYWORDS” “remove powered by wordpress” “YOUR YOUR KEYWORDS” Copyright 2013 Online - M a r k e t i n g - T o o l s .
  • Mitigating SQL Injection Attacks on Legacy Web Applications

    Mitigating SQL Injection Attacks on Legacy Web Applications

    You shall not pass: Mitigating SQL Injection Attacks on Legacy Web Applications Rasoul Jahanshahi Adam Doupé Manuel Egele [email protected] [email protected] [email protected] Boston University Arizona State University Boston University ABSTRACT four most popular web apps (i.e., Wordpress, Joomla, Drupal, and SQL injection (SQLi) attacks pose a significant threat to the security Magento) increased by 267% compared to the prior year. of web applications. Existing approaches do not support object- There has been a great deal of research into identifying SQLi oriented programming that renders these approaches unable to vulnerabilities and defending against SQLi attacks on web apps. protect the real-world web apps such as Wordpress, Joomla, or Proposed approaches used various techniques such as static anal- Drupal against SQLi attacks. ysis [10, 11, 20, 22, 35], dynamic analysis [3, 6, 15, 21, 24, 25, 37], We propose a novel hybrid static-dynamic analysis for PHP or a mix of static-dynamic analysis [5, 17, 28]. While static analy- web applications that limits each PHP function for accessing the sis approaches can be promising, static analysis cannot determine database. Our tool, SQLBlock, reduces the attack surface of the whether input sanitization is performed correctly or not [34]. If the vulnerable PHP functions in a web application to a set of query sanitization function does not properly sanitize user-input, SQLi descriptors that demonstrate the benign functionality of the PHP attacks can still happen. Moreover, to the best of our knowledge, function. prior static analysis approaches for finding SQLi vulnerabilities in We implement SQLBlock as a plugin for MySQL and PHP.
  • Appendix a the Ten Commandments for Websites

    Appendix a the Ten Commandments for Websites

    Appendix A The Ten Commandments for Websites Welcome to the appendixes! At this stage in your learning, you should have all the basic skills you require to build a high-quality website with insightful consideration given to aspects such as accessibility, search engine optimization, usability, and all the other concepts that web designers and developers think about on a daily basis. Hopefully with all the different elements covered in this book, you now have a solid understanding as to what goes into building a website (much more than code!). The main thing you should take from this book is that you don’t need to be an expert at everything but ensuring that you take the time to notice what’s out there and deciding what will best help your site are among the most important elements of the process. As you leave this book and go on to updating your website over time and perhaps learning new skills, always remember to be brave, take risks (through trial and error), and never feel that things are getting too hard. If you choose to learn skills that were only briefly mentioned in this book, like scripting, or to get involved in using content management systems and web software, go at a pace that you feel comfortable with. With that in mind, let’s go over the 10 most important messages I would personally recommend. After that, I’ll give you some useful resources like important websites for people learning to create for the Internet and handy software. Advice is something many professional designers and developers give out in spades after learning some harsh lessons from what their own bitter experiences.
  • Snuffleupagus Documentation

    Snuffleupagus Documentation

    Snuffleupagus Documentation Release stable Sebastien Blot & Julien Voisin Aug 29, 2021 Contents 1 Documentation 3 1.1 Features..................................................3 1.2 Installation................................................ 11 1.3 Configuration............................................... 14 1.4 Download................................................. 22 1.5 Changelog................................................ 23 1.6 FAQ.................................................... 29 1.7 Propaganda................................................ 33 1.8 Cookies.................................................. 35 2 Greetings 39 i ii Snuffleupagus Documentation, Release stable Snuffleupagus is a PHP7+ and PHP8+ module designed to drastically raise the cost of attacks against websites. This is achieved by killing entire bug classes and providing a powerful virtual-patching system, allowing the administrator to fix specific vulnerabilities without having to touch the PHP code. Contents 1 Snuffleupagus Documentation, Release stable 2 Contents CHAPTER 1 Documentation 1.1 Features Snuffleupagus has a lot of features that can be divided in two main categories: bug-classes killers and virtual-patching. The first category provides primitives to kill various bug families (like arbitrary code execution via unserialize for example) or raise the cost of exploitation. The second category is a highly configurable system to patch functions in php itself. 1.1.1 Bug classes killed or mitigated system injections The system function executes an external
  • Locating Exploits and Finding Targets

    Locating Exploits and Finding Targets

    452_Google_2e_06.qxd 10/5/07 12:52 PM Page 223 Chapter 6 Locating Exploits and Finding Targets Solutions in this chapter: ■ Locating Exploit Code ■ Locating Vulnerable Targets ■ Links to Sites Summary Solutions Fast Track Frequently Asked Questions 223 452_Google_2e_06.qxd 10/5/07 12:52 PM Page 224 224 Chapter 6 • Locating Exploits and Finding Targets Introduction Exploits, are tools of the hacker trade. Designed to penetrate a target, most hackers have many different exploits at their disposal. Some exploits, termed zero day or 0day, remain underground for some period of time, eventually becoming public, posted to newsgroups or Web sites for the world to share. With so many Web sites dedicated to the distribution of exploit code, it’s fairly simple to harness the power of Google to locate these tools. It can be a slightly more difficult exercise to locate potential targets, even though many modern Web application security advisories include a Google search designed to locate potential targets. In this chapter we’ll explore methods of locating exploit code and potentially vulnerable targets.These are not strictly “dark side” exercises, since security professionals often use public exploit code during a vulnerability assessment. However, only black hats use those tools against systems without prior consent. Locating Exploit Code Untold hundreds and thousands of Web sites are dedicated to providing exploits to the gen- eral public. Black hats generally provide exploits to aid fellow black hats in the hacking community.White hats provide exploits as a way of eliminating false positives from auto- mated tools during an assessment. Simple searches such as remote exploit and vulnerable exploit locate exploit sites by focusing on common lingo used by the security community.
  • Arxiv:2102.03131V1 [Cs.CR] 5 Feb 2021 Extensions Are Available Within Systems Like Wordpress Or Called Joomla

    Arxiv:2102.03131V1 [Cs.CR] 5 Feb 2021 Extensions Are Available Within Systems Like Wordpress Or Called Joomla

    Over 100 Bugs in a Row: Security Analysis of the Top-Rated Joomla Extensions Marcus Niemietz, Mario Korth, Christian Mainka, Juraj Somorovsky fi[email protected] Hackmanit GmbH Abstract like WordPress and Joomla. There exists a family of tools Nearly every second website is using a Content Manage- which, inter alia, allow researchers and penetration testers to ment System (CMS) such as WordPress, Drupal, and Joomla. scan CMS software (e.g., WPScan [4], JoomScan [10]) for These systems help to create and modify digital data, typically well-known issues. Although community-based projects like within a collaborative environment. One common feature is to Joomla make use of tools like static source code scanners, it enrich their functionality by using extensions. Popular exten- seems to be a non-trivial task to detect well-known vulnerabil- sions allow developers to easily include payment gateways, ities such as XSS and SQLi, as shown by security researches backup tools, and social media components. multiple times [29]. To provide an example, Joomla intro- Due to the extended functionality, it is not surprising that duced the usage of the code analysis tool RIPS in June 2018 such an expansion of complexity implies a bigger attack sur- [7, 16]. Although RIPS is explicitly designed to detect web face. In contrast to CMS core systems, extensions are usu- vulnerabilities like XSS, Joomla has officially announced 30 ally not considered during public security audits. However, security vulnerabilities within the first half year of 2019, and a Cross-Site Scripting (XSS) or SQL injection (SQLi) at- 12 of them were XSS issues [17].
  • Snuffleupagus

    Snuffleupagus

    » SnuFfLEupAGus A ghostly elephant, in your php stack, killing bug classes, defeating attacks, and virtual-patching what is remaining. 1 / 106 » Bonjour 2 / 106 » I'm sorry 3 / 106 » Good evening We're glad to be here We're working at the same (French¹) company In the security team. It's called NBS System And it's a hosting company, you know, for websites. ¹ Hence our lovely accent. 4 / 106 » What are we trying to solve? We're hosting a lot of various php applications, using CMS written by super- duper creative people, and we'd like to prevent our customers from being pwned. 5 / 106 » What we were doing so far We have a lot of os-level hardening (grsecurity ♥) We have some custom IDS We have a (cool) WAF called naxsi But not everything is patchable with those, and we can not² touch the PHP code. ¹ And to be honest, we don't want to. 6 / 106 » Some words about php Its syntax draws upon C, Java, and Perl, and is easy to learn. The main goal of the language is to allow web developers to write dynamically generated web pages quickly, but you can do much more with PHP. — the php documentation 7 / 106 » Still words about php Well, there were other factors in play there. htmlspecialchars was a very early function. Back when PHP had less than 100 functions and the function hashing mechanism was strlen(). In order to get a nice hash distribution of function names across the various function name lengths names were picked specifically to make them fit into a specific length bucket.
  • Software Übersicht

    Software Übersicht

    Software Übersicht Serendipity WordPress eggBlog open Blog Nucleus CMS Pixie Blogs b2evolution Dotclear PivotX LifeType Textpattern Chyrp StatusNet Sharetronix Micro Blogs PageCookery Storytlr Zikula Concrete5 Mahara Xoops phpwcms Tribiq ocPortal CMS Made Simple ImpressCMS Joomla 2.5/Joomla 3.1 Contao Typo3 Website Baker SilverStripe Quick.cms sNews PyroCMS ImpressPages Portals/CMS Geeklog Redaxscript Pluck Drupal 7/Drupal 8 PHP-fusion BIGACE Mambo Silex Subrion PHP-nuke Saurus Monstra Pligg jCore Tiki Wiki CMS MODx Fork GroupWare e107 phpBB Phorum bbPress AEF PunBB Vanilla Forums XMB SMF FUDforum MyBB FluxBB miniBB Gallery Piwigo phpAlbum Image Galleries Coppermine Pixelpost 4images TinyWebGallery ZenPhoto Plogger DokuWiki PmWiki Wikis MediaWiki WikkaWiki Social Networking Dolphin Beatz Elgg Etano Jcow PeoplePods Oxwall Noahs Classifieds GPixPixel Ad Management OpenX OSClass OpenClassifieds WebCalendar phpScheduleIt Calenders phpicalendar ExtCalendar BlackNova Traders Word Search Puzzle Gaming Shadows Rising MultiPlayer Checkers phplist Webmail Lite Websinsta maillist OpenNewsletter Mails SquirrelMail ccMail RoundCube LimeSurvey LittlePoll Matomo Analytics phpESP Simple PHP Poll Open Web Analytics Polls and Surveys CJ Dynamic Poll Aardvark Topsites Logaholic EasyPoll Advanced Poll dotProject Feng Office Traq phpCollab eyeOSh Collabtive Project PHProjekt The Bug Genie Eventum Management ProjectPier TaskFreak FlySpray Mantis Bug tracker Mound Zen Cart WHMCS Quick.cart Magento Open Source Point of Axis osCommerce Sale TheHostingTool Zuescart
  • Pipenightdreams Osgcal-Doc Mumudvb Mpg123-Alsa Tbb

    Pipenightdreams Osgcal-Doc Mumudvb Mpg123-Alsa Tbb

    pipenightdreams osgcal-doc mumudvb mpg123-alsa tbb-examples libgammu4-dbg gcc-4.1-doc snort-rules-default davical cutmp3 libevolution5.0-cil aspell-am python-gobject-doc openoffice.org-l10n-mn libc6-xen xserver-xorg trophy-data t38modem pioneers-console libnb-platform10-java libgtkglext1-ruby libboost-wave1.39-dev drgenius bfbtester libchromexvmcpro1 isdnutils-xtools ubuntuone-client openoffice.org2-math openoffice.org-l10n-lt lsb-cxx-ia32 kdeartwork-emoticons-kde4 wmpuzzle trafshow python-plplot lx-gdb link-monitor-applet libscm-dev liblog-agent-logger-perl libccrtp-doc libclass-throwable-perl kde-i18n-csb jack-jconv hamradio-menus coinor-libvol-doc msx-emulator bitbake nabi language-pack-gnome-zh libpaperg popularity-contest xracer-tools xfont-nexus opendrim-lmp-baseserver libvorbisfile-ruby liblinebreak-doc libgfcui-2.0-0c2a-dbg libblacs-mpi-dev dict-freedict-spa-eng blender-ogrexml aspell-da x11-apps openoffice.org-l10n-lv openoffice.org-l10n-nl pnmtopng libodbcinstq1 libhsqldb-java-doc libmono-addins-gui0.2-cil sg3-utils linux-backports-modules-alsa-2.6.31-19-generic yorick-yeti-gsl python-pymssql plasma-widget-cpuload mcpp gpsim-lcd cl-csv libhtml-clean-perl asterisk-dbg apt-dater-dbg libgnome-mag1-dev language-pack-gnome-yo python-crypto svn-autoreleasedeb sugar-terminal-activity mii-diag maria-doc libplexus-component-api-java-doc libhugs-hgl-bundled libchipcard-libgwenhywfar47-plugins libghc6-random-dev freefem3d ezmlm cakephp-scripts aspell-ar ara-byte not+sparc openoffice.org-l10n-nn linux-backports-modules-karmic-generic-pae
  • In Support of DITA)

    In Support of DITA)

    Collaborative Focus Areas project (in support of DITA) In addition to the requirements already defined which are specific to this project, I have compiled a list of standard measures for evaluating any Free and Open Source Software (FOSS) technology. FOSS Technology Requirements 1. Community How viable is the community supporting the product? Are there independent contributors? How active are mailing lists, web sites? Is the community healthy, friendly and welcoming to newcomers? 2. Low Entry Barrier How easy is it to get started? Is the product a turn-key solution with immediate value after download? How consistent is the documentation, how hard is it to familiarize oneself with the codebase? 3. Product Maturity How robust is the underlying code? Are sound software engineering practices in use? Is the architecture clean and consistent? Are changes to the code regression-tested? 4. Industrial Strength How much does the product scale? How flexible and stable is the product, how well does it perform? Is it secure? 5. Off The Shelf Components How much does the product make use of standard components? Is the architecture modular to accomodate external code? 6. Feature Set Does the product have a conservative feature set, or does it have many bells and whistles? 7. Standards Compliance How much does the product use and interoperate with standards? 8. Usability Is the user interface understandable for non-technical persons? Is it consistent? Does it follow usability best practice? 9. Platform How well does the application fit into our infrastructure? 10. Security What is the profile and track record of the community vis-a-vis security best-practices? How often is the project listed in security vulnerability alerts, and what is the response time? 11.
  • A Static Vulnerability Analysis Tool for PHP

    A Static Vulnerability Analysis Tool for PHP

    PHPWander: A Static Vulnerability Analysis Tool for PHP Pavel Jurásek Thesis submitted for the degree of Master in Informatics: Programming and Networks 60 credits Department of Informatics Faculty of mathematics and natural sciences UNIVERSITY OF OSLO Spring 2018 PHPWander: A Static Vulnerability Analysis Tool for PHP Pavel Jurásek © 2018 Pavel Jurásek PHPWander: A Static Vulnerability Analysis Tool for PHP http://www.duo.uio.no/ Printed: Reprosentralen, University of Oslo PHPWander: A Static Vulnerability Analysis Tool for PHP Pavel Jurásek 16th May 2018 ii Contents 1 Introduction 1 I Background 3 2 Security vulnerabilities 5 2.1 Injections . .5 2.2 Cross-site scripting (XSS) . .6 2.3 Command injection . .7 2.4 Code injection . .7 2.5 Path traversal . .8 2.6 Other vulnerabilities . .8 3 PHP Language 9 3.1 History and description . .9 3.2 Typing . .9 3.3 Predefined variables . 10 3.4 Object-oriented aspects in PHP . 10 3.5 Class autoloading . 11 4 Static analysis 13 4.1 Data flow analysis . 13 4.2 Taint analysis . 14 4.2.1 Tainting method . 14 4.2.2 Control flow graphs . 14 4.3 Data flow sensitivities . 15 4.3.1 Flow sensitivity . 15 4.3.2 Context sensitivity . 16 4.4 SSA form . 16 4.5 Static analysis tools for PHP . 17 4.5.1 Code improvement tools . 17 4.5.2 Security checking tools . 18 II Development 19 5 Development phase 21 5.1 Architecture . 21 iii 5.2 Design decisions . 21 5.2.1 Configuration . 21 5.2.2 Software foundations . 23 5.2.3 Implementation details .
  • Openstackでnecが実現する 「OSSクラウド」の世界

    Openstackでnecが実現する 「OSSクラウド」の世界

    OpenStackでNECが実現する 「OSSクラウド」の世界 2013年3月12日 日本電気株式会社 プラットフォームマーケティング戦略本部 OSS推進室 技術主幹 高橋 千恵子 目次 ▐ OSSの動向 ▐ NECのOSS/Linux事業 ▐ OSSプラットフォームへの取り組み 高可用Linuxプラットフォーム OSSミドルウェアの活用 ▐ OSSクラウド OpenStackへの取り組み OSSクラウドソリューション ~沖縄クラウドサービス基盤~ OpenFlow+OpenStack ▐ 最後に ●本資料に掲載された社名、商品名は各社の商標または登録商標です。 Page 1 © NEC Corporation 2013 OSSの動向 Page 2 © NEC Corporation 2013 OSSコミュニティによるプロジェクト ▐ 全般 ・・・・・SaaS型アプリケーションが増加/著名OSSのベンダー配布、有償サポートや買収が進む OSS定点観測は、freecode.com にて実施。 ▐ インフラ系・・・仮想化やクラウド基盤関係のOSSが注目される/システム、ネット管理OSSの伸びがある サイトでの人気度(300以上)で順位付け。 OSSプロジェクトは2012.4時点で32.4万件。 ▐ デプロイメント系・・PostgreSQL、mySQLが高人気 これらのDB管理、DBクラスタリングOSSも伸びている ビジネス用途を中心に表示。 ▐ アプリ系・・・・SaaS型グループウェアOSS、ソフトウェア分類を越えた統合的な著名OSSの伸びがある コンシューマ・プライベート系は除く。 コンテンツアプリケーション •PHProject [GW] エンジニ コラボレーティブ •EGroupware CRM ERM SCM • Dokuwiki [Wiki] • jGnash アリング • WebGUI [CMF] • phpBB [GW] •OBM [GW] • Enterprise CRM and ア • Tiki Tiki CMS Groupware • ProcessMaker • CorneliOS [CMS] • Ariadne Groupware System • Task Juggler [PM] • Blender オペレーション • TinyMCE [DCM] • XODA • Simple Groupware [GW] プ • OpenWebMail[webmail]• Teamwork [GW] • Dolibarr • Achievo [PM] • mxGraph 製造管理 • Drupal [CMS] • mnoGoSerch • LedgerSMB • white_dune • eZpublish [publish FW]• Managing • ZIm [blog] • Plans [GW] • The Apache Open リ • Tine2.0 [CRM&GW] • GnuCash • Jgraph • OTRS • XWiki [Wiki] • Midgard • Zimbra [GW] for Business • Elastix • GroupOffice [GW] • Twiki [KB] • TUTOS[ERP&PM] • graphviz • FUDForum • OpenSearch Project コンシューマ 系 • SquirrelMail [Webmail] • Time Trex • BRL-CAD • Asterisk • Plone CMS Server • Citadel [bbs] •