ez.spikesource.com — July 2006

Spike PHP Security Audit launched!

A new open source tool to perform static security audit for php has been launched. This article describes the way it was developed.

Lights! Roll the drums!

A few days ago I launched my first open source project, it is called Spike PHP Security Audit. About the name, 'Spike' is for the company that pays my salary, and 'PHP Security Audit' is for what it somewhat does and what it strives to do.

I wrote the thing in less than 2 days! But that's nothing to boast about. It took me a month to push myself to write it in the first place. I had always wanted to write a PHP security audit tool, but I couldn't decide on the strategy. I was stuck between a static analysis approach and a runtime one. The latter can possibly be more powerful, but it can be a huge undertaking.

My manager found a C based tool called RATS that was written in 2001. We like what it does, but we don't like the fact that it is not written in PHP. This forces PHP developers to depend on some other compiler. The real problem is that it is not easy to extend the tool as PHP evolves. As the language definition changes (PHP has changed since the launch of RATS), the parser needs to be rewritten. If we use PHP, we have the language definition for free! Nothing knows PHP like the original parser.

Let me describe what it does so that you can understand it. I hope that once you understand it, you'll feel comfortable to use it, and actually help to improve the tool. So here it is:

1. PHP has a built-in tokenizer that can parse PHP code and tell you what kind of token the current one is. Using the tokenizer, you can ask PHP whether you are looking at a variable, encountering a class definition, etc.

2. It has a database of PHP functions that need extra care when used. The current database is really a copy of the RATS database; we use it so that we can get a taste of how the code should run. I downloaded the full PHP manual and, scanning it, found at least 19 functions that come with cautions and 1359 functions with warnings. It's obvious that the database can and should be improved.

3. PHP Security Audit's analyzer uses the tokenizer to move about the PHP code in question. Whenever it sees a function call, it checks whether the call matches an entry in the database. If it does, it sends the finding to the reporter module.

4. The reporter then reports everything that it finds.

Pretty simple, right?! Please download it from http://developer.spikesource.com/projects/phpsecaudit and drop a note in the forum.
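To make the four steps concrete, here is a small scanner written for this post as an added illustration; it is not phpSecAudit's own code, and the knowledge-base entries are constructed stand-ins for vuln_db.xml. It uses PHP's own tokenizer (token_get_all, PHP 7 or later for the syntax used) to find calls to listed functions, and goes one step further than the list above by not reporting a method of the same name such as $mailer->mail().

```php
<?php
// Added example (not phpSecAudit's own code): token_get_all() walks the
// source, each function call is matched against a small constructed
// stand-in for the vuln_db.xml knowledge-base, and hits are collected for
// a reporter. A method call such as $mailer->mail() is not the native mail().
$knowledgeBase = [  // constructed entries, not the real database
    'exec'       => 'command execution: validate and escape every argument',
    'shell_exec' => 'command execution: validate and escape every argument',
    'extract'    => 'imports arbitrary variables from an array such as $_GET',
    'mail'       => 'header injection if user input reaches the headers',
];

function findRiskyCalls(string $source, array $db): array
{
    $tokens   = token_get_all($source);
    $count    = count($tokens);
    $findings = [];
    for ($i = 0; $i < $count; $i++) {
        // A call starts with a T_STRING naming a function in the database...
        if (!is_array($tokens[$i]) || $tokens[$i][0] !== T_STRING) {
            continue;
        }
        $name = strtolower($tokens[$i][1]);
        if (!isset($db[$name])) {
            continue;
        }
        // ...followed (after optional whitespace) by an opening parenthesis.
        $j = $i + 1;
        while ($j < $count && is_array($tokens[$j]) && $tokens[$j][0] === T_WHITESPACE) {
            $j++;
        }
        if ($j >= $count || $tokens[$j] !== '(') {
            continue;
        }
        // Skip $obj->name( and Class::name(: methods, not the native function.
        $prev = $tokens[$i - 1] ?? null;
        if (is_array($prev) && in_array($prev[0], [T_OBJECT_OPERATOR, T_DOUBLE_COLON], true)) {
            continue;
        }
        $findings[] = ['line' => $tokens[$i][2], 'function' => $name, 'note' => $db[$name]];
    }
    return $findings;
}

// Constructed sample source; the "reporter" just prints each finding.
$sample = "<?php\nextract(\$_GET);\n\$mailer->mail(\$to, \$subject);\necho shell_exec('ls ' . \$dir);\n";
foreach (findRiskyCalls($sample, $knowledgeBase) as $f) {
    printf("line %d: %s() - %s\n", $f['line'], $f['function'], $f['note']);
}
```

On the sample source this reports extract() on line 2 and shell_exec() on line 4, while the mail() method call on line 3 is skipped.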


Comments

'Ezra Nugroho' left this comment on 31 Jul 06
Thank you very much! :)
'A visitor' left this comment on 29 Jul 06
Nice job! Hey, I dugg your project http://digg.com/security/Open_Source_Php_Security_Tool_to_Audit_Php_Applications

The Best Job

Definition of the best job from my CTO.

The best job in the world is the one you'd go to it even when you don't get paid for it -- Murugan Pal


How to kill ideas

Ideas are like legends. If you stop talking about them, they will die naturally.


phpSecAudit 0.23 Released!

I am glad to announce that phpSecAudit version 0.23 was released today.
Apart from a minor improvement in the knowledge-base, the main focus of this release is to make this tool php 4 friendly. 
I hope you'd find this release useful.

Change Log:
1. Modified to be PHP 4 friendly.
2. Added a few functions to the knowledge-base: extract, shell_exec, pcntl_exec, exec.
3. Slightly improved the organization of the knowledge-base file (vuln_db.xml).

Known issues:
1. [Unverified] The _getAllPhpFiles function may miss a few files.
2. The tokenizer needs to be able to differentiate between a native function call and a class method call of the same name, e.g. mail() and $class->mail().

http://developer.spikesource.com/projects/phpsecaudit/