Dynamic PHP web-application analysis

Arthur Gerkis
Ruhr University Bochum
HackPra 2012/2013
Who am I?
○ independent computer security researcher -
  bug-hunter
○ in the past doing web application security
  analysis and pentesting
○ author of several articles in the Russian IT-
  security printed magazine "Xakep"
○ senseless browser bug slayer
Outline
  i.   About dynamic analysis
 ii.   Dynamic analysis today
iii.   PHP extension capabilities
iv.    PVT extension
So, what was dynamic analysis about?
i. About dynamic analysis
Dynamic analysis
DA is the inspection of the properties of a running
application:
  1. prepare the environment & run the application
  2. collect run-time data
  3. analyse the data

In general used for: profiling, code coverage,
tracing, etc.
Why dynamic analysis?
○ operates on real data values - it is known
  which arguments each function receives, what
  it returns, etc.
○ avoids static analysis false positives (a
  combination of DA & SA is more efficient)
○ easier to analyse obfuscated code
Why not dynamic analysis?
○ a single dynamic analysis run cannot cover all
  code paths
○ can be slow - depends on implementation,
  computing power, LoC
○ may depend on environment - OS, 32/64-bit,
  PHP version, etc.
○ may be dangerous to execute code without
  knowing what the results will be (e.g.
  malicious code)
DA tools implementations (general)
● code instrumentation
  ○ source code
  ○ compile-time
  ○ execution/run-time
● patches and extensions for compiler or
  interpreter
● external (e.g. system) tools
DA tools implementations (PHP)
● code instrumentation
  ○ source code (web-application)
  ○ compile-time
  ○ execution/run-time
● patches and extensions for compiler or
  interpreter
● external (e.g. system) tools
State of PHP dynamic analysis as of today
ii. Dynamic analysis today
Tools - code instrumentation
○ PHP Vulnerability Hunter
      autosectools.com/PHP-Vulnerability-Scanner
      Author: John Leitch

○ Saner*
      iseclab.org/papers/oakland-saner.pdf
      Authors: Davide Balzarotti, Marco Cova, Vika Felmetsger, Nenad Jovanovic, Engin Kirda,
      Christopher Kruegel, Giovanni Vigna

○ WAFA*
      research.cs.queensu.ca/~cordy/Papers/ACD_WSE09_WAFA.pdf
      Authors: Manar H. Alalfi, James R. Cordy, Thomas R. Dean

○ PHP Aspis
      https://github.com/jpapayan/aspis
      Authors: Dr Peter Pietzuch, Dr Matteo Migliavacca, Ioannis Papagiannis

* Tool not publicly available
Tools - PHP interpreters
○ Taint support for PHP
  https://wiki.php.net/rfc/taint
  Author: Wietse Venema
Taint support for PHP
Tools - PHP interpreters
○ Taint support for PHP
     https://wiki.php.net/rfc/taint
     Author: Wietse Venema

○ CORE Grasp
     grasp.coresecurity.com/
     Author: CoreLabs

○ PHPrevent*
     cs.virginia.edu/nguyen/phprevent/
     Authors: Anh Nguyen-Tuong, Salvatore Guarnieri, Doug Greene, Jeff Shirley, David Evans

* Tool not publicly available
Tools - PHP extension
○ bytekit
  https://github.com/Tyrael/bytekit
  Author: Stefan Esser

○ evalhook
  php-security.org/2010/05/13/article-decoding-a-user-space-encoded-php-script/index.html
  Author: Stefan Esser

○ taint
  pecl.php.net/package/taint
  Author: Xinchen Hui

○ Dtrace
  pecl.php.net/package/DTrace
  Author: Wez Furlong
Tools - external tools
○ strace - Linux, truss - Solaris/BSD, ktrace -
  OS X (< 10.5)/BSD
○ DTrace - OS X/Solaris/QNX/BSD
○ SystemTap, LTTng - Linux
○ gdb (use PHP's .gdbinit), any other
  debugger
Tools - gdb example
Tools - miscellaneous
Xdebug +(KCachegrind, PHPUnit, php-code-
coverage, NetBeans IDE), XHProf, pfff

There are surely also unknown tools - small,
private and unreleased.
Our choice - PHP extension
○ transparent to web-application - no
  influence on code and execution path
○ full control over web-application - dump
  values of variables, trace functions, taint
  variables, etc.
Developing PHP extension?
○ no up-to-date documentation - blog posts, an
  outdated book and a couple of chapters:
  ○   Expert PHP and MySQL - Andrew Curioso, Ronald Bradford, Patrick
      Galbraith, 2010 (Chapter)
  ○   Extending and Embedding PHP - Sara Golemon, 2006
  ○   Advanced PHP Programming - George Schlossnagle, 2004 (Chapter)
○ may be intimidating to follow PHP changes
○ the up-to-date source of information is the
  source code of other extensions (Suhosin,
  bytekit, XDebug)
  ○   http://lxr.php.net/ - PHP source code search via OpenGrok
What is a PHP extension capable of?
iii. PHP extension capabilities
Dissected PHP lifecycle
PHP_MINIT_FUNCTION(foobar)
{
    [...]
    orig_compile_string = zend_compile_string;
    zend_compile_string = foobar_compile_string;

    old_execute = zend_execute;
    zend_execute = foobar_execute;

    old_zend_execute_internal = zend_execute_internal;
    zend_execute_internal = foobar_execute_internal;

    return SUCCESS;
}

PHP_MSHUTDOWN_FUNCTION(foobar)
{
    [...]
    zend_compile_string = orig_compile_string;
    zend_execute = old_execute;
    zend_execute_internal = old_zend_execute_internal;
    [...]
    return SUCCESS;
}

PHP_RINIT_FUNCTION(foobar)
{
    [...]
    return SUCCESS;
}

PHP_RSHUTDOWN_FUNCTION(foobar)
{
    [...]
    return SUCCESS;
}
Handle function entry and exit
Register every executing function and get
access to all data the function works with:
  ○ trace the execution path and generate a call
     graph later
     ○ understand the application architecture
     ○ explore the executed paths of the application and detect
       yet unexplored areas
  ○ intercept identifiers (markers) in data passed
    to any function
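Post-processing such an entry/exit trace is the part the slides leave out. The following is an added example, not PVT's own code: it replays a constructed trace in a hypothetical "ENTER <func> [args]" / "EXIT <func>" line format, recovers the caller/callee edges into Graphviz DOT (the kind of graph PVT hands to dot), reports where a planted marker string surfaced in function arguments (the marker-catching feature PVT describes), and lists known functions the run never reached. The MARKER value, the trace format and all function names are constructed for the example.

```python
from collections import Counter
from dataclasses import dataclass, field

# Hypothetical marker an auditor plants in request data (not a PVT constant).
MARKER = "PVTMARK"

# Constructed sample trace in a hypothetical "ENTER <func> [args]" / "EXIT <func>"
# line format; PVT's real log layout is not shown in the slides.
SAMPLE_TRACE = """\
ENTER main
ENTER get_input PVTMARK
EXIT get_input
ENTER render PVTMARK
ENTER htmlspecialchars PVTMARK
EXIT htmlspecialchars
ENTER echo_out &lt;b&gt;PVTMARK&lt;/b&gt;
EXIT echo_out
EXIT render
ENTER query PVTMARK
ENTER mysql_query SELECT * FROM posts WHERE slug='PVTMARK'
EXIT mysql_query
EXIT query
EXIT main
"""


@dataclass
class CallGraph:
    edges: Counter = field(default_factory=Counter)  # (caller, callee) -> call count
    seen: set = field(default_factory=set)           # every function that executed
    marker_hits: list = field(default_factory=list)  # (callee, call path) when args carried the marker


def parse_trace(text, marker=MARKER):
    """Replay ENTER/EXIT lines with a call stack to recover caller -> callee edges."""
    g = CallGraph()
    stack = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        parts = line.split(" ", 2)
        if len(parts) < 2:
            raise ValueError(f"line {lineno}: malformed trace line {line!r}")
        kind, func = parts[0], parts[1]
        args = parts[2] if len(parts) > 2 else ""
        if kind == "ENTER":
            caller = stack[-1] if stack else None   # None marks the script entry point
            g.edges[(caller, func)] += 1
            g.seen.add(func)
            if marker in args:
                g.marker_hits.append((func, tuple(stack) + (func,)))
            stack.append(func)
        elif kind == "EXIT":
            if not stack or stack[-1] != func:
                raise ValueError(f"line {lineno}: EXIT {func} does not close the open call {stack[-1:]}")
            stack.pop()
        else:
            raise ValueError(f"line {lineno}: unknown record {kind!r}")
    if stack:
        raise ValueError(f"trace ended with calls still open: {stack}")
    return g


def to_dot(g):
    """Render the call graph as Graphviz DOT; functions that saw the marker are filled."""
    hit = {func for func, _ in g.marker_hits}
    out = ["digraph pvt_trace {", "  node [shape=box];"]
    for func in sorted(g.seen):
        if func in hit:
            out.append(f'  "{func}" [style=filled, fillcolor=salmon];')
    for (caller, callee), n in sorted(g.edges.items(), key=lambda e: (e[0][0] or "", e[0][1])):
        if caller is None:
            continue  # the entry point has no caller to draw an edge from
        out.append(f'  "{caller}" -> "{callee}" [label="{n}"];')
    out.append("}")
    return "\n".join(out)


def marker_paths(g):
    """Call chains along which the marker travelled, innermost callee last."""
    return [" -> ".join(path) for _, path in g.marker_hits]


def unexplored(g, known_functions):
    """Functions known to exist (e.g. from a static listing) that this run never executed."""
    return sorted(set(known_functions) - g.seen)


if __name__ == "__main__":
    graph = parse_trace(SAMPLE_TRACE)
    print(to_dot(graph))
    print("marker reached:", *marker_paths(graph), sep="\n  ")
    print("unexplored:", unexplored(graph, ["main", "render", "query", "admin_delete", "logout"]))
```

Piping the DOT output through `dot -Tsvg` gives the navigable graph; a marker that reaches a database or output function without passing through a sanitizer on its path is what the audit is looking for.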
Handle function entry and exit
// execute_internal() doesn't catch nested internal function calls (callbacks)
static void foobar_execute_internal(zend_execute_data *execute_data_ptr, int return_value_used TSRMLS_DC)
{
    [...]
    // Here Zend internal functions get executed.
    // Work with opcodes, variables, handle function entries.
    execute_internal(execute_data_ptr, return_value_used TSRMLS_CC);
    // Here it is possible to handle function exits.
}


static void foobar_execute(zend_op_array *op_array TSRMLS_DC)
{
    [...]
    // Here user functions get executed.
    // Work with opcodes, variables, handle function entries.
    old_execute(op_array TSRMLS_CC);
    // Here it is possible to handle function exits.
}
Implement functions and classes
Implementing your own internal PHP classes and
functions allows extending PHP functionality for
different uses:
   ○ fighting bottlenecks, optimizing
      execution time
   ○ utilizing OS-specific functionality
   ○ extending web-application capabilities
   ○ providing debugging and profiling facilities
Work with opcode
PHP allows complete control over every
opcode:
  ○ dump opcodes on the fly and observe
     them later for low-level analysis (e.g. for
     obfuscated code)
  ○ set opcode handler for complete control
     over application
Work with opcode
static int php_taint_echo_handler(ZEND_OPCODE_HANDLER_ARGS);

static void php_taint_register_handlers(TSRMLS_D) {
    // Replace the default ZEND_ECHO handler with our own
    zend_set_user_opcode_handler(ZEND_ECHO, php_taint_echo_handler);
    [...]
}


static int php_taint_echo_handler(ZEND_OPCODE_HANDLER_ARGS) {
    zend_op *opline = execute_data->opline;
    [...]
    // Let the engine run the original ZEND_ECHO handler afterwards
    return ZEND_USER_OPCODE_DISPATCH;
}


PHP_MINIT_FUNCTION(foobar)
{
    [...]
    php_taint_register_handlers(TSRMLS_C);

    return SUCCESS;
}
Hook dynamically evaluated strings
Catch every dynamically executed string and
log it - see what happens inside of
   ○ eval(), create_function()
   ○ assert()
   ○ preg_replace() with the "e" modifier
Hook dynamically evaluated strings
static zend_op_array *evalhook_compile_string(zval *source_string, char *filename TSRMLS_DC)
{
    int len;
    char *copy;
    [...]
    // Take a copy of the string about to be compiled so it can be logged
    len = Z_STRLEN_P(source_string);
    copy = estrndup(Z_STRVAL_P(source_string), len);
    [...]
    // Hand the string over to the original compiler
    return orig_compile_string(source_string, filename TSRMLS_CC);
}
Set Zend extension callbacks
Zend provides the possibility to set various
handlers for more fine-grained control:
  ○ statement handler, allows:
     ○ single stepping through code
     ○ profiling
     ○ implementing a stepping debugger
  ○ function entry/exit handlers
  ○ op_array manipulation
Set Zend extension callbacks
// Set in our extension
ZEND_DLEXPORT zend_extension zend_extension_entry = {
    "Foobar extension",
    FOOBAR_VERSION,
    "Author",
    NULL,
    "Copyright (c)",
    NULL,   // foobar_zend_startup
    NULL,   // foobar_zend_shutdown
    NULL,   // activate_func_t
    NULL,   // deactivate_func_t
    NULL,   // message_handler_func_t
    NULL,   // op_array_handler_func_t
    statement_handler,    // statement_handler_func_t
    NULL,   // fcall_begin_handler_func_t
    NULL,   // fcall_end_handler
    NULL,   // op_array_ctor_func_t
    NULL,   // op_array_dtor_func_t
    STANDARD_ZEND_EXTENSION_PROPERTIES
};

// Defined in Zend/zend_extensions.h
struct _zend_extension {
    char *name;
    char *version;
    char *author;
    char *URL;
    char *copyright;
    startup_func_t startup;
    shutdown_func_t shutdown;
    activate_func_t activate;
    deactivate_func_t deactivate;
    message_handler_func_t message_handler;
    op_array_handler_func_t op_array_handler;
    statement_handler_func_t statement_handler;
    fcall_begin_handler_func_t fcall_begin_handler;
    fcall_end_handler_func_t fcall_end_handler;
    op_array_ctor_func_t op_array_ctor;
    op_array_dtor_func_t op_array_dtor;
    int (*api_no_check)(int api_no);
    int (*build_id_check)(const char* build_id);
    [...]
};
Tasks for PHP extension
○ assist in debugging - XDebug, vld
○ hardening PHP - Suhosin
○ execution time optimization - APC, XCache
○ web-application security evaluation -
  bytekit, evalhook, taint
○ protective measures - Zend Guard, ionCube
○ etc.
Introducing PVT
iv. PVT extension
New PHP dynamic analysis tool
Named PVT - PHP Vulnerability Tracer:
○ the idea of PVT is to provide tools that assist
  in web-application security audits
○ the aim of PVT is to be transparent to the web
  application, fully automated, easy to use
  and highly customizable - achieved by
  being a PHP extension.
PVT - Swiss knife
○ draws dynamic code execution graphs
  (allows code navigation)
○ hooks all eval'd strings
○ catches your marker in the arguments of a
  function, or simply every argument of every
  function
○ can dump chosen or all variables
○ opcode dumper for low-level analysis
○ settings for each module
PVT - Swiss knife
* namings may change later
Sounds good?
○ may be slow as hell if you switch on too many
  modules or run it on a heavy web application
○ works only on Linux*
○ works only on PHP 5.2/5.3
○ may not be very comfortable to use - logs
  are plain text files, needs dot, requires Perl
  ...
Statistics
Statistics shown are for WordPress 3.4 (opening simple pages like index.php).

  #   Configuration                    Time, seconds
  1   Without PVT                      0.14
  2   All modules switched On          16.67
  3   dump_ops = On                    9.45
  4   All modules On except dump_ops   6.45
  5   catch_marker = On                4.79
  6   dump_vars = On                   1.18
  7   trace_func = On                  0.64
  8   eval_hook = On                   0.16
Demo
In perspective
○   speed optimization (priority)
○   add variable tracing
○   connect logs and graph
○   data tainting (?)
○   opcode graphs
○   convenient logs management
○   find and eliminate bugs

You can help with ideas and bug reports!
Acknowledgments
○ Stefan Esser
○ Vladimir Vorontsov
References
○   https://github.com/ax330d/pvt
○   https://wiki.php.net/rfc/taint
○   https://wiki.php.net/internals/references
○   www.smartflow.org/aspis
○   grasp.coresecurity.com/
○   www.cs.virginia.edu/phprevent/
○   https://github.com/Tyrael/bytekit
○   http://www.cs.ucsb.edu/~rusvika/papers/ssp08_saner.pdf
○   research.cs.queensu.ca/~cordy/Papers/ACD_WSE09_WAFA.pdf
○   sebastian-bergmann.de/archives/871-bytekit-cli.html
○   solaris.reys.net/dtrace-php-scripts/
○   solaris.reys.net/debugging-php-with-dtrace-part-2/
○   https://blogs.oracle.com/shanti/entry/dtrace_support_for_php
○   wezfurlong.org/blog/2005/aug/dtracing-php-on-solaris/
○   PHP Tainted variables: An idea whose time has come - Wietse Venema, 2008
○   Static and Dynamic Analysis for PHP Security - V.C.Sreedhar, 2006
○   Static and Dynamic Analysis at Ning - David Sklar, 2008
○   Analysing PHP Code - Sebastian Bergmann, 2009
○   PHP Extension Writing - Marcus Borger, Wez Furlong, Sara Golemon, 2005
Questions?
You can reach me on twitter.com/ax330d, or
 e-mail to user ax330d on the gmail server.
