PHPrevent
From Dependability
Automatically Hardening Web Applications
Research Summary
Developing secure web applications is a difficult task even for expert programmers. The simple and natural ways of creating a web application are prone to SQL injection attacks and cross-site scripting attacks as well as other less common vulnerabilities. In response, many tools have been developed for detecting or mitigating common web application vulnerabilities. Unfortunately, existing techniques either require effort from the site developer or are prone to false positives.
The PHPrevent project seeks to provide a fully automated approach to securely hardening web applications. It is based on enhancing traditional taint mode analysis by precisely tracking the taintedness of data and checking for dangerous content only in those parts of commands and output that came from untrustworthy sources. Unlike previous work, in which everything derived from tainted input is treated as tainted, our approach precisely tracks taintedness within data values. This enables us to check and filter precisely for malicious inputs and dramatically reduce the rate of false positives.
While the concept of precise tainting is applicable to many environments, we have chosen to focus on PHP due to its growing market acceptance (PHP is currently installed on 50% of all Apache servers).
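The precise tainting described in the summary, as a toy model added here in Python (it is not PHPrevent's code, which instead modifies the PHP interpreter; the names `TStr`, `sql_violations`, `render_html` and `build_query` are invented for illustration): each character carries its own taint flag, so a check for SQL metacharacters or HTML tag characters looks only at the characters that came from untrusted input, and the developer's own quotes and markup never trigger a false positive.

```python
# Added example: a toy model of precise (per-character) tainting, not the
# PHPrevent interpreter itself; every name here is invented for illustration.
from dataclasses import dataclass

@dataclass
class TStr:
    """A string plus one taint flag per character (True = untrusted)."""
    text: str
    taint: list

    @staticmethod
    def trusted(s):
        return TStr(s, [False] * len(s))

    @staticmethod
    def untrusted(s):  # e.g. a value read from $_GET or $_POST
        return TStr(s, [True] * len(s))

    def __add__(self, other):  # concatenation carries the flags along
        return TStr(self.text + other.text, self.taint + other.taint)

    def tainted_runs(self):
        """Maximal substrings consisting only of tainted characters."""
        runs, cur = [], ""
        for ch, t in zip(self.text, self.taint):
            if t:
                cur += ch
            elif cur:
                runs.append(cur)
                cur = ""
        return runs + ([cur] if cur else [])

SQL_METACHARS = ("'", '"', ";", "--")

def sql_violations(cmd):
    """Tainted runs containing SQL metacharacters; empty means the untrusted
    parts are plain data, so the command may be executed."""
    return [r for r in cmd.tainted_runs() if any(m in r for m in SQL_METACHARS)]

def render_html(out):
    """Escape tag characters only where tainted; the developer's own markup
    (trusted) is left untouched, which a whole-string check could not do."""
    esc = {"<": "&lt;", ">": "&gt;", "&": "&amp;"}
    return "".join(esc[ch] if t and ch in esc else ch
                   for ch, t in zip(out.text, out.taint))

def build_query(name):
    """The developer's quotes around the untrusted value are trusted."""
    return (TStr.trusted("SELECT * FROM users WHERE name = '")
            + TStr.untrusted(name) + TStr.trusted("'"))
```

A conventional taint mode would mark the whole query tainted and flag the developer's own quote characters on every request; here only the untrusted run is examined, so a plain name passes and a value carrying a quote is caught.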
Tutorials
People
Principal Investigators
Students
- Salvatore Guarnieri
- Jeffrey Shirley
- Doug Greene
Papers
Automatically Hardening Web Applications Using Precise Tainting
- Anh Nguyen-Tuong, Salvatore Guarnieri, Doug Greene, Jeff Shirley, David Evans.
- Twentieth IFIP International Information Security Conference (SEC 2005).
- 30 May - 1 June 2005, Chiba, Japan. (PDF, 12 pages)
Talks
Automatically Hardening Web Applications Using Precise Tainting (PPT)
- (Salvatore Guarnieri). IFIP Security 2005, Chiba, Japan. June 1 2005.
Related Projects by the PIs
- Genesis: Security through Diversity
- IPA — Inexpensive Program Analysis
- Physicrypt — Physical Cryptography and Security Group
- Swarm Computing
Download
The source code is available for download to researchers. Please contact nguyen@cs.virginia.edu for information.