PHP static code analysis method based on taint analysis

A static code and taint analysis technology, applied in the field of network security, can solve problems such as inability to correctly identify, inability to adapt to new version of PHP syntax features, new feature false positives, etc.

Pending Publication Date: 2021-12-24
CHINA YOUKE COMM TECH
View PDF0 Cites 0 Cited by
  • Summary
  • Abstract
  • Description
  • Claims
  • Application Information

AI Technical Summary

Problems solved by technology

[0005] Generally speaking, although there are already PHP vulnerability analysis tools in the industry, most of the current source code analysis tools have fallen into the situation of stopping updating, and can no longer adapt to the grammatical features of the current new version of PHP.
This leads to incorrect identification of vulnerabilities introduced from new features and false positives for new features

Method used

the structure of the environmentally friendly knitted fabric provided by the present invention; figure 2 Flow chart of the yarn wrapping machine for environmentally friendly knitted fabrics and storage devices; image 3 Is the parameter map of the yarn covering machine
View more

Image

Smart Image Click on the blue labels to locate them in the text.
Viewing Examples
Smart Image
  • PHP static code analysis method based on taint analysis
  • PHP static code analysis method based on taint analysis
  • PHP static code analysis method based on taint analysis

Examples

Experimental program
Comparison scheme
Effect test

Embodiment Construction

[0027] The technical solution of the present invention will be specifically described below in conjunction with the accompanying drawings.

[0028] A PHP static code analysis method based on taint analysis in the present invention, firstly, lexical analysis and syntax analysis are performed on PHP static code, and an abstract syntax tree corresponding to the code is constructed; secondly, the abstract syntax tree is divided into different sub-functions, and the taint is used The analysis technology marks the tainted data flow in each function; finally, according to the nature of the parameters of the confluence point of the tainted data flow, it is determined whether there is a vulnerability.

[0029] Based on a PHP static code analysis method based on taint analysis of the present invention, the present invention realizes a PHP static code vulnerability detection prototype tool based on taint analysis, that is, the static code analysis tool is introduced into the coding stage,...

the structure of the environmentally friendly knitted fabric provided by the present invention; figure 2 Flow chart of the yarn wrapping machine for environmentally friendly knitted fabrics and storage devices; image 3 Is the parameter map of the yarn covering machine
Login to view more

PUM

No PUM Login to view more

Abstract

The invention relates to a PHP static code analysis method based on taint analysis. The method comprises the following steps: firstly, performing lexical analysis and grammatical analysis on PHP static codes, and constructing an abstract syntax tree corresponding to the codes; secondly, segmenting the abstract syntax tree into different sub-functions, and marking taint data streams in each function by using a taint analysis technology; and finally, judging whether a vulnerability exists or not according to the convergent point parameter property of the taint data stream. In addition, when the taint data stream is marked, the variable range is narrowed by limiting the data type of the newly added variable, and the vulnerability false alarm rate is reduced by combining measures such as conditions when the safety threat function is utilized. According to the method, automatic tool vulnerability detection can be achieved, and under the condition that no branch exists in the code, vulnerability detection of the Web application can be completed more efficiently and more accurately.

Description

technical field [0001] The invention relates to the field of network security, in particular to a static code analysis method for PHP based on stain analysis. Background technique [0002] For code auditing, the current mainstream is divided into black box testing and white box testing. The biggest difference between the two testing methods is whether the audit system can obtain the source code of the target system. In black-box testing, the audit system does not know the source code of the target, and it treats the target program as a black box without considering the internal structure and logic of the target program. The audit system determines whether there is a loophole by continuously changing the input data and obtaining the output of the program or its working status. Since each test results in abnormal results through certain data, black-box testing is a testing method with a low false positive rate, but its detection coverage for vulnerabilities depends on the ca...

Claims

the structure of the environmentally friendly knitted fabric provided by the present invention; figure 2 Flow chart of the yarn wrapping machine for environmentally friendly knitted fabrics and storage devices; image 3 Is the parameter map of the yarn covering machine
Login to view more

Application Information

Patent Timeline
no application Login to view more
Patent Type & Authority Applications(China)
IPC IPC(8): G06F21/56G06F21/57
CPCG06F21/563G06F21/577
Inventor 符德霖陈春陈立虹庄荣南
Owner CHINA YOUKE COMM TECH
Who we serve
  • R&D Engineer
  • R&D Manager
  • IP Professional
Why Eureka
  • Industry Leading Data Capabilities
  • Powerful AI technology
  • Patent DNA Extraction
Social media
Try Eureka
PatSnap group products

Browse by: Latest US Patents, China's latest patents, Technical Efficacy Thesaurus, Application Domain, Technology Topic.

© 2024 PatSnap. All rights reserved.Legal|Privacy policy|Modern Slavery Act Transparency Statement|Sitemap