I would like to point to a tool that will be useful for developing my application: Pixy. This tool takes the same approach that I want to take to report vulnerabilities in PHP applications. If you have read my application, you probably took a look at it already.
For those who did not, here is a tiny overview. The PHP files are parsed by JFlex and Cup to construct a parse tree. This tree is transformed into a linear form resembling three-address code, and it is on this form that the flow-sensitive, interprocedural, context-sensitive analysis is conducted. For more details I recommend reading the short paper.
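To make the idea concrete, here is an added example (not Pixy's own code or intermediate representation) of a minimal flow-sensitive taint propagation over a three-address-code program: the instruction forms, the sanitizer and sink tables, and the sample program are all assumptions constructed for this illustration.

```python
# Minimal flow-sensitive taint propagation over a hypothetical three-address
# code (TAC). Instruction forms (constructed for this example, not Pixy's IR):
#   ("source", dst, name)    dst := user-controlled input, e.g. $_GET
#   ("assign", dst, src)     dst := src        (src is a variable or a literal)
#   ("concat", dst, a, b)    dst := a . b
#   ("call", dst, fn, arg)   dst := fn(arg); sanitizers return cleaned data
#   ("phi", dst, a, b)       dst := a or b     (join point after an if/else)
#   ("sink", fn, arg)        fn(arg), e.g. echo or mysql_query
# Operands starting with "$" are PHP variables; anything else is a literal.
from typing import Dict, FrozenSet, List, Tuple

Instr = Tuple[str, ...]

# Which sanitizer neutralises which vulnerability class, and which sink
# is exposed to which class. Note htmlspecialchars does nothing for SQL.
SANITIZERS = {"htmlspecialchars": "xss", "mysql_real_escape_string": "sqli"}
SINKS = {"echo": "xss", "mysql_query": "sqli"}
ALL = frozenset(SINKS.values())

def analyze(program: List[Instr]) -> List[Tuple[int, str, str]]:
    """Walk the TAC in program order. `state` maps each variable to the set
    of vulnerability classes its value could still trigger; literals and
    never-assigned variables are clean. Returns (index, sink, class)."""
    state: Dict[str, FrozenSet[str]] = {}

    def taint(v: str) -> FrozenSet[str]:
        return state.get(v, frozenset()) if v.startswith("$") else frozenset()

    findings = []
    for i, ins in enumerate(program):
        op = ins[0]
        if op == "source":
            state[ins[1]] = ALL
        elif op == "assign":
            state[ins[1]] = taint(ins[2])
        elif op in ("concat", "phi"):          # both are a lattice join
            state[ins[1]] = taint(ins[2]) | taint(ins[3])
        elif op == "call":
            cleared = SANITIZERS.get(ins[2])
            state[ins[1]] = taint(ins[3]) - {cleared} if cleared else taint(ins[3])
        elif op == "sink":
            vuln = SINKS[ins[1]]
            if vuln in taint(ins[2]):
                findings.append((i, ins[1], vuln))
    return findings

# Constructed sample: $name = $_GET['name']; $safe = htmlspecialchars($name);
# echo $safe; $out = cond ? $safe : $name; echo $out;
# $q = "SELECT ... '" . $safe; mysql_query($q);
SAMPLE: List[Instr] = [
    ("source", "$name", "$_GET['name']"),
    ("call", "$safe", "htmlspecialchars", "$name"),
    ("sink", "echo", "$safe"),                      # clean: sanitized for XSS
    ("phi", "$out", "$safe", "$name"),              # join keeps the tainted branch
    ("sink", "echo", "$out"),                       # reported: XSS
    ("concat", "$q", "SELECT ... '", "$safe"),
    ("sink", "mysql_query", "$q"),                  # reported: wrong sanitizer
]
```

Running `analyze(SAMPLE)` flags instructions 4 and 6 but not 2, which is exactly the ordering-dependent result that a flow-insensitive analysis could not produce.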
Pixy performs well, but it has at least one major limitation: it does not support the object-oriented features of PHP. The online services of the scouts organisation of the Netherlands are almost completely OO, so they cannot be scanned. I hope to solve this limitation with my solution.
The advantage of Pixy is that it uses the original Flex and Bison specifications. Stratego requires an SDF, so let's get started!
1 comment:
It is a good idea to take a look at the design and implementation of some other static analysis tools as well; in particular, recently FindBugs and PMD have become popular. FindBugs does a mixture of bytecode and source-code analysis (mostly bytecode), whereas PMD works on source code. You can probably find some ideas there for bugs you would like to find in PHP, and also their implementation in both tools might already give an impression of how much work this will be for each particular bug (so that you can do some easy ones first). Both tools have clear problems with concisely traversing an abstract syntax tree, which is exactly the thing Stratego is good at :).