Code Reuse Attacks in PHP: Automated POP Chain Generation

Published: 03 November 2014

Abstract

Memory corruption vulnerabilities that lead to control-flow hijacking attacks are a common problem for binary executables, and such attacks have been known for more than two decades. Over the last few years, code reuse attacks in particular have attracted a lot of attention. In such attacks, an adversary does not need to inject her own code during the exploitation phase; instead, she reuses existing code fragments (so-called gadgets) to build a code chain that performs malicious computations on her behalf. Return-oriented programming (ROP) is a well-known technique that bypasses many existing defenses. Surprisingly, code reuse attacks are also a viable attack vector against web applications.
In this paper, we study code reuse attacks in the context of PHP-based web applications. We analyze how PHP object injection (POI) vulnerabilities can be exploited via property-oriented programming (POP) and perform a systematic analysis of the gadgets available in common PHP applications. Furthermore, we introduce an automated approach to statically detect POI vulnerabilities in object-oriented PHP code. Our approach is also capable of generating POP chains automatically. We implemented a prototype of the proposed approach and evaluated it on 10 well-known applications. Overall, we detected 30 new POI vulnerabilities and 28 new gadget chains.
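As an added illustration (not code from the paper or its prototype), the pattern the abstract describes: a POI sink that passes untrusted input to unserialize(), a class whose magic method becomes a POP gadget, and the hardened forms of the sink that prevent any gadget chain from starting. The class, function and path names are assumptions constructed for this example.

```php
<?php
// Added example (not from the paper). Constructed classes showing what a static
// analysis for PHP object injection (POI) looks for: a sink that unserializes
// untrusted input, and a class whose magic method becomes a POP gadget.

// Gadget: an innocent-looking cache class. Its __destruct() runs when any
// instance is destroyed, including instances created by unserialize(), and
// writes an attacker-controlled property to an attacker-controlled path.
// (__wakeup() and __toString() are other common gadget entry points.)
class FileCache
{
    public $path = '/tmp/cache.bin';   // public property: restorable by unserialize()
    public $data = '';

    public function __destruct()
    {
        file_put_contents($this->path, $this->data);   // gadget: arbitrary file write
    }
}

// POI sink (vulnerable form): user input reaches unserialize() unchanged, so any
// loaded class can be instantiated with arbitrary property values.
function loadPreferencesVulnerable(string $cookie): array
{
    $prefs = unserialize($cookie);
    return is_array($prefs) ? $prefs : [];
}

// Hardened form 1: refuse objects entirely. With allowed_classes => false
// (PHP >= 7.0) unserialize() turns every object into __PHP_Incomplete_Class,
// whose magic methods never run, so no gadget chain can start at this sink.
function loadPreferencesHardened(string $cookie): array
{
    $prefs = unserialize($cookie, ['allowed_classes' => false]);
    return is_array($prefs) ? $prefs : [];
}

// Hardened form 2: use a data format that cannot encode objects at all.
function loadPreferencesJson(string $cookie): array
{
    $prefs = json_decode($cookie, true);
    return is_array($prefs) ? $prefs : [];
}

// Constructed input: a plain array, which every variant accepts. The variants
// differ only when the cookie carries a serialized object.
var_dump(loadPreferencesHardened(serialize(['theme' => 'dark'])));
var_dump(loadPreferencesJson(json_encode(['theme' => 'dark'])));
```

A static detector of the kind the abstract describes flags the first function because a source (the cookie) reaches unserialize() without a class restriction, and FileCache as a gadget because a magic method uses restorable properties in a sensitive call.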



Published In

CCS '14: Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security
November 2014
1592 pages
ISBN: 9781450329576
DOI: 10.1145/2660267

Publisher

Association for Computing Machinery, New York, NY, United States

Author Tags

1. code reuse attacks
2. php object injection
3. property-oriented programming
4. static code analysis
5. web security
