For information on exhibition and sponsorship opportunities at the conference, contact Sharon Cordesse at firstname.lastname@example.org.
For media-related inquiries, contact Maureen Jennings at email@example.com.
To stay abreast of conference news and to receive email notification when registration opens, please sign up for the OSCON newsletter (login required).
View a complete list of OSCON 2008 Contacts
Auditing large PHP codebases for potential security weaknesses is very time consuming, but in reality, only some lines in the application need individual attention. You want to see where untrusted input can propagate taint within the application. In complex logic that might mean chasing many possible execution paths. Using an automatic tool to try to follow these paths without running all possible input variations is called static analyis.
There have been a few attempts at PHP static analysis tools with varying degrees of completion. The Taint tool allows the PHP engine to do as much as possible, then cuts in at the last stage to analyze the compiled opcodes and trace possible flow of execution.
The opcodes do give you a very detailed, concrete view of what will happen when your code runs … if you can read them.
Given that there are very few people in the world who can read them intuitively, and only a slightly larger group that want to, most people need a tool to help.
The Taint tool presents opcodes in a readable way, making it clear what lines of source got compiled into specific opcodes. It also performs a static analysis on the code, following the opcodes to attempt to trace all possible code branches and mark lines that tainted data can be passed to.
As a side benefit, having a readable view of the underlying opcodes could give you insight that could help with debugging or fine-grained optimization.
In this talk we will look at and trace the opcodes that result from a variety of short PHP scripts, and see how they show where security problems could result.
Luke Welling is from Melbourne, Australia, but currently lives near Washington, DC, where he ekes out a living as a security nerd at OmniTI. He sees lots of good PHP and bad PHP, and tries to write more good than bad. Over the last decade, he has applied PHP in many places where it was intended, and in many places where it was never meant to go. With his wife Laura, he wrote the bestselling book PHP and MySQL Web Development and often speaks about PHP at conferences and user groups. His hobbies include riding his horses and sticking Splayds in toasters, although he has not yet attempted to do both at once.