Framework for Static Analysis of PHP Applications

Authors David Hauzar, Jan Kofron

Thumbnail PDF


  • Filesize: 1.61 MB
  • 23 pages

Document Identifiers

Author Details

David Hauzar
Jan Kofron

Cite AsGet BibTex

David Hauzar and Jan Kofron. Framework for Static Analysis of PHP Applications. In 29th European Conference on Object-Oriented Programming (ECOOP 2015). Leibniz International Proceedings in Informatics (LIPIcs), Volume 37, pp. 689-711, Schloss Dagstuhl – Leibniz-Zentrum für Informatik (2015)


Dynamic languages, such as PHP and JavaScript, are widespread and heavily used. They provide dynamic features such as dynamic type system, virtual and dynamic method calls, dynamic includes, and built-in dynamic data structures. This makes it hard to create static analyses, e.g., for automatic error discovery. Yet exploiting errors in such programs, especially in web applications, can have significant impacts. In this paper, we present static analysis framework for PHP, automatically resolving features common to dynamic languages and thus reducing the complexity of defining new static analyses. In particular, the framework enables defining value and heap analyses for dynamic languages independently and composing them automatically and soundly. We used the framework to implement static taint analysis for finding security vulnerabilities. The analysis has revealed previously unknown security problems in real application. Comparing to existing state-of-the-art analysis tools for PHP, it has found more real problems with a lower false-positive rate.
  • Static analysis
  • abstract interpretation
  • dynamic languages
  • PHP
  • security


  • Access Statistics
  • Total Accesses (updated on a weekly basis)
    PDF Downloads


  1. P. Cousot and R. Cousot. Abstract interpretation: a unified lattice model for static analysis of programs by construction or approximation of fixpoints. In POPL'77, pages 238-252. ACM, 1977. Google Scholar
  2. Bruno Dufour, Barbara G. Ryder, and Gary Sevitsky. Blended analysis for performance understanding of framework-based applications. In ISSTA'07, pages 118-128. ACM, 2007. Google Scholar
  3. Manuel Fähndrich and Francesco Logozzo. Static contract checking with abstract interpretation. In FoVeOOS'10, LNCS, pages 10-30. Springer-Verlag, 2011. Google Scholar
  4. Asger Feldthaus, Todd Millstein, Anders Møller, Max Schäfer, and Frank Tip. Tool-supported refactoring for javascript. In OOPSLA'11, pages 119-138. ACM, 2011. Google Scholar
  5. Asger Feldthaus and Anders Møller. Semi-automatic rename refactoring for javascript. In OOPSLA'13, pages 323-338. ACM, 2013. Google Scholar
  6. Pietro Ferrara. Generic combination of heap and value analyses in abstract interpretation. In VMCAI'05, LNCS, pages 302-321. Springer-Verlag, 2014. Google Scholar
  7. Seth Fogie, Jeremiah Grossman, Robert Hansen, Anton Rager, and Petko D. Petkov. XSS Attacks: Cross Site Scripting Exploits and Defense. Syngress, May 2007. Google Scholar
  8. Zhoulai Fu. Modularly combining numeric abstract domains with points-to analysis, and a scalable static numeric analyzer for java. In VMCAI'05, LNCS, pages 282-301. Springer-Verlag, 2014. Google Scholar
  9. Denis Gopan, Frank DiMaio, Nurit Dor, Thomas W. Reps, and Shmuel Sagiv. Numeric domains with summarized dimensions. In TACAS'04, LNCS, pages 512-529. Springer-Verlag, 2004. Google Scholar
  10. David Hauzar and Jan Kofroň. Weverca., 2014.
  11. David Hauzar, Jan Kofroň, and Pavel Baštecký. Data-flow analysis of programs with associative arrays. In ESSS'14, EPTCS, pages 56-70. Open Publishing Association, 2014. Google Scholar
  12. Yao-Wen Huang, Fang Yu, Christian Hang, Chung-Hung Tsai, Der-Tsai Lee, and Sy-Yen Kuo. Securing web application code by static analysis and runtime protection. In WWW'04, pages 40-52. ACM, 2004. Google Scholar
  13. Simon Holm Jensen, Peter A. Jonsson, and Anders Møller. Remedying the eval that men do. In ISSTA 2012, pages 34-44. ACM, 2012. Google Scholar
  14. Simon Holm Jensen, Anders Møller, and Peter Thiemann. Type analysis for JavaScript. In SAS'09, volume 5673 of LNCS. Springer-Verlag, August 2009. Google Scholar
  15. Nenad Jovanovic, Christopher Kruegel, and Engin Kirda. Pixy: A static analysis tool for detecting web application vulnerabilities (short paper). In SP'06: Proceedings of the 2006 IEEE Symposium on Security and Privacy, pages 258-263, Washington, DC, USA, 2006. IEEE Computer Society. Google Scholar
  16. Nenad Jovanovic, Christopher Kruegel, and Engin Kirda. Pixy: A static analysis tool for detecting web application vulnerabilities (short paper). In SP'06, pages 258-263. IEEE Computer Society, 2006. Google Scholar
  17. Etienne Kneuss, Philippe Suter, and Viktor Kuncak. Runtime instrumentation for precise flow-sensitive type analysis. In RV'10, LNCS, pages 300-314. Springer-Verlag, 2010. Google Scholar
  18. Ondrej Lhoták and Kwok-Chiang Andrew Chung. Points-to analysis with efficient strong updates. In POPL'11, pages 3-16, New York, NY, USA, 2011. ACM. Google Scholar
  19. Antoine Miné. Field-sensitive value analysis of embedded c programs with union types and pointer arithmetics. In LCTES'06, pages 54-63. ACM, 2006. Google Scholar
  20. Flemming Nielson, Hanne R. Nielson, and Chris Hankin. Principles of Program Analysis. Springer-Verlag New York, Inc., Secaucus, NJ, USA, 1999. Google Scholar
  21. Manu Sridharan, Shay Artzi, Marco Pistoia, Salvatore Guarnieri, Omer Tripp, and Ryan Berg. F4f: Taint analysis of framework-based web applications. In OOPSLA'11, pages 1053-1068. ACM, 2011. Google Scholar
  22. Manu Sridharan, Julian Dolby, Satish Chandra, Max Schäfer, and Frank Tip. Correlation tracking for points-to analysis of javascript. In ECOOP'12: Proceedings of the 26th European Conference on Object-Oriented Programming, Lecture Notes in Computer Science, pages 435-458, Berlin, Heidelberg, 2012. Springer-Verlag. Google Scholar
  23. Manu Sridharan, Julian Dolby, Satish Chandra, Max Schäfer, and Frank Tip. Correlation tracking for points-to analysis of javascript. In ECOOP'12, LNCS, pages 435-458. Springer-Verlag, 2012. Google Scholar
  24. Omer Tripp, Marco Pistoia, Patrick Cousot, Radhia Cousot, and Salvatore Guarnieri. Andromeda: Accurate and scalable security analysis of web applications. In FASE'13, LNCS, pages 210-225. Springer-Verlag, 2013. Google Scholar
  25. Arnaud Venet. Towards the integration of symbolic and numerical static analysis. In VSTTE 2005, LNCS, pages 227-236. Springer-Verlag, 2005. Google Scholar
  26. Gary Wassermann and Zhendong Su. Sound and precise analysis of web applications for injection vulnerabilities. In PLDI'07, pages 32-41. ACM, 2007. Google Scholar
  27. Gary Wassermann and Zhendong Su. Static detection of cross-site scripting vulnerabilities. In ICSE'08, pages 171-180. ACM, 2008. Google Scholar
  28. Shiyi Wei and Barbara G. Ryder. Practical blended taint analysis for javascript. In ISSTA 2013, pages 336-346. ACM, 2013. Google Scholar
  29. Shiyi Wei and Barbara G. Ryder. State-sensitive points-to analysis for the dynamic behavior of javascript objects. In ECOOP 2014, volume 8586 of LNCS, pages 1-26. Springer Berlin Heidelberg, 2014. Google Scholar
  30. Yichen Xie and Alex Aiken. Static detection of security vulnerabilities in scripting languages. In USENIX-SS'06. USENIX Association, 2006. Google Scholar