Supporting PHP dynamic analysis in PHP AiR
Pages 37 - 38
Abstract
The PHP AiR framework is currently being developed to support software metrics, empirical software engineering, and program analysis for real-world PHP systems. While most of the work on program analysis has focused on static analysis, to help address the dynamic nature of the language we have also started to extend PHP AiR with support for dynamic program analysis. This extended abstract highlights two parts of this support: integration with xdebug for trace analysis, and instrumentation of an open-source PHP interpreter with a focus on supporting string origins, allowing us to explore how strings are created in security-sensitive areas such as database calls and HTML generation.
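The string-origin mechanism the abstract describes can be illustrated with a small model. The block below is an added example, not code from the paper or from PHP AiR, and it models the idea in Python rather than inside a PHP interpreter: every string value carries, per text run, a label saying where that run came from (a literal in the source, a request parameter, a sanitizer), the labels survive concatenation and substring operations, and a sink check reports which parts of the final string came from untrusted input. The file names, line numbers and parameter names in it are constructed.

```python
"""Toy model of string-origin tracking for a PHP-like interpreter (added example)."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Origin:
    kind: str    # 'literal', 'request' or 'sanitized'
    where: str   # source location or parameter name (constructed labels)


@dataclass
class OStr:
    """A string whose text is split into runs, each tagged with its origin."""
    segs: list = field(default_factory=list)   # list of (text, Origin)

    @staticmethod
    def literal(text, loc):
        return OStr([(text, Origin('literal', loc))])

    @staticmethod
    def request(text, param):
        return OStr([(text, Origin('request', param))])

    def concat(self, other):
        # PHP's '.' operator: origins of both operands are kept side by side.
        return OStr(self.segs + other.segs)

    def slice(self, start, stop):
        # PHP's substr(): keep only the parts of each run inside [start, stop).
        out, pos = [], 0
        for text, origin in self.segs:
            lo, hi = max(start, pos), min(stop, pos + len(text))
            if lo < hi:
                out.append((text[lo - pos:hi - pos], origin))
            pos += len(text)
        return OStr(out)

    def text(self):
        return ''.join(t for t, _ in self.segs)


def sanitize(s, loc):
    """Model of an escaping call: the result is one run whose origin records
    that the text passed through the sanitizer at `loc` (constructed)."""
    escaped = s.text().replace("'", "\\'")
    return OStr([(escaped, Origin('sanitized', loc))])


UNTRUSTED_KINDS = {'request'}


def check_sink(s, sink_name):
    """At a security-sensitive sink (database call, HTML output), report every
    run of the string that still originates directly from untrusted input.
    Returns a list of (sink, text, origin label) triples."""
    return [(sink_name, text, o.where) for text, o in s.segs if o.kind in UNTRUSTED_KINDS]


def build_query(name_value, escape):
    """Simulate the PHP fragment (constructed):
        $name = $_GET['name'];                       // users.php:12 (optionally escaped)
        $q = "SELECT * FROM users WHERE name = '" . $name . "'";   // users.php:14
    and return the origin-tagged query string."""
    name = OStr.request(name_value, "$_GET['name']")
    if escape:
        name = sanitize(name, 'users.php:12')
    q = OStr.literal("SELECT * FROM users WHERE name = '", 'users.php:14')
    return q.concat(name).concat(OStr.literal("'", 'users.php:14'))


if __name__ == '__main__':
    for escape in (False, True):
        q = build_query("o'neil", escape)
        print(q.text())
        for sink, text, where in check_sink(q, 'mysqli_query'):
            print(f"  untrusted run {text!r} from {where} reaches {sink}")
        # substr($q, 30, 6) keeps the origin of each character it copies
        print("  substr(30, 6) ->", [(t, o.kind) for t, o in q.slice(30, 36).segs])
```

Running the script shows the unescaped query reaching the database sink with a run labelled as coming from `$_GET['name']`, the escaped variant reaching it with only literal and sanitized runs, and the substring still carrying the request origin for the characters it copied. A real implementation inside an interpreter would attach the same labels to the engine's string values and propagate them through every string-producing operation, not just the two modelled here.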
Sections
Introduction
Execution Tracing with xdebug
Integration with Quercus
Published In
Copyright © 2015 Owner/Author.
Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for third-party components of this work must be honored. For all other uses, contact the Owner/Author.
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
Published: 26 October 2015
Qualifiers
- Extended-abstract
Conference
SPLASH '15
Sponsor:
SPLASH '15: Conference on Systems, Programming, Languages, and Applications: Software for Humanity
October 26, 2015
Pittsburgh, PA, USA