/tchecker

Primary language: HTML. License: GNU Lesser General Public License v3.0 (LGPL-3.0).

TChecker: Precise Static Inter-Procedural Analysis for Detecting Taint-Style Vulnerabilities in PHP Applications

TChecker is a static taint analysis tool for PHP applications. The key idea in TChecker is to iteratively construct the call graph and perform precise inter-procedural taint analysis. TChecker found 18 new vulnerabilities, and two CVEs (CVE-2022-35212, CVE-2022-35213) were assigned.

Prerequisite

Run php-cs-fixer (https://github.com/PHP-CS-Fixer/PHP-CS-Fixer) to fix the coding styles.
Run phpjoern (https://github.com/malteskoruppa/phpjoern) to generate the node file and edge file for a PHP application.

Install TChecker

TChecker is developed atop an old version of Joern.

# use gradle to install joern/tchecker
bash build.sh 

How to use

  1. Use PHPJoern to generate nodes.csv and rels.csv.
cd phpjoern/
# generate nodes.csv and rels.csv
./php2ast TargetPHPApplication/
  2. Run TChecker to generate the call graph.
cp phpjoern/*.csv tchecker/
cd tchecker/
./phpast2cpg TargetPHPApplication
# This assumes the csv files are in the same directory
# Note that the call graph (call_graph.csv) is also generated in the current directory.

Author

Please contact chluo@cse.cuhk.edu.hk for any questions.

Citation

@inproceedings{luo2022tchecker,
  title={TChecker: Precise Static Inter-Procedural Analysis for Detecting Taint-Style Vulnerabilities in PHP Applications},
  author={Luo, Changhua and Li, Penghui and Meng, Wei},
  booktitle={Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security},
  pages={2175--2188},
  year={2022}
}