
papers_collection's Introduction

CodeWars: 🐒

LeetCode: LeetCode

LeetCode Log: ⬇️ 🐒

papers_collection's People

Contributors

iohehe, iohexer, splendor-pro


papers_collection's Issues

common

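Write some definitions or other things in common.

Survey of papers on PHP vulnerability discovery

The empire of an area can be found from a paper's related work.

Discovery of Vulnerabilities in PHP Code

2004 (entering PHP5)

(This person was probably the earliest to study automated vulnerability detection for dynamic web pages; many of the papers in his references are worth reading, to see how he made the transition.)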

  • Y.Huang et al - Securing web application code by static analysis and runtime protection.
  • Y.Huang et al - Verifying web applications using bounded model checking.

2005 (PDO introduced)

2006

(Two tools appeared that are mentioned often, especially Pixy.)

  • Xie and Aiken - Static detection of security vulnerabilities in scripting languages.
  • Jovanovic et al - Pixy: A static analysis tool for detecting web application vulnerabilities.(Pixy)

2007

  • Wassermann and Z. Su - Sound and precise analysis of web applications for injection vulnerabilities.

2008 (PHP5 matures)

  • Wassermann and Z. Su - Static detection of cross-site scripting vulnerabilities.
  • D.Balzarotti et al - Saner: Composing static and dynamic analysis to validate sanitization in web applications.

2009

  • Fang Yu - Generating Vulnerability Signatures for String Manipulating Programs Using Automata-based Forward and Backward Symbolic Analyses

2010

  • F.Yu - STRANGER: An automata-based string analysis tool for PHP.
  • Jovanovic et al - Static analysis for detecting taint-style vulnerabilities in web applications.

2014

(Dahse and his RIPS appeared; this point in time is also when PHP5 appeared.)

  • Dahse and Holz - Simulation of built-in PHP features for precise static code analysis. (RIPS)
  • Hauzar, D., & Kofron, J. (2014). WeVerca: Web Applications Verification for PHP. SEFM.

2015

  • Dahse and Holz - Static detection of second-order vulnerabilities in web applications. (RIPS2)
  • O. Olivo et al - Detecting and exploiting second-order denial-of-service vulnerabilities in web applications.
  • Nunes, Paulo Jorge Costa et al. - phpSAFE: A Security Analysis Tool for OOP Web Application Plugins. (supports OOP)

2016

  • Fang Yu - Optimal Sanitization Synthesis for Web Application Vulnerability Repair

2017

  • Backes, M., Rieck, K., Skoruppa, M., Stock, B., & Yamaguchi, F. (2017). Efficient and Flexible Discovery of PHP Application Vulnerabilities. 2017 IEEE European Symposium on Security and Privacy (EuroS&P), 334-349.

2018

  • Alhuzali, Abeer et al. “NAVEX: Precise and Scalable Exploit Generation for Dynamic Web Applications.” USENIX Security Symposium (2018).

Hi iohehe!

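Hi iohehe! I came across your blog by chance. I am currently also studying things related to PHP program analysis; could we add each other as friends and exchange ideas?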

tainted flow analysis

In tainted point (or flow) analysis we may define the following:

  • Source point: the source data input into the code, which can potentially be controlled by the users or the environment. These can be considered a taint.

  • Sink: locations where the consumed data must not be tainted.

code property graph

The code property graph is a point that can be used in static code analysis, and it can use the AST, CFG, and PDG in one graph. It can also be used for detecting vulnerabilities in PHP, and it would be good at doing that.

First, you must know why to use this graph: for example, why use the PDG, and what is the difference between the PDG and the CFG?

Similarly, the PDG and CFG may have the same nodes, each being a statement.
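
The source/sink definitions and the CFG-versus-PDG question above, as an added example that is not part of the original issues or of any tool listed here: the same six statements are nodes in both graphs, but only the data-dependence edges show which sink a source actually reaches. The statement tuples, the sample PHP fragment and the function names are constructed for illustration, and treating `intval` as a sanitizer for every sink is a simplifying assumption.

```python
# Constructed model of a PHP fragment (not from the page). Each statement is
# (id, variable defined, variables used, function called):
#   1: $id = $_GET['id'];      2: $safe = intval($id);   3: $msg = "hello";
#   4: mysql_query(".. $id");  5: mysql_query(".. $safe"); 6: echo $msg;
PROGRAM = [
    (1, "id", ["_GET"], None),
    (2, "safe", ["id"], "intval"),
    (3, "msg", [], None),
    (4, None, ["id"], "mysql_query"),
    (5, None, ["safe"], "mysql_query"),
    (6, None, ["msg"], "echo"),
]
SOURCES = {"_GET", "_POST", "_COOKIE"}   # user-controlled inputs
SINKS = {"mysql_query", "echo"}          # must not receive tainted data
SANITIZERS = {"intval"}                  # assumption: treated as clearing taint


def cfg_edges(program):
    """CFG of straight-line code: each statement is followed by the next one."""
    ids = [stmt[0] for stmt in program]
    return list(zip(ids, ids[1:]))


def pdg_data_edges(program):
    """PDG data dependence: latest definition of a variable -> each later use."""
    last_def, edges = {}, []
    for sid, defined, uses, _call in program:
        edges += [(last_def[v], sid) for v in uses if v in last_def]
        if defined:
            last_def[defined] = sid
    return edges


def tainted_sinks(program):
    """Propagate taint along data-dependence edges; return sink statement ids."""
    preds = {}
    for src, dst in pdg_data_edges(program):
        preds.setdefault(dst, []).append(src)
    tainted, findings = set(), []
    for sid, _defined, uses, call in program:
        dirty = any(v in SOURCES for v in uses) or any(
            p in tainted for p in preds.get(sid, []))
        if call in SANITIZERS:
            dirty = False          # sanitized value is no longer a taint
        if dirty:
            tainted.add(sid)
            if call in SINKS:
                findings.append(sid)
    return findings
```

The CFG orders statement 3 before statement 4 although no data flows between them; the PDG edge from 1 to 4 is what connects the source to the unsanitized query.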
