Bugtraq mailing list archives
Re: PHP security (or the lack thereof)
From: Crispin Cowan <crispin () novell com>
Date: Fri, 23 Jun 2006 13:16:03 -0700
nabiy () hotmail com wrote:
Trying to make the language 'safe' won't fix it because the language is not the problem. The real problem is the way PHP is presented to most new developers. PHP has been introduced as a tool for the web developer. As a language its goal is "to allow web developers to write dynamically generated pages quickly." ( http://www.php.net/manual/en/faq.general.php ). The focus then is to enable the web developer by giving him the tools he needs to create dynamic content, with as little hassle as possible. The web developer need only read a short tutorial ( http://www.php.net/manual/en/tutorial.php ) and he is ready to read, understand and implement the ideas presented in the various example scripts on PHP.net. Unfortunately this situation leaves the web developer uninformed and unprepared to face the hostile environment that is the net.
That is a fascinating perspective. Web developers who work with static content (HTML and images, etc.) is pretty secure: the security threat amounts to Apache configuration (directory browsing and htpasswd stuff) and it is pretty difficult for an attacker to corrupt static content by way of the content. Dynamic content, while not inherently dangerous, becomes dangerous when you hand the web developer a Turing-complete language. Suddenly the exact behavior of the web site under arbitrary input becomes undecidable. Programmers (mostly) know this. Security developers (should) know this. Web artists may have just been introduced to programming to get their web site to be dynamic. There are two possible approaches to fixing this. One, as nabiy suggests, is to change how PHP is presented to web developers. Label it as a chain saw, and point out that chain saws don't know the difference between "log" and "leg" :) The other is to contrive a language that is both sufficient for dynamic web content development, and also *not* Turing-complete. I have no idea what such a language might look like, or even whether the intersection of these two requirements is the null set. For more on Turing completeness and security, consider coming to USENIX Security 2006 and see my talk on this topic "Turing Around the Security Problem" http://www.usenix.org/events/sec06/tech/#thurs Crispin -- Crispin Cowan, Ph.D. http://crispincowan.com/~crispin/ Director of Software Engineering, Novell http://novell.com
Current thread:
- Re: PHP security (or the lack thereof), (continued)
- Re: PHP security (or the lack thereof) Neil Neely (Jun 19)
- Re: PHP security (or the lack thereof) john mullee (Jun 23)
- Re: PHP security (or the lack thereof) Darren Reed (Jun 26)
- Re: PHP security (or the lack thereof) Ronald Chmara (Jun 27)
- Re: PHP security (or the lack thereof) Tonnerre Lombard (Jun 28)
- Re: PHP security (or the lack thereof) Darren Reed (Jun 28)
- Re: PHP security (or the lack thereof) Darren Reed (Jun 26)
- Re: PHP security (or the lack thereof) Steven M. Christey (Jun 17)
- Re: PHP security (or the lack thereof) Alan J Rosenthal (Jun 21)
- Re: PHP security (or the lack thereof) Geo. (Jun 23)
- Re: Re: PHP security (or the lack thereof) nabiy (Jun 23)
- Re: PHP security (or the lack thereof) Crispin Cowan (Jun 23)
- Re: PHP security (or the lack thereof) Daniel Hulme (Jun 26)
- Re: PHP security (or the lack thereof) Tobias J. Kreidl (Jun 26)
- Re: PHP security (or the lack thereof) Glynn Clements (Jun 27)
- Re: PHP security (or the lack thereof) Ronald Chmara (Jun 26)
- RE: PHP security (or the lack thereof) Geo. (Jun 26)
- Re: PHP security (or the lack thereof) Paul Schmehl (Jun 26)
- RE: PHP security (or the lack thereof) Geo. (Jun 28)
- Re: PHP security (or the lack thereof) Matthias Kestenholz (Jun 26)
- RE: PHP security (or the lack thereof) Geo. (Jun 27)
- Re: PHP security (or the lack thereof) Crispin Cowan (Jun 23)
- Re: PHP security (or the lack thereof) Mrten (Jun 26)