|
|
BugTraq
Re: Re: PHP security (or the lack thereof) Jun 21 2006 11:52PM nabiy hotmail com (2 replies) Re: PHP security (or the lack thereof) Jun 24 2006 05:07AM Ronald Chmara (ron Opus1 COM) (1 replies) RE: PHP security (or the lack thereof) Jun 26 2006 04:06PM Geo. (geoincidents nls net) (3 replies) Re: PHP security (or the lack thereof) Jun 26 2006 05:45PM Paul Schmehl (pauls utdallas edu) (1 replies) Re: PHP security (or the lack thereof) Jun 26 2006 05:32PM Matthias Kestenholz (lists spinlock ch) (1 replies) RE: PHP security (or the lack thereof) Jun 27 2006 11:41AM Geo. (geoincidents nls net) (1 replies) Securing PHP or finding PHP alternatives (was: PHP security (orthe lack thereof)) Jul 08 2006 02:48AM Gezim Hoxha (gezimetc shaw ca) (4 replies) Re: Securing PHP or finding PHP alternatives Jul 11 2006 06:21AM Michael Shigorin (mike osdn org ua) Re: Securing PHP or finding PHP alternatives (was: PHP security (or the lack thereof)) Jul 10 2006 08:37PM Meet Myself on the Internet (me arteabstracta net) Re: Securing PHP or finding PHP alternatives (was: PHP security (orthe lack thereof)) Jul 10 2006 07:25PM Matthias Kestenholz (lists spinlock ch) Re: Securing PHP or finding PHP alternatives Jul 10 2006 05:37PM Crispin Cowan (crispin novell com) (2 replies) Re: Securing PHP or finding PHP alternatives Jul 11 2006 02:50PM Sheryl Coppenger (gubydala his com) (2 replies) Re: Securing PHP or finding PHP alternatives Jul 18 2006 09:35PM Michael Cordover (michael cordover gmail com) Re: Securing PHP or finding PHP alternatives Jul 11 2006 07:54AM SkyFlash (webmaster hackquest de) (1 replies) |
|
Privacy Statement |
> Trying to make the language 'safe' won't fix it because the language is not the problem. The real problem is the way PHP is presented to most new developers.
>
>
> PHP has been introduced as a tool for the web developer. As a language its goal is "to allow web developers to write dynamically generated pages quickly." ( http://www.php.net/manual/en/faq.general.php ). The focus then is to enable the web developer by giving him the tools he needs to create dynamic content, with as little hassle as possible. The web developer need only read a short tutorial ( http://www.php.net/manual/en/tutorial.php ) and he is ready to read, understand and implement the ideas presented in the various example scripts on PHP.net. Unfortunately this situation leaves the web developer uninformed and unprepared to face the hostile environment that is the net.
>
That is a fascinating perspective.
Web developers who work with static content (HTML and images, etc.) is
pretty secure: the security threat amounts to Apache configuration
(directory browsing and htpasswd stuff) and it is pretty difficult for
an attacker to corrupt static content by way of the content.
Dynamic content, while not inherently dangerous, becomes dangerous when
you hand the web developer a Turing-complete language. Suddenly the
exact behavior of the web site under arbitrary input becomes
undecidable. Programmers (mostly) know this. Security developers
(should) know this. Web artists may have just been introduced to
programming to get their web site to be dynamic.
There are two possible approaches to fixing this. One, as nabiy
suggests, is to change how PHP is presented to web developers. Label it
as a chain saw, and point out that chain saws don't know the difference
between "log" and "leg" :)
The other is to contrive a language that is both sufficient for dynamic
web content development, and also *not* Turing-complete. I have no idea
what such a language might look like, or even whether the intersection
of these two requirements is the null set.
For more on Turing completeness and security, consider coming to USENIX
Security 2006 and see my talk on this topic "Turing Around the Security
Problem" http://www.usenix.org/events/sec06/tech/#thurs
Crispin
--
Crispin Cowan, Ph.D. http://crispincowan.com/~crispin/
Director of Software Engineering, Novell http://novell.com
[ reply ]