Commit a36c4be4 authored by AbiusX's avatar AbiusX
Browse files

made several minor typo fixes

parent 675e52f8
No preview for this file type
...@@ -137,16 +137,17 @@ The rationale behind counterfactual execution and cooperative isolated execution ...@@ -137,16 +137,17 @@ The rationale behind counterfactual execution and cooperative isolated execution
%autoload_php:https://www.php.net/autoload %autoload_php:https://www.php.net/autoload
\noindent \noindent
{\bf Autoloading Classes (or Autoloaders).} {\bf Autoloading Classes (Autoloaders).}
Autoloaders~\cite{autoload_php} are a PHP feature that enables for classes and interfaces to be automatically loaded if they are not yet defined. Autoloaders~\cite{autoload_php} are a PHP feature that enable classes and interfaces to be automatically loaded if they are not yet defined.
%are invoked when an object is instantiated for which the class is not yet defined. %are invoked when an object is instantiated for which the class is not yet defined.
It finds the respective source code file that contains the class definition and include it into the program, allowing the class definition to exist prior to object instantiation. Autoloaders find the respective source code file that contains the class definition and include it into the program, allowing the class definition to exist prior to object instantiation.
Many real-world PHP applications (e.g., Joomla and Wordpress) pervasively use autoloaders. For example, Joomla has 2,476 PHP source code files, but only 23 are statically loaded via {\tt include} and {\tt require} statements, meaning that the majorify of files are included with a dynamic include call (e.g., autoloaders). %Our analysis shows that Joomla mainly uses 3 autoloader functions. Many real-world PHP applications (e.g., Joomla and Wordpress) pervasively use autoloaders.
As noted in Section~\ref{section:eval_detection_precision}, Joomla has 2,476 PHP source code files, but only 522 are statically loaded via {\tt include} and {\tt require} statements, meaning that the majority of files are included with a dynamic include call (e.g., autoloaders). %Our analysis shows that Joomla mainly uses 3 autoloader functions.
Specifically, Joomla has 4 polymorphic classes for web session handling, respectively relying on files, databases (e.g., MySQL~\cite{mysql}), in-memory stores (e.g., Memcached~\cite{memcached}, Redis~\cite{redis}) and native PHP sessions. Specifically, Joomla has 4 polymorphic classes for web session handling, respectively relying on files, databases (e.g., MySQL~\cite{mysql}), in-memory stores (e.g., Memcached~\cite{memcached}, Redis~\cite{redis}) and native PHP sessions.
%Depending on application configurations (usually loaded from the database, but also configurable via text files), Joomla constructs a dynamic class name and instantiates the object for session handling. %Depending on application configurations (usually loaded from the database, but also configurable via text files), Joomla constructs a dynamic class name and instantiates the object for session handling.
Depending on application configurations, Joomla constructs a dynamic class name of one of the 4 polymorphic classes and instantiates the object for session handling. Depending on application configurations, Joomla constructs a dynamic class name of one of the 4 polymorphic classes and instantiates the object for session handling.
The constructed dynamic class name is processed by the autoloader to include a PHP file for the class. % a file path within Joomla's directory, and included automatically. The constructed dynamic class name is processed by the autoloader to include a PHP source code file for the class. % a file path within Joomla's directory, and included automatically.
Without knowing the configuration parameter, an analysis engine is likely to miss a large portion of the code (e.g., the session handler classes), leading to an under-approximation of the analysis results (e.g., breaking many features of the program). Without knowing the configuration parameter, an analysis engine is likely to miss a large portion of the code (e.g., the session handler classes), leading to an under-approximation of the analysis results (e.g., breaking many features of the program).
...@@ -169,12 +170,14 @@ The plugins are simply copied inside the application directory, and their initia ...@@ -169,12 +170,14 @@ The plugins are simply copied inside the application directory, and their initia
%Wordpress also utilizes observer pattern extensively, and many of its core functions are \emph{pluggable}~\cite{https://codex.wordpress.org/Pluggable_Functions}, i.e., if a plugin defines the function first, the Wordpress core code will simply skip the function definition and use the plugged version provided by the plugin. This allows plugins to easily modify the behavior of the core Wordpress application, e.g., how the body of a content is converted from text to HTML. %Wordpress also utilizes observer pattern extensively, and many of its core functions are \emph{pluggable}~\cite{https://codex.wordpress.org/Pluggable_Functions}, i.e., if a plugin defines the function first, the Wordpress core code will simply skip the function definition and use the plugged version provided by the plugin. This allows plugins to easily modify the behavior of the core Wordpress application, e.g., how the body of a content is converted from text to HTML.
Wordpress introduces \emph{pluggable functions}~\cite{wordpress_pluggable} to facilitate plugin developments. Wordpress introduces \emph{pluggable functions}~\cite{wordpress_pluggable} to facilitate plugin developments.
Pluggable functions let you override certain core functions via plugins, meaning that their definitions can be overriden by a plugin dynamically. Pluggable functions let you override certain core functions via plugins, meaning that their definitions can be overriden by a plugin dynamically.
For instance, there are many plugins that override Wordpress's text to HTML conversion functions, allowing users to fine-tune and modify this conversion process. $\square$ %In such instances, the definition of the function is guarded by a call to \code{function\_exists()} function, which returns true if the function has been previously defined, allowing the plugin to define the function first, and making the core Wordpress code to ignore its own definition. For instance, there are many plugins that override Wordpress's
email sending functions, allowing users to modify the contents of emails sent. $\square$
%In such instances, the definition of the function is guarded by a call to \code{function\_exists()} function, which returns true if the function has been previously defined, allowing the plugin to define the function first, and making the core Wordpress code to ignore its own definition.
%An analysis engine that simply uses the original function available in the core Wordpress will not be able to uncover application behavior properly, and analysis engines that use weak updates and symbolic execution, will find both colliding definitions (if not more). %An analysis engine that simply uses the original function available in the core Wordpress will not be able to uncover application behavior properly, and analysis engines that use weak updates and symbolic execution, will find both colliding definitions (if not more).
The prevalent usage of autoloaders and plugins in PHP applications motivate us to propose counterfactual execution aided by cooperative isolation. The prevalent usage of autoloaders and plugins in PHP applications motivate us to propose counterfactual execution aided by cooperative isolation.
The dynamic function names, file names and class names are discovered in different isolated executions (many of which are counterfactual), and shared with others via cooperative isolation. For example, if an isolated execution attempts to run a pluggable function \code{parse\_body} which is not yet defined, instead of terminating, \sysname creates a new isolated execution with a borrwed function definition from another isolated executions to continue the execution. The dynamic function names, file names and class names are discovered in different isolated executions (many of which are counterfactual), and shared with others via cooperative isolation. For example, if an isolated execution attempts to run a pluggable function \code{wp\_mail} which is not yet defined, instead of terminating, \sysname creates a new isolated execution with a borrowed function definition from another isolated execution to continue the execution.
\ifextra \ifextra
\smallskip \smallskip
...@@ -197,11 +200,11 @@ A possible reason may be that incorrect states often crash with fatal errors, re ...@@ -197,11 +200,11 @@ A possible reason may be that incorrect states often crash with fatal errors, re
\subsection{Measuring Code Coverage Improvement} \subsection{Measuring Code Coverage Improvement}
Table~\ref{table:coverage-table} shows code coverage results of scanning Wordpress and Joomla with dynamic analysis, multi-path exploration (our implementation) and counterfactual execution with cooperative isolated execution. Table~\ref{table:coverage-table} shows code coverage results of scanning Wordpress and Joomla with dynamic analysis, multi-path exploration (our implementation) and counterfactual execution with cooperative isolated execution.
In this experiment, code coverage is measured via covered lines of code divided by total lines of code in the program. If there are dynamically generated code (e.g., via {\tt eval()}), we count them. Hence, code coverage can go beyond 100\%. In this experiment, code coverage is measured via covered lines of code divided by total lines of code in the program. If there is dynamically generated code (e.g., via {\tt eval()}), we count it. Hence, code coverage can go beyond 100\%.
Observe that cooperative isolated execution is crucial in discovering more code. In particular, it achieves 25.6\% and 19\% more code coverage than multi-path exploration scheme without cooperative isolated execution for Wordpress and Joomla respectively. Observe that cooperative isolated execution is crucial in discovering more code. In particular, it achieves 25.6\% and 19\% more code coverage than multi-path exploration scheme without cooperative isolated execution for Wordpress and Joomla respectively.
% %
Cooperative isolated execution increases analysis time by about 10\% (57s and 40s for Wordpress and Joomla respectively). We argue that 10\% time overhead is reasonable as it improves more than 20\% of code coverage. Cooperative isolated execution increases analysis time by about 10\% (57s and 40s for Wordpress and Joomla respectively), and increases code coverage by more than 20\%.
%Observe that multi-path exploration scheme without cooperative isolated execution covers only 7\% more compared to the vanila dynamic analysis. %Observe that multi-path exploration scheme without cooperative isolated execution covers only 7\% more compared to the vanila dynamic analysis.
......
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment