PHPIL: Fuzzing the PHP Interpreter with Custom Bytecode

Abstract

We aim to fuzz the PHP interpreter to search for bugs which may or may not be able to compromise the security of the interpreter and the system it is running on. In our research we propose to implement a fuzzing framework for the standard implementation of the PHP interpreter. What makes our fuzzer different from other PHP interpreter fuzzers is the ability to create syntactically and semantically correct code samples. We found in our research that most of the available PHP interpreter fuzzers, although able to create syntactically correct code samples, are unable to produce semantic correctness. We created our own intermediate language composed of custom opcodes, which is used by the code generator to generate the code samples. The code generator is governed by rules which make sure that the resulting code follows the PHP syntax and symmetric conventions. The mutator is driven by the code generator and performs mutations on the generated intermediate language. We created a corpus which is used to store the desired code samples on which further mutations can be performed. New inputs are thus generated by mutating code that increases coverage, maximizing the chances of finding vulnerabilities. The lifter lifts the mutated intermediate language sample to PHP code before feeding it to the interpreter. The execution of the PHP code sample is monitored for any unexpected behaviour of the interpreter. A report is generated in case of any unexpected behaviour.
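The generator, mutator and lifter pipeline described in the abstract, sketched as an added example (this is not PHPIL's code). The opcode names, the `$vN` variable naming and the literal pools are assumptions made for illustration; the page does not list the paper's opcode set.

```python
import random
from dataclasses import dataclass

@dataclass(frozen=True)
class Instr:               # opcode names are hypothetical, not the paper's
    op: str                # LoadInt | LoadString | BinaryOp | Echo
    out: object = None     # index of the variable defined, or None
    ins: tuple = ()        # indices of the variables read
    arg: object = None     # literal value or operator

def defined_vars(prog):
    return [i.out for i in prog if i.out is not None]

def generate(rng, n=6):  # generator: operands come only from defined variables
    prog = [Instr("LoadInt", 0, (), rng.randint(-9, 9))]
    for _ in range(n):
        live = defined_vars(prog)
        op = rng.choice(["LoadInt", "LoadString", "BinaryOp", "Echo"])
        if op == "Echo":
            prog.append(Instr(op, None, (rng.choice(live),)))
        elif op == "BinaryOp":
            pair = (rng.choice(live), rng.choice(live))
            prog.append(Instr(op, len(live), pair, rng.choice("+-*.")))
        else:
            lit = rng.randint(-9, 9) if op == "LoadInt" else rng.choice(["a", "7", ""])
            prog.append(Instr(op, len(live), (), lit))
    return prog

def mutate(rng, prog):  # mutator: rewire operands or swap a literal on the IL
    prog, idx = list(prog), rng.randrange(len(prog))
    cur, earlier = prog[idx], defined_vars(prog[:idx])
    if cur.ins and earlier:
        new_ins = tuple(rng.choice(earlier) for _ in cur.ins)
        prog[idx] = Instr(cur.op, cur.out, new_ins, cur.arg)
    elif cur.op == "LoadInt":
        prog[idx] = Instr(cur.op, cur.out, (), rng.choice([0, -1, 2**63 - 1]))
    return prog

def well_formed(prog):  # every read must refer to an earlier definition
    return all(set(i.ins) <= set(defined_vars(prog[:k])) for k, i in enumerate(prog))

def lift(prog):  # lifter: render the IL as PHP source for the interpreter under test
    fmt = {"LoadInt": "$v{o} = {a};", "LoadString": "$v{o} = '{a}';",
           "BinaryOp": "$v{o} = $v{r[0]} {a} $v{r[1]};", "Echo": "echo $v{r[0]};"}
    return "\n".join(["<?php"] + [fmt[i.op].format(o=i.out, a=i.arg, r=i.ins) for i in prog])

if __name__ == "__main__":
    r = random.Random(1); print(lift(mutate(r, generate(r))))
```

Because mutation happens on the IL rather than on PHP text, the def-before-use invariant checked by `well_formed` survives any number of mutation rounds, which is what keeps lifted samples from being rejected before they reach interesting interpreter paths.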