Sandboxing Code Execution Functions in the PHP Interpreter


Betreuer: Andre Pawlowski

Beginn: as soon as possible

Weitere Details:


Remote code execution vulnerabilities are a constant issue in web frameworks. An attacker is able to inject her own code into code execution functions like eval() or system() and is therefore able to exploit the system. One study about Node.js modules found that about 20% of all tested modules use (directly or indirectly) code execution functions.

The aim of this thesis is to sandbox code execution functions in the PHP interpreter. In order to prevent a static analysis gap in the PHP code of the web framework and therefore guarantee sandboxing, the corresponding function in the PHP interpreter should be hooked. The difference between benign and malicious input into these functions should be learned during runtime. The paper "Synode: Understanding and Automatically Preventing Injection Attacks on Node.js" which was published recently did something similar in a static matter and is a good starting point to gather ideas.

Tasks that need to be solved include:

  • Familiarize with PHP interpreter.
  • Finding security relevant sinks in PHP interpreter.
  • Comparing strings and find a way to devise rules.



  • Familiarity with C programming.