
SymWP, a concolic analysis framework designed specifically for WordPress plugin security. SymWP integrates an off-the-shelf symbolic execution engine and targets the PHP interpreter, allowing it to analyze plugin behavior at a semantic level with minimal human intervention.


TaiYou-TW/SymWP


SymWP

Structure

  • WordPress/
    • submodule: WordPress
  • env-builder/
    • Docker files and configs to build the environment for S2E
  • harnesses/
    • harnesses for analysis
  • patches/
    • patches for submodules
  • php-src/
    • submodule: php-src
  • s2e/
    • plugins/
      • source code for S2E plugins
    • templates/
      • templates for S2E env
  • scripts/
    • automation scripts
  • sqlite-database-integration/
    • submodule: sqlite-database-integration

How to build SymWP?

Our project only supports Ubuntu 22.04, and we recommend running it in our env-builder. Please look at env-builder/docker-compose.yml.

You should install S2E first; you can read their documentation here.

Now, you should have an s2e folder at ~/s2e.

Next, let's build SymWP:

git clone --recursive https://github.com/TaiYou-TW/SymWP.git

# Patch sqlite-database-integration plugin
cd SymWP/sqlite-database-integration
git apply ../patches/sqlite-database-integration.patch
cd ../

# Copy sqlite-database-integration plugin to WordPress
cp -r sqlite-database-integration ./WordPress/wp-content/plugins/

# Patch WordPress
cd WordPress
git apply ../patches/WordPress.patch
cd ../

# Manually compile php-src
cd php-src
git apply ../patches/php.patch
sudo apt install -y pkg-config build-essential autoconf bison re2c libxml2-dev libsqlite3-dev
./buildconf
./configure CFLAGS="-no-pie" CXXFLAGS="-no-pie" CPPFLAGS="-no-pie" --enable-debug
make -j4
cd ../

# Copy our files to S2E folder
cp -r WordPress/ ../s2e/
cp harnesses/wordpress-loader.php ../s2e/
cp scripts/*.{php,py} ../s2e/
cp s2e/templates/bootstrap_template.sh ../s2e/
cp s2e/plugins/* ../s2e/source/s2e/libs2eplugins/src/s2e/Plugins/

# Activate the s2e-env virtualenv if you haven't already
source ../s2e-env/venv/bin/activate

# Rebuild S2E so that our plugins are compiled in
patch ../s2e/source/s2e/libs2eplugins/src/CMakeLists.txt < ./patches/CMakeLists.patch
cd ../s2e/
s2e build

# Download the plugin
wget https://downloads.wordpress.org/plugin/custom-404-pro.3.2.7.zip
unzip custom-404-pro.3.2.7.zip

# Set the environment variable used by the pipeline
export SYMWP_PHP=/home/s2e/php-src/sapi/cli/php # absolute path of compiled PHP

# Start testing!
./pipeline_runner.py custom-404-pro # `-h` to see help
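The build steps above rely on several things being in place before `pipeline_runner.py` is started: the host is Ubuntu 22.04, SYMWP_PHP is the absolute path of an executable PHP binary, the s2e-env virtualenv exists, and the files copied into ~/s2e are actually there. The following pre-flight script, added here as an example and not part of the SymWP repository, checks each of those before you start a run. It assumes the layout used in this README (S2E at ~/s2e, the virtualenv at ~/s2e-env) and the file names the copy steps produce; the function and variable names are the example's own.

```sh
#!/bin/sh
# SymWP pre-flight check (added example, not the project's own script).
# Assumes the README layout: S2E at ~/s2e, virtualenv at ~/s2e-env,
# SYMWP_PHP pointing at the compiled php CLI binary.

# Return 0 if the given /etc/os-release content describes Ubuntu 22.04,
# the only platform SymWP supports. The content is passed as a string so
# the check can be tested without touching the real file.
check_os_release() {
    content="$1"
    # ^ID= is anchored, so ID_LIKE= and VERSION_ID= lines do not match.
    id=$(printf '%s\n' "$content" | sed -n 's/^ID=//p' | tr -d '"')
    ver=$(printf '%s\n' "$content" | sed -n 's/^VERSION_ID=//p' | tr -d '"')
    [ "$id" = "ubuntu" ] && [ "$ver" = "22.04" ]
}

# Return 0 if the SYMWP_PHP value is an absolute path to an executable
# regular file (the README sets it to .../sapi/cli/php).
check_symwp_php() {
    php_path="$1"
    case "$php_path" in
        /*) ;;           # absolute path: continue with the file checks
        *) return 1 ;;   # relative path or empty value: reject
    esac
    [ -f "$php_path" ] && [ -x "$php_path" ]
}

# Return 0 if everything the copy steps place under the S2E root exists:
# the plugin source directory plus the loader, scripts and bootstrap template.
check_s2e_layout() {
    root="$1"
    for p in "$root/source/s2e/libs2eplugins/src/s2e/Plugins" \
             "$root/wordpress-loader.php" \
             "$root/pipeline_runner.py" \
             "$root/bootstrap_template.sh"; do
        [ -e "$p" ] || { echo "missing: $p" >&2; return 1; }
    done
}

# Run all checks against the live system; report every failure, not just
# the first one, and return non-zero if any check failed.
preflight() {
    s2e_root="${1:-$HOME/s2e}"
    status=0
    check_os_release "$(cat /etc/os-release 2>/dev/null)" \
        || { echo "unsupported OS: SymWP only supports Ubuntu 22.04" >&2; status=1; }
    check_symwp_php "${SYMWP_PHP:-}" \
        || { echo "SYMWP_PHP must be the absolute path of the compiled php binary" >&2; status=1; }
    check_s2e_layout "$s2e_root" || status=1
    [ -f "$HOME/s2e-env/venv/bin/activate" ] \
        || { echo "s2e-env virtualenv not found at ~/s2e-env/venv" >&2; status=1; }
    return "$status"
}

# Only run automatically when saved and executed as preflight.sh; when the
# file is sourced, the functions are defined and can be called individually.
case "$0" in
    *preflight.sh) preflight "$@" ;;
esac
```

Save it as preflight.sh next to pipeline_runner.py and run `sh preflight.sh` (optionally with a different S2E root as the first argument) after `export SYMWP_PHP=...`; a zero exit status means every prerequisite from the build steps is in place.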
