Fear the Cowboy

Life of Microsoft Open Source Developer

Interesting thing found at OSCON: Taint

July 23, 2008 14:24, by Garrett Serack

I attended a session this morning called "PHP Taint Tool: It Ain't a Parser" by Luke Welling. Luke introduced a tool he's working on at OmniTI that is designed to help sniff out where potentially untrusted input is handled. From the session description:

... You want to see where untrusted input can propagate taint within the application. In complex logic that might mean chasing many possible execution paths. Using an automatic tool to try to follow these paths without running all possible input variations is called static analysis. ... The Taint tool allows the PHP engine to do as much as possible, then cuts in at the last stage to analyze the compiled opcodes and trace possible flow of execution.

The Taint tool presents opcodes in a readable way, making it clear what lines of source got compiled into specific opcodes. It also performs a static analysis on the code, following the opcodes to attempt to trace all possible code branches and mark lines that tainted data can be passed to.

Essentially, the tool uses parts of the PHP engine to compile PHP code to opcodes, then tracks where data comes from and goes to, and highlights the code that handles data that *could* be tainted--that is, input from the user via POST or GET parameters. This gives a developer a way to identify the lines they should review closely to make sure they are not accidentally introducing security holes (such as cross-site scripting).
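To make the idea concrete, here is a toy static taint analysis written for this post; it is an added example, not the OmniTI Taint tool or any of its code. It walks a constructed, opcode-like instruction stream (modelling a five-line PHP snippet, also constructed) through every branch, propagates "tainted" marks from the GET/POST superglobals through assignments, treats htmlspecialchars() as clearing taint, and reports both the lines that touch tainted data and the output sinks reached with it.

```python
from collections import deque

# Constructed instruction stream standing in for compiled PHP opcodes:
# (source line, opcode, destination variable, operands). It models this
# constructed PHP snippet:
#   1  $name = $_GET['name'];
#   2  if ($mode == 'safe') {
#   3      $out = htmlspecialchars($name);
#   4  } else { $out = 'Hello ' . $name; }
#   5  echo $out;
PROGRAM = [
    (1, "FETCH_R",  "$name", ["$_GET"]),
    (2, "JMPZ",     None,    ["$mode", 4]),   # condition false -> jump to index 4
    (3, "SANITIZE", "$out",  ["$name"]),      # htmlspecialchars() clears taint
    (3, "JMP",      None,    [5]),
    (4, "CONCAT",   "$out",  ["'Hello '", "$name"]),
    (5, "ECHO",     None,    ["$out"]),
]

TAINT_SOURCES = {"$_GET", "$_POST", "$_REQUEST", "$_COOKIE"}
SINKS = {"ECHO"}  # opcodes where a tainted operand means a likely XSS


def analyze(program):
    """Explore every branch of `program` without running it, propagating
    taint from user-input superglobals. Returns (lines that handle tainted
    data, sink lines reached with tainted data), each sorted."""
    touched, sinks_hit = set(), set()
    seen = set()                       # (pc, tainted-set) states already explored
    work = deque([(0, frozenset())])   # start at the first opcode, nothing tainted
    while work:
        pc, tainted = work.popleft()
        if pc >= len(program) or (pc, tainted) in seen:
            continue
        seen.add((pc, tainted))
        line, op, dest, operands = program[pc]
        reads_taint = any(o in tainted or o in TAINT_SOURCES for o in operands)
        if reads_taint:
            touched.add(line)
            if op in SINKS:
                sinks_hit.add(line)
        if op == "JMPZ":               # statically, both outcomes are possible
            work.append((pc + 1, tainted))
            work.append((operands[1], tainted))
            continue
        if op == "JMP":
            work.append((operands[0], tainted))
            continue
        new = set(tainted)
        if dest is not None:           # assignment: taint follows the data
            new.discard(dest)
            if reads_taint and op != "SANITIZE":
                new.add(dest)
        work.append((pc + 1, frozenset(new)))
    return sorted(touched), sorted(sinks_hit)
```

Running `analyze(PROGRAM)` flags lines 1, 3, 4 and 5 as handling possibly tainted data, and line 5 as a sink that tainted data can reach (via the else branch), which is exactly the kind of review list the post describes.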

Now, it's not quite ready for prime time, but it's getting close, and the folks over at OmniTI intend to release it as open source when they are ready. When this gets released, I'll be really excited, as it looks like it could be really good for hunting down security holes.

I also attended Rasmus Lerdorf's (the Yahoo PHP guy) tutorial on "PHP: Architecture, Scalability, and Security", which was really quite good too. He demonstrated a tool they have at Yahoo (the name of which I can't remember now...grrr): he points it at a web page, and it starts throwing a large library of strings that may uncover security problems, but it does so from the client side. Unfortunately, he's not releasing it, not because he doesn't want to let folks find and fix their bugs, but because the release of such a tool could bring about Internet Armageddon--it would likely find exploitable problems in the vast majority of the Internet.

Both approaches to finding application holes are useful, and it's clear from both talks that this is still a really large problem that developers need to address.

(I've had a problem with spam comments; I'll be addressing that soon, so if you see comments turned off you can drop me a email: garretts...at...microsoft...dot...com)




Hey, are you at OSCON?

July 23, 2008 11:42, by Garrett Serack

This week I'm at OSCON in Portland, OR. I like what their site says about it:

"OSCON is the crossroads of all things open source, bringing together the best, brightest, and most interesting people to explore what's new, and to champion the cause of open principles and open source adoption across the computing industry."

It really is exactly that. It seems like I've met so many people here, and have had so many great conversations, it's like time slows right down, and the universe is conspiring to squeeze everything it can into just a few days.

I'm having a great time here, and with so much going on, I feel like a kid in a candy store. The biggest trouble I'm having is picking which sessions I want to attend, as there are just so many worthwhile ones. However, given the work I'm currently doing with PHP, I think I'll stick pretty close to the PHP-related sessions for the most part.

The last couple of years, Microsoft has had a fair number of people here, and this year is no exception. I keep bumping into people I know... Hey, if you're reading this, and you see me, stop and say hello!

You can recognize me by my picture.




Blame it on your lying, cheating, cold dead-beating, two-timing, double-dealing mean mistreating, loving heart

July 21, 2008 12:56, by Garrett Serack

Ever notice how folks who blog sporadically (uh, like me!) always apologize for not blogging for a while, and then re-affirm their dedication to blogging regularly? And often, accompanying their apology is also a reason. I was going to "Blame it on the Rain", but the very thought of quoting Milli Vanilli makes me shudder.

So, instead, Patty gets to explain it for me.  Well, now that I think about it, it really doesn't explain anything. But I was listening to that song last night, and the lyrics stuck in my head.

..... Aaaaaanyway...

The worst part about not blogging for weeks on end is that I can't just ramble on as if you know what I've been up to for the last few weeks, but I'll try to catch ya up:

Over the last several weeks, I've been moving my focus from doing "Program Management" tasks to more "Software Developer" tasks. You see, during the last year, I've discovered that I'm a Developer. Deep down, that's what I do best. Focusing in that direction is already paying off, and I'm finding that I'm accomplishing far more than I had before.

So, rather than focus on simply facilitating, I've been actually compiling, debugging, coding... aaaahhh. It's so nice.

And the best part: all the work that I'm doing is dedicated to getting Apache and PHP working much better on the Windows platform. I may just possibly have the absolute best job at Microsoft.


(Don't forget the updated .sig...)




