Article: Virtual Meta-Scripting Bytecode for PHP and JavaScript

May 31st, 2010

As a last minute addition to the Month of PHP Security we present an article by Ben Fuhrmannek about virtual meta-scripting bytecode for PHP and JavaScript.

Ben Fuhrmannek, 2010-05-31

Abstract
Both PHP and JavaScript are frequently being targeted for exploiting web applications. This article elaborates on the idea of building a set of virtual machines on top of each programming language. As a result a single type of bytecode can be executed by both VMs. Particular emphasis is put on designing virtual machines to be most suitable for code obfuscation in a post exploitation scenario.

[PDF Article]

Artur Ejsmont

Sorry to say that but im really not convinced.

Security by obscurity is not the way to go as i see it (its just my personal opinion). I guess it can be added as extra measure but there are tons of complications on the way with project like this. To name a few You hit performance, cross browser and cross platform barriers, obfuscation will introduce errors which will be very difficult to spot. You have to learn/use yet another syntax/tool with all its tricks and pitfalls etc.

I think i would not be comfortable to use such tool unless its a huge project lead by zend or so : )

The idea that sounds interesting though is to have a interpreter or VM (whatever) to have same script ran in JS and PHP for simple things like form validation etc. You can have a look at DWR for java ... its quite nice.

Art

the Month of PHP Security

Imprint

Month of PHP Bugs

Sponsors

Links

Article: Virtual Meta-Scripting Bytecode for PHP and JavaScript