Upgrade to Pro — share decks privately, control downloads, hide ads and more …

SUHOSIN - PHP's safety net

SUHOSIN - PHP's safety net

These are the slides to a talk I gave at the Berlin PHP Usergroup on the 7th of February, 2012.

Till Klampaeckel

February 08, 2012

More Decks by Till Klampaeckel

Other Decks in Programming


  1. • up until PHP 5.1.6 (Not binary-compatible.) • engine protection

    (buffer overflows, format string attacks) • runtime protection (remote include exploits, function black- and whitelists, ...) • filters (filtering input, request vars, limits, upload file protection) • logging with alerts (where, when) to syslog, error_log, external scripts •configuration (global and user-specific) HARDENING-PATCH BY STEFAN ESSER
  2. •A patch (engine protection) •A PHP extension (runtime, filters, logging,

    configuration) •Use one, or both! •For PHP up to 5.3.9 •Compatible with 3rd-party-extension! WHAT IS SUHOSIN
  3. SETUP All steps are available online. http://www.hardened-php.net/suhosin/how_to_install_or_upgrade.html • Requires “root”.

    • Patch if you build your own PHP. (run make test) • Extension installs like any other. (but without pecl)
  4. • Not a PHP-only problem! (Yay node.js, yay Java!) •

    CVE-2011-4885 • Overload/crash any server by making it process 1000s of entries in a list. • Try $_POST or $_REQUEST! (Works up to PHP 5.3.8) HASH DOS
  5. UPDATE? • PHP 5.3.9 was released to “fix” HASH DOS.

    • New directive max_input_vars! • Profit?
  6. LIFE COULD BE EASY Suhosin fixed HASH DOS a long

    time ago. suhosin.post.max_vars suhosin.request.max_vars suhosin.post.max_value_length suhosin.request.max_value_length Four configuration settings is all it takes.
  7. SUMMARY? • Suhosin offers plenty of work-arounds • “Quick-fixes” to

    current issues • Prevention • Test your application with suhosin.simulation
  8. DRAWBACKS • More maintenance. (Patching PHP sucks. Building custom extensions

    also – kind of.) • Probably performance. (There is a 8% hit if you do lots of recursive function calls, but probably less in your application.) • Lots of drama.
  9. BUT WAIT • Please (, please, please) update your PHP.

    • Run your test suite against release candidates and betas. • Report bugs, and send patches. • Contribute.