SUHOSIN - PHP's safety net

These are the slides to a talk I gave at the Berlin PHP Usergroup on the 7th of February, 2012.

Till Klampaeckel

February 08, 2012
Transcript

  1. 수호신 (Korean for "guardian spirit", the word behind the name Suhosin)

  2. SUHOSIN
    PHP’s safety net

  3. Till Klampäckel
    PHP since php/fi
    EasyBib.com
    Open Source (github.com/till)

  4. A BOOK ON
    COUCHDB
    http://www.couchdb-book.com

  5. HARDENING-PATCH
    BY STEFAN ESSER
    • up until PHP 5.1.6 (Not binary-compatible.)
    • engine protection (buffer overflows, format string attacks)
    • runtime protection (remote include exploits, function black- and whitelists, ...)
    • filters (filtering input, request vars, limits, upload file protection)
    • logging with alerts (where, when) to syslog, error_log, external scripts
    • configuration (global and user-specific)

  6. WHAT IS SUHOSIN
    • A patch (engine protection)
    • A PHP extension (runtime, filters, logging, configuration)
    • Use one, or both!
    • For PHP up to 5.3.9
    • Compatible with 3rd-party extensions!

  7. SETUP
    All steps are available online.
    http://www.hardened-php.net/suhosin/how_to_install_or_upgrade.html
    • Requires “root”.
    • Patch if you build your own PHP. (run make test)
    • Extension installs like any other. (but without pecl)

  8. HASH DOS
    • Not a PHP-only problem! (Yay node.js, yay Java!)
    • CVE-2011-4885
    • Overload/crash any server by making it process 1000s of entries in a list.
    • Try $_POST or $_REQUEST! (Works up to PHP 5.3.8)

  9. UPDATE?
    • PHP 5.3.9 was released to “fix” HASH DOS.
    • New directive max_input_vars!
    • Profit?

  10. PHP 5.3.9
    • New vulnerability in max_input_vars!
    • All backports are vulnerable.
    • PHP 5.3.10?

  11. MAYBE. :)
    Fool me once, don’t fool me twice.

  12. LIFE COULD BE EASY
    Suhosin fixed HASH DOS a long time ago.
    suhosin.post.max_vars
    suhosin.request.max_vars
    suhosin.post.max_value_length
    suhosin.request.max_value_length
    Four configuration settings is all it takes.
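
Slides 9 and 12 name the directives but not how they sit together in a php.ini. The fragment below is an added example, not taken from the slides or from the Suhosin project: the directive names are real, the numeric values are illustrative choices rather than the shipped defaults, and suhosin.simulation is switched on the way the deck recommends for a first test run, so violations are logged but not yet enforced.

```ini
; Added example php.ini fragment (not from the slides). Values are illustrative.

; PHP core, 5.3.9 and later: register at most this many input variables per
; request. Variables past the limit are dropped and a warning is emitted.
max_input_vars = 1000

; Suhosin extension: the equivalent cap, available for earlier PHP releases.
; Number of variables accepted from the POST body, and from the whole request
; (GET + POST + COOKIE). Variables past the limit are discarded and logged.
suhosin.post.max_vars = 1000
suhosin.request.max_vars = 1000

; Longest single value, in bytes, accepted from the same two sources.
suhosin.post.max_value_length = 65000
suhosin.request.max_value_length = 65000

; Simulation mode: log every violation of the limits above without enforcing
; them. Switch it off once the application's legitimate requests have been
; confirmed to stay under the limits.
suhosin.simulation = On
```

When both PHP's own cap and Suhosin's are present, the lower one is the one a request hits first, so keep the two in step or you will be debugging the wrong warning.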

  13. SUMMARY?
    • Suhosin offers plenty of work-arounds
    • “Quick-fixes” to current issues
    • Prevention
    • Test your application with suhosin.simulation
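
One way to act on the "test with suhosin.simulation" advice, written here as an added example rather than code from the talk: it reads the limits actually in force through ini_get(), counts the name=value pairs in a url-encoded POST body independently of PHP's parsed view of it, and reports the first limit the request exceeded. Under simulation the extension only logs, so this check lets the application itself see the same over-limit requests; the 413 response is an illustrative choice, and the check only covers the POST body (Suhosin's request.* limits also count GET and cookie variables). The syntax is kept PHP 5.3-compatible.

```php
<?php
// Added example, not part of the talk. PHP 5.3+ syntax so it runs on the
// versions the deck discusses as well as on current PHP.

/** Limits that govern how many request variables PHP will register. */
function inputLimits()
{
    $names = array('max_input_vars');
    if (extension_loaded('suhosin')) {
        $names = array_merge($names, array(
            'suhosin.simulation',
            'suhosin.post.max_vars',
            'suhosin.request.max_vars',
            'suhosin.post.max_value_length',
            'suhosin.request.max_value_length',
        ));
    }
    $limits = array();
    foreach ($names as $n) {
        $limits[$n] = ini_get($n);   // false when the directive is unknown to this build
    }
    return $limits;
}

/**
 * Count name=value pairs in an application/x-www-form-urlencoded body and
 * measure the longest decoded value, without building the hash table PHP
 * would. Each pair counts once, which is how max_input_vars counts them.
 */
function inspectRawBody($raw)
{
    $pairs = 0;
    $longest = 0;
    foreach (explode('&', $raw) as $pair) {
        if ($pair === '') {
            continue;
        }
        $pairs++;
        $parts = explode('=', $pair, 2);
        $value = isset($parts[1]) ? urldecode($parts[1]) : '';
        $longest = max($longest, strlen($value));
    }
    return array('pairs' => $pairs, 'longest_value' => $longest);
}

/**
 * Name the first limit this request exceeded, or null if none.
 * A limit that is absent (false) or 0 is treated as "no limit".
 */
function exceededLimit(array $stats, array $limits)
{
    $checks = array(
        'max_input_vars'                   => 'pairs',
        'suhosin.post.max_vars'            => 'pairs',
        'suhosin.request.max_vars'         => 'pairs',
        'suhosin.post.max_value_length'    => 'longest_value',
        'suhosin.request.max_value_length' => 'longest_value',
    );
    foreach ($checks as $directive => $stat) {
        if (!isset($limits[$directive])) {
            continue;
        }
        $limit = (int) $limits[$directive];
        if ($limit > 0 && $stats[$stat] > $limit) {
            return sprintf('%s=%d exceeded (%s=%d)', $directive, $limit, $stat, $stats[$stat]);
        }
    }
    return null;
}

// Request-time hook. php://input is only readable for non-multipart bodies,
// so the check is restricted to url-encoded POSTs.
if (PHP_SAPI !== 'cli'
    && isset($_SERVER['REQUEST_METHOD'], $_SERVER['CONTENT_TYPE'])
    && $_SERVER['REQUEST_METHOD'] === 'POST'
    && strpos($_SERVER['CONTENT_TYPE'], 'application/x-www-form-urlencoded') === 0) {
    $stats  = inspectRawBody((string) file_get_contents('php://input'));
    $reason = exceededLimit($stats, inputLimits());
    if ($reason !== null) {
        // Same channel Suhosin logs to in simulation mode; reject the request
        // instead of processing data PHP has already silently truncated.
        error_log('over-limit request from ' . $_SERVER['REMOTE_ADDR'] . ': ' . $reason);
        header('HTTP/1.1 413 Request Entity Too Large');
        exit;
    }
}
```

Run the test suite with this hook in place and suhosin.simulation on: every log line it produces is a request that would have been cut down once simulation is switched off, so the limits or the forms can be adjusted before enforcement.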

  14. DRAWBACKS
    • More maintenance. (Patching PHP sucks. Building custom extensions also – kind of.)
    • Probably performance. (There is an 8% hit if you do lots of recursive function calls, but probably less in your application.)
    • Lots of drama.

  15. BUT WAIT
    • Please (, please, please) update your PHP.
    • Run your test suite against release candidates and betas.
    • Report bugs, and send patches.
    • Contribute.

  16. FIN
    http://till.klampaeckel.de/blog
    @klimpong