Suhosin Explained
Suhosin |
Suhosin |
Licence: | PHP License |
Author: | Stefan Esser |
Latest Release Date: | May 21, 2015 |
Latest Release Version: | 0.9.38 |
Released: | October 2, 2006 |
Platform: | PHP |
Programming Language: | C |
Discontinued: | yes |
Suhosin (Korean: 수호신, pronounced as /ko/, meaning "guardian angel") is an open source patch for PHP and also a PHP extension, written by the German company Sektion Eins. The patch and the extension are two independent parts, that can be used separately or in combination. "The goal behind Suhosin is to be a safety net that protects servers from insecure PHP coding practices."[1]
Suhosin also reduces the "attackable surface" that PHP adds to a Web Server through function whitelists, resource limits, transparent session and cookie encryption, binary content filter, logging and various other protections.[2] This reduces the risk of deploying previously deemed unsafe PHP programs and protects against known and unknown attacks.
Features
While the original patch included several low-level memory-related hardenings, those features aren't present in the modules, but most of them have been upstreamed into PHP.
- Cookies encryption: to mitigate XSS-based cookies stealing, the cookies are encrypted, so an attacker could not get their values, and they are tied to the user-agent and part of the IP address of the user, making a stolen cookie unusable by the attacker.
- Inclusion protection: Uploaded and remote files can't be included, mitigating arbitrary file inclusion attacks.
- Disabling common code execution vectors: the eval keyword isn't a real function in PHP, thus it can't be disabled with the disable_function directive, but Suhosin added this possibility, and also allowing to disable the infamous /e operator for the preg_replace function that can lead to arbitrary code execution.
- Protection against infinite recursion: PHP has a documented behavior of yielding a segmentation fault error upon infinite recursion. Since this is a memory-safety issue, Suhosin will make the application gracefully exit once a maximum level of recursion has been met.
- Granular function white/black-list: the disabled_function directive of PHP isn't granular at all, Suhosin provides a white and black-list mechanism for functions, on a per virtual-host and folder basis.
- Black-list against sensitive variable names: Suhosin will drop GET, POST, COOKIE variables with global reserved variable names following names, like GLOBALS, _COOKIE, _ENV, _FILES, _GET, _POST,…
- File upload hardening: Suhosin supports calling scripts upon file-upload, allowing things like automatic anti-virus scanning upon upload. It can also prevent ELF files, binary files,…
- Custom actions upon violation: blocking violating variables, send a specific HTTP response code, issue a redirection or even execute another PHP script.
- Extensive logging: multiple log devices, logging offending filename and the line number, the IP address of the attacker, even behind reverse proxies.
Distribution with operating systems
In some Linux distributions, notably Debian in versions up to 6.x ("Squeeze") and Gentoo Linux, it was shipped by default with both patch and extension. Suhosin was removed from Debian as of version 7 (Wheezy) but reappeared in the current development branch.[3]
It is activated by default in Mac OS X Server.
As of PHP 5.4, openSUSE dropped the Suhosin patch, but maintains a port of the Suhosin extension.[4]
FreeBSD 10.1 maintains the Suhosin extension in its ports collection.
Development history and legacy
Suhosin was first released in 2006,[5] and targeted PHP 5.2.0. The last release of the hardening patch happened a couple of months after the release of the module.[6] The last news article on the official website is from 2007, and no activity occurred in the code repository from May 2012 until February 2014. This led some distributions to consider the Suhosin project dead, until some people from the community started to contribute back to it, circa 2014.[7] There is no plan[8] to upstream features into PHP.
In November 2015, suhosin7 was created,[9] to provide similar hardening features to PHP7 but failed to gain momentum among the community.[10] The Snuffleupagus project aims at being its successor, for PHP7 and onwards.
See also
References
- Chapter 13, Securing PHP Web Applications by Tricia Ballad; William Ballad Publisher: Addison-Wesley Professional, Web
- http://suhosin.org/stories/feature-list.html Official Feature List
- https://packages.debian.org/sid/php5-suhosin Overview of package php5-suhosin in Debian sid
- http://lists.opensuse.org/opensuse-factory/2013-07/msg00030.html Mailinglist Archive: opensuse-factory (418 mails)
- Web site: Hardened-PHP Project - PHP Security - News. hardened-php.net. 2017-01-18.
- News: Download. SektionEins. 2014-06-11. SUHOSIN. en. 2017-01-18.
- Web site: sektioneins/suhosin. GitHub. en. 2017-01-18.
- Web site: 'Re: [PHP-DEV] Suhosin patch disabled by default in Debian php5 builds' - MARC]. marc.info. 2018-02-25.
- Web site: first commit · sektioneins/suhosin7@aee7faf. GitHub. en. 2017-01-18.
- Web site: sektioneins/suhosin7. GitHub. en. 2017-01-18.
External links