Suhosin Explained

Suhosin
Suhosin
Licence:PHP License
Author:Stefan Esser
Latest Release Date:May 21, 2015
Latest Release Version:0.9.38
Released:October 2, 2006
Platform:PHP
Programming Language:C
Discontinued:yes

Suhosin (Korean: 수호신, pronounced as /ko/, meaning "guardian angel") is an open source patch for PHP and also a PHP extension, written by the German company Sektion Eins. The patch and the extension are two independent parts, that can be used separately or in combination. "The goal behind Suhosin is to be a safety net that protects servers from insecure PHP coding practices."[1]

Suhosin also reduces the "attackable surface" that PHP adds to a Web Server through function whitelists, resource limits, transparent session and cookie encryption, binary content filter, logging and various other protections.[2] This reduces the risk of deploying previously deemed unsafe PHP programs and protects against known and unknown attacks.

Features

While the original patch included several low-level memory-related hardenings, those features aren't present in the modules, but most of them have been upstreamed into PHP.

Distribution with operating systems

In some Linux distributions, notably Debian in versions up to 6.x ("Squeeze") and Gentoo Linux, it was shipped by default with both patch and extension. Suhosin was removed from Debian as of version 7 (Wheezy) but reappeared in the current development branch.[3]

It is activated by default in Mac OS X Server.

As of PHP 5.4, openSUSE dropped the Suhosin patch, but maintains a port of the Suhosin extension.[4]

FreeBSD 10.1 maintains the Suhosin extension in its ports collection.

Development history and legacy

Suhosin was first released in 2006,[5] and targeted PHP 5.2.0. The last release of the hardening patch happened a couple of months after the release of the module.[6] The last news article on the official website is from 2007, and no activity occurred in the code repository from May 2012 until February 2014. This led some distributions to consider the Suhosin project dead, until some people from the community started to contribute back to it, circa 2014.[7] There is no plan[8] to upstream features into PHP.

In November 2015, suhosin7 was created,[9] to provide similar hardening features to PHP7 but failed to gain momentum among the community.[10] The Snuffleupagus project aims at being its successor, for PHP7 and onwards.

See also

References

  1. Chapter 13, Securing PHP Web Applications by Tricia Ballad; William Ballad Publisher: Addison-Wesley Professional, Web
  2. http://suhosin.org/stories/feature-list.html Official Feature List
  3. https://packages.debian.org/sid/php5-suhosin Overview of package php5-suhosin in Debian sid
  4. http://lists.opensuse.org/opensuse-factory/2013-07/msg00030.html Mailinglist Archive: opensuse-factory (418 mails)
  5. Web site: Hardened-PHP Project - PHP Security - News. hardened-php.net. 2017-01-18.
  6. News: Download. SektionEins. 2014-06-11. SUHOSIN. en. 2017-01-18.
  7. Web site: sektioneins/suhosin. GitHub. en. 2017-01-18.
  8. Web site: 'Re: [PHP-DEV] Suhosin patch disabled by default in Debian php5 builds' - MARC]. marc.info. 2018-02-25.
  9. Web site: first commit · sektioneins/suhosin7@aee7faf. GitHub. en. 2017-01-18.
  10. Web site: sektioneins/suhosin7. GitHub. en. 2017-01-18.

External links