Suhosin

Suhosin (Korean 수호신, Korean pronunciation:

Suhosin also reduces the "attackable surface" that PHP adds to a Web Server through function whitelists, resource limits, transparent session and cookie encryption, binary content filter, logging and various other protections.^[2] This reduces the risk of deploying previously deemed unsafe PHP programs and protects against known and unknown attacks.

Features

While the original patch included several low-level memory-related hardenings, those features aren't present in the modules, but most of them have been upstreamed into PHP.

• Cookies encryption: to mitigate XSS-based cookies stealing, the cookies are encrypted, so an attacker could not get their values, and they are tied to the user-agent and part of the IP address of the user, making a stolen cookie unusable by the attacker.
• Inclusion protection: Uploaded and remote files can't be included, mitigating arbitrary file inclusion attacks.
• Disabling common code execution vectors: the eval keyword isn't a real function in PHP, thus it can't be disabled with the disable_function directive, but Suhosin added this possibility, and also allowing to disable the infamous /e operator for the preg_replace function that can lead to arbitrary code execution.
• Protection against
  infinite recursion: PHP has a documented behavior of yielding a segmentation fault
  error upon infinite recursion. Since this is a memory-safety issue, Suhosin will make the application gracefully exit once a maximum level of recursion has been met.
• Granular function white/black-list: the disabled_function directive of PHP isn't granular at all, Suhosin provides a white and black-list mechanism for functions, on a per virtual-host and folder basis.
• Black-list against sensitive variable names: Suhosin will drop GET, POST, COOKIE variables with global reserved variable names following names, like GLOBALS, _COOKIE, _ENV, _FILES, _GET, _POST,…
• File upload hardening: Suhosin supports calling scripts upon file-upload, allowing things like automatic
  ELF
  files, binary files,…
• Custom actions upon violation: blocking violating variables, send a specific HTTP response code, issue a redirection or even execute another PHP script.
• Extensive logging: multiple log devices, logging offending filename and the line number, the IP address of the attacker, even behind reverse proxies.

Distribution with operating systems

In some Linux distributions, notably Debian in versions up to 6.x ("Squeeze") and Gentoo Linux, it was shipped by default with both patch and extension. Suhosin was removed from Debian as of version 7 (Wheezy) but reappeared in the current development branch.^[3]

It is activated by default in Mac OS X Server.

As of PHP 5.4, openSUSE dropped the Suhosin patch, but maintains a port of the Suhosin extension.^[4]

FreeBSD 10.1 maintains the Suhosin extension in its ports collection.

Development history and legacy

Suhosin was first released in 2006,^[5] and targeted PHP 5.2.0. The last release of the hardening patch happened a couple of months after the release of the module.^[6] The last news article on the official website is from 2007,^[5] and no activity occurred in the code repository from May 2012 until February 2014. This led some distributions to consider the Suhosin project dead, until some people from the community started to contribute back to it, circa 2014.^[7] There is no plan^[8] to upstream features into PHP.

In November 2015, suhosin7 was created,^[9] to provide similar hardening features to PHP7 but failed to gain momentum among the community.^[10] The Snuffleupagus project aims at being its successor, for PHP7 and onwards.

See also

• PHP

References

External links

• Official website
• Suhosin on GitHub

This security software article is a stub. You can help Wikipedia by expanding it.

• v
• t
• e