2019-07-17 Suhosin is back!
Overwhelmingly marvellous news: Suhosin-NG was accepted for the 2019-04 open call from NLnet.
When it comes to important ideas that can help improve our society, there really are no boundaries. The challenge is to turn those opportunities into reality. Great ideas just come, but they are gone in a breeze as well. Let's make good use of them.
Suhosin (pronounced 'su-ho-shin') is an advanced protection system for PHP installations. It is designed to protect servers and users from known and unknown flaws in PHP applications and the PHP core. Suhosin comes in two independent parts that can be used separately or in combination: the first is a small patch against the PHP core that implements a few low-level protections against buffer overflows and format string vulnerabilities; the second is a powerful PHP extension that implements numerous other protections.
Since the release of PHP 7.0 in December 2015 the internet community has been desperately hoping to get the protection of the Suhosin PHP extension for their freshly baked PHP 7 installations. There was a first attempt to port Suhosin to PHP 7, conveniently named "Suhosin7". Unfortunately, Suhosin7 development stagnated and eventually came to an end while still in the alpha stage.
A few years later in 2017 another project called Snuffleupagus (or "SP" for short, because nobody really knows how to pronounce "Snuffleupagus" in Central Europe) took the opportunity and implemented a powerful PHP protection system. And they did excellent work. Why this project has not gotten the attention that Suhosin did back with PHP 5 is unclear to me, but this is about to change drastically.
The Suhosin-NG project will improve upon SP by integrating a number of old and new ideas over the next couple of months. If all goes according to plan, most ideas will be sent as GitHub pull requests to the upstream SP project and hopefully get integrated.
Who is behind Suhosin-NG?
The original Suhosin project was developed and maintained for years at SektionEins. For more than a decade we have been well known in the internet and web community for our expertise in web application security audits -- source code audits, penetration testing, infrastructure analysis, training and consulting. More than a few projects were released as open source software over the years including Suhosin (the PHP hardening extension), PCC (PHP secure configuration checker), scd-pkcs-11 (PKCS#11 provider with smart card support via GnuPG) and other mind-blowing projects.
Suhosin-NG: The grand plan
Here is a sneak preview of upcoming milestones:
- Setup and get started: In order to be as transparent as possible and provide the most value for the internet, Suhosin-NG needs some infrastructure setup. Also, the internet should be made aware of the NLnet/SektionEins collaboration and some details about the project itself.
- Research and Brainstorming (and collecting ideas): We have collected a few ideas about how to harden web applications during our work on web application audits. In order to get even more up to date, a selective code review of PHP 7 will spark the creativity and provide the necessary insight into new Suhosin-NG features.
- SP code review: Do a code review with security flaws in mind. We are writing security software, so the more eyes the better. If we happen to uncover ways to improve SP, there will be patches.
- SP limitation testing: According to the SP documentation it is currently not possible to "hook every language construct". A few more unit tests will uncover just how effectively SP can protect against weird or uncommon language constructs.
- SP Configuration Defaults: With its disable_function rules, SP provides a very powerful and versatile tool to restrict PHP's function calls. This milestone should provide a reasonable default configuration for SP by mimicking Suhosin's feature set.
- Simplify SP configuration: Configuring protections against security threats is an expert task. It should be possible for the average sysadmin to configure SP in a secure way with as little effort as possible.
- Automate SP configuration checks: There is no easy way to check SP rules for semantic errors. This milestone provides a way to perform "unit tests" on SP configuration rules.
- Integrate php.ini protection: A lot of security flaws can be prevented by restricting the php.ini configuration. The PHP secure configuration checker (PCC) already provides reasonable checks for php.ini. SP should be able to provide runtime restrictions to php.ini configuration based on PCC rules.
- Suhosin feature backports to SP: SP provides matching features for most but not all of Suhosin’s features. The goal should be to provide SP with some of the missing features.
- Implementation of Ideas and new Features: Implement hardening ideas from the milestone "Research and Brainstorming", as well as community ideas provided via the GitHub issue tracker.
- Porting and packaging: All new tools should be packaged for numerous operating systems.
- WCAG (Accessibility), Security Scan and Wrap Up: The software should be checked for accessibility and security. Also, there may be other open issues from the community, which have to be addressed.
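To make the "SP Configuration Defaults" milestone concrete, here is an added example (not Suhosin-NG or SP project code) of what an SP rules file that mimics Suhosin's best-known protections could look like. The directive names come from the upstream Snuffleupagus documentation; the Suhosin-to-SP mapping and the placeholder secret are assumptions for illustration.

```conf
# Added example: Snuffleupagus rules mirroring common Suhosin protections.
# Directive names follow upstream SP docs; the mapping to Suhosin options
# is an assumption of how a default configuration might be laid out.

# Key for SP's cookie/session encryption and unserialize HMACs.
# CHANGEME is a placeholder: generate a long random value per host.
sp.global.secret_key("CHANGEME_LONG_RANDOM_SECRET");

# Suhosin's transparent session/cookie encryption -> SP encrypts the
# session data and the session cookie, keyed with the secret above.
sp.session.encrypt();
sp.cookie.name("PHPSESSID").encrypt();

# Suhosin's hardened rand()/mt_rand() -> SP backs both with a CSPRNG.
sp.harden_random.enable();

# Suhosin's unserialize() restrictions -> SP appends an HMAC to
# serialize() output and rejects unserialize() input that fails to verify.
sp.unserialize_hmac.enable();

# No direct Suhosin equivalent, same spirit: refuse to execute PHP files
# that are writable by the PHP process (blocks many dropped-webshell chains).
sp.readonly_exec.enable();

# Suhosin's executor.func.blacklist -> SP disable_function rules.
# Start in log-only mode (.alert()) and switch to .drop() once the logs
# show no legitimate callers.
sp.disable_function.function("system").alert();
sp.disable_function.function("passthru").alert();
sp.disable_function.function("shell_exec").alert();
sp.disable_function.function("proc_open").alert();
```

Load the file via the extension's configuration (sp.configuration_file in php.ini) and watch the PHP error log or syslog for SP alerts before tightening any rule from .alert() to .drop().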
Nothing is absolutely set in stone. If you happen to have a great idea on how to improve PHP security, please feel free to leave a comment in the Issue tracker.
This news page will be updated on a regular basis every few weeks. Also, check out our social media presence: @suhosin on Twitter.