Title: Killing php bug classes at berlinsides
Date: 2017-06-05 13:50

Last week-end, I gave with [blotus](https://blot.me/) and [bui](http://memze.ro/) 
a talk at [BerlinSides](https://berlinsides.org) about a nice project called
[Snuffleupagus](https://en.wikipedia.org/wiki/Mr._Snuffleupagus).

Since you can get the (redacted) slides
[here]({static}/files/sp_berslindes2017.pdf), I won't repeat their content
here, except the most prominent features:

### We're killing the following bug classes:

- Unserialize-based code execution
- Cookie-stealing XSS
- Weak entropy generation via `rand` and `mt_rand`
- External Entities XXE
- Overly permissive `chmod`
- `mail`-related RCE

### We're making persistence and exploitation harder

By allowing the following filters on function execution, by explicit value or regexp:

- Complete path of the filename
- Hash of the filename
- Name of the function 
- Return value of the function 
- Any parameter of the function, even in nested arrays
- The name of the namespace the function belongs to
- The name of the class the function belongs to (yes, methods are functions in PHP)
- Log and/or dump the request if a rule matched, allowing you to harvest free
  vulnerabilities
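As an added illustration (not the extension's code, and not its real rule syntax), here is a small Python model of the filter semantics listed above: a rule is a set of exact-value or regex constraints on a call record (function, class, namespace, filename, hash, return value, parameters), a parameter constraint recurses into nested arrays, and the first matching rule yields its action. The rule set and call records are constructed samples.

```python
import re

# A constraint is an exact value or a compiled regex; a regex is tested
# against the string form of the actual value.
def _matches(constraint, actual):
    if isinstance(constraint, re.Pattern):
        return actual is not None and constraint.search(str(actual)) is not None
    return constraint == actual

# PHP arrays are modelled as lists/dicts; walk them so a parameter
# constraint also sees values buried inside nested arrays.
def _any_leaf(value, constraint):
    if isinstance(value, dict):
        return any(_any_leaf(v, constraint) for v in value.values())
    if isinstance(value, (list, tuple)):
        return any(_any_leaf(v, constraint) for v in value)
    return _matches(constraint, value)

def rule_matches(rule, call):
    """True if every constraint in `rule` holds for the call record `call`."""
    for key in ("function", "class", "namespace", "filename", "hash", "ret"):
        if key in rule and not _matches(rule[key], call.get(key)):
            return False
    if "param" in rule:
        idx, constraint = rule["param"]
        params = call.get("params", [])
        if idx >= len(params) or not _any_leaf(params[idx], constraint):
            return False
    return True

def evaluate(rules, call):
    """Action ('drop', 'log', 'dump') of the first matching rule, else None."""
    for rule in rules:
        if rule_matches(rule, call):
            return rule["action"]
    return None

# Constructed sample rule set (hypothetical; not the extension's own format).
RULES = [
    {"function": "is_callable", "param": (0, "system"), "action": "log"},
    {"function": "ini_get", "param": (0, "open_basedir"), "action": "log"},
    {"function": "file_put_contents", "param": (1, re.compile(r"<\?php")), "action": "dump"},
    {"function": "mysql_query", "ret": False, "action": "log"},
    {"namespace": "App\\Legacy", "function": "unserialize", "action": "drop"},
    {"filename": re.compile(r"^/var/www/uploads/"), "action": "drop"},
]

if __name__ == "__main__":
    # file_put_contents() accepts an array as its data argument; the regex
    # still finds the PHP open tag inside the nested element.
    print(evaluate(RULES, {"function": "file_put_contents",
                           "params": ["/tmp/x.php", ["<?php ", "echo 1;"]]}))
```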

### We also provide various hardening measures

Either natively as an option, or in the set of default rules:

- Forbidding execution of writeable files
- Calling an external program on script upload to decide whether to quarantine
  it
- Detection of suspicious calls, like `ini_get('open_basedir')` or
  `is_callable("system")`
- Detection of `mysql_query` errors

We have more mitigations and bug-class slaughter planned (sloppy comparisons, SQLi, …),
and odds are that we'll publish a paper along with the project.

We're planning to open-source it in a couple of weeks, feel free to shoot us an
email at the address mentioned in the slides (or to idle on
[#websec](irc://overthewire.net/websec)) if you want to be part of the alpha.

About BerlinSides, as usual, the talks were mostly interesting and varied:
an introduction to the [hardenedbsd](https://hardenedbsd.org/) project,
exploitation of hardware older than me, partial-emulation assisted fuzzing of
embedded devices (by someone from the [tasteless](https://tasteless.eu/) ctf team),
functional programming (with a pen on a real overhead projector), interesting
reflections on type-safety, … and the mandatory talk about how broken the *IoT* is.

Kudos to [aluc](https://twitter.com/thealuc) for organizing it every year.
