LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Weekly Edition

Return to the Security page

Recent Features

LWN.net Weekly Edition for May 16, 2013

A look at the PyPy 2.0 release

PostgreSQL 9.3 beta: Federated databases and more

LWN.net Weekly Edition for May 9, 2013

(Nearly) full tickless operation in 3.10

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

Hardened PHP

[Posted May 18, 2004 by corbet]

The Hardened PHP project has recently announced its existence; naturally, a Gentoo package is already available. The PHP language is highly popular for the creation of web applications, but it has long suffered from a reputation for poor security. This reputation is perhaps not entirely fair; the number of sites which have actually been compromised as a result of PHP vulnerabilities is small. Nonetheless, PHP has tended to have more holes than it really should, given its wide deployment. Hardened PHP is attempting to address that problem by adding patches to the language implementation which close off a number of potential security problems.

Those interested in the actual changes being made can learn more on this page. These changes include:

  • The addition of "canaries" to the internal memory manager. PHP uses a variant of malloc() which tracks all allocated memory, making it easy to reclaim everything after the completion of a web request. The Hardened PHP patch adds special, random values at the beginning and end of each allocated block and checks to see whether those values have been overwritten when the memory is freed. These checks should help defend against bugs in the PHP system which allow heap overflow attacks.

  • Canaries are also added to PHP's internal linked list structures.

  • The "%n" format specifier has been removed from (some of) PHP's internal string printing functions in an attempt to head off certain types of format string attacks.

  • The PHP include directive has some additional restrictions which prevent the inclusion of program text from remote sources.

  • Checks are made for strings with embedded NULL characters.

This effort is worthy and worthwhile, but it is also inadequate for a couple of reasons. Exploitable buffer overflows in PHP are relatively rare; instead, PHP programs tend to suffer from different classes of vulnerabilities, such as cross-site scripting, SQL injection, and command injection. A truly hardened PHP would attempt to address these problems through tighter restrictions on what scripts can do and enforced checking of input strings.

The fact that there needs to be a "hardened PHP" project in the first place is also a bad sign, unless this project is simply a staging area for patches on their way into the mainline. PHP is used to implement an unbelievable number of web sites; any vulnerabilities in PHP put vast numbers of systems at risk. Security should be at the top of the PHP project's goals; every PHP installation should be hardened. The Hardened PHP project is a good thing; lets hope its work is quickly picked up by the main PHP distribution.

(Log in to post comments)

Hardened PHP

Posted May 20, 2004 10:43 UTC (Thu) by zmi (guest, #4829) [Link]

It would be good to have "variable protection". I mean, that it should
not be allowed to use variables that have not been initialized before.
E.g. this:

$var=<input from website>
// Here comes a mistyped $varr
if ($varr == <security checks>) { remove hackers code }
sql_insert("$var");

And suddenly you did *not* check $var for malicious input. If undefined
variables would not be allowed, but generate an error instead,
everything would be fine. I did not find such a function in normal PHP,
so maybe it would be good to exist in hardened-PHP.

Hardened PHP

Posted May 30, 2004 21:32 UTC (Sun) by robinv (guest, #21952) [Link]

Develop with E_NOTICE, then you'll get warnings when you try to read from a variable that hasn't yet been assigned.

-robin

Copyright © 2004, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds