The Hardened PHP project
recently announced its existence; naturally, a Gentoo
is already available. The PHP language is highly popular for
the creation of web applications, but it has long suffered from a
reputation for poor security. This reputation is perhaps not entirely
fair; the number of sites which have actually been compromised as a result
of PHP vulnerabilities is small. Nonetheless, PHP has tended to have more
holes than it really should, given its wide deployment.
Hardened PHP is attempting to address that
problem by adding patches to the language implementation which close off a
number of potential security problems.
Those interested in the actual changes being made can learn more on
this page. These changes include:
- The addition of "canaries" to the internal memory manager. PHP uses a
variant of malloc() which tracks all allocated memory, making
it easy to reclaim everything after the completion of a web request. The
Hardened PHP patch adds special, random values at the beginning and
end of each allocated block and checks to see whether those values
have been overwritten when the memory is freed. These checks should
help defend against bugs in the PHP system which allow heap overflow
- Canaries are also added to PHP's internal linked list structures.
- The "%n" format specifier has been removed from (some of)
PHP's internal string printing functions in an attempt to head off
certain types of format string attacks.
- The PHP include directive has some additional restrictions
which prevent the inclusion of program text from remote sources.
- Checks are made for strings with embedded NULL characters.
This effort is worthy and worthwhile, but it is also inadequate for a
couple of reasons. Exploitable buffer overflows in PHP are relatively
rare; instead, PHP programs tend to suffer from different classes of
vulnerabilities, such as cross-site scripting, SQL injection, and command
injection. A truly hardened PHP would attempt to address these problems
through tighter restrictions on what scripts can do and enforced checking
of input strings.
The fact that there needs to be a "hardened PHP" project in the first place
is also a bad sign, unless this project is simply a staging area for
patches on their way into the mainline. PHP is used to implement an
unbelievable number of web sites; any vulnerabilities in PHP put vast
numbers of systems at risk. Security should be at the top of the PHP
project's goals; every PHP installation should be hardened. The
Hardened PHP project is a good thing; lets hope its work is quickly picked
up by the main PHP distribution.
to post comments)