We're dealing with PHP code for most of ToolsLib services, which means that despite our efforts to write secure code we still have to regularly mitigate CVEs found in PHP components. While we have been very reactive in applying fixes, it's better if we can take proactive measures.
Luckily, fine people from NBS-Systems are working on Snuffleupagus, a PHP extension to raise the cost of exploiting these vulnerabilities. We've been testing it for some time now and we will deploy it very soon to protect all our services.
Snuffleupagus is an open-source extension for PHP 7+ which takes a set of rules to apply to each request, and chooses whether to drop, allow, dump or simulate them, making it possible to kill a whole class of bugs at once: system/mail injections, session-cookie stealing using XSS, various unserialize jokes, ...
These rules make it possible to control what is allowed or not at different levels, including:
- functions;
- argument values and types;
- filenames and hashes;
- callstack;
- returned values.
For instance, this rule would have killed CVE-2016-10074 and most of the mail-related RCEs:
sp.disable_function.function("mail").param("additional_parameters").value_r("\\-").drop();
An entry is written to the PHP log file every time a request is caught, making it possible to plug in a monitoring system that sends alerts when certain types of rules are triggered, which is what we've set up. This is particularly great for catching potential 0-days at very short notice!
To begin with, a good start is to play with the provided script to generate an appropriate whitelist of suspicious but legitimate functions used by your application. From there, it's possible to build new rules and adapt them to fully cover your needs.
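As an added example (not part of the ToolsLib post, nor taken from the Snuffleupagus documentation or ToolsLib's deployed configuration), here is a rule file covering the levels listed above and the whitelist-first workflow just described: an allow rule pinned to a file hash before a blanket drop, argument-value and return-value rules in the same form as the mail() rule, and a new rule run in simulation mode before it is enforced. The application paths, function choices, file hash, dump path and secret key are placeholders for a hypothetical application, and combining the per-rule .simulation() modifier with .drop() is an assumption to check against the documentation of the version you deploy.

```ini
; Added example: Snuffleupagus rules for a hypothetical PHP application.
; All paths, the hash and the key are placeholders, not real values.

; Secret used by the cookie-encryption and unserialize-HMAC features.
; PLACEHOLDER: generate a long random value and keep it out of version control.
sp.global.secret_key("PLACEHOLDER_LONG_RANDOM_SECRET");

; Function level: functions the application never needs are dropped outright.
sp.disable_function.function("system").drop();
sp.disable_function.function("shell_exec").drop();
sp.disable_function.function("passthru").drop();

; Filename + hash level: the whitelist generated in the first step shows one
; legitimate exec() call site. Allow exactly that file, pinned to its sha256,
; then drop every other caller. Rules are matched in order, so the allow rule
; has to come before the drop rule.
sp.disable_function.function("exec").filename("/var/www/app/lib/backup.php").hash("PLACEHOLDER_SHA256_OF_BACKUP_PHP").allow();
sp.disable_function.function("exec").drop();

; Argument value level: the mail() rule from the post, plus a stream-wrapper
; check so file_get_contents() refuses php://, data://, phar:// and expect://
; inputs that reach it from user-controlled data.
sp.disable_function.function("mail").param("additional_parameters").value_r("\\-").drop();
sp.disable_function.function("file_get_contents").param("filename").value_r("^(php|data|phar|expect)://").drop();

; Return value level: a hypothetical traversal guard. If realpath() resolves a
; path into /etc/, the request is dumped for later analysis and dropped.
sp.disable_function.function("realpath").ret_r("^/etc/").dump("/var/log/snuffleupagus/dumps").drop();

; Simulation: a new rule is logged as if it had matched, but the request is not
; blocked. This is how a rule is vetted on staging before the drop is enforced
; (assumed form: .simulation() combined with .drop()).
sp.disable_function.function("unserialize").param("str").value_r("O:\\d+:").simulation().drop();

; Session-cookie protection against theft through XSS: the cookie value is
; encrypted by the extension and tied to the client, so a copied value is not
; usable from elsewhere, and SameSite limits cross-site sending.
sp.cookie.name("PHPSESSID").encrypt();
sp.cookie.name("PHPSESSID").samesite("lax");

; Unserialize protection: serialized strings are signed with an HMAC derived
; from the secret key, so tampered or attacker-supplied payloads are rejected.
sp.unserialize_hmac.enable();
```

The order of the rules matters: for a given function the first matching rule is the one applied, which is why the hash-pinned allow for backup.php sits above the unconditional drop of exec(). Each triggered rule writes an entry to the PHP log, so the simulation rule can be watched on staging for false positives for a while before its drop is enforced in production.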
We've deployed Snuffleupagus in our staging environment for some time now, without major issues (some annoying ones still exist, but those are being fixed). We'll continue the tests on a non-production environment for some time, but we're feeling confident enough to deploy it very soon. We are also testing its integration with our alerting system, so that a notification is sent every time an interesting exploit attempt is caught, to warn us as soon as possible and let us take appropriate and proactive action.
Snuffleupagus has proved to be a very valuable tool so far. Its integration is a major improvement to the security of all the services we provide, and we deeply care about keeping our data safe, especially that of our users, who trust us millions of times each month.
Read more in NBS-Systems' official blog post!