FAQ
===

General
-------

What is Snuffleupagus?
""""""""""""""""""""""

Snuffleupagus is a `PHP7+ <http://php.net/manual/en/migration70.php>`_
module designed to drastically raise the cost of attacks against websites. This is achieved
by killing entire bug classes and providing a powerful virtual-patching system,
allowing the administrator to fix specific vulnerabilities without having to touch the PHP code.


Where does the name *Snuffleupagus* come from?
""""""""""""""""""""""""""""""""""""""""""""""

  Aloysius Snuffleupagus, more commonly known as Mr. Snuffleupagus,
  or Snuffy for short, is one of the characters on Sesame Street,
  the educational television program for young children.

  He was created as a woolly mammoth without tusks or (visible) ears,
  and has a long thick pointed tail, similar in shape to that of a dinosaur
  or other reptile. He has long thick brown hair and a trunk, or "snuffle",
  that drags along the ground. He is Big Bird's best friend and
  has a baby sister named Alice. He also attends "Snufflegarten".

  --- `Wikipedia <https://en.wikipedia.org/wiki/Mr._Snuffleupagus>`_


Why is Snuffleupagus called Snuffleupagus?
""""""""""""""""""""""""""""""""""""""""""

Like PHP's `ElePHPant <https://secure.php.net/elephpant.php>`_,
we thought that using an elephant as a mascot would be a great idea.


Who are you and why did you write Snuffleupagus?
""""""""""""""""""""""""""""""""""""""""""""""""

The project started at `NBS System <https://nbs-system.com/en/>`__,
a web hosting company (meaning that we're dealing with PHP code all day long)
with a strong focus on security. We do have several layers of hardening
(`kernel <https://grsecurity.net/>`_, `WAF <https://naxsi.org>`_,
`IDS <https://en.wikipedia.org/wiki/Intrusion_detection_system>`_, etc.),
but we had nothing for PHP7.

Nowadays, Snuffleupagus is maintained by Julien (`jvoisin <https://dustri.org>`__) Voisin.


Why not Suhosin?
""""""""""""""""

We're huge fans of `Suhosin <https://suhosin.org>`_; unfortunately:

- it doesn't work very well on PHP7
- it has some outdated features and misses new ones
- it doesn't cope very well with our various industrialization needs
- it has some shortcomings by design

We're using the `disable_functions <https://secure.php.net/manual/en/ini.core.php#ini.disable-functions>`_
directive, but unfortunately it doesn't provide enough usable granularity (guess how many CMSs are using
the `system <https://secure.php.net/manual/en/function.system.php#refsect1-function.system-notes>`_
function to perform various mandatory maintenance tasks).

This is why we decided to write our own hardening module, in the spirit of Suhosin,
with virtual-patching support, as well as other cool new features.


What license is Snuffleupagus released under and why?
"""""""""""""""""""""""""""""""""""""""""""""""""""""

Snuffleupagus is licensed under the `LGPL <https://www.gnu.org/copyleft/lesser.html>`_.
It was developed by the fine people from `NBS System <https://nbs-system.com/>`__,
and is maintained by Julien (jvoisin) Voisin.

We chose the LGPL because we don't care that much how you're using Snuffleupagus,
but we'd like to force people to make their improvements/contributions
available to everyone.


What is the difference between Snuffleupagus and a WAF like ModSecurity?
""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""

`ModSecurity <https://modsecurity.org/>`__ and other `Web Application
Firewalls (WAF) <https://en.wikipedia.org/wiki/Web_application_firewall>`__
work by inspecting the HTTP traffic. Snuffleupagus, being a PHP module,
operates directly inside your website's code, with less overhead, as well
as a better understanding of what is currently happening inside your
application.


Should I use Snuffleupagus?
"""""""""""""""""""""""""""

Yes.

Even if you're not using the virtual-patching capabilities, Snuffleupagus comes
with various passive features that won't break your website while killing numerous vulnerabilities.

Please keep in mind that you are not only protecting yourself and your users/customers,
but also other people on the internet that might be attacked by your server if
it becomes compromised.

How mature is this project?
"""""""""""""""""""""""""""

This project has been floating around since early 2016 and we made the first commit
on the 28th of December of the same year. It's currently stable,
and is usable and used in production.

Are you saying that PHP isn't secure?
"""""""""""""""""""""""""""""""""""""

We don't like PHP's approach to security, namely (sometimes) adding warnings
in the documentation and trusting the developer not to make any mistakes,
instead of focusing on the root cause and killing the
bug class once and for all.

Moreover, it seems that the current attitude toward security in the PHP world
is to `blame the user <https://externals.io/message/100147>`_ instead of acknowledging
issues, as stated in their `documentation <https://wiki.php.net/security#not_a_security_issue>`_.
We do think that a security issue that "requires the use of code or settings known to be insecure"
is still a security issue, and should be treated as such.

We don't claim that Snuffleupagus will magically solve
all your security issues, but we believe that it can definitely help.


Sounds great, but is it working?
""""""""""""""""""""""""""""""""

We've been using it in production for a couple of years, and it has thwarted
numerous known and unknown attacks. If you want some evidence, one of the
developers published in June 2019 a `blogpost
<https://dustri.org/b/snuffleupagus-versus-recent-high-profile-vulnerabilities.html>`__
showcasing how effective Snuffleupagus was against *major* web
vulnerabilities from 2018/2019.


Why should I send you bugs, security issues and patches?
"""""""""""""""""""""""""""""""""""""""""""""""""""""""""
Snuffleupagus is open-source security software; by reporting (or fixing)
bugs, or implementing new features, you are helping others to protect themselves.

We're also firm believers in the *Beerbounty* system:
we are happy to offer you beers when/if we ever meet if you helped the project in
any way. If you don't like beer, we're sure that we'll find something else,
don't worry.


Installation and configuration
------------------------------

Can Snuffleupagus break my application?
"""""""""""""""""""""""""""""""""""""""
Yes.

Some options won't break anything, like :ref:`harden-rand <harden-rand-feature>`,
but some like :ref:`global_strict <global-strict-feature>`
or overly-restrictive :ref:`virtual-patching <virtual-patching-feature>`
rules might well break your website.
It's up to you to configure Snuffleupagus according to your needs.

You can also enable the ``simulation`` mode on features that you're not sure about,
to see what Snuffleupagus would do to your application, before activating them for good.

How can I find out the problem when my application breaks?
""""""""""""""""""""""""""""""""""""""""""""""""""""""""""

By checking the logs; Snuffleupagus systematically prefixes them with ``[snuffleupagus]``.


Does Snuffleupagus run on Windows?
""""""""""""""""""""""""""""""""""
No idea, feel free to `try <https://github.com/jvoisin/snuffleupagus/issues/2>`_.


Does Snuffleupagus run on `HHVM <http://hhvm.com/>`_?
"""""""""""""""""""""""""""""""""""""""""""""""""""""
No it doesn't, since `HHVM's API <https://github.com/facebook/hhvm/wiki/Extension-API>`_
is very different from PHP7's. We're not currently planning to rewrite
Snuffleupagus to support it.

Will Snuffleupagus run on my old PHP 5?
"""""""""""""""""""""""""""""""""""""""
No.

Since PHP5 `has been deprecated since the end of 2018 <http://php.net/supported-versions.php>`_,
you should think about moving to PHP7. You can (and should) use
`Suhosin <https://suhosin.org>`_ in the meantime.

Help and support
----------------

I found a security issue
""""""""""""""""""""""""
If you believe you have found a security issue affecting Snuffleupagus,
then we would be more than happy to hear from you!

We promise to treat any reported issue seriously and,
if the investigation confirms it affects Snuffleupagus,
to patch it within a reasonable time,
release a public announcement that describes the issue,
discuss the potential impact of the vulnerability,
reference applicable patches or workarounds,
and credit the discoverer.

Please do send a mail to `Julien (jvoisin) Voisin <https://dustri.org>`__ should
you find a security issue.


I found a bug. How can I report it?
"""""""""""""""""""""""""""""""""""
We do have an issue tracker on `Github <https://github.com/jvoisin/snuffleupagus/issues>`_.
Please make sure to include as much information as possible when reporting your issue,
such as your operating system, your version of PHP 7, your version of Snuffleupagus,
your logs, the problematic PHP code, the request, a brief description, … long story short,
give us everything that you can.

If you're feeling extra-nice, you can try to :ref:`debug it yourself <debug>`,
it's not that hard.

Where can I find even more help?
""""""""""""""""""""""""""""""""
The :doc:`configuration page <config>` might be what you're looking for.
If you're adventurous, you can also check the `issue tracker <https://github.com/jvoisin/snuffleupagus/issues/?q=is%3Aissue>`_
(make sure to check the `closed issues <https://github.com/jvoisin/snuffleupagus/issues?q=is%3Aissue+is%3Aclosed>`_ too).


Unimplemented mitigations and abandoned ideas
---------------------------------------------

Constant time comparisons
"""""""""""""""""""""""""
We didn't manage to perform time-based side-channel attacks on strings
against real world PHP applications, and the results that we gathered on
tailored test cases weren't conclusive: for simplicity's sake, we chose
not to implement a mitigation against this class of attacks.

We would be happy to be proven wrong, and reconsider implementing this feature,
if someone can manage to get better results than us.

The possibility of having this natively in PHP has
`been discussed <https://marc.info/?l=php-internals&m=141692988212413&w=2>`_,
but as of 2017, nothing has been merged yet.

Nop'ing function execution
""""""""""""""""""""""""""

Snuffleupagus can be configured to either *allow* or *drop* the execution of
particular functions and optionally *log* and *dump* them, but it doesn't
provide any mechanism to *nop* their execution.

We thought about adding this, but didn't for several reasons:

- What should the return value of a *nop'ed* function be?
- It would add confusion between ``drop``, ``nop`` and ``log``.
- Usually, when a specific function is called, either it's a dangerous one
  and you want to stop the execution immediately, or you want to let it
  continue and log it. There isn't really any middle-ground, or at least we
  failed to find any.

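The *allow*/*drop* rules described above, and the granularity that ``disable_functions`` lacks (see "Why not Suhosin?"), as an added configuration example that is not taken from the project's own documentation: the php.ini directive blocks ``system()`` everywhere, including the maintenance script that legitimately needs it, whereas a pair of Snuffleupagus rules can allow it from that one file and drop it anywhere else. The rule syntax follows the ``sp.disable_function`` chain documented on the :doc:`configuration page <config>`; the maintenance-script path is made up for the example, and the first-matching-rule-wins ordering and the placement of ``.simulation()`` in the chain are assumptions to be checked against that page.

```text
# --- php.ini (all-or-nothing): every call to system() is refused,
# --- so a CMS that runs system() for maintenance tasks breaks.
disable_functions = system

# --- Snuffleupagus rules file (path configured via sp.configuration_file in php.ini).
# Assumption: rules are evaluated in order and the first match wins,
# so the narrow allow rule must precede the catch-all drop.
# Allow system() only from the (made-up) maintenance script.
sp.disable_function.function("system").filename("/var/www/html/cron/maintenance.php").allow();
# Any other call to system() aborts the request and is logged with the
# [snuffleupagus] prefix mentioned in "How can I find out the problem ...".
sp.disable_function.function("system").drop();

# Same catch-all in simulation mode (assumed chain placement): nothing is
# dropped, the call is only logged, so the rule can be tried on a live site
# before being activated for good.
sp.disable_function.function("system").simulation().drop();
```

Deploy the simulation variant first, watch the ``[snuffleupagus]`` log lines for a few days to confirm that only the expected caller shows up, then replace it with the real ``drop()`` rule; keep only one of the two catch-all lines in the final file.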