FAQ
===

General
-------

What is Snuffleupagus?
""""""""""""""""""""""

Snuffleupagus is a `PHP7+ <http://php.net/manual/en/migration70.php>`_
module designed to drastically raise the cost of attacks against websites. This is achieved
by killing entire bug classes and providing a powerful virtual-patching system,
allowing the administrator to fix specific vulnerabilities without having to touch the PHP code.


Where does the name *Snuffleupagus* come from?
""""""""""""""""""""""""""""""""""""""""""""""

    Aloysius Snuffleupagus, more commonly known as Mr. Snuffleupagus,
    or Snuffy for short, is one of the characters on Sesame Street,
    the educational television program for young children.

    He was created as a woolly mammoth without tusks or (visible) ears,
    and has a long thick pointed tail, similar in shape to that of a dinosaur
    or other reptile. He has long thick brown hair and a trunk, or "snuffle",
    that drags along the ground. He is Big Bird's best friend and
    has a baby sister named Alice. He also attends "Snufflegarten".

    --- `Wikipedia <https://en.wikipedia.org/wiki/Mr._Snuffleupagus>`_


Why is Snuffleupagus called Snuffleupagus?
""""""""""""""""""""""""""""""""""""""""""

Like PHP's `ElePHPant <https://secure.php.net/elephpant.php>`_,
we thought that using an elephant as a mascot would be a great idea.


Who are you and why did you write Snuffleupagus?
""""""""""""""""""""""""""""""""""""""""""""""""

The project started at `NBS System <https://nbs-system.com/en/>`__,
a web hosting company (meaning that we're dealing with PHP code all day long),
with a strong focus on security. We do have several layers of hardening
(`kernel <https://grsecurity.net/>`_, `WAF <https://naxsi.org>`_,
`IDS <https://en.wikipedia.org/wiki/Intrusion_detection_system>`_, etc.),
but we had nothing for PHP7.

Nowadays, Snuffleupagus is maintained by Julien (`jvoisin <https://dustri.org>`__) Voisin.


Why not Suhosin?
""""""""""""""""

We're huge fans of `Suhosin <https://suhosin.org>`_, unfortunately:

- it doesn't work very well on PHP7
- it has some outdated features and misses new ones
- it doesn't cope very well with our various industrialization needs
- it has some shortcomings by design

We're using the `disable_functions <https://secure.php.net/manual/en/ini.core.php#ini.disable-functions>`_
directive, but unfortunately it doesn't provide enough usable granularity: it applies to every
script run by that PHP configuration and can't be relaxed for a single file (guess how many CMSs use
the `system <https://secure.php.net/manual/en/function.system.php#refsect1-function.system-notes>`_
function to perform various mandatory maintenance tasks).

This is why we decided to write our own hardening module, in the spirit of Suhosin,
with virtual-patching support, as well as other cool new features.


What license is Snuffleupagus released under and why?
"""""""""""""""""""""""""""""""""""""""""""""""""""""

Snuffleupagus is licensed under the `LGPL <https://www.gnu.org/copyleft/lesser.html>`_.
It was developed by the fine people from `NBS System <https://nbs-system.com/>`__,
and is maintained by Julien (jvoisin) Voisin.

We chose the LGPL because we don't care that much how you're using Snuffleupagus,
but we'd like to force people to make their improvements/contributions
available to everyone.


What is the difference between Snuffleupagus and a WAF like ModSecurity?
"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""

`ModSecurity <https://modsecurity.org/>`__ and the other `Web Application
Firewalls (WAF) <https://en.wikipedia.org/wiki/Web_application_firewall>`__
work by inspecting the HTTP traffic.
Snuffleupagus, being a PHP module, operates directly inside your website's code,
with less overhead, as well as a better understanding of what is currently
happening inside your application.


Should I use Snuffleupagus?
"""""""""""""""""""""""""""

Yes.

Even if you're not using the virtual-patching capabilities, Snuffleupagus comes
with various passive features that won't break your website while killing numerous vulnerabilities.

Please keep in mind that you are not only protecting yourself and your users/customers,
but also other people on the internet that might be attacked by your server if
it becomes compromised.

How mature is this project?
"""""""""""""""""""""""""""

This project has been floating around since early 2016, and we made the first commit
on the 28ᵗʰ of December of the same year. It's currently stable,
and is usable and used in production.

Are you saying that PHP isn't secure?
"""""""""""""""""""""""""""""""""""""

We don't like PHP's approach to security, namely (sometimes) adding warnings
to the documentation and trusting the developer not to make any mistakes,
instead of focusing on the root cause and killing the
bug class once and for all.

Moreover, it seems that the current attitude toward security in the PHP world
is to `blame the user <https://externals.io/message/100147>`_ instead of acknowledging
issues, as stated in their `documentation <https://wiki.php.net/security#not_a_security_issue>`_.
We do think that a security issue that "requires the use of code or settings known to be insecure"
is still a security issue, and should be treated as such.

We don't claim that Snuffleupagus will magically solve
all your security issues, but we believe that it might definitely help.


Sounds great, but is it working?
""""""""""""""""""""""""""""""""

We've been using it in production for a couple of years, and it has thwarted
numerous known and unknown attacks. If you want some evidence, one of the
developers published in June 2019 a `blogpost
<https://dustri.org/b/snuffleupagus-versus-recent-high-profile-vulnerabilities.html>`__
showcasing how effective Snuffleupagus was against *major* web
vulnerabilities from 2018/2019.


Why should I send you bugs, security issues and patches?
"""""""""""""""""""""""""""""""""""""""""""""""""""""""""
Snuffleupagus is open-source security software: by reporting (or fixing)
bugs, or implementing new features, you are helping others to protect themselves.

We're also firm believers in the *Beerbounty* system:
we are happy to offer you beers when/if we ever meet if you helped the project in
any way. If you don't like beer, we're sure that we'll find something else,
don't worry.


Installation and configuration
------------------------------

Can Snuffleupagus break my application?
"""""""""""""""""""""""""""""""""""""""
Yes.

Some options won't break anything, like :ref:`harden-rand <harden-rand-feature>`,
but some, like :ref:`global_strict <global-strict-feature>`
or overly-restrictive :ref:`virtual-patching <virtual-patching-feature>`
rules, might well break your website.
It's up to you to configure Snuffleupagus according to your needs.

You can also enable the ``simulation`` mode on features that you're not sure about,
to see what Snuffleupagus would do to your application, before activating them for good.

How can I find out the problem when my application breaks?
""""""""""""""""""""""""""""""""""""""""""""""""""""""""""

By checking the logs: Snuffleupagus systematically prefixes its entries with ``[snuffleupagus]``,
so they are easy to filter.


Does Snuffleupagus run on Windows?
""""""""""""""""""""""""""""""""""
No idea, feel free to `try <https://github.com/jvoisin/snuffleupagus/issues/2>`_.


Does Snuffleupagus run on `HHVM <http://hhvm.com/>`_?
"""""""""""""""""""""""""""""""""""""""""""""""""""""
No it doesn't, since `HHVM's API <https://github.com/facebook/hhvm/wiki/Extension-API>`_
is very different from PHP7's. We're not currently planning to rewrite
Snuffleupagus to support it.

Will Snuffleupagus run on my old PHP 5?
"""""""""""""""""""""""""""""""""""""""
No.

Since PHP5 `has been unsupported since the end of 2018 <http://php.net/supported-versions.php>`_,
you should think about moving to PHP7. You can (and should) use
`Suhosin <https://suhosin.org>`_ in the meantime.

Help and support
----------------

I found a security issue
""""""""""""""""""""""""
If you believe you have found a security issue affecting Snuffleupagus,
then we would be more than happy to hear from you!

We promise to treat any reported issue seriously and,
if the investigation confirms it affects Snuffleupagus,
to patch it within a reasonable time,
release a public announcement that describes the issue,
discuss the potential impact of the vulnerability,
reference applicable patches or workarounds,
and credit the discoverer.

Please do send a mail to `Julien (jvoisin) Voisin <https://dustri.org>`__ should
you find a security issue.


I found a bug. How can I report it?
"""""""""""""""""""""""""""""""""""
We have an issue tracker on `GitHub <https://github.com/jvoisin/snuffleupagus/issues>`_.
Please make sure to include as much information as possible when reporting your issue,
such as your operating system, your version of PHP 7, your version of Snuffleupagus,
your logs, the problematic PHP code, the request, a brief description, … long story short,
give us everything that you can.

If you're feeling extra-nice, you can try to :ref:`debug it yourself <debug>`,
it's not that hard.

Where can I find even more help?
""""""""""""""""""""""""""""""""
The :doc:`configuration page <config>` might be what you're looking for.
If you're adventurous, you can also check the `issue tracker <https://github.com/jvoisin/snuffleupagus/issues/?q=is%3Aissue>`_
(make sure to check the `closed issues <https://github.com/jvoisin/snuffleupagus/issues?q=is%3Aissue+is%3Aclosed>`_ too).


Unimplemented mitigations and abandoned ideas
---------------------------------------------

Constant time comparisons
"""""""""""""""""""""""""
We didn't manage to perform time-based side-channel attacks on string comparisons
against real-world PHP applications, and the results that we gathered on
tailored test cases weren't conclusive: for simplicity's sake, we chose
not to implement a mitigation against this class of attacks.

We would be happy to be proven wrong, and to reconsider implementing this feature,
if someone manages to get better results than us.

The possibility of having this natively in PHP has
`been discussed <https://marc.info/?l=php-internals&m=141692988212413&w=2>`_,
but as of 2017, nothing had been merged.
Note that PHP itself has offered ``hash_equals()`` since 5.6 for comparing secrets
(tokens, MACs, password hashes) in constant time, so application code that compares
secrets can already protect itself without help from Snuffleupagus.

Nop'ing function execution
""""""""""""""""""""""""""

Snuffleupagus can be configured to either *allow* or *drop* the execution of
particular functions and optionally *log* and *dump* them, but it doesn't
provide any mechanism to *nop* their execution.

We thought about adding this, but didn't for several reasons:

- What should the return value of a *nop'ed* function be?
- It would add confusion between ``drop``, ``nop`` and ``log``.
- Usually, when a specific function is called, either it's a dangerous one
  and you want to stop the execution immediately, or you want to let it
  continue and log it.
  There isn't really any middle-ground, or at least we
  failed to find any.

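
As an added example (not taken from the project's own documentation), here is a
small rules file that ties together three points made on this page: the per-script
granularity that ``disable_functions`` lacks (*Why not Suhosin?*), the ``simulation``
mode for trying a rule before enforcing it (*Can Snuffleupagus break my application?*),
and the *allow*/*drop*/*dump* actions described just above. The chained method names
follow the ``sp.disable_function`` rule format; the file paths, the parameter name and the
regular expression are hypothetical, and the assumption that rules for one function are
evaluated in order with the first match deciding should be checked against the
:doc:`configuration page <config>` before deploying anything like this.

```ini
# Added example of a Snuffleupagus rules file; not from the project's docs.
# Paths, the parameter name and the regex below are hypothetical.
# Assumption: rules for one function are evaluated top to bottom and the
# first rule that matches decides (allow() lets the call through, drop()
# kills the request); verify this against the configuration page.

# 1. Granularity that php.ini's "disable_functions = system" cannot give:
#    let the CMS's maintenance script call system() ...
sp.disable_function.function("system").filename("/var/www/html/bin/maintenance.php").allow();

#    ... and kill any other caller (webshells, injected payloads, ...),
#    dumping the offending request for later forensics.
sp.disable_function.function("system").dump("/var/log/snuffleupagus/").drop();

# 2. A virtual patch for a command-injection bug in the application: refuse
#    shell metacharacters in the argument of exec(), without editing PHP code.
#    simulation() logs the match (prefixed with [snuffleupagus]) but does not
#    stop the request, so the rule can be watched for false positives first.
sp.disable_function.function("exec").param("command").value_r("[;|&`$]").simulation().drop();

# 3. Once the logs are clean, remove simulation() to enforce the patch:
# sp.disable_function.function("exec").param("command").value_r("[;|&`$]").drop();
```

Reading the two ``system`` rules in order is the whole point: the ``allow()`` line
must come first so that the legitimate maintenance script is matched before the
catch-all ``drop()``, which is exactly the distinction a process-wide
``disable_functions`` entry cannot express.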