Artificial truth

The more you see, the less you believe.

[archives] [latest] | [homepage] | [atom/rss]

Snuffleupagus 0.3.0 - Dentalium elephantinum
Wed 18 July 2018 — download

snuffleupagus logo

We just did a new release of Snuffleupagus, the 0.3.0, named Dentalium elephantinum, after the eponym species of scaphopod mollusc, that looks like a miniature elephant tusk.

It's the first release that I didn't do myself, letting the release manager seat to my colleague kkadosh, to reduce the bus factor.

Changelog

We have several new majors features, along with the usual bugfixes:

  • The previous version suffered from a memory leak that wasn't detected earlier, because we're using php-fpm where processes are recycled, instead of mod_php. This defect is now fixed.
  • Thanks to the amazing caillou, we now have literally zero impact on the performances (with the default ruleset) of your php process.
  • Encryption is now supported on session cookies, thanks to the stellar work of kkadosh
  • It's now possible to forbid most occurrences of type juggling, thanks to caillou.
  • Documentation improvement (yes, the documentation is versioned in git.)
  • The .filename() filter is now matching in the file where the function is called, and not in the one where it's declared anymore.
  • Two more language constructs, namely echo and print, can now be virtual-patched.
  • The logs format has been normalized a bit to be easier to parse.
  • Various obscure integer overflow were fixed. We don't think that they are exploitable, but heh, better safe than sorry.
  • As usual, code simplification/cleanup.

Benchmarks

All those benchmarks were done by caillou's on Joomla's testsuite, on a low-end laptop. They were done using the default set of rules. If you're writing stupid things with a lot of regexps involved, you might will of course experience overhead.

Impact of the rules

Previously, the rules where all stored in several linked lists. This is not the case anymore for rules that are matching on literal function name: they are now stored in a hash table, granting us a significant performance boost when processing a lot of rules.

number of rules time on 0.2.2 time on 0.3.0
25 0m 50s 0m 51s
50 0m 52s 0m 51s
100 0m 57s 0m 51s
500 1m 41s 0m 51s
1000 2m 55s 0m 53s
5000 15m 46s 0m 52s

CPU and memory impact

Those graphs are showcasing our now-fixed-memory-leak (look at the memory consumption for the 0.2.2), but more importantly, that we effectively have no noticeable impact on the CPU and memory consumption at all!

Snuffleupagus 0.2.2

Snuffleupagus 0.2.2

Snuffleupagus 0.3.0

Snuffleupagus 0.3.0

PHP without Snuffleupagus

PHP without Snuffleupagus

Pass the Salt

I gave along with smagnin and bui a talk at the very first edition of Pass the Salt. You can get the video here and the slides here.

It was a nice conference, with a large majority of interesting talk containing actionable bits: the theme being security and open-source, everything that was presented was openly available immediately to play with! I warmly recommend watching the other talks while waiting for the 2nd edition.

What's next

With the next minor release of PHP (7.3) that should happen somewhere before the end of the year, we'll need to make sure that Snuffleupagus is compatible with it, especially the samesite feature. We don't have many big issues remaining, but we do plan to fix them all anyway :)

If you want to help, we have some low hanging fruits just for you ♥

See you in your PHP stack!