Title: Snuffleupagus 0.3.0 - Dentalium elephantinum
Date: 2018-07-18 19:30

[![snuffleupagus logo]({static}/images/sp.png)](https://snuffleupagus.readthedocs.org)

We just did a new release of [Snuffleupagus](https://github.com/nbs-system/snuffleupagus/releases/tag/v0.3.0),
version `0.3.0`, named **Dentalium elephantinum**, after the eponymous species of [scaphopod mollusc](https://en.wikipedia.org/wiki/Dentalium_elephantinum), which [looks like]( https://commons.wikimedia.org/wiki/File:Dentalium_elephantinum_IMG_5380_Beijing_Museum_of_Natural_History_-_NHM_of_Guangxi_-_Gulf_of_Tonkin_collection_-_Copy.jpg ) a miniature elephant tusk.

It's the first release that I didn't do myself, leaving the release manager
seat to my colleague [kkadosh](https://kkado.sh/),
to reduce the [bus factor]( https://en.wikipedia.org/wiki/Bus_factor ).

# Changelog

We have several new major features, along with the usual bugfixes:

- The [previous version]((unknown)/php/snuffleupagus_0.2.2.md) suffered
  from a [memory leak](https://github.com/nbs-system/snuffleupagus/issues/192 )
  that wasn't detected earlier, because we're using `php-fpm`, where processes are recycled,
  instead of `mod_php`. This defect is now fixed.
- Thanks to the amazing [caillou](https://github.com/xXx-caillou-xXx),
  we now have literally zero performance impact
  (with the default ruleset) on your PHP process.
- Encryption is now supported on [session cookies](
  https://secure.php.net/manual/en/features.cookies.php ), thanks to the
  stellar work of kkadosh.
- It's now possible to forbid most occurrences of
  [type juggling](https://secure.php.net/manual/en/language.types.type-juggling.php),
  thanks to *caillou*.
- Documentation improvements (yes, the documentation is
  [versioned in git](https://github.com/nbs-system/snuffleupagus/tree/master/doc ).)
- The `.filename()` filter now matches on the file where the function is
  called, and no longer on the one where it's declared.
- Two more language constructs, namely `echo` and `print`, can now be virtual-patched.
- The log format has been normalized a bit to be easier to parse.
- Various obscure integer overflows were fixed. We don't think that they are
  exploitable, but heh, better safe than sorry.
- As usual, code simplification/cleanup.

# Benchmarks

All those benchmarks were done by *caillou* on [Joomla's testsuite](
https://github.com/joomla/joomla-cms/tree/staging/tests/unit ), on a low-end
laptop. They were done using the [default set of rules](
https://github.com/nbs-system/snuffleupagus/blob/master/config/default.rules).
If you're writing stupid things with a lot of regexps involved, you <del>might</del>
will of course experience overhead.

## Impact of the rules

Previously, the rules were all stored in several linked lists, so every
function call had to be compared against each rule in turn.
This is not the case anymore for rules that match on a literal function
name: they are now stored in a [hash
table](https://en.wikipedia.org/wiki/Hash_table), granting us a significant
performance boost when processing a lot of rules.


| number of rules | time on `0.2.2` | time on `0.3.0` |
| --------------- | --------------- | --------------- |
| 25              | 0m 50s          | 0m 51s          |
| 50              | 0m 52s          | 0m 51s          |
| 100             | 0m 57s          | 0m 51s          |
| 500             | 1m 41s          | 0m 51s          |
| 1000            | 2m 55s          | 0m 53s          |
| 5000            | 15m 46s         | 0m 52s          |
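
To make the table above concrete, here is an added illustration (not Snuffleupagus's own code) of the two storage strategies: a linked list that has to be walked for every call, and a hash table keyed on the literal function name. The `rule_t` struct, the djb2 hash, the bucket count and the synthetic rule names are all assumptions made for the example; the counter of `strcmp` calls is there only to make the cost difference measurable without a wall clock.

```c
/* Added example: linked-list scan vs hash-table lookup for rules that
 * match on a literal function name. Toy code, not the extension's own. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUCKETS 1024

typedef struct rule {
    char name[32];          /* literal function name the rule matches */
    int drop;               /* 1 = drop the call, 0 = only log it (assumed) */
    struct rule *next;      /* next rule in the list or in the bucket chain */
} rule_t;

/* Number of string comparisons performed, reset by lookup_cost(). */
static unsigned long g_strcmp_calls = 0;

static int counted_strcmp(const char *a, const char *b) {
    g_strcmp_calls++;
    return strcmp(a, b);
}

/* djb2 over the function name, reduced to a bucket index. */
static unsigned long hash_name(const char *s) {
    unsigned long h = 5381;
    for (; *s; s++) h = ((h << 5) + h) + (unsigned char)*s;
    return h % BUCKETS;
}

static rule_t *list_head = NULL;     /* 0.2.2-style storage: one list */
static rule_t *buckets[BUCKETS];     /* 0.3.0-style storage: hash table */

static rule_t *make_rule(const char *name, int drop) {
    rule_t *r = calloc(1, sizeof *r);
    if (!r) abort();
    snprintf(r->name, sizeof r->name, "%s", name);
    r->drop = drop;
    return r;
}

/* Insert the same rule into both structures so lookups can be compared. */
void add_rule(const char *name, int drop) {
    rule_t *a = make_rule(name, drop);
    a->next = list_head;
    list_head = a;

    rule_t *b = make_rule(name, drop);
    unsigned long i = hash_name(name);
    b->next = buckets[i];
    buckets[i] = b;
}

/* O(n): every rule before the match is compared. */
rule_t *find_in_list(const char *fn) {
    for (rule_t *r = list_head; r; r = r->next)
        if (counted_strcmp(r->name, fn) == 0) return r;
    return NULL;
}

/* O(1) expected: only rules sharing the bucket are compared. */
rule_t *find_in_table(const char *fn) {
    for (rule_t *r = buckets[hash_name(fn)]; r; r = r->next)
        if (counted_strcmp(r->name, fn) == 0) return r;
    return NULL;
}

void reset_rules(void) {
    rule_t *r = list_head, *nx;
    while (r) { nx = r->next; free(r); r = nx; }
    list_head = NULL;
    for (int i = 0; i < BUCKETS; i++) {
        r = buckets[i];
        while (r) { nx = r->next; free(r); r = nx; }
        buckets[i] = NULL;
    }
}

/* Load one "system" rule first (so it ends up at the tail of the list)
 * followed by n synthetic rules named fn_0 .. fn_{n-1}. */
void setup_rules(int n) {
    char name[32];
    reset_rules();
    add_rule("system", 1);
    for (int i = 0; i < n; i++) {
        snprintf(name, sizeof name, "fn_%d", i);
        add_rule(name, 0);
    }
}

/* How many strcmp calls one lookup of fn costs with the given finder. */
unsigned long lookup_cost(rule_t *(*finder)(const char *), const char *fn) {
    g_strcmp_calls = 0;
    (void)finder(fn);
    return g_strcmp_calls;
}

int main(void) {
    const int sizes[] = {25, 100, 1000, 5000};
    for (size_t i = 0; i < sizeof sizes / sizeof sizes[0]; i++) {
        setup_rules(sizes[i]);
        printf("%5d rules: list=%lu strcmp calls, table=%lu strcmp calls\n",
               sizes[i], lookup_cost(find_in_list, "system"),
               lookup_cost(find_in_table, "system"));
    }
    reset_rules();
    return 0;
}
```

The list cost grows linearly with the number of rules (5001 comparisons for 5000 rules plus the one being looked up), while the table cost stays at the chain length of a single bucket, which is why the `0.3.0` column of the table is flat.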


## CPU and memory impact

These graphs showcase our now-fixed memory leak (look at the memory
consumption for the `0.2.2`) but, more importantly,
that we effectively have no noticeable impact on CPU and memory
consumption at all!

## Snuffleupagus 0.2.2
[![Snuffleupagus 0.2.2]({static}/images/snuffleupagus_0.2.2.png)]({static}/images/snuffleupagus_0.2.2.png)

## Snuffleupagus 0.3.0
[![Snuffleupagus 0.3.0]({static}/images/snuffleupagus_0.3.0.png)]({static}/images/snuffleupagus_0.3.0.png)

## PHP without Snuffleupagus 
[![PHP without Snuffleupagus]({static}/images/snuffleupagus_without.png)]({static}/images/snuffleupagus_without.png)


# Pass the Salt

Along with [smagnin](https://pike.tf) and [bui](http://memze.ro), I gave a
talk at the very first edition
of [Pass the Salt]( https://2018.pass-the-salt.org/ ). You can get the video
[here](
https://passthesalt.ubicast.tv/videos/snuffleupagus-killing-bug-classes-and-virtual-patching-the-rest/
) and the slides [here]({static}/files/PTS2018_snuffleupagus.pdf ).

It was a nice conference, with a large majority of interesting talks containing
actionable bits: the theme being security **and** open-source, everything that
was presented was openly available immediately to play with!
I warmly recommend watching the
[other talks]( https://passthesalt.ubicast.tv/channels/#2018 ) while waiting
for the 2<sup>nd</sup> edition.


# What's next

With the next minor release of PHP (`7.3`) that [should happen]( https://wiki.php.net/todo/php73 )
somewhere before the end of the year, we'll need to make sure that
Snuffleupagus is compatible with it,
especially the [samesite feature](https://github.com/nbs-system/snuffleupagus/issues/177).
We don't have [many *big* issues]( https://github.com/nbs-system/snuffleupagus/issues )
remaining, but we do plan to fix them all anyway :)

If you want to help, we have some [low hanging fruits](
https://github.com/nbs-system/snuffleupagus/issues?q=is%3Aopen+is%3Aissue+label%3A%22good+first+issue%22
) just for you ♥

See you in your PHP stack!
