PHP Security through Suhosin or Hardening Patch

By Angsuman Chakraborty, Gaea News Network
Monday, March 3, 2008

Suhosin is an advanced protection system for PHP installations. It was designed to protect servers and users from known and unknown flaws in PHP applications and the PHP core. Suhosin comes in two independent parts that can be used separately or in combination. The first part is a small patch against the PHP core that implements a few low-level protections against buffer overflows or format string vulnerabilities, and the second part is a powerful PHP extension that implements all the other protections.

Unlike the PHP Hardening-Patch, Suhosin is binary compatible with a normal PHP installation, which means it is compatible with 3rd-party binary extensions like ZendOptimizer.

- Suhosin site

Do you know about Suhosin? Have you used Suhosin or PHP Hardening Patch? Would you recommend it and what are the caveats, if any? Please let us know and discuss it in the forum.

March 29, 2009: 2:46 am

They’re basically the same thing. They provide a considerable level of protection against various kinds of attacks, buffer overflow attacks being on top of the list.
Beyond the default protection measures, it also enables you to easily block custom functions, which you see as exploitable, via its configuration file.
As I’ve read lately, it also offers some level of protection for SQL functions (which is experimental at this point), but I’m not quite familiar with that aspect.

The main difference between Hardened-PHP and Suhosin is that Suhosin is binary compatible with the default PHP executable.
So, as long as you go with Suhosin instead of Hardened-PHP (which may cause problems in some cases, like when you use a PHP accelerator, due to its incompatibility at the binary level), you probably won’t even notice any difference.

By the way, if you work on a GNU/Linux distro like Debian or Ubuntu, you probably already have the Suhosin patch installed by default. In that case, all you need to do is to install the extension that enables the extra security measures, which by the way enable you to tweak with the specific security measures beyond the default protection.
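The function-blocking and logging the comment above refers to are set through Suhosin's php.ini directives. The fragment below is an added example, not taken from the post or from the Suhosin project; the directive names are Suhosin's own, while the particular function list, the log file path and the choice to start in simulation mode are assumptions for illustration.

```ini
; Suhosin extension settings (added example; place in php.ini or the
; distribution's suhosin.ini drop-in after installing the extension).

; Simulation mode: violations are logged but NOT blocked. Useful for a
; staged rollout so that a blacklist does not break a running site;
; switch to Off once the logs show no legitimate hits.
suhosin.simulation = On

; Functions this (assumed) application never needs. A blacklisted call
; is refused and logged instead of executed.
suhosin.executor.func.blacklist = system,exec,shell_exec,passthru,proc_open,popen
; Same idea for code run through eval(), or disable eval() entirely.
suhosin.executor.eval.blacklist = system,exec,shell_exec,passthru,proc_open,popen
suhosin.executor.disable_eval = Off
; Refuse include paths that climb more than this many "../" levels.
suhosin.executor.include.max_traversal = 4

; Where violations are reported. The value is a bitmask of alert
; classes; 511 selects every class. Log file path is an assumption.
suhosin.log.syslog = 511
suhosin.log.file = 511
suhosin.log.file.name = /var/log/suhosin.log
```

Compare the log after a few days in simulation mode with what the application legitimately calls before turning simulation off, since a blacklist entry that matches a real code path takes that feature down with it.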
