Yesterday I was able to take this picture of two of the guardian ghosts that are called Suhosin over here in Korea. This might help designing a long overdue logo for Suhosin.

• Fixed problem with suhosin.perdir
  Thanks to Hosteurope for tracking this down
• Fixed problems with ext/uploadprogress
  Reported by: Christian Stocker
• Added suhosin.srand.ignore and suhosin.mt_srand.ignore (default: on)
• Modified rand()/srand() to use the Mersenne Twister algorithm with separate state
• Added better internal seeding of rand() and mt_rand()

The last three items in the changelog mean that the randomness of PHP’s rand() and mt_rand() functions have been greatly improved over vanilla PHP. This means when the Suhosin extension is installed on a server all the attacks described in my previous blogpost about PHP’s random number generators are no longer possible. This adds another generic protection to kill a whole class of bugs at once.

As usual you can grab your copy at

http://www.suhosin.org/

Today I present the more interesting approach that I promised to publish after my webinar yesterday. This approach is based on the idea that SQL queries issued by an application always have a certain structure. This structure can be learned and remembered by MySQL-Proxy. Any SQL query that has a different structure can then be considered an attack.

Training Mode

The first Lua script learn_sql_queries.lua uses MySQL-Proxy’s read_query hook to catch COM_INIT_DB and COM_QUERY packets. COM_INIT_DB packets are issued when the database is changed and COM_QUERY packets contain normal queries.

When a change of database is detected a CREATE TABLE is injected into the communication to create a table called ‘allowed_queries’ in the newly selected database. This table consist of only on column called ‘query’. Within this column normalized queries are collected.

When a normal query is received it is first tokenized by MySQL-Proxy’s tokenizer. The tokens are then used to recreate a normalized version of the query where all data values are replaced by the ‘?’ placeholder. Additionally IN ( ?, ?, ?, …) statements are compressed to IN ( ? ) to allow arbitrary length IN value lists without having to learn all possibilities. The normalized query is then learned by inserting it into the table.

When all queries have been learned (maybe during development) the blocking mode can be started.

Blocking Mode

The second Lua script block_unknown_queries.lua also uses MySQL-Proxy’s read_query hook to catch COM_INIT_DB and COM_QUERY packets.

When a change of database is detected a SELECT statement is injected into the communication that loads the table ‘allowed_queries’ into a Lua-Table. The queries become the indices so that they can be found fast.

When a normal query is received it is first tokenized and normalized. The normalized Query is then searched in the Lua-Table which is just a key lookup. If the query is found in the table it is one of the known query structures that are allowed. The query is then executed as normally.

If the query is not found in the table it is either a query that was not learned by mistake or it is an SQL-Injection attack. The query is not executed and a database error “Possible SQL Injection” is returned.

Both proof of concept examples are released as GPL. Therefore feel free to modify them for your needs. You might prefer to just log SQL-Injection attempts instead of blocking them.

Is it?

Well not really, because there are still millions of servers running PHP 4 that haven’t upgraded to the faster, more stable and more secure PHP 5 and most of them will continue to use it. So PHP 4 will still be around a while.

However last night PHP 4.4.9 was released which is the final security update by the PHP development team. This means from now on not only normal support (which was dropped at the end of 2007) but also security support for PHP 4 has ended. It is therefore recommended to finally upgrade.

Because I know that upgrading is sometimes not that easy Suhosin will continue to support PHP 4 for a while. This means the current Suhosin-Patch 0.9.6 will be ported to PHP 4.4.9 and also the next release of Suhosin-Patch will still support recent PHP 4 versions. However at the end of 2008 I will also discontinue Suhosin-Patch for PHP 4 and new features to the Suhosin-Extension will only be implemented for PHP 5.

• Fixed PHP 4 compilation problem introduced in 0.9.24
• Fixed PHP 5.3 compilation problem
• Changed PHP default POST handler to PHP’s current handler

As usual you can grab your copy at

http://www.suhosin.org/

The flexibility of MySQL Proxy is based on the fact that every aspect is scriptable with Lua. Because I am new to MySQL Proxy and the Lua language I tried to implement a very simple script that waits for incoming SQL queries, tokenizes them and tries to detect SQL Injection heuristically by searching for certain disallowed SQL functions, databases, tables, statements or comments. When an SQL query is believed to contain an SQL injection is it not executed and a “Possible SQL injection” error is returned.

You can grab the detect_sql_injection.lua script at

http://www.suspekt.org/downloads/detect_sql_injection.lua.gz

If you are interested in this and german speaking you might also be interested in next week’s MySQL webinar “Bau sicherer LAMP Anwendungen” where I will not only discuss this little Lua script but also another one that implements SQL injection detection by query structure learning.

Today I start with announcing the Switch Table Extension that I released yesterday with a short announcement on the PHP Internals mailinglist. The purpose of this experimental extension is to speed up the execution of repeated switch() statements. To understand how this achieved and why this is necessary read the documentation here.