Snuffleupagus: killing bug classes and virtual patching the rest

Suhosin is a great php module, but unfortunately, it’s getting old, new ways have been found to compromise php applications, and some aren’t working anymore; and it doesn’t play well with the shiny new php7.

As a secure web-hosting company, we needed a reliable and future-proof solution to address the flow of new vulnerabilities that are published every day. This is why we developed Snuffleupagus, a new (and open-source!) php security model, that provides several features that we needed, like passively killing several php-specific bug classes, but also implementing virtual-patching at the PHP level, allowing to patch vulnerabilities in a precise, false-positive-free, ultra-low overhead way, without even touching the applications’ code.

https://github.com/nbs-system/snuffleupagus 

Julien ‘jvoisin’ Voisin 
Julien used to pwn and reverse things while contributing to radare2, he nowadays focus on protecting web applications while keeping his own bugs alive on websec.fr and writing stuff on dustri.org. 

Thibault ‘bui’ Koechlin 
Thibault used to write exploits for fun, he’s now CISO at NBS System, writing the naxsiWAF to prevent web pwning. 

Simon ‘piké’ Magnin-Feysot 
Simon is a pretty cool guy.