I am working on a PHP sandbox for the Honeypot web application. The PHP sandbox will parse a PHP file that may have been injected as part of an RFI attack. It should run the file in a safe environment and return the result by embedding the output of the PHP script. We hope to deceive the attacker into believing that this is the real response and, thus, to continue with the next step of his attack.
To create the sandbox, we used the Advanced PHP Debugger (APD). Using rename_function and override_function, vulnerable PHP functions have been rewritten. Some functions, such as exec and disk_free_space, have been rewritten to send fake responses. All other functions simply do not return anything. Here is the complete list of functions that have been overridden.
In addition, the input script file runs in the sandbox for no more than 10 seconds. After that, the entire sandbox process is killed.
Is this list good enough? Does this mean that the sandbox is safe enough to become part of a web application?
Besides blocking calls to functions like these, are there other security measures that need to be taken?
After all, this is a honeypot, so we would like our response to be as close as possible to the real one. By blocking calls to DNS functions such as dns_check_record and gethostbyname, we limit what the script can execute unnecessarily. (I'm not sure why they are on the list in the first place.)
In short, I would like to know which items I should add to / remove from the list.
Any other suggestions / tips on how to do this would be greatly appreciated.
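As an added illustration (not the poster's code), here is how such an APD-based sandbox can be wired together so that intercepted calls are logged as evidence while the injected script is fed canned answers. It assumes the APD extension is loaded and the file is run from the CLI; the log path, the helper names and the canned responses are my own assumptions.

```php
<?php
// Added example (not the poster's code): honeypot sandbox skeleton built on
// APD's rename_function()/override_function(). Assumes the APD extension is
// loaded; the log path and canned responses are constructed placeholders.

define('SANDBOX_LOG', '/var/log/honeypot/sandbox.log'); // hypothetical path

// Keep evidence of every intercepted call, whatever the script is told in reply.
function sandbox_log($fn, array $args) {
    $line = date('c') . ' call=' . $fn . ' args=' . json_encode($args) . "\n";
    file_put_contents(SANDBOX_LOG, $line, FILE_APPEND | LOCK_EX);
}

// Replace one built-in with $body. APD leaves the displaced original reachable
// as __overridden__; rename it away so the next override_function() succeeds.
function sandbox_override($fn, $arglist, $body) {
    if (!override_function($fn, $arglist, $body)) {
        die("sandbox: cannot override $fn\n");
    }
    rename_function('__overridden__', '__sandbox_orig_' . $fn);
}

// Functions that should answer with fake but plausible data. A real deployment
// would key the canned exec() output on $cmd; one constructed reply is used here.
sandbox_override('exec', '$cmd, &$output = null, &$rc = null',
    'sandbox_log("exec", array($cmd));'
    . '$output = array("uid=33(www-data) gid=33(www-data) groups=33(www-data)");'
    . '$rc = 0; return $output[0];');
sandbox_override('disk_free_space', '$dir',
    'sandbox_log("disk_free_space", array($dir)); return 21474836480;');

// DNS lookup: reply exactly as the real function does on failure (the unchanged
// hostname), so no query leaves the box but the script carries on as if it did.
sandbox_override('gethostbyname', '$host',
    'sandbox_log("gethostbyname", array($host)); return $host;');

// Everything else on the block list is logged and returns nothing.
foreach (array('dns_check_record', 'mail', 'fsockopen') as $fn) {
    sandbox_override($fn, '',
        'sandbox_log("' . $fn . '", func_get_args()); return null;');
}

// In-script cap, in addition to the external 10-second kill the post describes.
set_time_limit(10);
include $argv[1]; // the injected PHP file, as captured by the honeypot
```

Note that set_time_limit() does not count time spent in sleep() or blocking I/O, which is why the external kill of the whole sandbox process still matters.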