ZenIDS

Introspective intrusion detection system for PHP applications.

This repository contains the dynamically linked ZenIDS extension for the reference implementation of the PHP interpreter. This extension requires a slightly modified version of PHP, which can be found in the interp-opt branch of the zen-ids-php repository.

Build

1. Dependencies:

• interp-opt branch of the zen-ids-php repository
• interp-opt branch of this repository

2. Environment:

• Set $PHP_HOME to the top-level directory of the local zen-ids-php clone.
• Set $ZEN_IDS_HOME to the top-level directory of this repository.
• Set $ZEN_IDS_DATASETS to any directory where the profile data can be stored.
  • This location should have plenty of disk space for large applications and/or extensive profiling and monitoring.
  • Specifying a fast disk, especially an SSD, will improve overall performance.
• Set $ZEN_IDS_EVOLUTION to any directory where evolution metadata can be stored.
  • This location is less write-intensive than the dataset directory, but disk speed still may affect performance.

3. Build:

• cd opmon && $PHP_HOME/scripts/phpize && ./current-config && make -j && sudo make -j install
  • Use option current-config -d for a debug build.

Configure

1. cd $PHP_HOME && mkdir conf.d/ext && cp $ZEN_IDS_HOME/opmon.ini.default $PHP_HOME/conf.d/ext/opmon.ini
2. Add all the variables defined in the "Environment" section (above) to the PHP script /etc/apache2/envvars.

• To source a script that defines these variables, use syntax . /path/to/.zen-ids-rc.
• Note that the bash keyword source is not recognized in this file.

3. sudo chown -R www-data:www-data $ZEN_IDS_EVOLUTION (or whatever user is running your Apache HTTP server)

Application Deployment

ZenIDS identifies a deployed application by its top-level directory. Although it is possible for multiple applications to share a single set of PHP libraries, it is much more common for each application to provide its own libraries. Shared libraries will only cause problems for ZenIDS if the application uses library files as request entry points--i.e., a request specifically names a library file in the base part of the URL. Since this would be very strange, we do not currently support it.

Create a file opmon.site.roots in the webserver's public HTML directory and add the relative path to each application's top-level directory on a line by itself (not starting or ending with a /). For example, the following opmon.site.roots specifies an instance of DokuWiki, and instance of GitList, and an application occupying the web root URL (.):

.
dokuwiki
gitlist

For HTTP requests for files within the dokuwiki/ directory, ZenIDS will generate profile data in the directory $(select-run -w 1)/worker*/dokuwiki. Similar for gitlist. The profile directory for the root application will be named to match the public HTML directory name--for example, if the web root is /var/www/html, then the root application's profile data appears in $(select-run -w 1)/worker*/html. The worker* directory will be named to match the process name of the Apache fork that served the request.

Test

1. Add the scripts directory to the $PATH

• Same for all dependent projects and tool projects

1. Create a sample PHP file, e.g.:

• echo "<?php phpinfo(); ?>" > /var/www/html/info.php

2. Start apache

• To debug apache, use script adb

3. Load $host/info.php in a browser (or wget "http://$host/info.php")
4. Find the CFI profile generated by ZenIDS:

• ls -lh $(select-run -w 1)/*/unknown

Tools

1. Application profiles can be built with the Java tools in the zen-ids-profile project.

• In the paper, these are referred to as trusted profiles.
• See the next section on "Experiments" for details.

Experiments

See the experiment documentation.