I am working on a PHP sandbox for a Web Application Honeypot. The PHP sandbox will analyze a PHP file that may have been injected as part of an RFI attack. It should run the file in a safe environment and return the result, embedding the output of the PHP script. We hope to fool the attacker into believing that this is a genuine response and thus continue with the next step of his attack.

In order to build the sandbox, we used the Advance PHP Debugger (ADP). Using the rename_function and override_function, vulnerable PHP functions have been rewritten. Some functions such as exec,disk_free_space have been rewritten to send out fake replies. All the others function just return nothing. Here’s a complete list of the functions that have been considered.

Also, the input script is run only for a maximum of 10 seconds in the sandbox. After that, the entire sandbox process gets killed.

1. Is this list good enough? Does this make the sandbox secure enough to be made part of the web app?

2. Beside blocking function calls like this, are there anymore security measures that should be taken?

3. In the end, this is a honeypot. So, we would like our reply to be as close as possible to a real reply. So, by blocking DNS function calls like dns_check_record and gethostbyname are we restricting the scope of execution for the script unnecessarily. (I am not sure why they are present in the first place)

   In short, I would like to know what elements I should add/delete from the list.

4. Any other suggestions/advice on how to go about this will be highly appreciated.