pressjitsu / macphp

Mandatory access control for PHP. Think AppArmor for individual script files.

Research phase #1

Open osiyuk opened 7 years ago

osiyuk commented 7 years ago

First things first

  1. List and inspect the implementation of unsafe functions in PHP sources. A function is called unsafe if it leads to producing a system call. Context: the PHP module that intercepts unsafe function calls needs to be embedded in those functions.
  2. Inspect the OPcache implementation. Context: PHP compiles a script every time before execution. To implement mandatory access control with system performance in mind you need to understand the mechanisms of fast script execution.
  3. Inspect the PHP module system. PHP is not WordPress and doesn't have hooks to intercept any function, especially system functions. We are talking about a thing that will be compiled directly into the PHP binary, like Nginx modules.
  4. Examples of MVP malware in PHP, to test ideas against them.

Challenges

  1. PHP is written in C, modules for PHP are written in C, no big deal.
  2. You have no other choice but to compile some intercept code inside PHP.
  3. Hmm... ok. You want to put an executable in /usr/sbin or what?
  4. Configuration file parsing can be done in PHP itself. Tools for managing conf can be written in PHP or Python or similar tools.

Configuration files

You can start to include in the repository not only examples of malware but also examples of configuration files in a format that you prefer. Like this one

Conf parsing can be done in PHP or similar later in time, after some examples are done.
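One possible shape for such a configuration file (an AppArmor-like per-script profile) together with a parser and a default-deny decision function, added here as an example; it is not part of the original issue or the macphp project, and the profile syntax, the function names used in it, and the treatment of unprofiled scripts as unconfined are all assumptions. It is written in Python because the issue leaves the conf tooling to PHP or Python.

```python
import re

# Constructed sample profile (the format is an assumption): one block per script-path
# glob; body lines are "allow|deny <php function> [<path glob>]"; '#' starts a comment.
SAMPLE_PROFILE = """
profile /var/www/html/wp-content/plugins/*/*.php {
    allow file_get_contents /var/www/html/**   # reads confined to the docroot
    deny  exec
    deny  system
}
"""

def _glob_to_re(glob):
    # '**' crosses directory separators, '*' does not; everything else is literal
    pattern = "".join(".*" if t == "**" else "[^/]*" if t == "*" else re.escape(t)
                      for t in re.split(r"(\*\*|\*)", glob))
    return re.compile(pattern + r"\Z")

def parse_profiles(text):
    """Return a list of {"script": glob, "rules": [(verb, func, path_glob|None), ...]}."""
    profiles, current = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        header = re.fullmatch(r"profile\s+(\S+)\s*\{", line)
        if header:
            current = {"script": header.group(1), "rules": []}
            profiles.append(current)
        elif line == "}":
            current = None
        elif current is None:
            raise ValueError(f"rule outside a profile block: {line!r}")
        else:
            parts = line.split()
            if parts[0] not in ("allow", "deny") or len(parts) not in (2, 3):
                raise ValueError(f"malformed rule: {line!r}")
            current["rules"].append((parts[0], parts[1], parts[2] if len(parts) == 3 else None))
    if current is not None:
        raise ValueError("unterminated profile block")
    return profiles

def decide(profiles, script, func, path=None):
    """Scripts matching no profile are unconfined (AppArmor-style, an assumption);
    a confined script is default-deny, and an explicit deny beats any allow."""
    matched = [p for p in profiles if _glob_to_re(p["script"]).match(script)]
    if not matched:
        return True
    verdicts = [verb for p in matched for verb, f, g in p["rules"]
                if f == func and (g is None or (path is not None and _glob_to_re(g).match(path)))]
    return bool(verdicts) and "deny" not in verdicts
```

A path-restricted allow rule only permits the call when the argument actually matches the glob, so an unmatched path falls through to the default deny.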

osiyuk commented 7 years ago

Oh, and also dig deep into the mechanism of php-fpm: how these processes work with scripts and OPcache. I think the first thing to do is to compile bare PHP without modules and see what source files are compiled into the binary. Then add one module at a time and produce slices of sources that belong to different modules.