Sandboxing PHP Applications with Tailored System Call Allowlists


The main idea of software debloating is to reduce software's attack surface by removing pieces of code that are not required by users. In this study, we identify the current challenges with applying the principle of least privilege(PoLP) to interpreted PHP applications, and propose a novel generic approach to derive system-call policies automatically for individual interpreted programs. Our evaluation shows that Saphire can successfully prevents 21 historic remote code execution(RCE) exploits with negligible performance overhead (i.e., <2% in the worst case)

The paper is available at

  • The slides will be available after the presentation.

  • The video will be available on the Usenix website.


This system is comprised of three steps:

  • "Map built-in PHP functions to system-calls" In this step Saphire performs a static call-graph analysis over the PHP interpreter to create a mapping of PHP functions to system-calls. Saphire refines this mapping through a dynamic analysis over the PHP unit tests.
  • "Create system-call filters for web app" Saphire performs a static analysis to identify the PHP script's dependencies and determine the built-in PHP functions the interpreter can invoke while running scripts.
  • "Sandboxing the interpreter and web application" Saphire utilizes seccomp to deprivilege the PHP interpreter, before it executes a web app script. Saphire relies on a PHP extension to invoke Linux' seccomp upon each web requests.

Source Code

The source will be avaiable soon.


We are a team of security researchers at SecLab, Boston University (
For any queries or questions contact Alexander Bulekov at [email protected] or Rasoul Jahanshahi at [email protected]