Paragon Initiative Enterprises Blog

The latest information from the team that develops cryptographically secure PHP software.

A new PHAR Auditing Utility - Introducing Pharaoh

As part of our efforts to better our community, both online and offline, we built a new tool for examining the differences between two .phar files. We call it Pharaoh, and we just released its code on Github under the MIT License.

A new tool to audit your .phar files

Why Would Anyone Need Pharaoh?

Let's say the maintainers of a popular PHP project distributes their deliverable in a .phar file (PHP Archive). Furthermore, let's assume their download server (or one of their mirrors) gets hacked. The attackers succeed in replacing the .phar with an identical copy, save for a few extra lines of malicious code in the stub (the part that gets executed when you run a .phar from command line).

Pharaoh allows users to detect malicious tampering. All you have to do is follow these steps:

  1. Obtain the source code for the project. Check out the appropriate release tag, if need be.
  2. Obtain the sketchy .phar from the project website. Save it as foobar-untrusted.phar.
  3. Build a new .phar from the source code. Call it foobar-from-source.phar.
  4. Run pharaoh foobar-from-source.phar foobar-untrusted.phar

If you make it to step 4 and have worked with Git and PHP before, you should be able to quickly decide if the .phar you downloaded is legitimate or not.

We will be using Pharaoh to verify that .phar files can be built deterministically from their source code, and to ensure the copy we sign in the distributed ledger for ASGard contains no nasty surprises. We also imagine tools like Pharaoh could be instrumental for detecting targeted malware attacks against software developers in the wild as part of a threat intelligence framework.

About the Author

P.I.E. Staff

Paragon Initiative Enterprises

Paragon Initiative Enterprises is a Florida-based company that provides software consulting, application development, code auditing, and security engineering services. We specialize in PHP Security and applied cryptography.

Need Technology Consultants?

Will tomorrow bring costly and embarrassing data breaches? Or will it bring growth, success, and peace of mind?

Our team of technology consultants have extensive knowledge and experience with application security and web/application development.

We specialize in cryptography and secure PHP development.

Let's Work Together Towards Success

Our Security Newsletters

Want the latest from Paragon Initiative Enterprises delivered straight to your inbox? We have two newsletters to choose from.

The first mails quarterly and often showcases our behind-the-scenes projects.

The other is unscheduled and gives you a direct feed into the findings of our open source security research initiatives.

Quarterly Newsletter   Security Announcements