[Python-Dev] PEP 551: Security transparency in the Python runtime

Steven D'Aprano steve at pearwood.info
Mon Aug 28 21:15:44 EDT 2017


Very nicely written. A few comments below.

On Mon, Aug 28, 2017 at 04:55:19PM -0700, Steve Dower wrote:

[...]
> This PEP describes additions to the Python API and specific behaviors 
> for the
> CPython implementation that make actions taken by the Python runtime 
> visible to
> security and auditing tools. The goals in order of increasing importance 
[...]

Check your line lengths; I think they may be too long? (Or maybe my mail 
client is set too short?)


[...]
> To summarize, defenders have a need to audit specific uses of Python in 
> order to
> detect abnormal or malicious usage. Currently, the Python runtime does not
> provide any ability to do this, which (anecdotally) has led to organizations
> switching to other languages.

It would help if the PEP addressed the state of the art in other 
languages.


[...]
> For example, ``sys.addaudithook()`` and ``sys.audit()`` should exist but 
> may do
> nothing. This allows code to make calls to ``sys.audit()`` without having to
> test for existence, but it should not assume that its call will have any 
> effect.
> (Including existence tests in security-critical code allows another 
> vector to
> bypass auditing, so it is preferable that the function always exist.)

That suggests a timing attack to infer the existence of auditing. 
A naive attempt:

import sys
from time import time

# Baseline: how long does a call that does nothing take?
f = lambda: None
t = time()
f()
time_to_do_nothing = time() - t

# Compare against a call to sys.audit (the event name is a placeholder).
audit = sys.audit
t = time()
audit("probe")
time_to_do_audit = time() - t

# If auditing costs no more than doing nothing, guess that no hook is installed.
if time_to_do_audit <= time_to_do_nothing:
    do_something_bad()  # placeholder for whatever the attacker wants to hide


This is probably too naive to work in real code, but the point is that 
the attacker may be able to exploit timing differences in sys.audit and 
related functions to infer whether or not auditing is enabled.



-- 
Steve
