[Python-ideas] Executable space protection: NX bit,
Mark E. Haase
mehaase at gmail.com
Tue Sep 4 09:55:16 EDT 2018
Hey Wes, the checksec() function in PEDA that you cited has a standalone
version as well:
https://github.com/slimm609/checksec.sh
Running this on my Python (installed from Ubuntu package):
$ checksec --output json -f /usr/bin/python3.6 | python3 -m json.tool
{
    "file": {
        "relro": "partial",
        "canary": "yes",
        "nx": "yes",
        "pie": "no",
        "rpath": "no",
        "runpath": "no",
        "fortify_source": "yes",
        "fortified": "17",
        "fortify-able": "41",
        "filename": "/usr/bin/python3.6"
    }
}
My Python has pretty typical security mitigations. Most of these features
are determined at compile time, so you can try compiling Python yourself
with different compiler flags and see what other configurations are
possible. Some mitigations hurt performance and others may be incompatible
with Python itself. If you search on bugs.python.org you'll find a few
different issues on these topics.
On Mon, Sep 3, 2018 at 3:01 AM Wes Turner <wes.turner at gmail.com> wrote:
> Rationale
> =========
> - Separation of executable code and non-executable data is a good thing.
> - Additional security in Python is a good idea.
> - Python should support things like the NX bit to separate code and
> non-executable data.
>
> Discussion
> ==========
> How could Python implement support for the NX bit? (And/or additional
> modern security measures; as appropriate).
>
> What sort of an API would C extensions need?
>
> Would this be easier in PyPy or in CPython?
>
> - https://en.wikipedia.org/wiki/NX_bit
> - https://en.wikipedia.org/wiki/Executable_space_protection
>
> Here's one way to identify whether an executable supports NX:
> https://github.com/longld/peda/blob/e0eb0af4bcf3ee/peda.py#L2543
>
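Added example (not part of the original message, and not code from checksec.sh or PEDA): a minimal Python reader for the ELF header fields behind the "nx", "pie" and "relro" entries in the checksec output above. The names elf_mitigations and build_sample_elf64 are hypothetical, and the sample ELF bytes are constructed. The checks are simplified: ET_DYN also matches shared libraries, and a PT_GNU_RELRO segment only indicates at least partial RELRO.

```python
import struct

PT_GNU_STACK = 0x6474E551   # program header describing stack permissions
PT_GNU_RELRO = 0x6474E552   # region remapped read-only after relocation
PF_X = 0x1                  # "executable" bit in p_flags
ET_DYN = 3                  # shared object or position-independent executable


def elf_mitigations(data: bytes) -> dict:
    """Report NX / PIE / RELRO-segment status from raw ELF bytes."""
    if data[:4] != b"\x7fELF" or data[4] not in (1, 2) or data[5] not in (1, 2):
        raise ValueError("not a supported ELF file")
    is64 = data[4] == 2                      # EI_CLASS: 1 = 32-bit, 2 = 64-bit
    end = "<" if data[5] == 1 else ">"       # EI_DATA: little or big endian
    e_type, = struct.unpack_from(end + "H", data, 16)
    if is64:
        e_phoff, = struct.unpack_from(end + "Q", data, 32)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 54)
    else:
        e_phoff, = struct.unpack_from(end + "I", data, 28)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 42)

    stack_flags, relro = None, False
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        p_type, = struct.unpack_from(end + "I", data, off)
        # p_flags is at offset 4 in Elf64_Phdr but offset 24 in Elf32_Phdr
        p_flags, = struct.unpack_from(end + "I", data, off + (4 if is64 else 24))
        if p_type == PT_GNU_STACK:
            stack_flags = p_flags
        elif p_type == PT_GNU_RELRO:
            relro = True
    return {
        # A missing PT_GNU_STACK header is conservatively reported as no NX
        "nx": stack_flags is not None and not stack_flags & PF_X,
        "pie": e_type == ET_DYN,
        "relro_segment": relro,
    }


def build_sample_elf64(e_type: int, stack_flags: int) -> bytes:
    """Constructed sample: ELF64 little-endian header + one PT_GNU_STACK entry."""
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH",
                               e_type, 62, 1, 0, 64, 0, 0, 64, 56, 1, 0, 0, 0)
    return ehdr + struct.pack("<IIQQQQQQ", PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16)


if __name__ == "__main__":
    print(elf_mitigations(build_sample_elf64(ET_DYN, 0x6)))   # RW stack
    print(elf_mitigations(build_sample_elf64(2, 0x7)))        # RWE stack
```

To inspect a real binary, pass the bytes of the file, for example open("/usr/bin/python3.6", "rb").read().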