auditing hooks and security
play

Auditing hooks and security transparency for CPython Steve Dower, - PowerPoint PPT Presentation

Mar 15, 2024 •280 likes •845 views

Auditing hooks and security transparency for CPython Steve Dower, Christian Heimes EuroPython 2019, Basel, Switzerland Auditing Hooks and Security Transparency for Python Why is SkelSec so sad? @zooba @christianheimes EuroPython 2019, Basel -

  1. Auditing hooks and security transparency for CPython Steve Dower, Christian Heimes EuroPython 2019, Basel, Switzerland

  2. Auditing Hooks and Security Transparency for Python Why is SkelSec so sad? @zooba @christianheimes EuroPython 2019, Basel - 10 July 2019 2

  3. Auditing Hooks and Security Transparency for Python @zooba @christianheimes EuroPython 2019, Basel - 10 July 2019 4

  4. Auditing Hooks and Security Transparency for Python We made SkelSec sad… and that should make you all happy @zooba @christianheimes EuroPython 2019, Basel - 10 July 2019 5

  5. Auditing Hooks and Security Transparency for Python Who are we? Steve Dower Christian Heimes • CPython core developer • CPython core developer • Author of PEP 578 • BDFL delegate for PEP 578 • @zooba • @christianheimes • (Also works at Microsoft) • (Also works at Red Hat) @zooba @christianheimes EuroPython 2019, Basel - 10 July 2019 6

  6. Auditing Hooks and Security Transparency for Python Today’s Agenda • What are audit hooks, and why would I use them? • Using audit hooks to improve security • Integration on Windows-based systems • Integration on Linux-based systems @zooba @christianheimes EuroPython 2019, Basel - 10 July 2019 7

  7. Auditing Hooks and Security Transparency for Python Runtime Audit Hooks (PEP 578) • One piece of a complete security solution • Provides low-level insight into runtime behaviour • Opening files • Connecting sockets • Compiling strings • By default, does nothing! • Designed for security engineers to plug into @zooba @christianheimes EuroPython 2019, Basel - 10 July 2019 8

  8. Auditing Hooks and Security Transparency for Python Python Security Engineer Checklist Install security updates Limit user accounts Install security updates! Use a firewall Install security updates!! Restrict package installation Install security updates!!! Think about maybe, possibly, using some Python audit hooks @zooba @christianheimes EuroPython 2019, Basel - 10 July 2019 9

  9. Auditing Hooks and Security Transparency for Python Listening to audit hooks int hook( import sys const char *event, PyObject *args, def hook(event, args): void *userData ) { print("Saw", event) printf("Saw %s\n", event); return 0; sys.addaudithook(hook) } PySys_AddAuditHook(hook, userData); @zooba @christianheimes EuroPython 2019, Basel - 10 July 2019 10

  10. Auditing Hooks and Security Transparency for Python Listening to audit hooks C - PySys_AddAuditHook() Python - sys.addaudithook() Pros: Pros: • Faster • Easy • Hard to bypass • Convenient Cons: Cons: • More complex • Per-subinterpreter • Requires custom Python • Slow @zooba @christianheimes EuroPython 2019, Basel - 10 July 2019 11

  11. Auditing Hooks and Security Transparency for Python What events should you expect? compile builtins.input import os.system exec glob.glob open socket.__new__ docs.python.org/3.8/library/audit_events.html @zooba @christianheimes EuroPython 2019, Basel - 10 July 2019 12

  12. Auditing Hooks and Security Transparency for Python What to do with an event? • Nothing • Log it • Abort it • Abort everything! Correct answer: log it @zooba @christianheimes EuroPython 2019, Basel - 10 July 2019 13

  13. Auditing Hooks and Security Transparency for Python If a tree falls in a forest… has it been logged? When an intruder is trying to get in, or is already in, you need to know Logging allows: • Retrospective analysis • Anomaly detection • Incident response Premature log filtering cripples your defence. Log everything. @zooba @christianheimes EuroPython 2019, Basel - 10 July 2019 14

  14. Auditing Hooks and Security Transparency for Python Creating audit events import sys PySys_Audit("module.event", sys.audit("module.event", "isO", a, b, c); a, b, c) Tips: • Prefer C call (PySys_Audit) when possible • Prefix with your module (import) name • Audit after validation, before execution @zooba @christianheimes EuroPython 2019, Basel - 10 July 2019 15

  15. Auditing Hooks and Security Transparency for Python The io.open_code() function • Code ≠ Data • Your OS kernel already does this for binaries, but not via open() import io io.open_code("file.py") Same as open(…, "rb") but can be hooked in C PyFile_SetOpenCodeHook(callback, user_data); @zooba @christianheimes EuroPython 2019, Basel - 10 July 2019 16

  16. Auditing Hooks and Security Transparency for Python Why would you hook io.open_code()? • Validate file attributes • Validate file contents • Exclusive file access • Return BytesIO instead of real file object Careful implementation required: • Cannot recurse (via PyImport_ImportModule) • Callers assume they’ll get a regular file object @zooba @christianheimes EuroPython 2019, Basel - 10 July 2019 18

  17. Auditing Hooks and Security Transparency for Python What else do you need to do? • Handle audit events • compile , exec – loading code not from files • open – loading other unexpected files • Disable launch options (in audit hook) • - c "…" – code in arguments • … | python3 – code from other shell commands • Force -E – ignore environment variables • Use good access control rules • $TEMPDIR / %TEMP% • $HOME / %USERPROFILE% @zooba @christianheimes EuroPython 2019, Basel - 10 July 2019 20

  18. Auditing Hooks and Security Transparency for Python Integrating with Windows @zooba @christianheimes EuroPython 2019, Basel - 10 July 2019 21

  19. github.com/zooba/spython Auditing Hooks and Security Transparency for Python Integrating with Windows • Windows Event Log • Catalog Signing • Windows Defender Application Control github.com/zooba/spython @zooba @christianheimes EuroPython 2019, Basel - 10 July 2019 22

  20. github.com/zooba/spython Auditing Hooks and Security Transparency for Python Windows Event Log @zooba @christianheimes EuroPython 2019, Basel - 10 July 2019 23

  21. github.com/zooba/spython Auditing Hooks and Security Transparency for Python @zooba @christianheimes EuroPython 2019, Basel - 10 July 2019 24

  22. github.com/zooba/spython Auditing Hooks and Security Transparency for Python Windows Event Log features • Event Log viewer • Event forwarding • Protected Event Logging • Clearing/modifying logs adds a new event @zooba @christianheimes EuroPython 2019, Basel - 10 July 2019 25

  23. github.com/zooba/spython Auditing Hooks and Security Transparency for Python static int hook_compile(const char *event, PyObject *args) { PyObject *code, *filename; const char *u8code = NULL, *u8filename = NULL; if (!EventEnabledIMPORT_COMPILE()) { return 0; } if (!PyArg_ParseTuple(args, "OO", &code, &filename)) { return -1; } u8code = PyUnicode_AsUTF8(code); u8filename = PyUnicode_AsUTF8(filename); EventWriteIMPORT_COMPILE(u8code, u8filename); return 0; } @zooba @christianheimes EuroPython 2019, Basel - 10 July 2019 26

  24. github.com/zooba/spython Auditing Hooks and Security Transparency for Python @zooba @christianheimes EuroPython 2019, Basel - 10 July 2019 28

  25. github.com/zooba/spython Auditing Hooks and Security Transparency for Python @zooba @christianheimes EuroPython 2019, Basel - 10 July 2019 29

  26. github.com/zooba/spython Auditing Hooks and Security Transparency for Python Signed Catalog Files @zooba @christianheimes EuroPython 2019, Basel - 10 July 2019 30

  27. github.com/zooba/spython Auditing Hooks and Security Transparency for Python Code Signing • Typical white-listing approach • Attaches a signed hash of the file to the file • Catalog signing signs a set of files • We can’t sign . py files, so we use .cat • Standard Python installers include a catalog file for all non-binaries @zooba @christianheimes EuroPython 2019, Basel - 10 July 2019 31

  28. github.com/zooba/spython Auditing Hooks and Security Transparency for Python @zooba @christianheimes EuroPython 2019, Basel - 10 July 2019 32

  29. github.com/zooba/spython Auditing Hooks and Security Transparency for Python static int verify_trust(HANDLE hFile) { static const GUID action = WINTRUST_ACTION_GENERIC_VERIFY_V2; BYTE hash[256]; wchar_t memberTag[256]; WINTRUST_CATALOG_INFO wci = { .cbStruct = sizeof(WINTRUST_CATALOG_INFO), if (!CryptCATAdminCalcHashFromFileHandle( .hMemberFile = hFile, hFile, &wci.cbCalculatedFileHash, hash, 0)) { .pbCalculatedFileHash = hash, return -1; .cbCalculatedFileHash = sizeof(hash), } .pcwszCatalogFilePath = wszCatalog, .pcwszMemberTag = memberTag, for (DWORD i = 0; i < wci.cbCalculatedFileHash; ++i) { }; swprintf(&memberTag[i*2], 3, L"%02X", hash[i]); WINTRUST_DATA wd = { } .cbStruct = sizeof(WINTRUST_DATA), .dwUIChoice = WTD_UI_NONE, HRESULT hr = WinVerifyTrust(NULL, (LPGUID)&action, &wd); .fdwRevocationChecks = WTD_REVOKE_WHOLECHAIN, if (FAILED(hr)) { .dwUnionChoice = WTD_CHOICE_CATALOG, PyErr_SetExcFromWindowsErr(PyExc_OSError); .pCatalog = &wci return -1; }; } return 0; } @zooba @christianheimes EuroPython 2019, Basel - 10 July 2019 33

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Auditing Chapter 25 Computer Security: Art and Science , 2 nd Edition Version 1.0 Slide 25-1

Auditing Chapter 25 Computer Security: Art and Science , 2 nd Edition Version 1.0 Slide 25-1

Auditing Chapter 25 Computer Security: Art and Science , 2 nd Edition Version 1.0 Slide 25-1 Outline Overview What is auditing? What does an audit system look like? How do you design an auditing system? Auditing mechanisms

1.4k views • 88 slides
Automatic Placement of Authorization Hooks in the Linux Security Modules Framework Vinod

Automatic Placement of Authorization Hooks in the Linux Security Modules Framework Vinod

Automatic Placement of Authorization Hooks in the Linux Security Modules Framework Vinod Ganapathy vg@cs.wisc.edu University of Wisconsin, Madison Joint work with Trent Jaeger Somesh Jha tjaeger@cse.psu.edu jha@cs.wisc.edu Pennsylvania

604 views • 41 slides
D. Brent Sandy, Plowshares and Pruning Hooks: Rethinking the Language of Biblical Hooks:

D. Brent Sandy, Plowshares and Pruning Hooks: Rethinking the Language of Biblical Hooks:

D. Brent Sandy, Plowshares and Pruning Hooks: Rethinking the Language of Biblical Hooks: Rethinking the Language of Biblical Prophecy and Apocalyptic, Downers Grove, IL: InterVarsity Press, 2002 y , Plowshares and Pruning Hooks and the o

382 views • 10 slides
Security Audit Principles and Practices Logging and auditing are two of the most unpleasant

Security Audit Principles and Practices Logging and auditing are two of the most unpleasant

Security Audit Principles and Practices Logging and auditing are two of the most unpleasant chores facing information security professionals. Chapter 11 tedious, time-consuming, boring Lecturer: Pei-yih Ting 1 Overview Configuring Logging

401 views • 7 slides
Remarks on Auditing, Regulatory Auditing and Regulatory Auditing Strategy Prof. Dr. Horst

Remarks on Auditing, Regulatory Auditing and Regulatory Auditing Strategy Prof. Dr. Horst

Remarks on Auditing, Regulatory Auditing and Regulatory Auditing Strategy Prof. Dr. Horst Frankenberger University of Applied Sciences Lbeck SG 4: Auditing - Lbeck 16.09.2002 1 Remarks on Auditing, Regulatory Auditing and Regulatory

305 views • 16 slides
Auditing IoT Communications with TLS-RaR Judson Wilson, Henry Corrigan-Gibbs, Riad S. Wahby,

Auditing IoT Communications with TLS-RaR Judson Wilson, Henry Corrigan-Gibbs, Riad S. Wahby,

Auditing IoT Communications with TLS-RaR Judson Wilson, Henry Corrigan-Gibbs, Riad S. Wahby, Keith Winstein, Philip Levis, Dan Boneh Stanford University Auditing Standard Devices MITM Used for: security audit automated exfiltration

971 views • 64 slides
WAN HACKING with AutoHack - auditing security behind the firewall Alec Muffett Network Security

WAN HACKING with AutoHack - auditing security behind the firewall Alec Muffett Network Security

WAN-Hacking with AutoHack - Alec Muffett, USENIX Security Symposium 95 WAN HACKING with AutoHack - auditing security behind the firewall Alec Muffett Network Security Group Sun Microsystems Alec.Muffett@UK.Sun.COM alec@hicom.org

651 views • 9 slides
THE AUDITING OF SOCIAL ACCOUNTS SOME GENERAL CONSIDERATIONS INDEPENDENT AUDITING (with

THE AUDITING OF SOCIAL ACCOUNTS SOME GENERAL CONSIDERATIONS INDEPENDENT AUDITING (with

16/11/2012 THE AUDITING OF SOCIAL ACCOUNTS SOME GENERAL CONSIDERATIONS INDEPENDENT AUDITING (with certification) OF SOCIAL ACCOUNTS A DEBATE (CONSIDERING IN THIS CASE ONLY ITALY): A) ONLY VOLUNTARY B) COMPULSORY BY LAW 1

322 views • 7 slides
Auditing in the Public Interest Auditing in the Public Interest Victorian Government

Auditing in the Public Interest Auditing in the Public Interest Victorian Government

Victorian Auditor-Generals Office Auditing in the Public Interest Auditing in the Public Interest Victorian Government Solicitors Office Seminar 30 May 2007 Des Pearson - Auditor-General 1 Auditing in the Public Interest Personal

352 views • 20 slides
INNOVATIVE SOLUTIONS MEETING EXPECTATIONS Locations &amp; Projects Auditing Auditing

INNOVATIVE SOLUTIONS MEETING EXPECTATIONS Locations &amp; Projects Auditing Auditing

INNOVATIVE SOLUTIONS MEETING EXPECTATIONS Locations &amp; Projects Auditing Auditing and assurance plays a crucial part of ensuring the safety and integrity of any diving system as well as ensuring safe and efficient diving

185 views • 14 slides
OSINT tools for security auditing Open Source Intelligence with python tools Jos Manuel Ortega

OSINT tools for security auditing Open Source Intelligence with python tools Jos Manuel Ortega

OSINT tools for security auditing Open Source Intelligence with python tools Jos Manuel Ortega @jmortegac http://jmortega.github.io https://github.com/jmortega/osint_tools_security_auditing Agenda OSINT introduction Server

743 views • 62 slides
Why Data Auditing is Important Arizona State Public Health Laboratory April 2019 Objectives

Why Data Auditing is Important Arizona State Public Health Laboratory April 2019 Objectives

Why Data Auditing is Important Arizona State Public Health Laboratory April 2019 Objectives Define data auditing Explain the importance of data auditing Data Auditing What does data mean to you? What is data auditing? When

648 views • 33 slides
Auditing : the good, the bad and the ugly A. Feinberg 14 Sep 2017 1 I must pay a debt of

Auditing : the good, the bad and the ugly A. Feinberg 14 Sep 2017 1 I must pay a debt of

Auditing : the good, the bad and the ugly A. Feinberg 14 Sep 2017 1 I must pay a debt of gratitude to DeWitt Beeler, who in an article published in the 1999 May Issue of Quality Progress provided me with a fresh look at auditing and

557 views • 41 slides
How would the emerging technology affect the future of auditing? AC4342 Auditing S01 Group 4

How would the emerging technology affect the future of auditing? AC4342 Auditing S01 Group 4

How would the emerging technology affect the future of auditing? AC4342 Auditing S01 Group 4 54818800 CHAN Shu Wah 54791726 IP Sunny 54814013 WAN Chun Fai 54808805 YIU Ho Fung How would the emerging technology affect the future of

672 views • 54 slides
Auditing large-scale medical terminologies, with a focus on SNOMED CT Ronald Cornet PhD Dept.

Auditing large-scale medical terminologies, with a focus on SNOMED CT Ronald Cornet PhD Dept.

Auditing large-scale medical terminologies, with a focus on SNOMED CT Ronald Cornet PhD Dept. of Medical Informatics Academic Medical Center University of Amsterdam Outline Background Types of Auditing Logic-based Auditing

245 views • 21 slides
School Equipment Auditing System(SEAS) Mr.Anuwat Shutanaruk 5522800556 Mr.Thanapon Areewattana

School Equipment Auditing System(SEAS) Mr.Anuwat Shutanaruk 5522800556 Mr.Thanapon Areewattana

School Equipment Auditing System(SEAS) Mr.Anuwat Shutanaruk 5522800556 Mr.Thanapon Areewattana 5522791896 Objective To make auditing system more efficient we develop the new auditing system version. Motivation Old style of search or tracking

852 views • 8 slides
4B Geriatric Hip Fracture 6A Gastric Bypass Abdominal Laparoscopic Results Geriatric Hip

4B Geriatric Hip Fracture 6A Gastric Bypass Abdominal Laparoscopic Results Geriatric Hip

4B Geriatric Hip Fracture 6A Gastric Bypass Abdominal Laparoscopic Results Geriatric Hip Fracture Results Onset Refer to Attached Ofirmev Brochure

84 views • 5 slides
Strata: A Cross Media File System Youngjin Kwon , Henrique Fingler, Tyler Hunt, Simon Peter,

Strata: A Cross Media File System Youngjin Kwon , Henrique Fingler, Tyler Hunt, Simon Peter,

Strata: A Cross Media File System Youngjin Kwon , Henrique Fingler, Tyler Hunt, Simon Peter, Emmett Witchel, Thomas Anderson 1 Lets build a fast server NoSQL store, Database, File server, Mail server Requirements Small updates (1

1.07k views • 79 slides
Memory Accesses in Out-of-Order Execution Instructor: Nima Honarmand Spring 2015 :: CSE 502

Memory Accesses in Out-of-Order Execution Instructor: Nima Honarmand Spring 2015 :: CSE 502

Spring 2015 :: CSE 502 Computer Architecture Memory Accesses in Out-of-Order Execution Instructor: Nima Honarmand Spring 2015 :: CSE 502 Computer Architecture Big Picture I-cache Instruction Branch FETCH Flow Predictor

381 views • 19 slides
:: Privacy Pass :: Bypassing internet challenges anonymously Alex Davidson 1,3 Ian Goldberg 2

:: Privacy Pass :: Bypassing internet challenges anonymously Alex Davidson 1,3 Ian Goldberg 2

:: Privacy Pass :: Bypassing internet challenges anonymously Alex Davidson 1,3 Ian Goldberg 2 Nick Sullivan 3 George Tankersley 4 Filippo Valsorda 4 1 Royal Holloway, University of London 2 University of Waterloo 3 Cloudflare 4 Independent PETS

591 views • 55 slides
IX:$A$Protected$Dataplane$Opera3ng$ System$for$High$Throughput$and$ Low$Latency$ Adam%Belay

IX:$A$Protected$Dataplane$Opera3ng$ System$for$High$Throughput$and$ Low$Latency$ Adam%Belay

IX:$A$Protected$Dataplane$Opera3ng$ System$for$High$Throughput$and$ Low$Latency$ Adam%Belay ,$George$Prekas,$$ Samuel$Grossman,$Ana$Klimovic,$$ Christos$Kozyrakis,$Edouard$Bugnion$ HW$is$fast,$but$SW$is$a$BoLleneck$ $ $ 64Obyte$TCP$Echo:$

490 views • 24 slides
CIS 371 Computer Organization and Design Unit 9: Superscalar Pipelines Slides developed by Milo

CIS 371 Computer Organization and Design Unit 9: Superscalar Pipelines Slides developed by Milo

CIS 371 Computer Organization and Design Unit 9: Superscalar Pipelines Slides developed by Milo Martin &amp; Amir Roth at the University of Pennsylvania with sources that included University of Wisconsin slides by Mark Hill, Guri Sohi, Jim

818 views • 26 slides
So we broke all CSPs You won't guess what happened next! whoami and Past Work Michele

So we broke all CSPs You won't guess what happened next! whoami and Past Work Michele

So we broke all CSPs You won't guess what happened next! whoami and Past Work Michele Spagnuolo Senior Information Security Engineer rosettaflash.com bitiodine.net Recap what happened last year Summary CSP is mostly used to

591 views • 47 slides
Network stack challenges at increasing speeds The 100Gbit/s challenge Jesper Dangaard Brouer

Network stack challenges at increasing speeds The 100Gbit/s challenge Jesper Dangaard Brouer

Network stack challenges at increasing speeds The 100Gbit/s challenge Jesper Dangaard Brouer Red Hat inc. LinuxCon North America, Aug 2015 1/39 Challenge: 100Gbit/s around the corner Overview Understand 100Gbit/s challenge and time

784 views • 45 slides

More recommend