auditing hooks and security
play

Auditing hooks and security transparency for CPython Steve Dower, - PowerPoint PPT Presentation

Mar 15, 2024 •280 likes •845 views

Auditing hooks and security transparency for CPython Steve Dower, Christian Heimes EuroPython 2019, Basel, Switzerland Auditing Hooks and Security Transparency for Python Why is SkelSec so sad? @zooba @christianheimes EuroPython 2019, Basel -

  1. Auditing hooks and security transparency for CPython Steve Dower, Christian Heimes EuroPython 2019, Basel, Switzerland

  2. Auditing Hooks and Security Transparency for Python Why is SkelSec so sad? @zooba @christianheimes EuroPython 2019, Basel - 10 July 2019 2

  3. Auditing Hooks and Security Transparency for Python @zooba @christianheimes EuroPython 2019, Basel - 10 July 2019 4

  4. Auditing Hooks and Security Transparency for Python We made SkelSec sad… and that should make you all happy @zooba @christianheimes EuroPython 2019, Basel - 10 July 2019 5

  5. Auditing Hooks and Security Transparency for Python Who are we? Steve Dower Christian Heimes • CPython core developer • CPython core developer • Author of PEP 578 • BDFL delegate for PEP 578 • @zooba • @christianheimes • (Also works at Microsoft) • (Also works at Red Hat) @zooba @christianheimes EuroPython 2019, Basel - 10 July 2019 6

  6. Auditing Hooks and Security Transparency for Python Today’s Agenda • What are audit hooks, and why would I use them? • Using audit hooks to improve security • Integration on Windows-based systems • Integration on Linux-based systems @zooba @christianheimes EuroPython 2019, Basel - 10 July 2019 7

  7. Auditing Hooks and Security Transparency for Python Runtime Audit Hooks (PEP 578) • One piece of a complete security solution • Provides low-level insight into runtime behaviour • Opening files • Connecting sockets • Compiling strings • By default, does nothing! • Designed for security engineers to plug into @zooba @christianheimes EuroPython 2019, Basel - 10 July 2019 8

  8. Auditing Hooks and Security Transparency for Python Python Security Engineer Checklist Install security updates Limit user accounts Install security updates! Use a firewall Install security updates!! Restrict package installation Install security updates!!! Think about maybe, possibly, using some Python audit hooks @zooba @christianheimes EuroPython 2019, Basel - 10 July 2019 9

  9. Auditing Hooks and Security Transparency for Python Listening to audit hooks int hook( import sys const char *event, PyObject *args, def hook(event, args): void *userData ) { print("Saw", event) printf("Saw %s\n", event); return 0; sys.addaudithook(hook) } PySys_AddAuditHook(hook, userData); @zooba @christianheimes EuroPython 2019, Basel - 10 July 2019 10

  10. Auditing Hooks and Security Transparency for Python Listening to audit hooks C - PySys_AddAuditHook() Python - sys.addaudithook() Pros: Pros: • Faster • Easy • Hard to bypass • Convenient Cons: Cons: • More complex • Per-subinterpreter • Requires custom Python • Slow @zooba @christianheimes EuroPython 2019, Basel - 10 July 2019 11

  11. Auditing Hooks and Security Transparency for Python What events should you expect? compile builtins.input import os.system exec glob.glob open socket.__new__ docs.python.org/3.8/library/audit_events.html @zooba @christianheimes EuroPython 2019, Basel - 10 July 2019 12

  12. Auditing Hooks and Security Transparency for Python What to do with an event? • Nothing • Log it • Abort it • Abort everything! Correct answer: log it @zooba @christianheimes EuroPython 2019, Basel - 10 July 2019 13

  13. Auditing Hooks and Security Transparency for Python If a tree falls in a forest… has it been logged? When an intruder is trying to get in, or is already in, you need to know Logging allows: • Retrospective analysis • Anomaly detection • Incident response Premature log filtering cripples your defence. Log everything. @zooba @christianheimes EuroPython 2019, Basel - 10 July 2019 14

  14. Auditing Hooks and Security Transparency for Python Creating audit events import sys PySys_Audit("module.event", sys.audit("module.event", "isO", a, b, c); a, b, c) Tips: • Prefer C call (PySys_Audit) when possible • Prefix with your module (import) name • Audit after validation, before execution @zooba @christianheimes EuroPython 2019, Basel - 10 July 2019 15

  15. Auditing Hooks and Security Transparency for Python The io.open_code() function • Code ≠ Data • Your OS kernel already does this for binaries, but not via open() import io io.open_code("file.py") Same as open(…, "rb") but can be hooked in C PyFile_SetOpenCodeHook(callback, user_data); @zooba @christianheimes EuroPython 2019, Basel - 10 July 2019 16

  16. Auditing Hooks and Security Transparency for Python Why would you hook io.open_code()? • Validate file attributes • Validate file contents • Exclusive file access • Return BytesIO instead of real file object Careful implementation required: • Cannot recurse (via PyImport_ImportModule) • Callers assume they’ll get a regular file object @zooba @christianheimes EuroPython 2019, Basel - 10 July 2019 18

  17. Auditing Hooks and Security Transparency for Python What else do you need to do? • Handle audit events • compile , exec – loading code not from files • open – loading other unexpected files • Disable launch options (in audit hook) • - c "…" – code in arguments • … | python3 – code from other shell commands • Force -E – ignore environment variables • Use good access control rules • $TEMPDIR / %TEMP% • $HOME / %USERPROFILE% @zooba @christianheimes EuroPython 2019, Basel - 10 July 2019 20

  18. Auditing Hooks and Security Transparency for Python Integrating with Windows @zooba @christianheimes EuroPython 2019, Basel - 10 July 2019 21

  19. github.com/zooba/spython Auditing Hooks and Security Transparency for Python Integrating with Windows • Windows Event Log • Catalog Signing • Windows Defender Application Control github.com/zooba/spython @zooba @christianheimes EuroPython 2019, Basel - 10 July 2019 22

  20. github.com/zooba/spython Auditing Hooks and Security Transparency for Python Windows Event Log @zooba @christianheimes EuroPython 2019, Basel - 10 July 2019 23

  21. github.com/zooba/spython Auditing Hooks and Security Transparency for Python @zooba @christianheimes EuroPython 2019, Basel - 10 July 2019 24

  22. github.com/zooba/spython Auditing Hooks and Security Transparency for Python Windows Event Log features • Event Log viewer • Event forwarding • Protected Event Logging • Clearing/modifying logs adds a new event @zooba @christianheimes EuroPython 2019, Basel - 10 July 2019 25

  23. github.com/zooba/spython Auditing Hooks and Security Transparency for Python static int hook_compile(const char *event, PyObject *args) { PyObject *code, *filename; const char *u8code = NULL, *u8filename = NULL; if (!EventEnabledIMPORT_COMPILE()) { return 0; } if (!PyArg_ParseTuple(args, "OO", &code, &filename)) { return -1; } u8code = PyUnicode_AsUTF8(code); u8filename = PyUnicode_AsUTF8(filename); EventWriteIMPORT_COMPILE(u8code, u8filename); return 0; } @zooba @christianheimes EuroPython 2019, Basel - 10 July 2019 26

  24. github.com/zooba/spython Auditing Hooks and Security Transparency for Python @zooba @christianheimes EuroPython 2019, Basel - 10 July 2019 28

  25. github.com/zooba/spython Auditing Hooks and Security Transparency for Python @zooba @christianheimes EuroPython 2019, Basel - 10 July 2019 29

  26. github.com/zooba/spython Auditing Hooks and Security Transparency for Python Signed Catalog Files @zooba @christianheimes EuroPython 2019, Basel - 10 July 2019 30

  27. github.com/zooba/spython Auditing Hooks and Security Transparency for Python Code Signing • Typical white-listing approach • Attaches a signed hash of the file to the file • Catalog signing signs a set of files • We can’t sign . py files, so we use .cat • Standard Python installers include a catalog file for all non-binaries @zooba @christianheimes EuroPython 2019, Basel - 10 July 2019 31

  28. github.com/zooba/spython Auditing Hooks and Security Transparency for Python @zooba @christianheimes EuroPython 2019, Basel - 10 July 2019 32

  29. github.com/zooba/spython Auditing Hooks and Security Transparency for Python static int verify_trust(HANDLE hFile) { static const GUID action = WINTRUST_ACTION_GENERIC_VERIFY_V2; BYTE hash[256]; wchar_t memberTag[256]; WINTRUST_CATALOG_INFO wci = { .cbStruct = sizeof(WINTRUST_CATALOG_INFO), if (!CryptCATAdminCalcHashFromFileHandle( .hMemberFile = hFile, hFile, &wci.cbCalculatedFileHash, hash, 0)) { .pbCalculatedFileHash = hash, return -1; .cbCalculatedFileHash = sizeof(hash), } .pcwszCatalogFilePath = wszCatalog, .pcwszMemberTag = memberTag, for (DWORD i = 0; i < wci.cbCalculatedFileHash; ++i) { }; swprintf(&memberTag[i*2], 3, L"%02X", hash[i]); WINTRUST_DATA wd = { } .cbStruct = sizeof(WINTRUST_DATA), .dwUIChoice = WTD_UI_NONE, HRESULT hr = WinVerifyTrust(NULL, (LPGUID)&action, &wd); .fdwRevocationChecks = WTD_REVOKE_WHOLECHAIN, if (FAILED(hr)) { .dwUnionChoice = WTD_CHOICE_CATALOG, PyErr_SetExcFromWindowsErr(PyExc_OSError); .pCatalog = &wci return -1; }; } return 0; } @zooba @christianheimes EuroPython 2019, Basel - 10 July 2019 33

Recommend

Auditing Chapter 25 Computer Security: Art and Science , 2 nd Edition Version 1.0 Slide 25-1

Auditing Chapter 25 Computer Security: Art and Science , 2 nd Edition Version 1.0 Slide 25-1

Auditing Chapter 25 Computer Security: Art and Science , 2 nd Edition Version 1.0 Slide 25-1 Outline Overview What is auditing? What does an audit system look like? How do you design an auditing system? Auditing mechanisms

1.4k views • 88 slides
Automatic Placement of Authorization Hooks in the Linux Security Modules Framework Vinod

Automatic Placement of Authorization Hooks in the Linux Security Modules Framework Vinod

Automatic Placement of Authorization Hooks in the Linux Security Modules Framework Vinod Ganapathy vg@cs.wisc.edu University of Wisconsin, Madison Joint work with Trent Jaeger Somesh Jha tjaeger@cse.psu.edu jha@cs.wisc.edu Pennsylvania

604 views • 41 slides
D. Brent Sandy, Plowshares and Pruning Hooks: Rethinking the Language of Biblical Hooks:

D. Brent Sandy, Plowshares and Pruning Hooks: Rethinking the Language of Biblical Hooks:

D. Brent Sandy, Plowshares and Pruning Hooks: Rethinking the Language of Biblical Hooks: Rethinking the Language of Biblical Prophecy and Apocalyptic, Downers Grove, IL: InterVarsity Press, 2002 y , Plowshares and Pruning Hooks and the o

382 views • 10 slides
Security Audit Principles and Practices Logging and auditing are two of the most unpleasant

Security Audit Principles and Practices Logging and auditing are two of the most unpleasant

Security Audit Principles and Practices Logging and auditing are two of the most unpleasant chores facing information security professionals. Chapter 11 tedious, time-consuming, boring Lecturer: Pei-yih Ting 1 Overview Configuring Logging

401 views • 7 slides
Remarks on Auditing, Regulatory Auditing and Regulatory Auditing Strategy Prof. Dr. Horst

Remarks on Auditing, Regulatory Auditing and Regulatory Auditing Strategy Prof. Dr. Horst

Remarks on Auditing, Regulatory Auditing and Regulatory Auditing Strategy Prof. Dr. Horst Frankenberger University of Applied Sciences Lbeck SG 4: Auditing - Lbeck 16.09.2002 1 Remarks on Auditing, Regulatory Auditing and Regulatory

305 views • 16 slides
Auditing IoT Communications with TLS-RaR Judson Wilson, Henry Corrigan-Gibbs, Riad S. Wahby,

Auditing IoT Communications with TLS-RaR Judson Wilson, Henry Corrigan-Gibbs, Riad S. Wahby,

Auditing IoT Communications with TLS-RaR Judson Wilson, Henry Corrigan-Gibbs, Riad S. Wahby, Keith Winstein, Philip Levis, Dan Boneh Stanford University Auditing Standard Devices MITM Used for: security audit automated exfiltration

971 views • 64 slides
WAN HACKING with AutoHack - auditing security behind the firewall Alec Muffett Network Security

WAN HACKING with AutoHack - auditing security behind the firewall Alec Muffett Network Security

WAN-Hacking with AutoHack - Alec Muffett, USENIX Security Symposium 95 WAN HACKING with AutoHack - auditing security behind the firewall Alec Muffett Network Security Group Sun Microsystems Alec.Muffett@UK.Sun.COM alec@hicom.org

651 views • 9 slides
THE AUDITING OF SOCIAL ACCOUNTS SOME GENERAL CONSIDERATIONS INDEPENDENT AUDITING (with

THE AUDITING OF SOCIAL ACCOUNTS SOME GENERAL CONSIDERATIONS INDEPENDENT AUDITING (with

16/11/2012 THE AUDITING OF SOCIAL ACCOUNTS SOME GENERAL CONSIDERATIONS INDEPENDENT AUDITING (with certification) OF SOCIAL ACCOUNTS A DEBATE (CONSIDERING IN THIS CASE ONLY ITALY): A) ONLY VOLUNTARY B) COMPULSORY BY LAW 1

322 views • 7 slides
Auditing in the Public Interest Auditing in the Public Interest Victorian Government

Auditing in the Public Interest Auditing in the Public Interest Victorian Government

Victorian Auditor-Generals Office Auditing in the Public Interest Auditing in the Public Interest Victorian Government Solicitors Office Seminar 30 May 2007 Des Pearson - Auditor-General 1 Auditing in the Public Interest Personal

352 views • 20 slides
INNOVATIVE SOLUTIONS MEETING EXPECTATIONS Locations &amp; Projects Auditing Auditing

INNOVATIVE SOLUTIONS MEETING EXPECTATIONS Locations &amp; Projects Auditing Auditing

INNOVATIVE SOLUTIONS MEETING EXPECTATIONS Locations &amp; Projects Auditing Auditing and assurance plays a crucial part of ensuring the safety and integrity of any diving system as well as ensuring safe and efficient diving

185 views • 14 slides
OSINT tools for security auditing Open Source Intelligence with python tools Jos Manuel Ortega

OSINT tools for security auditing Open Source Intelligence with python tools Jos Manuel Ortega

OSINT tools for security auditing Open Source Intelligence with python tools Jos Manuel Ortega @jmortegac http://jmortega.github.io https://github.com/jmortega/osint_tools_security_auditing Agenda OSINT introduction Server

743 views • 62 slides
Why Data Auditing is Important Arizona State Public Health Laboratory April 2019 Objectives

Why Data Auditing is Important Arizona State Public Health Laboratory April 2019 Objectives

Why Data Auditing is Important Arizona State Public Health Laboratory April 2019 Objectives Define data auditing Explain the importance of data auditing Data Auditing What does data mean to you? What is data auditing? When

648 views • 33 slides
Auditing : the good, the bad and the ugly A. Feinberg 14 Sep 2017 1 I must pay a debt of

Auditing : the good, the bad and the ugly A. Feinberg 14 Sep 2017 1 I must pay a debt of

Auditing : the good, the bad and the ugly A. Feinberg 14 Sep 2017 1 I must pay a debt of gratitude to DeWitt Beeler, who in an article published in the 1999 May Issue of Quality Progress provided me with a fresh look at auditing and

557 views • 41 slides
How would the emerging technology affect the future of auditing? AC4342 Auditing S01 Group 4

How would the emerging technology affect the future of auditing? AC4342 Auditing S01 Group 4

How would the emerging technology affect the future of auditing? AC4342 Auditing S01 Group 4 54818800 CHAN Shu Wah 54791726 IP Sunny 54814013 WAN Chun Fai 54808805 YIU Ho Fung How would the emerging technology affect the future of

672 views • 54 slides
Auditing large-scale medical terminologies, with a focus on SNOMED CT Ronald Cornet PhD Dept.

Auditing large-scale medical terminologies, with a focus on SNOMED CT Ronald Cornet PhD Dept.

Auditing large-scale medical terminologies, with a focus on SNOMED CT Ronald Cornet PhD Dept. of Medical Informatics Academic Medical Center University of Amsterdam Outline Background Types of Auditing Logic-based Auditing

245 views • 21 slides
School Equipment Auditing System(SEAS) Mr.Anuwat Shutanaruk 5522800556 Mr.Thanapon Areewattana

School Equipment Auditing System(SEAS) Mr.Anuwat Shutanaruk 5522800556 Mr.Thanapon Areewattana

School Equipment Auditing System(SEAS) Mr.Anuwat Shutanaruk 5522800556 Mr.Thanapon Areewattana 5522791896 Objective To make auditing system more efficient we develop the new auditing system version. Motivation Old style of search or tracking

852 views • 8 slides
1 State Single Audit Requirements In accordance with federal requirements, beginning in

1 State Single Audit Requirements In accordance with federal requirements, beginning in

Compliance Auditing Update Compliance Auditing Update NC Local Government Auditing, Reporting and Review NC Local Government Auditing, Reporting and Review June 14, 2016 June 14, 2016 Uniform Guidance Overview Course Objectives- Uniform

435 views • 25 slides
Automating security policies From deployment to auditing with Rudder Jonathan CLARKE

Automating security policies From deployment to auditing with Rudder Jonathan CLARKE

Automating security policies From deployment to auditing with Rudder Jonathan CLARKE jcl@normation.com Normation CC-BY-SA normation.com Who am I ? Jonathan Clarke Job: Co-founder and CTO at Normation Line of work:

282 views • 24 slides
Goals for Today Learning Objective: Understand the importance of auditing to computer

Goals for Today Learning Objective: Understand the importance of auditing to computer

Goals for Today Learning Objective: Understand the importance of auditing to computer security Explore Linux Audit Framework components Learn the gist of causal analysis of audit logs Announcements, etc: MP4 out! Due May 6th

661 views • 28 slides
Hooks &amp; Events Overview How Complex Systems Communicate 1 Jonathan Daggerhart Architect

Hooks &amp; Events Overview How Complex Systems Communicate 1 Jonathan Daggerhart Architect

Hooks &amp; Events Overview How Complex Systems Communicate 1 Jonathan Daggerhart Architect daggerhart daggerhart daggerhart daggerhart.com 2 Hooks &amp; Events: What Well Cover Event Systems in General What problems does it

665 views • 40 slides
Auditing SDGs SUSTAINABLE DEVELOPMENT GOALS What value do SAIs add to the implementation of

Auditing SDGs SUSTAINABLE DEVELOPMENT GOALS What value do SAIs add to the implementation of

SAIs making a difference by AUDITING Auditing SDGs SUSTAINABLE DEVELOPMENT GOALS What value do SAIs add to the implementation of Agenda 2030 ? Urge national governments into action if there isnt any. Independent oversight on the

203 views • 17 slides
1 Unless the People Have a Vision The Life of Frances Dancy Hooks (1927-2016) A

1 Unless the People Have a Vision The Life of Frances Dancy Hooks (1927-2016) A

1 Unless the People Have a Vision The Life of Frances Dancy Hooks (1927-2016) A Presentation for Womens History Month By Will Love, Collection Specialist The University of Memphis McWherter Library 225 Wednesday, March 23, 2016 3-4

318 views • 11 slides
Using Git Hooks to Help Your 40 40 40 Joo Santos Engineering Teams Work Software Engineer

Using Git Hooks to Help Your 40 40 40 Joo Santos Engineering Teams Work Software Engineer

255 105 0 149 149 149 225 225 225 68 84 106 84 28 0 0 0 153 65 0 102 Using Git Hooks to Help Your 40 40 40 Joo Santos Engineering Teams Work Software Engineer joao.santos@zalando.de Autonomously @joaomcsantos Europython 2015

511 views • 40 slides
Refactoring Into React Hooks Matteo Antony Mistretta Inglorious Coderz @antonymistretta Why

Refactoring Into React Hooks Matteo Antony Mistretta Inglorious Coderz @antonymistretta Why

Refactoring Into React Hooks Matteo Antony Mistretta Inglorious Coderz @antonymistretta Why They separate stateful logic They are composable functions They keep our component hierarchy flat They allow us to go fully functional They are now

681 views • 34 slides

More recommend