martes, septiembre 27, 2022
InicioHealthSecuring Python Code with Cython

Securing Python Code with Cython

[ad_1]

Due to the character of Python (interpreted language), securing the supply code is a difficult activity. In an effort to execute the supply code, it have to be obtainable in some kind.

All through this text, I’ll element the compiling modules with Cython methodology/answer to the problem of defending a Python-based codebase.

Cython is a static compiler for Python and Cython programming languages, it simplifies the job of writing Python C extensions. Cython permits us to compile Python code, the result’s dynamic libraries that can be utilized as python modules too.

The Cython import course of is as follows:

  • shared library (.so, .pyd)
  • python bytecode (.pyo, .pyc)
  • python file (.py)

So… what are the advantages of utilizing Cython compiled modules?

  • Binary modules will impose a a lot tougher activity to get the unique Python code, reverse engineering strategies have to be used to take action.
  • Cython generated C code might be modified to introduce adjustments, enhance safety, and many others.
  • GCC optimization flags can be utilized whereas compiling the library
  • Tracebacks gained’t reveal code, however simply line numbers (until disabled ).
  • Cython takes Python code and interprets it to C, which is then compiled by GCC (or comparable), the compiled code will run sooner than the pure Python model.

Let’s assessment the essential performance of Cython

Bear in mind the howdy.py script from the HashiCorp Vault Secret Supervisor article? Nicely, pulling secrets and techniques from HashiCorp Vault is nice however If you concentrate on it… if the person can entry/modify the code, he/she will be able to add a easy print assertion to disclose the secrets and techniques (verify strains #19 – #21)

import getpass
import hvac
​
VAULT_ADDR = 'http://127.0.0.1:8200'
VAULT_TOKEN = getpass.getpass('Hashicorp Vault Token ID: ')
​
shopper = hvac.Consumer()
shopper = hvac.Consumer(
url = VAULT_ADDR,
token = VAULT_TOKEN
)
​
response = shopper.secrets and techniques.kv.read_secret_version(path='ap')
​
client_id = response['data']['data']['client_id']
client_secret = response['data']['data']['client_secret']
repo_token = response['data']['data']['repo_token']
​
print("Consumer ID: " + client_id)
print("Consumer Secret: " + client_secret)
print("Repo Token: " + repo_token)

hmmm… We have to forestall others from modifying the file… let’s see how Cython will help with that.

1. For the sake of this POC, let’s go away the three print statements (strains #19 – #21). Ideally, these strains must be eliminated 😉

2. Be certain that to have the “python3-devel” package deal put in (e.g., sudo yum set up python3-devel)

3. Set up Cython- sudo pip3 set up Cython

$ sudo pip3 set up Cython
Gathering Cython
Downloading https://recordsdata.pythonhosted.org/packages/40/67/36322cf0387cf65e6be80ba2d9a33db227ecbc624902f0cb2e4bf456261f/Cython-0.29.23-cp38-cp38-manylinux1_x86_64.whl (1.9MB)
|████████████████████████████████| 1.9MB 23.3MB/s
Putting in collected packages: Cython
Efficiently put in Cython-0.29.23

4. Convert the python code into C code – cython howdy.py –embed (be aware: add –embed flag to create a standalone program. If –embed just isn’t used the c code won’t have a principal as it can imply to create a shared object slightly than a standalone executable. After the next command is issued and executed, a c supply file howdy.c must be created in the identical listing)

$ cython howdy.py -o cython.c
/usr/native/lib64/python3.8/site-packages/Cython/Compiler/Principal.py:369: FutureWarning: Cython directive 'language_level' not set, utilizing 2 for now (Py2). It will change in a later launch! File: /dwelling/ec2-user/howdy.py
tree = Parsing.p_module(s, pxd, full_module_name)

5. Compile the c code into an executable – gcc `python3-config –cflags –ldflags` howdy.c -o howdy (be aware: the embrace and library paths python have to be specified. The execution of the next command ought to create an executable file howdy. this shall be a distributable binary)

$ gcc `python3-config --cflags --ldflags` howdy.c -o howdy
$ [NO OUTPUT]

6. Verify the folder content material – ls -rtl 

$ ls -rtl
whole 276
-rw-rw-r--. 1 ec2-user ec2-user    545 Jul 11 16:06 howdy.py
-rw-rw-r--. 1 ec2-user ec2-user 139572 Jul 11 17:27 howdy.c
-rwxrwxr-x. 1 ec2-user ec2-user 132312 Jul 11 17:29 howdy

7. Run the howdy script – ./hello (when requested, enter the “Root Token” from HashiCorp Vault Secret Supervisor article, step #4)

$ ./howdy
Hashicorp Vault Token ID: [ --> Root Token: s.4Gl4TLJb1D82OWxxxxxxxxxx]
Consumer ID: 123456789
Consumer Secret: 987654321
Repo Token: a1b2c3d4e5

8. View the howdy file content material – cat howdy (be aware: file output was truncated)

$ cat howdy
ELF>?J@@?@8
@'&@@@@@h??@?@@@HUHU 0]0]`0]`?
?HX[cBE??j??@?@ Cֻ?|??V?T?????@?@ P?td`P`P@`P@??Q?tdR?td0]0]`0]`??/lib64/ld-linux-x86-64.so.2GNU?GNUGNU?M?;>P??¸ܿ???ȡX?d!
:?
@h`(?E@F @b`5`L@??F@<J?J@/?h`Q?Okay@ea@L@libpython3.6m.so.1.0_ITM_deregisterTMCloneTable__gmon_start___ITM_registerTMCloneTablelibpthread.so.0libdl.so.2libutil.so.1libm.so.6_PyThreadState_UncheckedGetPyFrame_NewPyEval_EvalFrameExPyObject_GetAttrPyObject_CallPyThreadState_Get_Py_CheckRecursionLimit_Py_CheckRecursiveCallPyErr_OccurredPyExc_SystemErrorPyErr_SetStringPyObject_GetAttrString_Py_NoneStructPyDict_SetItemStringPyExc_AttributeErrorPyErr_ExceptionMatchesPyErr_ClearPyExc_ImportErrorPyModule_NewObjectPyModule_GetDictPyDict_GetItemWithErrorPyTuple_PackPyExc_KeyErrorPyErr_SetObjectPyExc_NameErrorPyErr_Format_PyDict_GetItem_KnownHashPyList_NewPyDict_NewPyImport_ImportModuleLevelObjectPyExc_RuntimeErrorPyOS_snprintfPy_GetVersionPyErr_WarnExPyFrame_TypePyTuple_NewPyBytes_FromStringAndSizePyUnicode_FromStringAndSizePyImport_AddModulePyObject_SetAttrStringPyUnicode_InternFromStringPyUnicode_DecodePyObject_HashPyObject_SetAttrPyImport_GetModuleDictPyDict_GetItemStringPyDict_SetItem_PyObject_GetDictPtrPyObject_Not_Py_FalseStruct_Py_TrueStructPyUnicode_FromStringPyFunction_TypePyEval_EvalCodeExPyCFunction_TypePyDict_TypePyObject_GetItemPyNumber_AddPyUnicode_FromFormatPyCode_NewPyMem_MallocPyMem_ReallocPyTraceBack_HerePyModuleDef_InitPyModule_TypePyType_IsSubtypePyModule_ExecDefPyErr_PrintPy_FinalizeExPyMem_RawFreePy_InitializePy_SetProgramNamePySys_SetArgvlibc.so.6setlocalembrtowcmbstowcs__stack_chk_failstrdupstrlenmallocstderrfwrite__libc_start_mainfree_edata__bss_start_end__pyx_module_is_main_helloPyInit_hello_IO_stdin_used__data_start__libc_csu_init__libc_csu_finiquiBC_2.D1?1?A?D9?%D??)șA???Hc?H??D9}?H??A????Hc?H??D9}???AVI??AUI??ATI??USH??????H??1?L??H??H???????H??H??tGH?D 1?H?L9?}I?T?H?H??H????1?H???????E H?
I??u
[]AA]A^????H??H??I???O???L?%?9 ?H ???H A;AVAUATUSH?L???M??u
$3H??H??L??A??H???&????p ?V??P A?$?H?=????
@?H?=?%?{?????t?1??59?} ??????@$H??u#?|???H??H??u?H??8 H?5?%H?8????H??[]AA]A^?AVE??AUI??ATI??H??US?y???H??t5H;]8 H??1?A??tH??L??L????????H?
u)H?H???P0?H?08 ???H?8?]?????t?????1?[??]AA]A^???AUI??ATUSQ?$???H?PH??@ H??u H??@ ?"H9?tH?'8 H?%1?H?8?????H?-?B H??t H?E??H?5?%L??????I??H????H???A???I?
$H??u
wpercentL??L??H?s%?I?????xH???H? I?DL???P0H????H??????I??H????A?H?
u
H?H???P0ZH??[]AA]?USH??Q?-???H??H??ub?`???H??u[H?H?????t7?1??o???H??H??t7H??H?E6 H?8?e???H?

Final thoughts

This article attempts to find a solution to the problem. Cython seems like a promising option to consider. It is true that any user will have access to binaries that can be used to reverse engineer the application, but that’s going to take a good amount of time and work.

Disclaimers

  1. This article aims to cover the basic functionality of Cython.
  2. It’s also possible to combine the different approaches to provide an even more secure environment.
  3. Want to learn more about Cython? Please contact the Cross-Domain TAB team (mailto: xdc-amer-tab).

 


We’d love to hear what you think. Ask a question or leave a comment below.
And stay connected with Cisco DevNet on social!

LinkedIn | Twitter @CiscoDevNet | Facebook Developer Video Channel

 

Share:



[ad_2]

RELATED ARTICLES

DEJA UNA RESPUESTA

Por favor ingrese su comentario!
Por favor ingrese su nombre aquí