EuroPython 2019: Auditing hooks and security transparency for CPython

Transcript

1. Auditing hooks and security transparency for CPython Steve Dower, Christian

   Heimes EuroPython 2019, Basel, Switzerland

2. Auditing Hooks and Security Transparency for Python Why is SkelSec

   so sad? @zooba @christianheimes EuroPython 2019, Basel - 10 July 2019 2

3. Auditing Hooks and Security Transparency for Python @zooba @christianheimes EuroPython

   2019, Basel - 10 July 2019 4

4. Auditing Hooks and Security Transparency for Python We made SkelSec

   sad… and that should make you all happy @zooba @christianheimes EuroPython 2019, Basel - 10 July 2019 5

5. Auditing Hooks and Security Transparency for Python Who are we?

   Steve Dower • CPython core developer • Author of PEP 578 • @zooba • (Also works at Microsoft) Christian Heimes • CPython core developer • BDFL delegate for PEP 578 • @christianheimes • (Also works at Red Hat) @zooba @christianheimes EuroPython 2019, Basel - 10 July 2019 6

6. Auditing Hooks and Security Transparency for Python Today’s Agenda •

   What are audit hooks, and why would I use them? • Using audit hooks to improve security • Integration on Windows-based systems • Integration on Linux-based systems @zooba @christianheimes EuroPython 2019, Basel - 10 July 2019 7

7. Auditing Hooks and Security Transparency for Python Runtime Audit Hooks

   (PEP 578) • One piece of a complete security solution • Provides low-level insight into runtime behaviour • Opening files • Connecting sockets • Compiling strings • By default, does nothing! • Designed for security engineers to plug into @zooba @christianheimes EuroPython 2019, Basel - 10 July 2019 8

8. Auditing Hooks and Security Transparency for Python Python Security Engineer

   Checklist Install security updates Limit user accounts Install security updates! Use a firewall Install security updates!! Restrict package installation Install security updates!!! Think about maybe, possibly, using some Python audit hooks @zooba @christianheimes EuroPython 2019, Basel - 10 July 2019 9

9. Auditing Hooks and Security Transparency for Python Listening to audit

   hooks int hook( const char *event, PyObject *args, void *userData ) { printf("Saw %s\n", event); return 0; } PySys_AddAuditHook(hook, userData); import sys def hook(event, args): print("Saw", event) sys.addaudithook(hook) @zooba @christianheimes EuroPython 2019, Basel - 10 July 2019 10

10. Auditing Hooks and Security Transparency for Python Listening to audit

    hooks C - PySys_AddAuditHook() Pros: • Faster • Hard to bypass Cons: • More complex • Requires custom Python Python - sys.addaudithook() Pros: • Easy • Convenient Cons: • Per-subinterpreter • Slow @zooba @christianheimes EuroPython 2019, Basel - 10 July 2019 11

11. Auditing Hooks and Security Transparency for Python What events should

    you expect? @zooba @christianheimes EuroPython 2019, Basel - 10 July 2019 12 docs.python.org/3.8/library/audit_events.html builtins.input exec import glob.glob open socket.__new__ os.system compile

12. Auditing Hooks and Security Transparency for Python What to do

    with an event? • Nothing • Log it • Abort it • Abort everything! Correct answer: log it @zooba @christianheimes EuroPython 2019, Basel - 10 July 2019 13

13. Auditing Hooks and Security Transparency for Python If a tree

    falls in a forest… has it been logged? When an intruder is trying to get in, or is already in, you need to know Logging allows: • Retrospective analysis • Anomaly detection • Incident response Premature log filtering cripples your defence. Log everything. @zooba @christianheimes EuroPython 2019, Basel - 10 July 2019 14

14. Auditing Hooks and Security Transparency for Python Creating audit events

    PySys_Audit("module.event", "isO", a, b, c); import sys sys.audit("module.event", a, b, c) @zooba @christianheimes EuroPython 2019, Basel - 10 July 2019 15 Tips: • Prefer C call (PySys_Audit) when possible • Prefix with your module (import) name • Audit after validation, before execution

15. Auditing Hooks and Security Transparency for Python The io.open_code() function

    • Code ≠ Data • Your OS kernel already does this for binaries, but not via open() import io io.open_code("file.py") Same as open(…, "rb") but can be hooked in C PyFile_SetOpenCodeHook(callback, user_data); @zooba @christianheimes EuroPython 2019, Basel - 10 July 2019 16

16. Auditing Hooks and Security Transparency for Python Why would you

    hook io.open_code()? • Validate file attributes • Validate file contents • Exclusive file access • Return BytesIO instead of real file object Careful implementation required: • Cannot recurse (via PyImport_ImportModule) • Callers assume they’ll get a regular file object @zooba @christianheimes EuroPython 2019, Basel - 10 July 2019 18

17. Auditing Hooks and Security Transparency for Python What else do

    you need to do? • Handle audit events • compile, exec – loading code not from files • open – loading other unexpected files • Disable launch options (in audit hook) • -c "…" – code in arguments • … | python3 – code from other shell commands • Force -E – ignore environment variables • Use good access control rules • $TEMPDIR / %TEMP% • $HOME / %USERPROFILE% @zooba @christianheimes EuroPython 2019, Basel - 10 July 2019 20

18. Auditing Hooks and Security Transparency for Python Integrating with Windows

    @zooba @christianheimes EuroPython 2019, Basel - 10 July 2019 21

19. Auditing Hooks and Security Transparency for Python Integrating with Windows

    • Windows Event Log • Catalog Signing • Windows Defender Application Control github.com/zooba/spython @zooba @christianheimes EuroPython 2019, Basel - 10 July 2019 22 github.com/zooba/spython

20. Auditing Hooks and Security Transparency for Python Windows Event Log

    @zooba @christianheimes EuroPython 2019, Basel - 10 July 2019 23 github.com/zooba/spython

21. Auditing Hooks and Security Transparency for Python @zooba @christianheimes EuroPython

    2019, Basel - 10 July 2019 24 github.com/zooba/spython

22. Auditing Hooks and Security Transparency for Python Windows Event Log

    features • Event Log viewer • Event forwarding • Protected Event Logging • Clearing/modifying logs adds a new event @zooba @christianheimes EuroPython 2019, Basel - 10 July 2019 25 github.com/zooba/spython

23. Auditing Hooks and Security Transparency for Python static int hook_compile(const

    char *event, PyObject *args) { PyObject *code, *filename; const char *u8code = NULL, *u8filename = NULL; if (!EventEnabledIMPORT_COMPILE()) { return 0; } if (!PyArg_ParseTuple(args, "OO", &code, &filename)) { return -1; } u8code = PyUnicode_AsUTF8(code); u8filename = PyUnicode_AsUTF8(filename); EventWriteIMPORT_COMPILE(u8code, u8filename); return 0; } @zooba @christianheimes EuroPython 2019, Basel - 10 July 2019 26 github.com/zooba/spython

24. Auditing Hooks and Security Transparency for Python @zooba @christianheimes EuroPython

    2019, Basel - 10 July 2019 28 github.com/zooba/spython

25. Auditing Hooks and Security Transparency for Python @zooba @christianheimes EuroPython

    2019, Basel - 10 July 2019 29 github.com/zooba/spython

26. Auditing Hooks and Security Transparency for Python Signed Catalog Files

    @zooba @christianheimes EuroPython 2019, Basel - 10 July 2019 30 github.com/zooba/spython

27. Auditing Hooks and Security Transparency for Python Code Signing •

    Typical white-listing approach • Attaches a signed hash of the file to the file • Catalog signing signs a set of files • We can’t sign .py files, so we use .cat • Standard Python installers include a catalog file for all non-binaries @zooba @christianheimes EuroPython 2019, Basel - 10 July 2019 31 github.com/zooba/spython

28. Auditing Hooks and Security Transparency for Python @zooba @christianheimes EuroPython

    2019, Basel - 10 July 2019 32 github.com/zooba/spython

29. Auditing Hooks and Security Transparency for Python static int verify_trust(HANDLE

    hFile) { static const GUID action = WINTRUST_ACTION_GENERIC_VERIFY_V2; BYTE hash[256]; wchar_t memberTag[256]; WINTRUST_CATALOG_INFO wci = { .cbStruct = sizeof(WINTRUST_CATALOG_INFO), .hMemberFile = hFile, .pbCalculatedFileHash = hash, .cbCalculatedFileHash = sizeof(hash), .pcwszCatalogFilePath = wszCatalog, .pcwszMemberTag = memberTag, }; WINTRUST_DATA wd = { .cbStruct = sizeof(WINTRUST_DATA), .dwUIChoice = WTD_UI_NONE, .fdwRevocationChecks = WTD_REVOKE_WHOLECHAIN, .dwUnionChoice = WTD_CHOICE_CATALOG, .pCatalog = &wci }; if (!CryptCATAdminCalcHashFromFileHandle( hFile, &wci.cbCalculatedFileHash, hash, 0)) { return -1; } for (DWORD i = 0; i < wci.cbCalculatedFileHash; ++i) { swprintf(&memberTag[i*2], 3, L"%02X", hash[i]); } HRESULT hr = WinVerifyTrust(NULL, (LPGUID)&action, &wd); if (FAILED(hr)) { PyErr_SetExcFromWindowsErr(PyExc_OSError); return -1; } return 0; } @zooba @christianheimes EuroPython 2019, Basel - 10 July 2019 33 github.com/zooba/spython

30. Auditing Hooks and Security Transparency for Python static int verify_trust(HANDLE

    hFile) { static const GUID action = WINTRUST_ACTION_GENERIC_VERIFY_V2; BYTE hash[256]; wchar_t memberTag[256]; WINTRUST_CATALOG_INFO wci = { .cbStruct = sizeof(WINTRUST_CATALOG_INFO), .hMemberFile = hFile, .pbCalculatedFileHash = hash, .cbCalculatedFileHash = sizeof(hash), .pcwszCatalogFilePath = wszCatalog, .pcwszMemberTag = memberTag, }; WINTRUST_DATA wd = { .cbStruct = sizeof(WINTRUST_DATA), .dwUIChoice = WTD_UI_NONE, .fdwRevocationChecks = WTD_REVOKE_WHOLECHAIN, .dwUnionChoice = WTD_CHOICE_CATALOG, .pCatalog = &wci }; if (!CryptCATAdminCalcHashFromFileHandle( hFile, &wci.cbCalculatedFileHash, hash, 0)) { return -1; } for (DWORD i = 0; i < wci.cbCalculatedFileHash; ++i) { swprintf(&memberTag[i*2], 3, L"%02X", hash[i]); } HRESULT hr = WinVerifyTrust(NULL, &action, &wd); if (FAILED(hr)) { PyErr_SetExcFromWindowsErr(PyExc_OSError); return -1; } return 0; } WinVerifyTrust(NULL, &action, &wd) @zooba @christianheimes EuroPython 2019, Basel - 10 July 2019 34 github.com/zooba/spython

31. Auditing Hooks and Security Transparency for Python @zooba @christianheimes EuroPython

    2019, Basel - 10 July 2019 35 github.com/zooba/spython

32. Auditing Hooks and Security Transparency for Python @zooba @christianheimes EuroPython

    2019, Basel - 10 July 2019 36 github.com/zooba/spython

33. Auditing Hooks and Security Transparency for Python Windows Defender Application

    Control @zooba @christianheimes EuroPython 2019, Basel - 10 July 2019 37 github.com/zooba/spython

34. Auditing Hooks and Security Transparency for Python Windows Defender Application

    Control • Kernel enforced, configurable policy for allow/denying applications • Use signatures, catalogs, file names, paths, etc. • Integrated with event logging and detectors • Good feedback for users @zooba @christianheimes EuroPython 2019, Basel - 10 July 2019 38 github.com/zooba/spython

35. Auditing Hooks and Security Transparency for Python @zooba @christianheimes EuroPython

    2019, Basel - 10 July 2019 39 github.com/zooba/spython

36. Auditing Hooks and Security Transparency for Python @zooba @christianheimes EuroPython

    2019, Basel - 10 July 2019 40 github.com/zooba/spython

37. Auditing Hooks and Security Transparency for Python @zooba @christianheimes EuroPython

    2019, Basel - 10 July 2019 41 github.com/zooba/spython

38. Auditing Hooks and Security Transparency for Python @zooba @christianheimes EuroPython

    2019, Basel - 10 July 2019 42 github.com/zooba/spython

39. Auditing Hooks and Security Transparency for Python @zooba @christianheimes EuroPython

    2019, Basel - 10 July 2019 44 github.com/zooba/spython

40. Auditing Hooks and Security Transparency for Python @zooba @christianheimes EuroPython

    2019, Basel - 10 July 2019 45 github.com/zooba/spython

41. Auditing Hooks and Security Transparency for Python @zooba @christianheimes EuroPython

    2019, Basel - 10 July 2019 46 github.com/zooba/spython

42. Auditing Hooks and Security Transparency for Python Integrating with Linux

    @zooba @christianheimes EuroPython 2019, Basel - 10 July 2019 47

43. Auditing Hooks and Security Transparency for Python Integrating with Linux

    • DTrace / SystemTap • SysLog • io.open_code() @zooba @christianheimes EuroPython 2019, Basel - 10 July 2019 48

44. Auditing Hooks and Security Transparency for Python Prerequisites • Install

    security updates • Run as unprivileged user or drop capabilities (container) • Restrict write access • Enforce security policy: AppArmor, SELinux, TOMOYO • Configure system and central logging: syslog, rsyslog, journald @zooba @christianheimes EuroPython 2019, Basel - 10 July 2019 49

45. Auditing Hooks and Security Transparency for Python DTrace / SystemTap

    instrumentation # audit(str event, void *tuple) probe process("/usr/lib64/libpython3.8.*").mark("audit") { printf("%s\n", user_string($arg1)) } $ sudo stap audit.stp -c "python3.8 -c pass" ... cpython.run_command compile exec @zooba @christianheimes EuroPython 2019, Basel - 10 July 2019 50 More on DTrace and SystemTap tomorrow at 10:30am from Christian

46. Auditing Hooks and Security Transparency for Python Logging openlog(NULL, LOG_CONS|LOG_PERROR|LOG_PID,

    LOG_USER); syslog(LOG_CRIT, "spython critical failure: %s", msg); _exit(255); Configure your container runtime to forward syslog! @zooba @christianheimes EuroPython 2019, Basel - 10 July 2019 51

47. Auditing Hooks and Security Transparency for Python Simple proof-of-concept •

    Resolved file must be a regular file • Deny noexec filesystems (/proc, hardened /tmp) • Hash file content with OpenSSL • Use xattr (extended file attributes) to flag files and store hash io.open_code() on Linux @zooba @christianheimes EuroPython 2019, Basel - 10 July 2019 52 github.com/zooba/spython/tree/master/linux_xattr github.com/zooba/spython/tree/master/linux_xattr

48. Auditing Hooks and Security Transparency for Python Extended file attributes

    • Custom name/values pairs on files and directories • Namespaces: user, trusted, system, security • Access permission to “user” namespace is controlled by DAC. • Inspired by “Integrity Measurement Architecture” (IMA-appraisal) $ getfattr -d /usr/lib64/python3.8/os.py user.org.python.x-spython-hash="75454b1944227c1418473..." @zooba @christianheimes EuroPython 2019, Basel - 10 July 2019 53 github.com/zooba/spython/tree/master/linux_xattr

49. Auditing Hooks and Security Transparency for Python Example $ ./spython

    example.py Fatal Python error: init_import_size: Failed to import the site module Traceback (most recent call last): ... ValueError: File hash mismatch: /usr/lib64/python3.8/os.py (expected: '75454b...', got '31d6c3...') $ sudo python3.8 ./mkxattr.py --verbose Adding spython hash to '/usr/lib64/python3.8/os.py' Adding spython hash to '/usr/lib64/python3.8/__pycache__/os.cpython-38.pyc' $ ./spython example.py OK @zooba @christianheimes EuroPython 2019, Basel - 10 July 2019 54 github.com/zooba/spython/tree/master/linux_xattr

50. Auditing Hooks and Security Transparency for Python Example – mkxattr

    XATTR_NAME = b"user.org.python.x-spython-hash" for filename in LIST_OF_PY_FILES: hasher = hashlib.new("sha256") with open(filename, "rb") as f: hasher.update(f.read()) hexdigest = hasher.hexdigest().encode("ascii") os.setxattr(filename, xattr_name, hexdigest) @zooba @christianheimes EuroPython 2019, Basel - 10 July 2019 56 github.com/zooba/spython/tree/master/linux_xattr

51. Auditing Hooks and Security Transparency for Python Securing xattr •

    Store hash in restricted xattr namespace • Use signed hash • Block syscall (container policy, seccomp) prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); scmp_filter_ctx *ctx = seccomp_init(SCMP_ACT_ALLOW); // setxattr, fsetxattr, lsetxattr seccomp_rule_add(ctx, SCMP_ACT_KILL_PROCESS, SCMP_SYS(setxattr), 0); seccomp_load(ctx); @zooba @christianheimes EuroPython 2019, Basel - 10 July 2019 57 github.com/zooba/spython/tree/master/linux_xattr

52. Auditing Hooks and Security Transparency for Python Open issues and

    exploits • LD_PRELOAD • Open Container Image Format clobbers xattr in layers • github.com/opencontainers/image-spec/issues/503 • Modify code with /proc/self/mem • void *dlopen(const char *filename, int flags) • github.com/nullbites/SnakeEater • ... @zooba @christianheimes EuroPython 2019, Basel - 10 July 2019 58

53. Auditing Hooks and Security Transparency for Python O_MAYEXEC • GNU/Linux

    CLIP OS 4 • Articles and talks − Linux Security Summit Europe 2018 − Kernel Recipes 2018 − lwn.net/Articles/774676 @zooba @christianheimes EuroPython 2019, Basel - 10 July 2019 59

54. Auditing Hooks and Security Transparency for Python Summary • When

    your security is already good, audit hooks can make it better • Hooks provide transparency, not security • Enables use of OS technologies that was unavailable to Python • Install your security updates! @zooba @christianheimes EuroPython 2019, Basel - 10 July 2019 60

55. Auditing Hooks and Security Transparency for Python Resources • docs.python.org/3.8/library/sys.html#sys.audit

    • www.python.org/dev/peps/pep-0578/ • github.com/zooba/spython @zooba @christianheimes EuroPython 2019, Basel - 10 July 2019 61 Steve Dower @zooba Christan Heimes @christianheimes