Securing Python Code with Cython

By
admin
-
0
88

[ad_1]

Due to the character of Python (interpreted language), securing the supply code is a difficult activity. So as to execute the supply code, it have to be out there in some kind.
All through this text, I’ll element the compiling modules with Cython methodology/answer to the problem of defending a Python-based codebase.
Cython is a static compiler for Python and Cython programming languages, it simplifies the job of writing Python C extensions. Cython permits us to compile Python code, the result’s dynamic libraries that can be utilized as python modules too.
The Cython import course of is as follows:

shared library (.so, .pyd)
python bytecode (.pyo, .pyc)
python file (.py)

So… what are the advantages of utilizing Cython compiled modules?

Binary modules will impose a a lot tougher activity to get the unique Python code, reverse engineering methods have to be used to take action.
Cython generated C code could be modified to introduce adjustments, enhance safety, and so on.
GCC optimization flags can be utilized whereas compiling the library
Tracebacks gained’t reveal code, however simply line numbers (except disabled ).
Cython takes Python code and interprets it to C, which is then compiled by GCC (or related), the compiled code will run sooner than the pure Python model.

Let’s overview the essential performance of Cython
Bear in mind the howdy.py script from the HashiCorp Vault Secret Supervisor article? Nicely, pulling secrets and techniques from HashiCorp Vault is nice however If you consider it… if the consumer can entry/modify the code, he/she will be able to add a easy print assertion to disclose the secrets and techniques (examine traces #19 – #21)
import getpass
import hvac

VAULT_ADDR = ‘http://127.0.0.1:8200’
VAULT_TOKEN = getpass.getpass(‘Hashicorp Vault Token ID: ‘)

consumer = hvac.Consumer()
consumer = hvac.Consumer(
url = VAULT_ADDR,
token = VAULT_TOKEN
)

response = consumer.secrets and techniques.kv.read_secret_version(path=’ap’)

client_id = response[‘data’][‘data’][‘client_id’]
client_secret = response[‘data’][‘data’][‘client_secret’]
repo_token = response[‘data’][‘data’][‘repo_token’]

print(“Consumer ID: ” + client_id)
print(“Consumer Secret: ” + client_secret)
print(“Repo Token: ” + repo_token)
hmmm… We have to stop others from modifying the file… let’s see how Cython will help with that.
1. For the sake of this POC, let’s depart the three print statements (traces #19 – #21). Ideally, these traces ought to be eliminated 😉
2. Be sure to have the “python3-devel” package deal put in (e.g., sudo yum set up python3-devel)
3. Set up Cython- sudo pip3 set up Cython
$ sudo pip3 set up Cython
Accumulating Cython
Downloading https://recordsdata.pythonhosted.org/packages/40/67/36322cf0387cf65e6be80ba2d9a33db227ecbc624902f0cb2e4bf456261f/Cython-0.29.23-cp38-cp38-manylinux1_x86_64.whl (1.9MB)
|████████████████████████████████| 1.9MB 23.3MB/s
Putting in collected packages: Cython
Efficiently put in Cython-0.29.23
4. Convert the python code into C code – cython howdy.py –embed (observe: add –embed flag to create a standalone program. If –embed will not be used the c code won’t have a principal as it would imply to create a shared object moderately than a standalone executable. After the next command is issued and executed, a c supply file howdy.c ought to be created in the identical listing)
$ cython howdy.py -o cython.c
/usr/native/lib64/python3.8/site-packages/Cython/Compiler/Fundamental.py:369: FutureWarning: Cython directive ‘language_level’ not set, utilizing 2 for now (Py2). This may change in a later launch! File: /house/ec2-user/howdy.py
tree = Parsing.p_module(s, pxd, full_module_name)
5. Compile the c code into an executable – gcc `python3-config –cflags –ldflags` howdy.c -o howdy (observe: the embody and library paths python have to be specified. The execution of the next command ought to create an executable file howdy. this might be a distributable binary)
$ gcc `python3-config –cflags –ldflags` howdy.c -o howdy
$ [NO OUTPUT]
6. Examine the folder content material – ls -rtl 
$ ls -rtl
whole 276
-rw-rw-r–. 1 ec2-user ec2-user 545 Jul 11 16:06 howdy.py
-rw-rw-r–. 1 ec2-user ec2-user 139572 Jul 11 17:27 howdy.c
-rwxrwxr-x. 1 ec2-user ec2-user 132312 Jul 11 17:29 howdy
7. Run the howdy script – ./howdy (when requested, enter the “Root Token” from HashiCorp Vault Secret Supervisor article, step #4)
$ ./howdy
Hashicorp Vault Token ID: [ –> Root Token: s.4Gl4TLJb1D82OWxxxxxxxxxx]
Consumer ID: 123456789
Consumer Secret: 987654321
Repo Token: a1b2c3d4e5
8. View the howdy file content material – cat howdy (observe: file output was truncated)
$ cat howdy
ELF>?J@@?@8
@’&@@@@@h??@?@@@HUHU 0]0]`0]`?
?HX[cBE??j??@?@ Cֻ?|??V?T?????@?@ P?td`P`P@`P@??Q?tdR?td0]0]`0]`??/lib64/ld-linux-x86-64.so.2GNU?GNUGNU?M?;>P??¸ܿ???ȡX?d!
:?
@h`(?E@F @b`5`L@??F@<J?J@/?h`Q?Okay@ea@L@libpython3.6m.so.1.0_ITM_deregisterTMCloneTable__gmon_start___ITM_registerTMCloneTablelibpthread.so.0libdl.so.2libutil.so.1libm.so.6_PyThreadState_UncheckedGetPyFrame_NewPyEval_EvalFrameExPyObject_GetAttrPyObject_CallPyThreadState_Get_Py_CheckRecursionLimit_Py_CheckRecursiveCallPyErr_OccurredPyExc_SystemErrorPyErr_SetStringPyObject_GetAttrString_Py_NoneStructPyDict_SetItemStringPyExc_AttributeErrorPyErr_ExceptionMatchesPyErr_ClearPyExc_ImportErrorPyModule_NewObjectPyModule_GetDictPyDict_GetItemWithErrorPyTuple_PackPyExc_KeyErrorPyErr_SetObjectPyExc_NameErrorPyErr_Format_PyDict_GetItem_KnownHashPyList_NewPyDict_NewPyImport_ImportModuleLevelObjectPyExc_RuntimeErrorPyOS_snprintfPy_GetVersionPyErr_WarnExPyFrame_TypePyTuple_NewPyBytes_FromStringAndSizePyUnicode_FromStringAndSizePyImport_AddModulePyObject_SetAttrStringPyUnicode_InternFromStringPyUnicode_DecodePyObject_HashPyObject_SetAttrPyImport_GetModuleDictPyDict_GetItemStringPyDict_SetItem_PyObject_GetDictPtrPyObject_Not_Py_FalseStruct_Py_TrueStructPyUnicode_FromStringPyFunction_TypePyEval_EvalCodeExPyCFunction_TypePyDict_TypePyObject_GetItemPyNumber_AddPyUnicode_FromFormatPyCode_NewPyMem_MallocPyMem_ReallocPyTraceBack_HerePyModuleDef_InitPyModule_TypePyType_IsSubtypePyModule_ExecDefPyErr_PrintPy_FinalizeExPyMem_RawFreePy_InitializePy_SetProgramNamePySys_SetArgvlibc.so.6setlocalembrtowcmbstowcs__stack_chk_failstrdupstrlenmallocstderrfwrite__libc_start_mainfree_edata__bss_start_end__pyx_module_is_main_helloPyInit_hello_IO_stdin_used__data_start__libc_csu_init__libc_csu_finiquiBC_2.D1?1?A?D9?%D??)șA???Hc?H??D9}?H??A????Hc?H??D9}???AVI??AUI??ATI??USH??????H??1?L??H??H???????H??H??tGH?D 1?H?L9?}I?T?H?H??H????1?H???????E H?
I??u
[]AA]A^????H??H??I???O???L?%?9 ?H ???H A;AVAUATUSH?L???M??u
$3H??H??L??A??H???&????p ?V??P A?$?H?=????
@?H?=?%?{?????t?1??59?} ??????@$H??u#?|???H??H??u?H??8 H?5?%H?8????H??[]AA]A^?AVE??AUI??ATI??H??US?y???H??t5H;]8 H??1?A??tH??L??L????????H?
u)H?H???P0?H?08 ???H?8?]?????t?????1?[??]AA]A^???AUI??ATUSQ?$???H?PH??@ H??u H??@ ?”H9?tH?’8 H?%1?H?8?????H?-?B H??t H?E??H?5?%L??????I??H????H???A???I?
$H??u
wpercentL??L??H?s%?I?????xH???H? I?DL???P0H????H??????I??H????A?H?
u
H?H???P0ZH??[]AA]?USH??Q?-???H??H??ub?`???H??u[H?H?????t7?1??o???H??H??t7H??H?E6 H?8?e???H?
Final thoughts
This article attempts to find a solution to the problem. Cython seems like a promising option to consider. It is true that any user will have access to binaries that can be used to reverse engineer the application, but that’s going to take a good amount of time and work.
Disclaimers

This article aims to cover the basic functionality of Cython.
It’s also possible to combine the different approaches to provide an even more secure environment.
Want to learn more about Cython? Please contact the Cross-Domain TAB team (mailto: xdc-amer-tab).

 

We’d love to hear what you think. Ask a question or leave a comment below.And stay connected with Cisco DevNet on social!
LinkedIn | Twitter @CiscoDevNet | Facebook |  Developer Video Channel
 

Share:

[ad_2]