Friday, March 25, 2022
HomeCloud ComputingSecuring Python Code with Cython

Securing Python Code with Cython


Due to the character of Python (interpreted language), securing the supply code is a difficult activity. With a view to execute the supply code, it should be out there in some type.

All through this text, I’ll element the compiling modules with Cython technique/resolution to the problem of defending a Python-based codebase.

Cython is a static compiler for Python and Cython programming languages, it simplifies the job of writing Python C extensions. Cython permits us to compile Python code, the result’s dynamic libraries that can be utilized as python modules too.

The Cython import course of is as follows:

  • shared library (.so, .pyd)
  • python bytecode (.pyo, .pyc)
  • python file (.py)

So… what are the advantages of utilizing Cython compiled modules?

  • Binary modules will impose a a lot more durable activity to get the unique Python code, reverse engineering strategies should be used to take action.
  • Cython generated C code may be modified to introduce adjustments, enhance safety, and so forth.
  • GCC optimization flags can be utilized whereas compiling the library
  • Tracebacks received’t reveal code, however simply line numbers (except disabled ).
  • Cython takes Python code and interprets it to C, which is then compiled by GCC (or related), the compiled code will run quicker than the pure Python model.

Let’s overview the fundamental performance of Cython

Keep in mind the good day.py script from the HashiCorp Vault Secret Supervisor article? Nicely, pulling secrets and techniques from HashiCorp Vault is nice however If you concentrate on it… if the consumer can entry/modify the code, he/she will add a easy print assertion to disclose the secrets and techniques (examine traces #19 – #21)

import getpass
import hvac
​
VAULT_ADDR = 'http://127.0.0.1:8200'
VAULT_TOKEN = getpass.getpass('Hashicorp Vault Token ID: ')
​
shopper = hvac.Consumer()
shopper = hvac.Consumer(
url = VAULT_ADDR,
token = VAULT_TOKEN
)
​
response = shopper.secrets and techniques.kv.read_secret_version(path='ap')
​
client_id = response['data']['data']['client_id']
client_secret = response['data']['data']['client_secret']
repo_token = response['data']['data']['repo_token']
​
print("Consumer ID: " + client_id)
print("Consumer Secret: " + client_secret)
print("Repo Token: " + repo_token)

hmmm… We have to forestall others from modifying the file… let’s see how Cython can assist with that.

1. For the sake of this POC, let’s go away the three print statements (traces #19 – #21). Ideally, these traces ought to be eliminated 😉

2. Make certain to have the “python3-devel” package deal put in (e.g., sudo yum set up python3-devel)

3. Set up Cython- sudo pip3 set up Cython

$ sudo pip3 set up Cython
Accumulating Cython
Downloading https://recordsdata.pythonhosted.org/packages/40/67/36322cf0387cf65e6be80ba2d9a33db227ecbc624902f0cb2e4bf456261f/Cython-0.29.23-cp38-cp38-manylinux1_x86_64.whl (1.9MB)
|████████████████████████████████| 1.9MB 23.3MB/s
Putting in collected packages: Cython
Efficiently put in Cython-0.29.23

4. Convert the python code into C code – cython good day.py –embed (word: add –embed flag to create a standalone program. If –embed shouldn’t be used the c code is not going to have a predominant as it’s going to imply to create a shared object moderately than a standalone executable. After the next command is issued and executed, a c supply file good day.c ought to be created in the identical listing)

$ cython good day.py -o cython.c
/usr/native/lib64/python3.8/site-packages/Cython/Compiler/Major.py:369: FutureWarning: Cython directive 'language_level' not set, utilizing 2 for now (Py2). It will change in a later launch! File: /house/ec2-user/good day.py
tree = Parsing.p_module(s, pxd, full_module_name)

5. Compile the c code into an executable – gcc `python3-config –cflags –ldflags` good day.c -o good day (word: the embody and library paths python should be specified. The execution of the next command ought to create an executable file good day. this shall be a distributable binary)

$ gcc `python3-config --cflags --ldflags` good day.c -o good day
$ [NO OUTPUT]

6. Verify the folder content material – ls -rtl 

$ ls -rtl
whole 276
-rw-rw-r--. 1 ec2-user ec2-user    545 Jul 11 16:06 good day.py
-rw-rw-r--. 1 ec2-user ec2-user 139572 Jul 11 17:27 good day.c
-rwxrwxr-x. 1 ec2-user ec2-user 132312 Jul 11 17:29 good day

7. Run the good day script – ./hello (when requested, enter the “Root Token” from HashiCorp Vault Secret Supervisor article, step #4)

$ ./good day
Hashicorp Vault Token ID: [ --> Root Token: s.4Gl4TLJb1D82OWxxxxxxxxxx]
Consumer ID: 123456789
Consumer Secret: 987654321
Repo Token: a1b2c3d4e5

8. View the good day file content material – cat good day (word: file output was truncated)

$ cat good day
ELF>?J@@?@8
@'&@@@@@h??@?@@@HUHU 0]0]`0]`?
?HX[cBE??j??@?@ Cֻ?|??V?T?????@?@ P?td`P`P@`P@??Q?tdR?td0]0]`0]`??/lib64/ld-linux-x86-64.so.2GNU?GNUGNU?M?;>P??¸ܿ???ȡX?d!
:?
@h`(?E@F @b`5`L@??F@<J?J@/?h`Q?Okay@ea@L@libpython3.6m.so.1.0_ITM_deregisterTMCloneTable__gmon_start___ITM_registerTMCloneTablelibpthread.so.0libdl.so.2libutil.so.1libm.so.6_PyThreadState_UncheckedGetPyFrame_NewPyEval_EvalFrameExPyObject_GetAttrPyObject_CallPyThreadState_Get_Py_CheckRecursionLimit_Py_CheckRecursiveCallPyErr_OccurredPyExc_SystemErrorPyErr_SetStringPyObject_GetAttrString_Py_NoneStructPyDict_SetItemStringPyExc_AttributeErrorPyErr_ExceptionMatchesPyErr_ClearPyExc_ImportErrorPyModule_NewObjectPyModule_GetDictPyDict_GetItemWithErrorPyTuple_PackPyExc_KeyErrorPyErr_SetObjectPyExc_NameErrorPyErr_Format_PyDict_GetItem_KnownHashPyList_NewPyDict_NewPyImport_ImportModuleLevelObjectPyExc_RuntimeErrorPyOS_snprintfPy_GetVersionPyErr_WarnExPyFrame_TypePyTuple_NewPyBytes_FromStringAndSizePyUnicode_FromStringAndSizePyImport_AddModulePyObject_SetAttrStringPyUnicode_InternFromStringPyUnicode_DecodePyObject_HashPyObject_SetAttrPyImport_GetModuleDictPyDict_GetItemStringPyDict_SetItem_PyObject_GetDictPtrPyObject_Not_Py_FalseStruct_Py_TrueStructPyUnicode_FromStringPyFunction_TypePyEval_EvalCodeExPyCFunction_TypePyDict_TypePyObject_GetItemPyNumber_AddPyUnicode_FromFormatPyCode_NewPyMem_MallocPyMem_ReallocPyTraceBack_HerePyModuleDef_InitPyModule_TypePyType_IsSubtypePyModule_ExecDefPyErr_PrintPy_FinalizeExPyMem_RawFreePy_InitializePy_SetProgramNamePySys_SetArgvlibc.so.6setlocalembrtowcmbstowcs__stack_chk_failstrdupstrlenmallocstderrfwrite__libc_start_mainfree_edata__bss_start_end__pyx_module_is_main_helloPyInit_hello_IO_stdin_used__data_start__libc_csu_init__libc_csu_finiquiBC_2.D1?1?A?D9?%D??)șA???Hc?H??D9}?H??A????Hc?H??D9}???AVI??AUI??ATI??USH??????H??1?L??H??H???????H??H??tGH?D 1?H?L9?}I?T?H?H??H????1?H???????E H?
I??u
[]AA]A^????H??H??I???O???L?%?9 ?H ???H A;AVAUATUSH?L???M??u
$3H??H??L??A??H???&????p ?V??P A?$?H?=????
@?H?=?%?{?????t?1??59?} ??????@$H??u#?|???H??H??u?H??8 H?5?%H?8????H??[]AA]A^?AVE??AUI??ATI??H??US?y???H??t5H;]8 H??1?A??tH??L??L????????H?
u)H?H???P0?H?08 ???H?8?]?????t?????1?[??]AA]A^???AUI??ATUSQ?$???H?PH??@ H??u H??@ ?"H9?tH?'8 H?%1?H?8?????H?-?B H??t H?E??H?5?%L??????I??H????H???A???I?
$H??u
wpercentL??L??H?s%?I?????xH???H? I?DL???P0H????H??????I??H????A?H?
u
H?H???P0ZH??[]AA]?USH??Q?-???H??H??ub?`???H??u[H?H?????t7?1??o???H??H??t7H??H?E6 H?8?e???H?

Final thoughts

This article attempts to find a solution to the problem. Cython seems like a promising option to consider. It is true that any user will have access to binaries that can be used to reverse engineer the application, but that’s going to take a good amount of time and work.

Disclaimers

  1. This article aims to cover the basic functionality of Cython.
  2. It’s also possible to combine the different approaches to provide an even more secure environment.
  3. Want to learn more about Cython? Please contact the Cross-Domain TAB team (mailto: xdc-amer-tab).

 


We’d love to hear what you think. Ask a question or leave a comment below.
And stay connected with Cisco DevNet on social!

LinkedIn | Twitter @CiscoDevNet | Facebook Developer Video Channel

 

Share:



RELATED ARTICLES

LEAVE A REPLY

Please enter your comment!
Please enter your name here

Most Popular

Recent Comments