Securing Python Code with Cython

0
69


Due to the character of Python (interpreted language), securing the supply code is a difficult job. To be able to execute the supply code, it should be out there in some type.

All through this text, I’ll element the compiling modules with Cython technique/answer to the problem of defending a Python-based codebase.

Cython is a static compiler for Python and Cython programming languages, it simplifies the job of writing Python C extensions. Cython permits us to compile Python code, the result’s dynamic libraries that can be utilized as python modules too.

The Cython import course of is as follows:

  • shared library (.so, .pyd)
  • python bytecode (.pyo, .pyc)
  • python file (.py)

So… what are the advantages of utilizing Cython compiled modules?

  • Binary modules will impose a a lot tougher job to get the unique Python code, reverse engineering strategies should be used to take action.
  • Cython generated C code might be modified to introduce adjustments, enhance safety, and so on.
  • GCC optimization flags can be utilized whereas compiling the library
  • Tracebacks gained’t reveal code, however simply line numbers (except disabled ).
  • Cython takes Python code and interprets it to C, which is then compiled by GCC (or related), the compiled code will run sooner than the pure Python model.

Let’s evaluation the fundamental performance of Cython

Keep in mind the good day.py script from the HashiCorp Vault Secret Supervisor article? Properly, pulling secrets and techniques from HashiCorp Vault is nice however If you concentrate on it… if the person can entry/modify the code, he/she will add a easy print assertion to disclose the secrets and techniques (verify strains #19 – #21)

import getpass
import hvac
​
VAULT_ADDR = 'http://127.0.0.1:8200'
VAULT_TOKEN = getpass.getpass('Hashicorp Vault Token ID: ')
​
shopper = hvac.Shopper()
shopper = hvac.Shopper(
url = VAULT_ADDR,
token = VAULT_TOKEN
)
​
response = shopper.secrets and techniques.kv.read_secret_version(path='ap')
​
client_id = response['data']['data']['client_id']
client_secret = response['data']['data']['client_secret']
repo_token = response['data']['data']['repo_token']
​
print("Shopper ID: " + client_id)
print("Shopper Secret: " + client_secret)
print("Repo Token: " + repo_token)

hmmm… We have to stop others from modifying the file… let’s see how Cython might help with that.

1. For the sake of this POC, let’s go away the three print statements (strains #19 – #21). Ideally, these strains ought to be eliminated 😉

2. Make sure that to have the “python3-devel” bundle put in (e.g., sudo yum set up python3-devel)

3. Set up Cython- sudo pip3 set up Cython

$ sudo pip3 set up Cython
Amassing Cython
Downloading https://information.pythonhosted.org/packages/40/67/36322cf0387cf65e6be80ba2d9a33db227ecbc624902f0cb2e4bf456261f/Cython-0.29.23-cp38-cp38-manylinux1_x86_64.whl (1.9MB)
|████████████████████████████████| 1.9MB 23.3MB/s
Putting in collected packages: Cython
Efficiently put in Cython-0.29.23

4. Convert the python code into C code – cython good day.py –embed (observe: add –embed flag to create a standalone program. If –embed isn’t used the c code is not going to have a foremost as it can imply to create a shared object reasonably than a standalone executable. After the next command is issued and executed, a c supply file good day.c ought to be created in the identical listing)

$ cython good day.py -o cython.c
/usr/native/lib64/python3.8/site-packages/Cython/Compiler/Fundamental.py:369: FutureWarning: Cython directive 'language_level' not set, utilizing 2 for now (Py2). It will change in a later launch! File: /house/ec2-user/good day.py
tree = Parsing.p_module(s, pxd, full_module_name)

5. Compile the c code into an executable – gcc `python3-config –cflags –ldflags` good day.c -o good day (observe: the embrace and library paths python should be specified. The execution of the next command ought to create an executable file good day. this will probably be a distributable binary)

$ gcc `python3-config --cflags --ldflags` good day.c -o good day
$ [NO OUTPUT]

6. Test the folder content material – ls -rtl 

$ ls -rtl
whole 276
-rw-rw-r--. 1 ec2-user ec2-user    545 Jul 11 16:06 good day.py
-rw-rw-r--. 1 ec2-user ec2-user 139572 Jul 11 17:27 good day.c
-rwxrwxr-x. 1 ec2-user ec2-user 132312 Jul 11 17:29 good day

7. Run the good day script – ./hello (when requested, enter the “Root Token” from HashiCorp Vault Secret Supervisor article, step #4)

$ ./good day
Hashicorp Vault Token ID: [ --> Root Token: s.4Gl4TLJb1D82OWxxxxxxxxxx]
Shopper ID: 123456789
Shopper Secret: 987654321
Repo Token: a1b2c3d4e5

8. View the good day file content material – cat good day (observe: file output was truncated)

$ cat good day
ELF>?J@@?@8
@'&@@@@@h??@?@@@HUHU 0]0]`0]`?
?HX[cBE??j??@?@ Cֻ?|??V?T?????@?@ P?td`P`P@`P@??Q?tdR?td0]0]`0]`??/lib64/ld-linux-x86-64.so.2GNU?GNUGNU?M?;>P??¸ܿ???ȡX?d!
:?
@h`(?E@F @b`5`L@??F@<J?J@/?h`Q?Ok@ea@L@libpython3.6m.so.1.0_ITM_deregisterTMCloneTable__gmon_start___ITM_registerTMCloneTablelibpthread.so.0libdl.so.2libutil.so.1libm.so.6_PyThreadState_UncheckedGetPyFrame_NewPyEval_EvalFrameExPyObject_GetAttrPyObject_CallPyThreadState_Get_Py_CheckRecursionLimit_Py_CheckRecursiveCallPyErr_OccurredPyExc_SystemErrorPyErr_SetStringPyObject_GetAttrString_Py_NoneStructPyDict_SetItemStringPyExc_AttributeErrorPyErr_ExceptionMatchesPyErr_ClearPyExc_ImportErrorPyModule_NewObjectPyModule_GetDictPyDict_GetItemWithErrorPyTuple_PackPyExc_KeyErrorPyErr_SetObjectPyExc_NameErrorPyErr_Format_PyDict_GetItem_KnownHashPyList_NewPyDict_NewPyImport_ImportModuleLevelObjectPyExc_RuntimeErrorPyOS_snprintfPy_GetVersionPyErr_WarnExPyFrame_TypePyTuple_NewPyBytes_FromStringAndSizePyUnicode_FromStringAndSizePyImport_AddModulePyObject_SetAttrStringPyUnicode_InternFromStringPyUnicode_DecodePyObject_HashPyObject_SetAttrPyImport_GetModuleDictPyDict_GetItemStringPyDict_SetItem_PyObject_GetDictPtrPyObject_Not_Py_FalseStruct_Py_TrueStructPyUnicode_FromStringPyFunction_TypePyEval_EvalCodeExPyCFunction_TypePyDict_TypePyObject_GetItemPyNumber_AddPyUnicode_FromFormatPyCode_NewPyMem_MallocPyMem_ReallocPyTraceBack_HerePyModuleDef_InitPyModule_TypePyType_IsSubtypePyModule_ExecDefPyErr_PrintPy_FinalizeExPyMem_RawFreePy_InitializePy_SetProgramNamePySys_SetArgvlibc.so.6setlocalembrtowcmbstowcs__stack_chk_failstrdupstrlenmallocstderrfwrite__libc_start_mainfree_edata__bss_start_end__pyx_module_is_main_helloPyInit_hello_IO_stdin_used__data_start__libc_csu_init__libc_csu_finiquiBC_2.D1?1?A?D9?%D??)șA???Hc?H??D9}?H??A????Hc?H??D9}???AVI??AUI??ATI??USH??????H??1?L??H??H???????H??H??tGH?D 1?H?L9?}I?T?H?H??H????1?H???????E H?
I??u
[]AA]A^????H??H??I???O???L?%?9 ?H ???H A;AVAUATUSH?L???M??u
$3H??H??L??A??H???&????p ?V??P A?$?H?=????
@?H?=?%?{?????t?1??59?} ??????@$H??u#?|???H??H??u?H??8 H?5?%H?8????H??[]AA]A^?AVE??AUI??ATI??H??US?y???H??t5H;]8 H??1?A??tH??L??L????????H?
u)H?H???P0?H?08 ???H?8?]?????t?????1?[??]AA]A^???AUI??ATUSQ?$???H?PH??@ H??u H??@ ?"H9?tH?'8 H?%1?H?8?????H?-?B H??t H?E??H?5?%L??????I??H????H???A???I?
$H??u
wpercentL??L??H?s%?I?????xH???H? I?DL???P0H????H??????I??H????A?H?
u
H?H???P0ZH??[]AA]?USH??Q?-???H??H??ub?`???H??u[H?H?????t7?1??o???H??H??t7H??H?E6 H?8?e???H?

Final thoughts

This article attempts to find a solution to the problem. Cython seems like a promising option to consider. It is true that any user will have access to binaries that can be used to reverse engineer the application, but that’s going to take a good amount of time and work.

Disclaimers

  1. This article aims to cover the basic functionality of Cython.
  2. It’s also possible to combine the different approaches to provide an even more secure environment.
  3. Want to learn more about Cython? Please contact the Cross-Domain TAB team (mailto: xdc-amer-tab).

 


We’d love to hear what you think. Ask a question or leave a comment below.
And stay connected with Cisco DevNet on social!

LinkedIn | Twitter @CiscoDevNet | Facebook Developer Video Channel

 

Share: