Saiyang Gou <gousaiyang...@gmail.com> added the comment:

We understand that audit hooks should not be used to build a sandbox with 
Python. It is natural for audit hooks to appear in CTF challenges though, as 
many CTF challenges intentionally try to use a wrong way to secure a system 
(and let players prove it wrong).

With that being said, audit hooks should still be robust, even for logging 
purposes. We are not trying to prevent all kinds of malicious behaviors, but we 
want to detect them *as much as possible*. If audit hooks can be easily removed 
while triggering very few seemingly non-sensitive audit events (in this CTF 
challenge, only "import gc" is triggered, which probably looks "not so 
suspicious"), this allows attackers to hide details of further malicious 
behavior without being audited, which violates the motivation of audit hooks 
(to increase security transparency).

The recent gc patch introduced new events which will make the attack in that 
CTF challenge look more suspicious. But probably it is still better to harden 
the current data structure used to store per interpreter audit hooks. If an 
attacker happens to gain a reference to the list holding the hooks (although 
I'm not sure how that will still be possible without using `gc`), they can 
easily remove the hooks at the Python language level. Probably a Python tuple 
is already better than a Python list to store the hooks, since tuples are 
immutable at the language level. Although that means we should build a new 
tuple each time a new hook is added.

If the hook itself is fragile (e.g. a hook written in Python which relies on 
global variables), it is a user fault. But if the hook function itself is good, 
it shouldn't be too easy to remove. Any successful attempts to remove the hook 
must have already "pwned" the Python interpreter (i.e. gained arbitrary memory 
read/write or native code execution ability), either by using ctypes, by 
open('/proc/self/mem'), by crafting bytecode (which triggers code.__new__) or 
importing modules written in native code. (Overwriting hook.__code__ triggers 
object.__setattr__.)

----------
nosy: +gousaiyang

_______________________________________
Python tracker <rep...@bugs.python.org>
<https://bugs.python.org/issue43438>
_______________________________________
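Added example, not part of this tracker comment or of CPython: an audit hook built the way the comment recommends (state kept in a closure rather than module globals) that grades the events the comment names as signs of interpreter tampering. The event names are CPython's documented audit events; the severity mapping and the watched names are assumptions made for illustration.

```python
"""Audit hook that keeps its state in a closure, not in module globals."""
import sys

# Events the comment names as evidence that the interpreter itself is being
# tampered with (native code, crafted bytecode, new hooks). Assumed mapping.
HIGH_RISK_EVENTS = {
    "ctypes.dlopen", "ctypes.dlsym", "ctypes.addressof", "ctypes.string_at",
    "code.__new__", "sys.addaudithook",
}
# Imports worth flagging even though the event itself is a plain "import".
WATCHED_IMPORTS = {"gc", "ctypes"}
# Attribute writes that would swap a hook function's behaviour underneath it.
WATCHED_ATTRS = {"__code__", "__globals__", "__closure__"}


def classify(event, args):
    """Return 'high', 'medium' or 'low' for one (event, args) pair."""
    if event in HIGH_RISK_EVENTS:
        return "high"
    if event == "import" and args and args[0] in WATCHED_IMPORTS:
        return "medium"  # "import gc" alone is the CTF's only visible trace
    if event == "open" and args and str(args[0]).startswith("/proc/"):
        return "high"  # e.g. open('/proc/self/mem'); args = (path, mode, flags)
    if event == "object.__setattr__" and len(args) >= 2 and args[1] in WATCHED_ATTRS:
        return "high"  # args = (obj, name, value)
    return "low"


def make_hook():
    """Return (hook, records); the log list is reachable only via `records`."""
    records = []

    def hook(event, args):
        # Never raise: a raising hook aborts the audited operation, and the
        # goal here is transparency. Store repr() so the log keeps no objects alive.
        severity = classify(event, args)
        if severity != "low":
            records.append((severity, event, repr(args)))

    return hook, records


def install():
    hook, records = make_hook()
    sys.addaudithook(hook)  # existing hooks see a 'sys.addaudithook' event
    return records


if __name__ == "__main__":
    log = install()
    import gc  # noqa: F401  recorded as medium severity
    for entry in log:
        print(*entry)
```

Hooks cannot be uninstalled once added, so `install()` is meant to run once at startup; anything graded "low" is deliberately dropped to keep the log small.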