On 25Aug2017 1105, Christian Heimes wrote:
> On 2017-08-24 19:13, Steve Dower wrote:
>> Hi security-sig,
>>
>> Those of you who were at the PyCon US language summit this year (or who
>> saw the coverage at https://lwn.net/Articles/723823/) may recall that I
>> talked briefly about the ways Python is used by attackers to gain and/or
>> retain access to systems on local networks.
>> [...]
>> TODO - more hooks in ``_socket``, ``_ssl``, others?
>
> Does it make sense to include mmap()? After all mmap can be used to
> execute arbitrary machine code in memory.

Yes, absolutely. I think array and struct can too without having to go
through ctypes.

> For the SSL module, what would you like to log? Server certs and
> connection parameters (cipher suite)?

I've seen some samples of code that disable validation or use alternate
CA certs. Probably context creation is the most important aspect, since
I think a lot of the rest will be caught by the _socket module. There's
a good balance somewhere between collecting all network traffic (though
not necessarily keeping it anywhere) or none, but I'm not entirely sure
where that is yet.

I'll probably spend a day this weekend continuing to go through the
stdlib and see what I think should be included. No doubt we'll spend
time at the sprints arguing over specific items - I'm looking forward to
it :)

Cheers,
Steve
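
An added example, not code from this thread or from the draft it discusses: a defender-side hook registered with `sys.addaudithook` (the audit API available in CPython 3.8 and later) that records the `mmap` and `socket` events of the kind discussed above. The names `WATCHED`, `RECORDS`, `summarize` and `install` are chosen here for illustration, and the SSL context case is left out.

```python
import mmap
import socket
import sys

# Audit event names raised by CPython 3.8+ for the modules named in the thread.
WATCHED = ("mmap.__new__", "socket.__new__", "socket.connect", "socket.bind")

RECORDS = []  # in a real deployment this would go to a log sink, not a list


def summarize(event, args):
    """Turn one audit event into a loggable dict, or None if it is not watched."""
    if event == "mmap.__new__":
        fileno, length, access, _offset = args
        # fileno == -1 is an anonymous mapping: memory not backed by any file.
        return {"event": event, "anonymous": fileno == -1,
                "length": length, "access": access}
    if event == "socket.__new__":
        _sock, family, kind, proto = args
        return {"event": event, "family": int(family),
                "type": int(kind), "proto": int(proto)}
    if event in ("socket.connect", "socket.bind"):
        _sock, address = args
        return {"event": event, "address": repr(address)}
    return None


def _hook(event, args):
    # Hooks run for every audited operation: filter early and never raise,
    # because an exception here would abort the operation being audited.
    if event in WATCHED:
        try:
            RECORDS.append(summarize(event, args))
        except Exception:
            RECORDS.append({"event": event, "error": "unparsed"})


def install():
    """Register the hook once; audit hooks cannot be removed afterwards."""
    if not getattr(install, "done", False):
        sys.addaudithook(_hook)
        install.done = True
    return RECORDS


if __name__ == "__main__":
    log = install()
    mmap.mmap(-1, 4096).close()  # constructed sample activity
    socket.socket(socket.AF_INET, socket.SOCK_STREAM).close()
    for entry in log:
        print(entry)
```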