@@ -294,6 +294,30 @@ An example usage of the API would look like:
294294 except Exception as e:
295295 print (f " Failed to execute code: { e} " )
296296
297+
298+ -----------------
299+
300+ To allow redistributors, system administrators, or users to disable this
301+ mechanism, several methods will be provided to control the behavior of the
302+ interpreter:
303+
304+ A new ``PYTHON_DISABLE_REMOTE_DEBUG `` environment variable will
305+ be provided to control the behaviour at runtime. If set to any value (including an empty string), the
306+ interpreter will ignore any attempts to attach a debugger using this mechanism.
307+
308+ This environment variable will be added together with a new ``-X disable-remote-debug ``
309+ flag to the Python interpreter to allow users to disable this feature at runtime.
310+
311+ Additionally a new ``--without-remote-debug `` flag will be added to the
312+ ``configure `` script to allow redistributors to build Python without support for
313+ remote debugging if they so desire.
314+
315+ A new flag indicating the status of remote debugging will be made available via
316+ the debug offsets so tools can query if a remote process has disabled the
317+ feature. This way, tools can offer a useful error message explaining why they
318+ won't work, instead of believing that they have attached and then never having
319+ their script run.
320+
297321
298322Backwards Compatibility
299323=======================
@@ -306,10 +330,14 @@ Security Implications
306330=====================
307331
308332This interface does not introduce new security concerns as it is only usable by
309- processes that can already write to arbitrary memory within your process and
333+ processes that can already write to arbitrary memory within a given process and
310334execute arbitrary code on the machine (in order to create the file containing
311335the Python code to be executed).
312336
337+ Furthermore, the execution of the code is gated by the interpreter's
338+ audit hooks, which can be used to monitor or prevent the execution of the code
339+ in sensitive environments.
340+
313341Existing operating system security mechanisms are effective for guarding
314342against attackers gaining arbitrary memory write access. Although the PEP
315343doesn't specify how memory should be written to the target process, in practice
@@ -368,6 +396,35 @@ proposed interface.
368396By maintaining compatibility with existing security frameworks, this design
369397ensures that adopting the new interface requires no changes to established.
370398
399+ Security scenarios
400+ ------------------
401+
402+ * For an external attacker, the ability to write to arbitrary memory in a
403+ process is already a severe security issue. This interface does not introduce
404+ any new attack surface, as the attacker would already have the ability to
405+ execute arbitrary code in the process. This interface behaves in exactly
406+ the same way as existing debuggers, and does not introduce any new additional
407+ security risks.
408+ * For an attacker who has gained arbitrary memory write access to a process but
409+ not arbitrary code execution, this interface does not allow them to escalate.
410+ The ability to calculate and write to specific memory locations is required,
411+ which is not available without compromising other machine resources that
412+ are external to the Python process.
413+
414+ Additionally, the fact that the code to be executed is gated by the interpreter's
415+ audit hooks means that the execution of the code can be monitored and controlled
416+ by system administrators. This means that even if the attacker has compromised the
417+ application **and the filesystem **, leveraging this interface for malicious
418+ purposes provides a very risky proposition for an attacker, as they risk
419+ exposing their actions to system administrators that could not only detect the
420+ attack but also take action to prevent it.
421+
422+ Finally, is important to note that if an attacker has arbitrary memory write
423+ access to a process and has compromised the filesystem, they can already
424+ escalate to arbitrary code execution using other existing mechanisms, so this
425+ interface does not introduce any new risks in this scenario.
426+
427+
371428How to Teach This
372429=================
373430
0 commit comments