From 94470ade7c539032e847d5a5eec3660cec64e335 Mon Sep 17 00:00:00 2001 From: Pablo Galindo Date: Sun, 15 Dec 2024 18:30:47 +0000 Subject: [PATCH 1/8] PEP 768: Expand the security considerations section Signed-off-by: Pablo Galindo --- peps/pep-0768.rst | 49 +++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 49 insertions(+) diff --git a/peps/pep-0768.rst b/peps/pep-0768.rst index 113db96096d..b005f5dd605 100644 --- a/peps/pep-0768.rst +++ b/peps/pep-0768.rst @@ -294,6 +294,24 @@ An example usage of the API would look like: except Exception as e: print(f"Failed to execute code: {e}") +Configuration API +----------------- + +To allow redistributors, system administrators, or users to disable this +mechanism, several methods will be provided to control the behavior of the +interpreter: + +A new environment ``PYTHON_DISABLE_REMOTE_DEBUGGING`` environment variable will +be provided to control the behaviour at runtime. If set to any value, the +interpreter will ignore any attempts to attach a debugger using this mechanism. + +This environment variable will be added together with a new ``-X disable-remote-debugging`` +flag to the Python interpreter to allow users to disable this feature at runtime. + +Additionally a new ``--without-remote-debugging`` flag will be added to the +``configure`` script to allow redistributors to build Python without support for +remote debugging if they so desire. + Backwards Compatibility ======================= @@ -310,6 +328,10 @@ processes that can already write to arbitrary memory within your process and execute arbitrary code on the machine (in order to create the file containing the Python code to be executed). +Furtermore, the execution of the code is done is gated by the interpreter's +audit hooks, which can be used to monitor and control the execution of the code +in sensitive environments. + Existing operating system security mechanisms are effective for guarding against attackers gaining arbitrary memory write access. Although the PEP doesn't specify how memory should be written to the target process, in practice @@ -368,6 +390,33 @@ proposed interface. By maintaining compatibility with existing security frameworks, this design ensures that adopting the new interface requires no changes to established. +Security scenarios +------------------ + +* For an external attacker, the ability to write to arbitrary memory in a + process is already a severe security issue. This interface does not introduce + any new attack surface, as the attacker would already have the ability to + execute arbitrary code in the process. This interface behaves in exactly + the same way as existing debuggers, and does not introduce any new additional + security risks. +* For an attacker who has gained arbitrary memory write access to a process but + not arbitrary code execution, this interface does not provide a way to escalate + to arbitrary code execution as long as the attacker has not gained control over + additional machine resources external to the program. + +Additionally, the fact that the code to be executed is gated by the interpreter's +audit hooks means that the execution of the code can be monitored and controlled +by system administrators. This means that even if the attacker has compromised the +application **and the filesystem**, leveraging this interface for malicious +purposes provides a very risky proposition for an attacker, as they risk +exposing their actions to system administrators that could not only detect the +attack but also take action to prevent it. Finally, is important to note that +if an attacker has arbitrary memory write access to a process and has compromised +the filesystem, they can already escalate to arbitrary code execution using +other existing mechanisms, so this interface does not introduce any new risks +in this scenario. + + How to Teach This ================= From 91ff7f5534e24a8c0ce91890a281024453ac7312 Mon Sep 17 00:00:00 2001 From: Pablo Galindo Salgado Date: Sun, 15 Dec 2024 20:08:18 +0000 Subject: [PATCH 2/8] Update pep-0768.rst Co-authored-by: Matt Wozniski --- peps/pep-0768.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/peps/pep-0768.rst b/peps/pep-0768.rst index b005f5dd605..b620fa0b429 100644 --- a/peps/pep-0768.rst +++ b/peps/pep-0768.rst @@ -328,7 +328,7 @@ processes that can already write to arbitrary memory within your process and execute arbitrary code on the machine (in order to create the file containing the Python code to be executed). -Furtermore, the execution of the code is done is gated by the interpreter's +Furthermore, the execution of the code is gated by the interpreter's audit hooks, which can be used to monitor and control the execution of the code in sensitive environments. From 6f5cc0b0349ee8f70492b261f83d7df74b6177e0 Mon Sep 17 00:00:00 2001 From: Pablo Galindo Salgado Date: Sun, 15 Dec 2024 20:08:24 +0000 Subject: [PATCH 3/8] Update pep-0768.rst Co-authored-by: Matt Wozniski --- peps/pep-0768.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/peps/pep-0768.rst b/peps/pep-0768.rst index b620fa0b429..7bff9084922 100644 --- a/peps/pep-0768.rst +++ b/peps/pep-0768.rst @@ -329,7 +329,7 @@ execute arbitrary code on the machine (in order to create the file containing the Python code to be executed). Furthermore, the execution of the code is gated by the interpreter's -audit hooks, which can be used to monitor and control the execution of the code +audit hooks, which can be used to monitor or prevent the execution of the code in sensitive environments. Existing operating system security mechanisms are effective for guarding From 98d4be3a064eccc603b6be88074664afb187279a Mon Sep 17 00:00:00 2001 From: Pablo Galindo Salgado Date: Sun, 15 Dec 2024 21:35:30 +0000 Subject: [PATCH 4/8] Update peps/pep-0768.rst --- peps/pep-0768.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/peps/pep-0768.rst b/peps/pep-0768.rst index 7bff9084922..1a48623154c 100644 --- a/peps/pep-0768.rst +++ b/peps/pep-0768.rst @@ -302,7 +302,7 @@ mechanism, several methods will be provided to control the behavior of the interpreter: A new environment ``PYTHON_DISABLE_REMOTE_DEBUGGING`` environment variable will -be provided to control the behaviour at runtime. If set to any value, the +be provided to control the behaviour at runtime. If set to any value (including an empty string), the interpreter will ignore any attempts to attach a debugger using this mechanism. This environment variable will be added together with a new ``-X disable-remote-debugging`` From 21dc62c82ee54988eb2d1ddc213893578011b40c Mon Sep 17 00:00:00 2001 From: Pablo Galindo Salgado Date: Sun, 15 Dec 2024 21:37:26 +0000 Subject: [PATCH 5/8] Update peps/pep-0768.rst --- peps/pep-0768.rst | 2 ++ 1 file changed, 2 insertions(+) diff --git a/peps/pep-0768.rst b/peps/pep-0768.rst index 1a48623154c..d20d6eeb894 100644 --- a/peps/pep-0768.rst +++ b/peps/pep-0768.rst @@ -312,6 +312,8 @@ Additionally a new ``--without-remote-debugging`` flag will be added to the ``configure`` script to allow redistributors to build Python without support for remote debugging if they so desire. +A new flag indicating the status of remote debugging will be made available via the debug offsets so tools can query if a remote process has disabled the feature. This way, tools can offer a useful error message explaining why they won't work, instead of believing that they have attached and then never having their script run. T + Backwards Compatibility ======================= From 7c070c689ca79a586ec4a7276ffa62e94550fb09 Mon Sep 17 00:00:00 2001 From: Pablo Galindo Salgado Date: Sun, 15 Dec 2024 23:38:03 +0000 Subject: [PATCH 6/8] Update peps/pep-0768.rst Co-authored-by: Matt Wozniski --- peps/pep-0768.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/peps/pep-0768.rst b/peps/pep-0768.rst index d20d6eeb894..2fbfc4be40a 100644 --- a/peps/pep-0768.rst +++ b/peps/pep-0768.rst @@ -312,7 +312,7 @@ Additionally a new ``--without-remote-debugging`` flag will be added to the ``configure`` script to allow redistributors to build Python without support for remote debugging if they so desire. -A new flag indicating the status of remote debugging will be made available via the debug offsets so tools can query if a remote process has disabled the feature. This way, tools can offer a useful error message explaining why they won't work, instead of believing that they have attached and then never having their script run. T +A new flag indicating the status of remote debugging will be made available via the debug offsets so tools can query if a remote process has disabled the feature. This way, tools can offer a useful error message explaining why they won't work, instead of believing that they have attached and then never having their script run. Backwards Compatibility From 708775ce85f7f69631ebb4bd29f675a59b5b47a7 Mon Sep 17 00:00:00 2001 From: Pablo Galindo Salgado Date: Mon, 16 Dec 2024 13:18:47 +0000 Subject: [PATCH 7/8] Apply suggestions from code review Co-authored-by: Matt Wozniski Co-authored-by: Steve Dower --- peps/pep-0768.rst | 19 +++++++++++++------ 1 file changed, 13 insertions(+), 6 deletions(-) diff --git a/peps/pep-0768.rst b/peps/pep-0768.rst index 2fbfc4be40a..85a690e3999 100644 --- a/peps/pep-0768.rst +++ b/peps/pep-0768.rst @@ -301,7 +301,7 @@ To allow redistributors, system administrators, or users to disable this mechanism, several methods will be provided to control the behavior of the interpreter: -A new environment ``PYTHON_DISABLE_REMOTE_DEBUGGING`` environment variable will +A new ``PYTHON_DISABLE_REMOTE_DEBUGGING`` environment variable will be provided to control the behaviour at runtime. If set to any value (including an empty string), the interpreter will ignore any attempts to attach a debugger using this mechanism. @@ -312,7 +312,11 @@ Additionally a new ``--without-remote-debugging`` flag will be added to the ``configure`` script to allow redistributors to build Python without support for remote debugging if they so desire. -A new flag indicating the status of remote debugging will be made available via the debug offsets so tools can query if a remote process has disabled the feature. This way, tools can offer a useful error message explaining why they won't work, instead of believing that they have attached and then never having their script run. +A new flag indicating the status of remote debugging will be made available via +the debug offsets so tools can query if a remote process has disabled the +feature. This way, tools can offer a useful error message explaining why they +won't work, instead of believing that they have attached and then never having +their script run. Backwards Compatibility @@ -402,9 +406,10 @@ Security scenarios the same way as existing debuggers, and does not introduce any new additional security risks. * For an attacker who has gained arbitrary memory write access to a process but - not arbitrary code execution, this interface does not provide a way to escalate - to arbitrary code execution as long as the attacker has not gained control over - additional machine resources external to the program. + not arbitrary code execution, this interface does not allow them to escalate. + The ability to calculate and write to specific memory locations is required, + which is not available without compromising other machine resources that + are external to the Python process. Additionally, the fact that the code to be executed is gated by the interpreter's audit hooks means that the execution of the code can be monitored and controlled @@ -412,7 +417,9 @@ by system administrators. This means that even if the attacker has compromised t application **and the filesystem**, leveraging this interface for malicious purposes provides a very risky proposition for an attacker, as they risk exposing their actions to system administrators that could not only detect the -attack but also take action to prevent it. Finally, is important to note that +attack but also take action to prevent it. + +Finally, is important to note that if an attacker has arbitrary memory write access to a process and has compromised the filesystem, they can already escalate to arbitrary code execution using other existing mechanisms, so this interface does not introduce any new risks From 026571ae6b2700fe5c824075f2bf36abd286e7e9 Mon Sep 17 00:00:00 2001 From: Pablo Galindo Date: Mon, 16 Dec 2024 13:23:55 +0000 Subject: [PATCH 8/8] Fix formatting and address review comments --- peps/pep-0768.rst | 17 ++++++++--------- 1 file changed, 8 insertions(+), 9 deletions(-) diff --git a/peps/pep-0768.rst b/peps/pep-0768.rst index 85a690e3999..32475ab76fc 100644 --- a/peps/pep-0768.rst +++ b/peps/pep-0768.rst @@ -301,14 +301,14 @@ To allow redistributors, system administrators, or users to disable this mechanism, several methods will be provided to control the behavior of the interpreter: -A new ``PYTHON_DISABLE_REMOTE_DEBUGGING`` environment variable will +A new ``PYTHON_DISABLE_REMOTE_DEBUG`` environment variable will be provided to control the behaviour at runtime. If set to any value (including an empty string), the interpreter will ignore any attempts to attach a debugger using this mechanism. -This environment variable will be added together with a new ``-X disable-remote-debugging`` +This environment variable will be added together with a new ``-X disable-remote-debug`` flag to the Python interpreter to allow users to disable this feature at runtime. -Additionally a new ``--without-remote-debugging`` flag will be added to the +Additionally a new ``--without-remote-debug`` flag will be added to the ``configure`` script to allow redistributors to build Python without support for remote debugging if they so desire. @@ -330,7 +330,7 @@ Security Implications ===================== This interface does not introduce new security concerns as it is only usable by -processes that can already write to arbitrary memory within your process and +processes that can already write to arbitrary memory within a given process and execute arbitrary code on the machine (in order to create the file containing the Python code to be executed). @@ -419,11 +419,10 @@ purposes provides a very risky proposition for an attacker, as they risk exposing their actions to system administrators that could not only detect the attack but also take action to prevent it. -Finally, is important to note that -if an attacker has arbitrary memory write access to a process and has compromised -the filesystem, they can already escalate to arbitrary code execution using -other existing mechanisms, so this interface does not introduce any new risks -in this scenario. +Finally, is important to note that if an attacker has arbitrary memory write +access to a process and has compromised the filesystem, they can already +escalate to arbitrary code execution using other existing mechanisms, so this +interface does not introduce any new risks in this scenario. How to Teach This