Auditing Hooks and Security Transparency for CPython

Explore the implementation of security transparency and auditing hooks in CPython with this EuroPython 2019 conference talk. Delve into the motivations behind Python Enhancement Proposals 551 and 578, which aim to detect and prevent anomalous or malicious use of Python. Learn about the concept of auditing hooks and verified open calls for reading code from files, set to be introduced in Python 3.8. Discover how these security enhancements can be integrated with Linux and Windows security frameworks to improve threat detection and prevention. Gain insights into the potential scope, limitations, and future implications of these security measures for the Python community. Examine practical examples, implementation details, and open issues surrounding this initiative to create a more secure Python interpreter while maintaining its usefulness for developers.

Intro
Today's Agenda
Runtime Audit Hooks (PED 578)
Python Security Engineer Checklist
Listening to audit hooks
What events should you expect?
What to do with an event?
Creating audit events
Why would you hook io.open_code()?
What else do you need to do?
Integrating with Windows
Windows Event Log features
Code Signing
Windows Defender Application Control
Integrating with Linux
Prerequisites
DTrace / System Tap instrumentation
io.open code() on Linux
Extended file attributes
Securing xattr
Open issues and exploits
Summary
Resources