As an Amazon Associate I earn from qualifying purchases from amazon.com

Securing Python Code with Cython


Due to the character of Python (interpreted language), securing the supply code is a difficult process. With a view to execute the supply code, it should be out there in some kind.

All through this text, I’ll element the compiling modules with Cython technique/resolution to the problem of defending a Python-based codebase.

Cython is a static compiler for Python and Cython programming languages, it simplifies the job of writing Python C extensions. Cython permits us to compile Python code, the result’s dynamic libraries that can be utilized as python modules too.

The Cython import course of is as follows:

  • shared library (.so, .pyd)
  • python bytecode (.pyo, .pyc)
  • python file (.py)

So… what are the advantages of utilizing Cython compiled modules?

  • Binary modules will impose a a lot more durable process to get the unique Python code, reverse engineering strategies should be used to take action.
  • Cython generated C code may be modified to introduce adjustments, enhance safety, and so forth.
  • GCC optimization flags can be utilized whereas compiling the library
  • Tracebacks received’t reveal code, however simply line numbers (until disabled ).
  • Cython takes Python code and interprets it to C, which is then compiled by GCC (or comparable), the compiled code will run sooner than the pure Python model.

Let’s evaluation the essential performance of Cython

Keep in mind the hey.py script from the HashiCorp Vault Secret Supervisor article? Nicely, pulling secrets and techniques from HashiCorp Vault is nice however If you consider it… if the consumer can entry/modify the code, he/she will be able to add a easy print assertion to disclose the secrets and techniques (verify strains #19 – #21)

import getpass
import hvac
​
VAULT_ADDR = 'http://127.0.0.1:8200'
VAULT_TOKEN = getpass.getpass('Hashicorp Vault Token ID: ')
​
shopper = hvac.Shopper()
shopper = hvac.Shopper(
url = VAULT_ADDR,
token = VAULT_TOKEN
)
​
response = shopper.secrets and techniques.kv.read_secret_version(path='ap')
​
client_id = response['data']['data']['client_id']
client_secret = response['data']['data']['client_secret']
repo_token = response['data']['data']['repo_token']
​
print("Shopper ID: " + client_id)
print("Shopper Secret: " + client_secret)
print("Repo Token: " + repo_token)

hmmm… We have to forestall others from modifying the file… let’s see how Cython may help with that.

1. For the sake of this POC, let’s depart the three print statements (strains #19 – #21). Ideally, these strains needs to be eliminated 😉

2. Be sure that to have the “python3-devel” package deal put in (e.g., sudo yum set up python3-devel)

3. Set up Cython- sudo pip3 set up Cython

$ sudo pip3 set up Cython
Amassing Cython
Downloading https://recordsdata.pythonhosted.org/packages/40/67/36322cf0387cf65e6be80ba2d9a33db227ecbc624902f0cb2e4bf456261f/Cython-0.29.23-cp38-cp38-manylinux1_x86_64.whl (1.9MB)
|████████████████████████████████| 1.9MB 23.3MB/s
Putting in collected packages: Cython
Efficiently put in Cython-0.29.23

4. Convert the python code into C code – cython hey.py –embed (observe: add –embed flag to create a standalone program. If –embed isn’t used the c code is not going to have a fundamental as it’ll imply to create a shared object slightly than a standalone executable. After the next command is issued and executed, a c supply file hey.c needs to be created in the identical listing)

$ cython hey.py -o cython.c
/usr/native/lib64/python3.8/site-packages/Cython/Compiler/Primary.py:369: FutureWarning: Cython directive 'language_level' not set, utilizing 2 for now (Py2). This can change in a later launch! File: /residence/ec2-user/hey.py
tree = Parsing.p_module(s, pxd, full_module_name)

5. Compile the c code into an executable – gcc `python3-config –cflags –ldflags` hey.c -o hey (observe: the embrace and library paths python should be specified. The execution of the next command ought to create an executable file hey. this might be a distributable binary)

$ gcc `python3-config --cflags --ldflags` hey.c -o hey
$ [NO OUTPUT]

6. Examine the folder content material – ls -rtl 

$ ls -rtl
whole 276
-rw-rw-r--. 1 ec2-user ec2-user    545 Jul 11 16:06 hey.py
-rw-rw-r--. 1 ec2-user ec2-user 139572 Jul 11 17:27 hey.c
-rwxrwxr-x. 1 ec2-user ec2-user 132312 Jul 11 17:29 hey

7. Run the hey script – ./hello (when requested, enter the “Root Token” from HashiCorp Vault Secret Supervisor article, step #4)

$ ./hey
Hashicorp Vault Token ID: [ --> Root Token: s.4Gl4TLJb1D82OWxxxxxxxxxx]
Shopper ID: 123456789
Shopper Secret: 987654321
Repo Token: a1b2c3d4e5

8. View the hey file content material – cat hey (observe: file output was truncated)

$ cat hey
ELF>?J@@?@8
@'&@@@@@h??@?@@@HUHU 0]0]`0]`?
?HX[cBE??j??@?@ Cֻ?|??V?T?????@?@ P?td`P`P@`P@??Q?tdR?td0]0]`0]`??/lib64/ld-linux-x86-64.so.2GNU?GNUGNU?M?;>P??¸ܿ???ȡX?d!
:?
@h`(?E@F @b`5`L@??F@<J?J@/?h`Q?Ok@ea@L@libpython3.6m.so.1.0_ITM_deregisterTMCloneTable__gmon_start___ITM_registerTMCloneTablelibpthread.so.0libdl.so.2libutil.so.1libm.so.6_PyThreadState_UncheckedGetPyFrame_NewPyEval_EvalFrameExPyObject_GetAttrPyObject_CallPyThreadState_Get_Py_CheckRecursionLimit_Py_CheckRecursiveCallPyErr_OccurredPyExc_SystemErrorPyErr_SetStringPyObject_GetAttrString_Py_NoneStructPyDict_SetItemStringPyExc_AttributeErrorPyErr_ExceptionMatchesPyErr_ClearPyExc_ImportErrorPyModule_NewObjectPyModule_GetDictPyDict_GetItemWithErrorPyTuple_PackPyExc_KeyErrorPyErr_SetObjectPyExc_NameErrorPyErr_Format_PyDict_GetItem_KnownHashPyList_NewPyDict_NewPyImport_ImportModuleLevelObjectPyExc_RuntimeErrorPyOS_snprintfPy_GetVersionPyErr_WarnExPyFrame_TypePyTuple_NewPyBytes_FromStringAndSizePyUnicode_FromStringAndSizePyImport_AddModulePyObject_SetAttrStringPyUnicode_InternFromStringPyUnicode_DecodePyObject_HashPyObject_SetAttrPyImport_GetModuleDictPyDict_GetItemStringPyDict_SetItem_PyObject_GetDictPtrPyObject_Not_Py_FalseStruct_Py_TrueStructPyUnicode_FromStringPyFunction_TypePyEval_EvalCodeExPyCFunction_TypePyDict_TypePyObject_GetItemPyNumber_AddPyUnicode_FromFormatPyCode_NewPyMem_MallocPyMem_ReallocPyTraceBack_HerePyModuleDef_InitPyModule_TypePyType_IsSubtypePyModule_ExecDefPyErr_PrintPy_FinalizeExPyMem_RawFreePy_InitializePy_SetProgramNamePySys_SetArgvlibc.so.6setlocalembrtowcmbstowcs__stack_chk_failstrdupstrlenmallocstderrfwrite__libc_start_mainfree_edata__bss_start_end__pyx_module_is_main_helloPyInit_hello_IO_stdin_used__data_start__libc_csu_init__libc_csu_finiquiBC_2.D1?1?A?D9?%D??)șA???Hc?H??D9}?H??A????Hc?H??D9}???AVI??AUI??ATI??USH??????H??1?L??H??H???????H??H??tGH?D 1?H?L9?}I?T?H?H??H????1?H???????E H?
I??u
[]AA]A^????H??H??I???O???L?%?9 ?H ???H A;AVAUATUSH?L???M??u
$3H??H??L??A??H???&????p ?V??P A?$?H?=????
@?H?=?%?{?????t?1??59?} ??????@$H??u#?|???H??H??u?H??8 H?5?%H?8????H??[]AA]A^?AVE??AUI??ATI??H??US?y???H??t5H;]8 H??1?A??tH??L??L????????H?
u)H?H???P0?H?08 ???H?8?]?????t?????1?[??]AA]A^???AUI??ATUSQ?$???H?PH??@ H??u H??@ ?"H9?tH?'8 H?%1?H?8?????H?-?B H??t H?E??H?5?%L??????I??H????H???A???I?
$H??u
wpercentL??L??H?s%?I?????xH???H? I?DL???P0H????H??????I??H????A?H?
u
H?H???P0ZH??[]AA]?USH??Q?-???H??H??ub?`???H??u[H?H?????t7?1??o???H??H??t7H??H?E6 H?8?e???H?

Final thoughts

This article attempts to find a solution to the problem. Cython seems like a promising option to consider. It is true that any user will have access to binaries that can be used to reverse engineer the application, but that’s going to take a good amount of time and work.

Disclaimers

  1. This article aims to cover the basic functionality of Cython.
  2. It’s also possible to combine the different approaches to provide an even more secure environment.
  3. Want to learn more about Cython? Please contact the Cross-Domain TAB team (mailto: xdc-amer-tab).

 


We’d love to hear what you think. Ask a question or leave a comment below.
And stay connected with Cisco DevNet on social!

LinkedIn | Twitter @CiscoDevNet | Facebook Developer Video Channel

 

Share:



We will be happy to hear your thoughts

Leave a reply

Dealssoreal
Logo
Enable registration in settings - general
Compare items
  • Total (0)
Compare
0
Shopping cart