CPython Core Security

Lightning talk about CPython Core Security and Python 3.4 at EuroPython 2014, Berlin

Christian Heimes

July 24, 2014

Transcript

  1. Python Security Response Team
    • Red Hat
    • Google
    • ...
    • Ruby Core Developers
    • PHP Core Developers
    • ...
  2. Open Source Defect Density By Project Size

    | Lines of Code (LOC)  | Defect Density |
    |----------------------|----------------|
    | Less than 100,000    | 0.35           |
    | 100,000 to 499,999   | 0.5            |
    | 500,000 to 1 million | 0.7            |
    | More than 1 million  | 0.65           |
  3. PEP 456: Secure and interchangeable hash algorithm
    • Dan J. Bernstein's SipHash24 prevents hash collision DoS attacks (Python 3.4)
  4. Isolated Mode
    • #!/usr/bin/python -I
    • ignore PYTHON* env vars
    • don't load user's site-packages directory (PEP 370)
    • don't add current working directory to sys.path (Python 3.4)
  5. os.urandom()
    • Windows: CryptGenRandom()
    • POSIX: /dev/urandom
      – optimized implementation with persistent file descriptor (Python 3.4)
    • Not yet: Linux's getrandom(2) syscall
  6. import random
    • random uses Mersenne Twister
    • insecure, not a CPRNG
    • 624 consecutive outputs are enough to recover the internal state!
  7. hashlib.pbkdf2_hmac()
    • Secure password derivation function (Python 3.4)
    • Pure Python implementation
    • OpenSSL based implementation (without DoS vulnerability)

    Anybody should use PBKDF2, bcrypt or scrypt for passwords!
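  8. backports.pbkdf2

    | Implementation            | 1,000 chars input, 50k rounds of SHA-1 |
    |---------------------------|----------------------------------------|
    | backports.pbkdf2 (C)      | 0.310s                                 |
    | backports.pbkdf2 (Python) | 0.913s                                 |
    | pbkdf2_ctypes 0.99.3      | 1.344s                                 |
    | pbkdf2 1.3                | 6.450s                                 |
    | Django 1.5.4              | 3.078s                                 |
    | PyCrypto 2.6.1            | 10.274s                                |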
  9. hmac
    • hmac.compare_digest() (Python 3.3)
      – constant timing comparison
      – `userinput == secret` is insecure
    • hmac.new() (Python 3.4)
      – Default to MD5 is going to be deprecated
      – hmac.new(b"key", b"message", "sha1")
  10. Sorry state before Python 3.4
    • questionable default settings
    • no hostname verification in most stdlib modules
    • no Server Name Indication (SNI) in most stdlib modules
    • no access to root CA certs on Windows
    • no concept of validation purpose (X509v3 EKU)
  11. Python 3.4
    • SSLContext object defines policies
      – verify_mode (CERT_REQUIRED)
      – verify_flags (e.g. CRL verification)
      – configure hostname verification
      – ciphers
      – TLS version
      – purpose (client or server validation)
    • hostname matched in SSLSocket.do_handshake()
    • all stdlib modules support SNI and `ssl_context` argument
  12. ssl.create_default_context()
    • SSLContext with sensible and secure settings
    • loads system certs on most systems (Linux, BSD)
    • loads root CA certificates from Windows' Cert Store
      – use my wincertstore package for 2.4 to 3.3