Imagine you could run one single command on one computer at the NSA. You would probably run "python" to use its OS and network features undetected, just like real attackers do. If someone did it on your network, would you notice? PEP 551 makes it so that admins can audit Python and detect malicious use on their systems. This session will look at why we need it and how to use it.
The days of "software vulnerability" being a synonym for "buffer overflow" are over. Modern vulnerabilities are those that enable attackers to get into your network and stay in your network. Beyond simple bugs, any tool that can execute arbitrary code becomes a vulnerability - especially if you don't know when it is doing that. Python is a popular tool with attackers, in large part because it can download encrypted code, decrypt and execute it with a single line of code. And once that entire payload is running, nobody knows exactly what it is doing. PEP 551 adds a range of auditing hooks to the Python runtime, enabling system administrators to see into how it is being used. You can inspect every piece of code that is compiled and executed, intercept calls that modify trace functions, and collect information on code that uses native functions through ctypes. This session will look at why we need security transparency in Python. We will look at actual examples of malware written in Python, and see how the hooks provided by PEP 551 enable administrators to detect and prevent attacks on their systems.