Abstract
Python is a common used programming language in many environments, such as datacenter software, embedded programming or regular desktop computers, due to its dynamic and interpreted nature. Furthermore it is easy to write applications and test them because no recompilation is needed. At the heart of everything lies the Python interpreter which is responsible with converting input scripts into an platform-independent representation, called bytecode, and then executing them in a contained environment.
In this paper an in depth security analysis of the CPython interpreter is made. Also, a proof of concept general attack targeting the bytecode generation engine is presented and detailed. To emphasize the importance of the findings it also takes into consideration a study case on the OpenStack framework, that is widely used today in various Cloud deployments and as a software basis for many datacenters. It is chosen because it is implemented entirely in Python, rather easy to understand its internals and how to deploy it in real environments. The point made is that using our technique, or something similar, a malicious user can affect the good function of the framework, which translates into possible access gain over all the users data and applications that are stored in a Cloud environment.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
References
Django Framework. https://www.djangoproject.com/
OpenStack Cloud Framework. http://www.openstack.org
Python Main Webpage. http://www.python.org
CPython Interpreter Source Code Repository. http://hg.python.org/cpython
Python Bytecode trust. https://utcc.utoronto.ca/cks/space/blog/python/BytecodeIsTrusted
Python Interpreter VM. https://doar-e.github.io/blog/2014/04/17/deep-dive-into-pythons-vm-story-of-load_const-bug/
https://utcc.utoronto.ca/cks/space/blog/python/WhyCPythonBytecode
Backdooring Python via PYC. http://secureallthethings.blogspot.ro/2015/11/backdooring-python-via-pyc-pi-wa-si_9.html
Reversing Python Object. https://www.virusbulletin.com/virusbulletin/2011/07/reversing-python-objects#id3072912
Python trojan proof of concept. https://github.com/jgeralnik/Pytroj
Python Bytecode Specification. https://www.python.org/dev/peps/pep-0339/
Python Bytecode disassembler module. https://docs.python.org/2/library/dis.html
Java Interpreter. https://www.java.com/en/
PHP Interpreter. http://php.net/
PHP OPcache. http://php.net/manual/en/book.opcache.php
Mirantis OpenStack. https://www.mirantis.com/
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2016 Springer International Publishing AG
About this paper
Cite this paper
Pătraşcu, A., Popa, Ş. (2016). When Pythons Bite. In: Bica, I., Reyhanitabar, R. (eds) Innovative Security Solutions for Information Technology and Communications. SECITC 2016. Lecture Notes in Computer Science(), vol 10006. Springer, Cham. https://doi.org/10.1007/978-3-319-47238-6_13
Download citation
DOI: https://doi.org/10.1007/978-3-319-47238-6_13
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-47237-9
Online ISBN: 978-3-319-47238-6
eBook Packages: Computer ScienceComputer Science (R0)