Language summit lightning talks

Posted Jun 8, 2017 15:37 UTC (Thu) by dps (guest, #5725)
In reply to: Language summit lightning talks by grawity
Parent article: Language summit lightning talks

If you do fascist security moves like making /tmp, and other similar places to the extent they exist, be separate filesystems and mounting them with the noexec option, then finding a writable place to store a binary so you can run it might be really difficult. Attempting to bypass noexec by using ld-linux.so.2 or ld-linux_x86_64.so.2 does not work. I don't need execute permission to run pure python malware. I could also run shell scripts too but the access I can get to system calls is much less, especially on stripped down systems with everything not required removed.

In the case of python code I might suggest adding a signature and using a modified version of python which will only run signed scripts and check for execute permission first. Compiling lots of things into C extensions using something like cython might make this a bit easier and more convincing. I have not met a corporate environment where python is banned but then I also have always had a C compiler and a job which involves writing non-malicious python scripts.

Where I currently work even the production boxes have tools like gdb installed, which makes me think that somebody having a long and hard look at what is actually required and removing everything not required would be a really good idea. python would make the cut because quite a lot of things that should be present are actually written in python. I suspect that at least some of the other p* languages, which are currently installed, would not.


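The pre-run check suggested in the comment above (execute permission, noexec, signature), as an added example that is not part of the original comment or of CPython. The names `may_run`, `sign`, `DEMO_KEY` and the `.sig` sidecar file are hypothetical, and HMAC-SHA256 stands in for a real public-key signature.

```python
import hashlib
import hmac
import os
import stat

# Constructed demo key; a real deployment would verify a public-key signature
# so that hosts running scripts never hold the signing secret.
DEMO_KEY = b"constructed-demo-key"


def sign(data, key=DEMO_KEY):
    """Return the hex HMAC-SHA256 tag stored beside a script as <script>.sig."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def may_run(path, key=DEMO_KEY, noexec=None):
    """Decide whether a hypothetical hardened launcher would run `path`.

    Returns (allowed, reason). `noexec` can be forced for testing; by default
    it is read from the mount flags of the filesystem holding `path`.
    """
    st = os.stat(path)
    if not stat.S_ISREG(st.st_mode):
        return False, "not a regular file"
    # Interpreters only need read access, so the execute bit is checked here.
    if not st.st_mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
        return False, "no execute permission"
    # The kernel enforces noexec on execve() and executable mmap() only;
    # honour it for interpreted code as well.
    if noexec is None:
        noexec = bool(os.statvfs(path).f_flag & os.ST_NOEXEC)
    if noexec:
        return False, "filesystem mounted noexec"
    try:
        with open(path + ".sig") as f:
            expected = f.read().strip()
    except FileNotFoundError:
        return False, "missing signature"
    with open(path, "rb") as f:
        actual = sign(f.read(), key)
    # Constant-time comparison avoids leaking how much of the tag matched.
    if not hmac.compare_digest(actual, expected):
        return False, "bad signature"
    return True, "ok"
```

A launcher built on this should execute the same bytes it verified rather than reopening the file, otherwise the script can be swapped between the check and the run.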


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds