Two malicious Python libraries caught stealing SSH and GPG keys (ZDNet)
Two malicious Python libraries caught stealing SSH and GPG keys (ZDNet)
Posted Dec 5, 2019 16:58 UTC (Thu) by micka (subscriber, #38720)In reply to: Two malicious Python libraries caught stealing SSH and GPG keys (ZDNet) by rweikusat2
Parent article: Two malicious Python libraries caught stealing SSH and GPG keys (ZDNet)
"It's not possible to write C code with no security issue" is not the same as "only C code has security issues".
      Posted Dec 5, 2019 17:33 UTC (Thu)
                               by rweikusat2 (subscriber, #117920)
                              [Link] (7 responses)
       
 
     
    
      Posted Dec 5, 2019 18:42 UTC (Thu)
                               by Cyberax (✭ supporter ✭, #52523)
                              [Link] 
       
     
      Posted Dec 5, 2019 21:43 UTC (Thu)
                               by anselm (subscriber, #2796)
                              [Link] (5 responses)
       
This statement is true but the claim that it denies is a straw man. I don't think reasonable people would postulate that code written in a language like Python is automatically “safe”. It may avoid some of the more obvious traps and pitfalls of languages like C, but if anything, the example at hand illustrates that deliberately introducing malicious functionality to an otherwise innocuous software package works regardless of the programming language used. IOW, if you want to be secure against this type of attack, “a more restrictive runtime environment than what a typical C implementation provides” by itself isn't going to be sufficient, but we don't see anyone arguing that it is.
 
     
    
      Posted Dec 8, 2019 20:08 UTC (Sun)
                               by rweikusat2 (subscriber, #117920)
                              [Link] (4 responses)
       
Not explicitly, obviously. But implied every time this comes up. It's usually claimed that the problem is the programming language *and* *not* certain code written in it. 
> the example at hand illustrates that deliberately introducing malicious functionality to an otherwise innocuous software package  
That was supposed to be the point: There are a lot of way to cause damage via software and focussing on programming language implementations[*] will not necessarily avoid "damage". 
[*] There's actually nothing which would stop a conforming C implementation from doing array bounds checking, at least not theoretically: The C standard leaves the behaviour of out-of-bounds accesses undefined, hence, terminating a program via some signal in case of one would be perfectly acceptable. It's just the C implementations don't do that because "enable a user to implement his own memory management" is a C feature. The obvjous drawback of that is that users have to care more about memory management than when using a more restrictive language (in this respect), which probably isn't worth it on 'current' hardware in a lot of cases. 
     
    
      Posted Dec 8, 2019 21:10 UTC (Sun)
                               by Cyberax (✭ supporter ✭, #52523)
                              [Link] 
       
With Java or Python you really have to work hard to allow remote code execution, with C it's just a misplaced bounds check. 
     
      Posted Dec 13, 2019 14:25 UTC (Fri)
                               by dvdeug (guest, #10998)
                              [Link] (2 responses)
       
> It's just the C implementations don't do that because "enable a user to implement his own memory management" is a C feature. 
C implementations don't do bounds checking because C doesn't make it feasible to do that. There are many programmers who would use bounds checking in C if it could be as simple as adding -fbounds-checking to the command line. 
     
    
      Posted Dec 30, 2019 23:36 UTC (Mon)
                               by HelloWorld (guest, #56129)
                              [Link] (1 responses)
       
Well you pretty much can do that with -fsanitize=address, and yet not many people seem to be doing it.  
     
    
      Posted Dec 31, 2019 1:40 UTC (Tue)
                               by pabs (subscriber, #43278)
                              [Link] 
       
     
    Two malicious Python libraries caught stealing SSH and GPG keys (ZDNet)
      
Two malicious Python libraries caught stealing SSH and GPG keys (ZDNet)
      
Two malicious Python libraries caught stealing SSH and GPG keys (ZDNet)
      The notion that it must be safe to use code written in a language with a more restrictive runtime environment than what a typical C implementation provide is wrong.
Two malicious Python libraries caught stealing SSH and GPG keys (ZDNet)
      
>
> This statement is true but the claim that it denies is a straw man. I don't think reasonable people would postulate that code written > in a language like Python is automatically “safe”.
> works regardless of the programming language used. IOW, if you want to be secure against this type of attack, “a more restrictive 
> runtime environment than what a typical C implementation provides” 
Two malicious Python libraries caught stealing SSH and GPG keys (ZDNet)
      
Except that C is pretty much THE worst possible language. It allows vulnerabilities that are by far the most severe compared to other languages.
Two malicious Python libraries caught stealing SSH and GPG keys (ZDNet)
      
Two malicious Python libraries caught stealing SSH and GPG keys (ZDNet)
      
Two malicious Python libraries caught stealing SSH and GPG keys (ZDNet)
      
 
           