Archive for June 25th, 2008
Securing Python on Linux…
During the last few days I learned how to manage my way through the Python source code with some useful tools (IPython, DDD… – Thank you Jeff) and how to rebuild the new secured Python interpreter.
After building Brett Cannon’s security work for securing the Python interpreter on Linux, I got an error that cost me two days of debugging.
The error that I got from running the new “secure_python.exe” interpreter was: import of controlled_importlib failed!
Debugging the problem while stepping into Python core functions started to look hopeless… So I decided that I should give it a try and send an email to the one who actually wrote the code (makes sense, right?) but unfortunately I was answered that he has not touched that branch in about a year.
After googling the problem for a while and reading some blogs I figured out that Brett Cannon actually used a Mac, so why not give it a try and install it on one? I headed to Keren Reid’s office and we tried together to install it on her machine. As expected it worked just fine…
Trying to debug the error, and to understand from where the NULL that breaks everything is returned, started to seem like a trip to an infinite loop inside the deep Python source code of bytes set… That's why we decided to ask “the one that knows everyone”, Greg Wilson, what we should do next. A few seconds after asking him my mailbox had a new email waiting to be replied to from David Wolever (who was staying in Brazil meanwhile…). David was so professional that in one hour he had already analyzed the problem and told me what my next step should be. The problem was actually found where the functools library is imported (as the strace tool suggested) and an undefined symbol was found: PyExc_TypeError.
Meanwhile I didn’t notice that Jeff Balogh had tried to debug the problem himself and he actually got to the same conclusion but also to the solution.
Do you know the feeling of spending a few days debugging a problem that could be solved in less than ten seconds?
Exactly, it is simpler than building Web-CAT:
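Adding the “-Xlinker -export-dynamic” option when building secure_python.exe with gcc is the fix. -Xlinker hands the linker a system-specific option that GCC itself does not recognize; here that option is -export-dynamic, which puts the executable's own symbols (such as PyExc_TypeError) into its dynamic symbol table so that modules loaded at run time can resolve them. (Sounds complicated? Well, just add the option in the build_secure_python.sh file where secure_python.exe is built.)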
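An added example, not from the original post or from Brett Cannon's branch: a constructed host program and plugin reproduce the failure described above (a module loaded with dlopen() needs a symbol defined in the executable) and show what the option changes. The function name demo_export_dynamic, the file names and host_symbol (standing in for PyExc_TypeError) are assumptions; it needs a C compiler and a GNU-style linker on Linux.

```shell
#!/bin/sh
# Constructed demo (hypothetical names throughout): a host executable loads a
# plugin with dlopen(); the plugin needs a symbol that only the host defines,
# the same situation as an extension module needing PyExc_TypeError.
# Usage: demo_export_dynamic ""                         -> host fails to load plugin
#        demo_export_dynamic "-Xlinker -export-dynamic" -> host loads plugin
demo_export_dynamic() {
    extra_flags=$1
    dir=$(mktemp -d) || return 2
    cat > "$dir/host.c" <<'EOF'
#include <dlfcn.h>
#include <stdio.h>
int host_symbol = 42;                      /* stands in for PyExc_TypeError */
int main(int argc, char **argv) {
    if (argc < 2) return 2;
    void *h = dlopen(argv[1], RTLD_NOW);   /* resolve every symbol at load time */
    if (!h) { fprintf(stderr, "%s\n", dlerror()); return 1; }
    int (*get)(void) = (int (*)(void))dlsym(h, "plugin_get");
    return (get && get() == 42) ? 0 : 1;
}
EOF
    cat > "$dir/plugin.c" <<'EOF'
extern int host_symbol;                    /* left undefined in plugin.so */
int plugin_get(void) { return host_symbol; }
EOF
    # extra_flags is deliberately unquoted so it splits into separate options.
    cc -shared -fPIC -o "$dir/plugin.so" "$dir/plugin.c" &&
    cc -o "$dir/host" "$dir/host.c" $extra_flags -ldl &&
    "$dir/host" "$dir/plugin.so"
    status=$?
    rm -rf "$dir"
    return $status
}
```

Without the option the host prints the dynamic loader's "undefined symbol: host_symbol" message and returns non-zero; with it the plugin loads and the function returns 0.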
So after a lot of hours, a lot of source code and a lot of computer scientists, I can proudly announce:
And the winner is…………..
Jeff Balogh !!!!
June 25, 2008