Every Python user knows that you can execute code using
exec, but what about
str.format? This talk will take you on a walk through all the weird and wild ways that you can achieve code execution on a Python server (and trust me, I didn’t spoil the surprise by putting the weirdest ones in the description).
The talk should be equal parts practical and entertaining as we work through both real examples of code execution vulnerabilities found in running code as well as absurd remote code execution exploits. The talk will end on a practical note by explaining how Facebook detects and prevents the exploit vectors we discussed, using an open source Python Static Analyzer called Pysa.
DEF CON 2020
The Product Security teams at Facebook make extensive use of static analysis to find security vulnerabilities. We use systems like Zoncolan and the open source Python Static Analyzer (Pysa) on a daily basis. Using static analysis helped us find more than 1100 security bugs in 2018, accounting for more than a third of the bugs found by the application security team in that timeframe.
In this tutorial, we’ll cover the basics of static analysis, how to set up Pysa, and how you can write and run rules to identify vulnerabilities in your own codebase. We’ll also cover how Pysa deals with false positives and discuss its limitations as a tool. Each new concept you learn will immediately be reinforced by a practical exercise.
Attendees should leave this tutorial with all the tools they need to start applying static analysis to their Python projects at work and in open source.
A computer with Python, Pip, and Git is required for this workshop. Attendees will need to pip install pyre-check and set up a small sample project.