Securing Code with the Python Type System
Preventing security vulnerabilities often brings to mind heavyweight security tools. But what if it doesn’t have to be that way? What if you could use the concepts already built into Python to make your code incrementally more secure?
In this talk, we’ll see how Python types allow you to improve your project’s security incrementally. First, we’ll show how simple type annotations by themselves can prevent security-impacting logic errors. Second, we’ll see how you can prevent injection vulnerabilities such as SQL injection by using a special type, LiteralString (PEP 675), in your APIs. Next, we’ll demonstrate how to leverage runtime type validation to securely handle user-controlled data (such as HTTP requests). Finally, we’ll show how types naturally enable typing-based tools like Pysa and CodeQL to perform static taint flow analysis and catch complex vulnerabilities that span multiple functions. No security tool is a panacea, however, so we’ll also show you where typing and the tools that rely on it can fail.
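The PEP 675 point above in working code. This is an added example written for this page, not code from the talk or from Pyre/Pysa: a query helper whose `sql` parameter is annotated `LiteralString`, so a static checker (mypy or pyright) rejects any caller that builds the statement from runtime data, while parameterized queries still pass. The `users` table and the two rows are constructed sample data; the helper and function names are assumptions for illustration.

```python
import sqlite3

try:
    from typing import LiteralString  # Python 3.11+ (PEP 675)
except ImportError:  # older interpreters: no static guarantee, runtime behaviour unchanged
    LiteralString = str  # type: ignore[misc,assignment]


def make_db() -> sqlite3.Connection:
    """Constructed sample database (not from the original page)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, is_admin INTEGER)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)", [("alice", 1), ("bob", 0)]
    )
    return conn


def run_query(
    conn: sqlite3.Connection, sql: LiteralString, params: tuple = ()
) -> list[tuple]:
    """Execute a statement that must be assembled from string literals only.

    Because `sql` is typed LiteralString, a type checker reports an error for
    any call site that passes an f-string, `%`-format or concatenation that
    includes a plain `str`. Runtime data has to travel through `params`, where
    the driver binds it safely. Nothing is enforced at runtime: the annotation
    is erased, so the protection comes from running the checker in CI.
    """
    return conn.execute(sql, params).fetchall()


def lookup_user_unsafe(conn: sqlite3.Connection, name: str) -> list[tuple]:
    """Deliberately vulnerable: untrusted input spliced into the statement.

    Rewriting this to call run_query(conn, f"... '{name}'") would not fix it,
    but it would at least fail type checking with a message such as
    "str is not assignable to LiteralString", which is the whole point of PEP 675.
    """
    sql = f"SELECT name, is_admin FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_user_safe(conn: sqlite3.Connection, name: str) -> list[tuple]:
    """Hardened form: literal statement, data passed as a bound parameter."""
    return run_query(
        conn, "SELECT name, is_admin FROM users WHERE name = ?", (name,)
    )


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"
    print("unsafe:", lookup_user_unsafe(db, payload))  # every row comes back
    print("safe:  ", lookup_user_safe(db, payload))    # no user has that name
```

Run `mypy` or `pyright` over the file to see the static side of the check; the runtime side is visible in the `__main__` block, where the injection payload returns both rows through the unsafe path and nothing through the parameterized one.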
USENIX Enigma 2022
Teaching an Old Dog New Tricks: Reusing Security Solutions in Novel Domains
The security industry has spent decades building up tooling and knowledge on how to detect flaws in software that lead to vulnerabilities. To detect a breadth of vulnerabilities, these tools are built to identify general patterns, such as data flowing from a source to a sink. These generalized patterns also map to problems in domains as diverse as performance, compliance, privacy, and data abuse. In this talk, I’ll present a series of case studies to show how Meta engineers have applied our security tools to detect and prevent implementation flaws in domains such as these.
I’ll go deep on a case study showing how static taint flow analysis, a tool Meta first deployed for security purposes, helped us make sure we weren’t storing or misusing user locations when we launched Instagram Threads. Then, to show that this case study was not an isolated example, I’ll walk more quickly through half a dozen additional examples where tools from our Product Security team have been used to check for implementation flaws in other domains. Finally, we’ll discuss the limitations of this approach, stemming from the tools themselves, from differing organizational structures, and from the ever-present need for defense in depth.
By the end of this talk, you should walk away brimming with ideas on new applications for your organization’s existing security tooling.
Unexpected Execution: Wild Ways Code Execution can Occur in Python
Every Python user knows that you can execute code using exec, but what about str.format? This talk will take you on a walk through all the weird and wild ways that you can achieve code execution on a Python server (and trust me, I didn’t spoil the surprise by putting the weirdest ones in the description).
The talk should be equal parts practical and entertaining as we work through both real examples of code execution vulnerabilities found in running code and absurd remote code execution exploits. The talk will end on a practical note by explaining how Facebook detects and prevents the exploit vectors we discussed, using an open source Python static analyzer called Pysa.
DEF CON 2020
Applying Pysa to Identify Python Security Vulnerabilities
The Product Security teams at Facebook make extensive use of static analysis to find security vulnerabilities. We use systems like Zoncolan and the open source Python Static Analyzer (Pysa) on a daily basis. Using static analysis helped us find more than 1100 security bugs in 2018, accounting for more than a third of the bugs found by the application security team in that timeframe.
In this tutorial, we’ll cover the basics of static analysis, how to set up Pysa, and how you can write and run rules to identify vulnerabilities in your own codebase. We’ll also cover how Pysa deals with false positives and discuss its limitations as a tool. Each new concept you learn will immediately be reinforced by a practical exercise.
Attendees should leave this tutorial with all the tools they need to start applying static analysis to their Python projects at work and in open source.
A computer with Python, Pip, and Git is required for this workshop. Attendees will need to pip install pyre-check and set up a small sample project.
In support of this talk, I also authored a blog post for the Facebook Engineering Blog and gave an interview for ZDNet.