A new feature proposal for the Python programming language wants to add "transparency" to the runtime and let security and auditing tools view when Python may be running potentially dangerous operations.

In its current form, Python does not allow security tools to see what operations the runtime is performing. Unless one of those operations generates particular errors that may raise a sign of alarm, security and auditing tools are blind that an attacker may be using Python to carry out malicious operations on a system.

PEP-551 proposes two new APIs for Python

But in Python Enhancement Proposal 551 (PEP-551), Steve Dower, a core Python developer, has proposed the addition of two new APIs that will let security tools detect when Python is executing potentially dangerous operations.

"We propose two API changes to enable this: an Audit Hook and Verified Open Hook," Dower says. "Both are not set by default, and both require modifications to the entry point binary to enable any functionality."

The first of these, the Audit Hook API, will raise warning messages about certain type of Python operations.

"These operations are typically deep within the Python runtime or standard library, such as dynamic code compilation, module imports, DNS resolution, or use of certain modules such as ctypes," Dower says.

Security or audit tools may use these messages as warning flags that something suspicious is going on, and flag or stop the Python process from continuing, before real harm is done.

The second, the Verified Open Hook API, is a mechanism to let the Python runtime know what files it is permitted to execute or tamper with. Dower explains:

Most operating systems have a mechanism to distinguish between files that can be executed and those that can not. For example, this may be an execute bit in the permissions field, or a verified hash of the file contents to detect potential code tampering. These are an important security mechanism for preventing execution of data or code that is not approved for a given environment. Currently, Python has no way to integrate with these when launching scripts or importing modules.

Python's performance impact is negligible

Dower has proposed PEP-551, last year in August. Early tests suggest the performance impact of adding these two APIs is negligible, "with the vast majority of benchmarks showing between 1.05x faster to 1.05x slower" results.

Initial plans were to have PEP-551 ship with Python 3.7, scheduled for release in mid-June 2018, but the proposal did not make the final cut, according to a list of new features added for next month's release. This doesn't mean PEP-551 won't ship with a future version of Python.

Python is the second major scripting engine that is addressing the issue of "security optics" —the concept that programming and scripting runtimes should provide minimum transparency to aid prevention of bad behavior. Similar actions are being taken by Microsoft to make PowerShell more transparent to security tools.