Schedule FOSDEM 2022
Python

Messing with unicode

A few possible attacks with unicode
D.python
Julin Shaji
Let's look at a few 'tricks' with Unicode that can make a program look like it's doing (or not doing, for that matter) something it isn't. Based on the findings in a recent publication, these are well worth being aware of, both from a security point of view and simply to be on your guard against friends who may be trying to pull a prank on you :-D.

These tricks are well suited to Trojan-style attacks on source code: they can be hard to detect even in a manual code review, because Unicode features such as bidirectional (bidi) control characters change what the reviewer sees without changing what the interpreter parses.

The talk is based on some of the possibilities described in the paper "Trojan Source: Invisible Vulnerabilities" by Nicholas Boucher and Ross Anderson of the University of Cambridge. The implications of this work for Python are outlined in PEP 672 (Unicode-related Security Considerations for Python). Examples of using/abusing Unicode include:

- Look-alike characters (homoglyphs) used to define two different functions so that a call to one looks like a call to the other (e.g. Cyrillic е, U+0435, and Latin e, U+0065, are too similar for us to distinguish easily; Python's NFKC normalisation of identifiers does not fold them together, so they stay distinct names).
- Bidi control characters used to make text appear to be part of the code when it is actually inside a comment (or a string literal), so the code a reviewer reads is not the code that runs.
- The classic trick of naming files with a right-to-left override (U+202E) so that even an .exe file displays as a .pdf.
- Invisible (zero-width) characters used to make strings that look the same when they aren't.
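The four tricks listed above, as an added Python example (not code from the talk, the paper, or PEP 672): it builds each tricked snippet with explicit escapes so the characters are visible, runs it to show what the interpreter really does, and ends with a small scanner that flags the characters involved. The snippets, the file name, and the scanner's rules (flag every category-Cf format character; flag identifiers that mix scripts, detected heuristically from the first word of each character's Unicode name) are constructed for illustration and are not a reference tool.

```python
"""Unicode source-code tricks from the talk, plus a small scanner for them.

Added example for this page; not code from the talk or the Trojan Source paper.
The scanner rules (flag every Unicode 'Cf' format character, flag identifiers
that mix scripts judged by the first word of each character's Unicode name)
are illustrative assumptions, not a reference implementation of PEP 672.
"""
import io
import os
import tokenize
import unicodedata

# Constructed attacker-style source, written with escapes so the tricks are
# visible here; in a real file the same bytes render as innocent-looking code.

# 1) Bidi "commenting-out": the isolates (LRI U+2066, PDI U+2069) make line 2
#    render roughly as
#        if access_level != 'none' and access_level != 'user': # Check if admin
#    but the parser sees the string 'none\u2066' followed by one long comment.
BIDI_SOURCE = (
    "access_level = 'user'\n"
    "if access_level != 'none\u2066': # Check if admin\u2069\u2066'"
    " and access_level != 'user':\n"
    "    result = 'admin'\n"
    "else:\n"
    "    result = 'user'\n"
)

# 2) Homoglyph identifiers: Latin 'e' and Cyrillic 'е' (U+0435) give two
#    distinct functions whose names look identical; the call goes to the second.
HOMOGLYPH_SOURCE = (
    "def check(): return 'latin'\n"
    "def ch\u0435ck(): return 'cyrillic'\n"
    "value = ch\u0435ck()\n"
)

def run_bidi_demo():
    """Execute the bidi-tricked snippet and report which branch really ran."""
    ns = {}
    exec(BIDI_SOURCE, ns)
    return ns["result"]

def run_homoglyph_demo():
    """Count the look-alike functions defined and report which one was called."""
    ns = {}
    exec(HOMOGLYPH_SOURCE, ns)
    lookalikes = [n for n in ns if n.startswith("ch") and n.endswith("ck")]
    return len(lookalikes), ns["value"]

def rtlo_filename(stem="invoice_", shown_ext="pdf", real_ext="exe"):
    """Name that displays as 'invoice_exe.pdf' but really ends in .exe.

    RLO (U+202E) renders everything after it reversed, so 'fdp.exe' is shown
    as 'exe.pdf'; the OS only looks at the real suffix.
    """
    name = f"{stem}\u202e{shown_ext[::-1]}.{real_ext}"
    return name, os.path.splitext(name)[1]

def strip_format_chars(s):
    """Drop Unicode format characters (category Cf: bidi controls, ZWSP, BOM)."""
    return "".join(c for c in s if unicodedata.category(c) != "Cf")

def invisible_demo(a="admin", b="ad\u200bmin"):
    """Two strings that print alike: plain ==, == after NFKC, == after stripping Cf."""
    nfkc = unicodedata.normalize("NFKC", a) == unicodedata.normalize("NFKC", b)
    return a == b, nfkc, strip_format_chars(a) == strip_format_chars(b)

def scan_source(src):
    """Flag Cf characters anywhere and NAME tokens that mix scripts.

    Returns (line, col, what, detail) tuples; line is 1-based and col 0-based,
    matching tokenize's own positions.
    """
    findings = []
    for lineno, line in enumerate(src.splitlines(), 1):
        for col, ch in enumerate(line):
            if unicodedata.category(ch) == "Cf":
                findings.append((lineno, col, f"U+{ord(ch):04X}",
                                 unicodedata.name(ch, "UNNAMED FORMAT CHAR")))
    for tok in tokenize.generate_tokens(io.StringIO(src).readline):
        if tok.type == tokenize.NAME and not tok.string.isascii():
            # Heuristic script detection: 'LATIN SMALL LETTER C' -> 'LATIN'.
            scripts = {unicodedata.name(c, "UNKNOWN").split()[0]
                       for c in tok.string if c.isalpha()}
            if len(scripts) > 1:
                findings.append((tok.start[0], tok.start[1], tok.string,
                                 "mixed scripts: " + "/".join(sorted(scripts))))
    return findings

if __name__ == "__main__":
    print("bidi snippet really sets result =", run_bidi_demo())
    print("homoglyph snippet: (functions, called) =", run_homoglyph_demo())
    print("RTLO filename:", rtlo_filename())
    print("invisible chars: (==, NFKC ==, Cf-stripped ==) =", invisible_demo())
    for finding in scan_source(BIDI_SOURCE) + scan_source(HOMOGLYPH_SOURCE):
        print("finding:", finding)
```

Two caveats worth keeping in mind when reusing the scanner. NFKC normalisation, which Python applies to identifiers, does not remove zero-width characters, so comparing user-visible strings needs the explicit Cf strip shown in `invisible_demo`. And Cf characters are legitimate in some text (joiners in Arabic and Indic strings, for example), so findings in string literals and comments are something to triage, not an automatic build failure; findings inside identifiers or outside any literal are far more suspicious.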

Additional information

Type devroom

More sessions

2/6/22
Python
Francesco Tisiot
D.python
Apache Kafka is recognised as the best data streaming platform around, but it can be difficult to observe what is happening when you are just getting started with this excellent technology platform. In this session, you will get a tour of key Kafka features using the delightful web UI of Jupyter notebooks.

Use the notebooks to see Kafka and Python in action, producing and consuming records. We'll also cover how to get the best from your application by making good use of topic ...
2/6/22
Python
Sebastiaan Zeeff
D.python
Driven by the immense popularity of asynchronous frameworks, such as FastAPI, asynchronous database support suddenly became a hot topic in the Python community. As talking to your database often forms a significant portion of the input and output of your application, it's important to do that asynchronously as well. With the release of version 1.4, SQLAlchemy added support for Asynchronous I/O for both its core and ORM features. This means that you can now use the popular SQL toolkit for ...
2/6/22
Python
Haki Benita
D.python
Concurrency in web applications is so easy to get wrong, and so hard to identify and debug when it comes to bite you. In this talk I'm going to present common concurrency issues with even the simplest application, and suggest ways to identify and prevent them!
2/6/22
Python
Jerry Pussinen
D.python
Type hints are an essential part of modern Python. By combining type hints with a static type checker and libraries which enable runtime type checking, it is possible to achieve runtime type-safe Python applications.

This talk discusses the motivation for extensive usage of type hints, how to gradually add types to existing projects, how to deal with untyped dependencies, and finally, how to achieve runtime type-safety without sacrificing performance.
2/6/22
Python
Daniel Moura
D.python
SPyQL (https://github.com/dcmoura/spyql) is SQL with Python in the middle, an open-source project fully written in Python for making command-line data processing more intuitive, readable and powerful. Try mixing in the same pot: a SQL SELECT for providing the structure, Python expressions for defining transformations and conditions, the essence of awk as a data-processing language, and the JSON handling capabilities of jq.

In this event I will describe the SPyQL language, ...
2/6/22
Python
Maarten De Paepe
D.python
https://github.com/maarten-dp/mimics is a tool with the intention to defer actions done on objects or classes. These actions can then be executed at a later date when the subject, to which these actions should be applied, is available. This is mostly a joke project with no real world applications, but it has some neat implementations showcasing the power of Python.
2/6/22
Python
Mehdi Raddadi
D.python
When developing a platform with a large code base, multiple Django applications in a monolith, feature flags are a must have to keep your release cycle short. Those allow teams to develop a feature throughout multiple releases without users being aware that this feature is under development. Shorter release cycles are still possible without hindering quality teams or users.

At GitGuardian, we use feature flags for multiple purposes: distinguishing between code deployment and feature ...