Ensuring the Security of Open Python Projects: The Challenge of Assessing Potentially Destructive Functionality
Abstract
Open source software is widely used everywhere. Unfortunately, until recently, developers have not considered the need to monitor the security of the external projects they use. One can understand programmers: they would like to believe that if the source code is open, it has already been analyzed by automated means, and if it poses a security threat, the associated package will be removed. Unfortunately, this is not the case, and malicious functionality can exist in the form of an open project named to mimic a popular package for months. Malicious actors who add harmful packages to public code repositories pursue various selfish goals: theft of user accounts, file encryption with a ransom demand, unauthorized remote control of the device. This article discusses the problem of assessing potentially destructive functionality in open source software in Python. Various methods for assessing project security are discussed, including code and documentation analysis, code deobfuscation, developer reputation checks, and project dependency tracking. Attention is paid to the difficulties associated with determining the acceptability of certain functionality in a project in accordance with its tasks. A classification of functionality that falls under the definition of unsafe for the developer (for example, which can be a channel for sending information to a malicious actor) is provided. Existing approaches to code analysis are examined in detail, and the functional parts that can be described with their help are discussed.
Full Text:
PDF (Russian)References
Synopsis. [2023] Open Source Security and Risk Analysis Report. —online; accessed: 2023-02-15. — URL: https://www.synopsys.com/software-integrity/resources/analyst-reports/open-source-security-risk-analysis.html.
TIOBE. TIOBE Index for February 2023. — online; accessed: 2023-02-16. — URL: https://www.tiobe.com/tiobe-index/.
IEEE Spectrum. Top Programming Languages 2022. — online; accessed: 2023-02-17. — URL: https://spectrum.ieee.org/top-programming-languages-2022.
Kaplan B., Qian J. A survey on common threats in npm and pypi registries //Deployable Machine Learning for Security Defense: Second International Workshop, MLHat 2021, Virtual Event, August 15, 2021, Proceedings 2. – Springer International Publishing, 2021. – С. 132-156.
Encyclopedia by Kaspersky. Троянец-стилер (Trojan-PSW, Password Stealing Ware). — online; accessed: 2023-02-17. — URL: https://encyclopedia.kaspersky.ru/glossary/trojan-psw-psw-password-stealing-ware/.
Kaspersky Lab. Shifroval'shhiki – jeto ne pro vas. — online; accessed: 2023-02-17. — URL: https://noransom.kaspersky.ru/.
RusCrypto Conference, thematic section «Issledovanie i zashhita cifrovyh tehnologij». Tehnologija avtomatizirovannogo podhoda k revers-inzhiniringu obfuskatorov-pakerov vredonosnogo koda. — online; accessed: 2023-04-20. — URL: https://www.ruscrypto.ru/program/sections/s_4.html.l.
National Institute of Standards of Technology. National Vulnerability Database. — online; accessed: 2023-02-17. — URL: https://nvd.nist.gov/.
BleepingComputer. PyPI packages hijacked after developers fall for phishing emails. — online; accessed: 2023-02-17. — URL: https://www.bleepingcomputer.com/news/security/pypi-packages-hijacked-after-developers-fall-for-phishing-emails/.
Greiman V. Known Unknowns: The Inevitability of Cyber Attacks //European Conference on Cyber Warfare and Security. – 2023. – Т. 22. – №. 1. – С. 223-231.
National Vulnerability Database. CVE-2022-23812 Detail. — online; accessed: 2023-02-19. — URL: https://nvd.nist.gov/vuln/detail/CVE-2022-23812.
Vu D. L., Newman Z., Meyers J. S. Bad Snakes: Understanding and Improving Python Package Index Malware Scanning.
Python 3.10 Documentation. ast – Abstract Syntax Trees. — online; accessed: 2023-02-22. — URL: https://docs.python.org/3/library/ast.html.
Aloraini B. Towards Better Static Analysis Security Testing Methodologies. – 2020.
Python Institute – Open Educational & Development Group. Python® – the language of today and tomorrow. — online; accessed: 2023-02-24. — URL: https://pythoninstitute.org/about-python.
Cannon B., Smith N., Stufft D. Pep 518: specifying minimum build system requirements for python projects. – 2020.
Refbacks
- There are currently no refbacks.
Abava Кибербезопасность IT Congress 2024
ISSN: 2307-8162