A Large-Scale Security-Oriented Static Analysis of Python Packages in PyPI

Ruohonen, Jukka; Hjerppe, Kalle; Rindell, Kalle

doi:10.48550/arxiv.2107.12699

Cited by 2 publications

(7 citation statements)

References 35 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Ohm et al's study [20] explores the forms attacks can have on different registries. Others have focused on specific registries such as PyPI [1,3,25], or npm [34]. On one hand, mechanisms to understand the impact of malicious packages have been proposed [19,33].…”

Section: Related Workmentioning

confidence: 99%

Practical Automated Detection of Malicious npm Packages

Sejfia,

Schäfer

2022

Preprint

View full text Add to dashboard Cite

The npm registry is one of the pillars of the JavaScript and Type-Script ecosystems, hosting over 1.7 million packages ranging from simple utility libraries to complex frameworks and entire applications. Each day, developers publish tens of thousands of updates as well as hundreds of new packages. Due to the overwhelming popularity of npm, it has become a prime target for malicious actors, who publish new packages or compromise existing packages to introduce malware that tampers with or exfiltrates sensitive data from users who install either these packages or any package that (transitively) depends on them. Defending against such attacks is essential to maintaining the integrity of the software supply chain, but the sheer volume of package updates makes comprehensive manual review infeasible. We present Amalfi, a machine-learning based approach for automatically detecting potentially malicious packages comprised of three complementary techniques. We start with classifiers trained on known examples of malicious and benign packages. If a package is flagged as malicious by a classifier, we then check whether it includes metadata about its source repository, and if so whether the package can be reproduced from its source code. Packages that are reproducible from source are not usually malicious, so this step allows us to weed out false positives. Finally, we also employ a simple textual clone-detection technique to identify copies of malicious packages that may have been missed by the classifiers, reducing the number of false negatives. Amalfi improves on the state of the art in that it is lightweight, requiring only a few seconds per package to extract features and run the classifiers, and gives good results in practice: running it on 96287 package versions published over the course of one week, we were able to identify 95 previously unknown malware samples, with a manageable number of false positives. CCS CONCEPTS• Security and privacy → Malware and its mitigation.

show abstract

Section: Related Workmentioning

confidence: 99%

Practical Automated Detection of Malicious npm Packages

Sejfia,

Schäfer

2022

Preprint

View full text Add to dashboard Cite

show abstract

“…29 Vulnerable packages contain a flaw in their design, 30 unhandled code error, 31 or other bad practices that could be a future security risk. 32 , 33 Communities and commercial companies have vastly researched this widespread threat (e.g., Snyk and Mend). Usually this threat is based on common vulnerabilities and exposures (CVEs).…”

Section: Introductionmentioning

confidence: 99%

“…Studies have shown a rise in malicious functionalities appearing in public repositories and highly used packages. 32 , 36 , 37 These studies have shown that there are common injection methods for malicious actors to infect packages. As Ohm et al.…”

Section: Introductionmentioning

confidence: 99%

“…The irregularities can broadly be categorized into three main branches: coding style enforcement, reliability, and maintainability. 32 , 48 The security issues are mainly associated with the reliability domain, covering bug detection, 49 vulnerability detection, 50 and malware detection challenges. 51 , 52 In static analysis, the following techniques are commonly used to gather information regarding the detection mission.…”

Section: Introductionmentioning

confidence: 99%

“…48 Feature-based technique uses the occurrences count of known problematic functionalities. 32 , 56 For example, Patil and Patil 52 have constructed a classifier with a given labeled dataset and several features extracted (such as function appearances, length of the script) that can predict the maliciousness of a script. The main drawback of this technique is that it strongly binds with reversing research that points to features related to the attack, which may lead to detection overfitting the attacks that have been revealed and learned.…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations