Package Analysis
The Package Analysis project analyses the capabilities of packages available on open source repositories. The project looks for behaviors that indicate malicious software:
- What files do they access?
- What addresses do they connect to?
- What commands do they run?
The project also tracks changes in how packages behave over time, to identify when previously safe software begins acting suspiciously.
This effort is meant to improve the security of open source software by detecting malicious behavior, informing consumers selecting packages, and providing researchers with data about the ecosystem.
This code is designed to work with the
Package Feeds project,
and originally started there.
For examples of what this project has detected, check out the
case studies.
How it works
The project's components are:
- A scheduler - creates jobs for the analysis worker from
Package Feeds.
- Analysis (one-shot analyze and worker) -
collects package behavior data through static and dynamic analysis of each
package.
- A loader - pushes the analysis results into BigQuery.
The goal is for all of these components to work together and provide extensible,
community-run infrastructure to study behavior of open source packages and to
look for malicious software. We also hope that the components can be used
independently, to provide package feeds or runtime behavior data for anyone
interested.
The Package Analysis project currently consists of the following pipeline:
- Package repositories are monitored for new packages.
- Each new package is scheduled to be analyzed by a pool of workers.
- A worker performs dynamic analysis of the package inside a sandbox.
- Results are stored and imported into BigQuery for inspection.
Sandboxing via gVisor containers ensures the packages are
isolated. Detonating a package inside the sandbox allows us to capture strace
and packet data that can indicate malicious interactions with the system as well
as network connections that can be used to leak sensitive data or allow remote
access.
Public Data
This data is available in the public BigQuery dataset.
Configuration
Configuration for these subprojects consist of a collection of environment
variables for the various endpoints. These endpoints are configured using
goclouddev compatible URL strings. In these cases, documentation will be linked
to and DRIVER-Constructor
sections should be ignored in favour of DRIVER
sections as these are appropriate to the configurations in place throughout
these subprojects. Note that not all drivers will be supported but they can be
added quite simply with a minor patch to the repository. See the addition of
kafka for scheduler in
one line.
An example of these variables can be found in the
e2e example docker-compose.
Analysis
OSSMALWARE_WORKER_SUBSCRIPTION
- Can be used to set the subscription URL for
the data coming out of scheduler. Values should follow
goclouddev subscriptions.
OSSF_MALWARE_ANALYSIS_RESULTS
- OPTIONAL: Can be used to set the bucket
URL to publish results to. Values should follow
goclouddev buckets.
OSSF_MALWARE_ANALYSIS_PACKAGES
- OPTIONAL: Can be used to set the bucket
URL to get custom uploaded packages from. Values should follow
goclouddev buckets.
OSSF_MALWARE_NOTIFICATION_TOPIC
- OPTIONAL: Can be used to set the topic URL to
publish messages for consumption after a new package analysis is complete. Values should follow
goclouddev publishing.
Scheduler
OSSMALWARE_WORKER_TOPIC
- Can be used to set the topic URL to publish data for
consumption by Analysis workers. Values should follow
goclouddev publishing.
OSSMALWARE_SUBSCRIPTION_URL
- Can be used to set the subscription URL for the
data coming out of package-feeds.
Values should follow
goclouddev subscriptions.
Local Analysis
To run the analysis code locally, the easiest way is to use the Docker image
ghcr.io/khulnasoft-lab/analysis
. This can be built with
make build_analysis_image
, or the public images can be used instead.
This container uses podman
to run a nested, sandboxed (gVisor) container for
analysis.
The commands below will dump the JSON results to /tmp/results
and full logs to /tmp/dockertmp
.
Live package
To run this on a live package (e.g. the latest version of the "Django" package on
pypi.org)
$ scripts/run_analysis.sh -ecosystem pypi -package Django
Or with a specific version
$ scripts/run_analysis.sh -ecosystem pypi -package Django -version 4.1.3
Local package
To run analysis on a local PyPi package named 'test',
located in local archive /path/to/test.whl
$ scripts/run_analysis.sh -ecosystem pypi -package test -local /path/to/test.whl
Docker notes
(Note: these options are handled by the scripts/run_analysis.sh
script).
--privileged
and a compatible filesystem are required to properly run nested
containers. -v /var/lib/containers:/var/lib/containers
is also used as it
allows caching the sandbox images and supports local developement.
Development
Testing
See sample_packages/README.md
for how to use a sample package that simulates malicious activity for testing purposes.
Required Dependencies
Contributing
If you want to get involved or have ideas you'd like to chat about, we discuss this project in the OSSF Securing Critical Projects Working Group meetings.
See the Community Calendar for the schedule and meeting invitations.