GoSurf is a tool that aims to analyze the potential attack surface of open-source Go packages and modules. It looks for occurrences of various features and constructs that could potentially introduce security risks, known as attack vectors.
The `gosurf.go` file is the entry point for the GoSurf tool, which analyzes a Go module and identifies all the defined attack vectors, effectively framing the attack surface through Abstract Syntax Tree (AST) analysis. To use the GoSurf tool, follow these steps:
```bash
# Clone the repository
git clone https://github.com/chains-project/GoSurf.git
# Navigate to the gosurf directory
cd gosurf
# Build the tool
go build
# Analyze the github.com/ethereum/go-ethereum module
./gosurf $GOPATH/pkg/mod/github.com/ethereum/go-ethereum@v1.13.14
```
The tool analyzes the specified module and its direct dependencies, identifies occurrences of the defined attack vectors, and prints the results on the CLI.
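As an added illustration of the kind of AST-based scan described above (example code written for this README, not GoSurf's own implementation), the following Go program parses one source file with `go/parser` and counts a few constructs a reviewer would treat as attack surface: imports of sensitive packages, cgo use, package-level `init` functions and `//go:linkname` directives. The set of flagged constructs is an assumption for the example, since this README does not enumerate GoSurf's attack vectors.

```go
package main
import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
	"strings"
)

// riskyImports maps import paths to a vector label. This set is an assumption for
// the example; the README does not enumerate GoSurf's actual attack vectors.
var riskyImports = map[string]string{"unsafe": "unsafe", "reflect": "reflect",
	"os/exec": "exec", "plugin": "plugin", "C": "cgo"}
// AnalyzeSource parses one Go file and counts attack-vector occurrences per label.
func AnalyzeSource(filename, src string) (map[string]int, error) {
	f, err := parser.ParseFile(token.NewFileSet(), filename, src, parser.ParseComments)
	if err != nil {
		return nil, err
	}
	counts := map[string]int{}
	for _, imp := range f.Imports { // sensitive imports, incl. cgo's pseudo-package "C"
		path := strings.Trim(imp.Path.Value, `"`) // Path.Value is the quoted literal
		if label, ok := riskyImports[path]; ok {
			counts[label]++
		}
	}
	for _, decl := range f.Decls { // package-level init() runs on import, before main
		if fn, ok := decl.(*ast.FuncDecl); ok && fn.Recv == nil && fn.Name.Name == "init" {
			counts["init"]++
		}
	}
	for _, cg := range f.Comments { // //go:linkname reaches other packages' unexported symbols
		for _, c := range cg.List {
			if strings.HasPrefix(c.Text, "//go:linkname") {
				counts["linkname"]++
			}
		}
	}
	return counts, nil
}

// sample is a constructed input exercising several vectors at once.
const sample = "package demo\nimport \"C\"\nimport \"unsafe\"\n" +
	"//go:linkname nanotime runtime.nanotime\nfunc nanotime() int64\n" +
	"func init() { _ = unsafe.Sizeof(0) }\n"
func main() {
	counts, err := AnalyzeSource("demo.go", sample)
	fmt.Println(counts, err) // map[cgo:1 init:1 linkname:1 unsafe:1] <nil>
}
```

Running it over every `.go` file of a module and its dependencies, as GoSurf does for the whole dependency tree, turns these per-file counts into an attack-surface summary.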
The `top500/run_exp.go` script in the `experiments` folder automates large-scale analysis of the 500 most imported Go modules using the GoSurf library. To use this script, simply run:
```bash
cd experiments/top500
go run run_exp.go
```
The results of the analysis are written to the `experiments/top500/results` folder in HTML format.
The `popular10/run_exp.go` script in the `experiments` folder allows customized analysis of a selected set of packages. To use this script, insert a list of `go_module_name version` entries in a text file.
Two experiments are pre-configured to run:

- Experiment 1 uses the modules listed in the `urls_exp1.txt` file. To run this experiment, execute:

  ```bash
  cd experiments/popular10
  go run run_exp.go exp1
  ```

- Experiment 2 uses the modules listed in the `urls_exp2.txt` file. To run this experiment, execute:

  ```bash
  cd experiments/popular10
  go run run_exp.go exp2
  ```
The results of the analysis are written to the `experiments/popular10/results` folder in HTML format.
> [!NOTE]
> These programs assume a Libraries.io API token stored in the environment variable `LIBRARIESIO_TOKEN`.