ossillate-inc / packj

Packj stops :zap: Solarwinds-, ESLint-, and PyTorch-like attacks by flagging malicious/vulnerable open-source dependencies ("weak links") in your software supply-chain
https://packj.dev
GNU Affero General Public License v3.0

Fine grained control at package level #28

Open S30tt opened 1 year ago

S30tt commented 1 year ago

Describe the solution you'd like

I would like the ability to control/tune the audit alerts at a package level.

Additional context

By placing a packj.yaml file at project level, I would like the ability to have a global set of audit alert config and then be able to override this for a particular package. This means we still get full audit alerting but can silence or tune the values for a package we have reviewed and trust. I guess this would need to be for a version or hash in case an updated version becomes malicious.

ashishbijlani commented 1 year ago

This is a good feature to support. Would love to get your code contributions to enable this.

avideci commented 1 year ago

Hey, I developed a toolkit just for that, which utilizes eBPF and is tested on various use cases, including runtime RCE. https://github.com/avilum/secimport

It is actually a MITM between the interpreter and the kernel, and it is able to log and stop/kill the process in case of a violation. The policy is defined at module level, and can be traced: https://github.com/avilum/secimport#the-solution

avideci commented 1 year ago

modules:
  requests:
    destructive: true     # when true, secimport will kill on violation instead of logging.
    syscall_allowlist:
      - fchmod
      - getentropy
      - getpgrp
      - getrlimit
...

that translates to:

...
    "/workspace/Python-3.10.0/Lib/logging/__init__.py": [
        " clock_gettime",
        " getpid",
        " write"
    ],
    "/workspace/Python-3.10.0/Lib/multiprocessing/process.py": [
        " getcwd",
        " getpid",
        " getrandom"
    ],
    "/workspace/Python-3.10.0/Lib/multiprocessing/util.py": [
        " prlimit64"
    ],
    "/workspace/Python-3.10.0/Lib/os.py": [
        " read"
    ],
    "/workspace/Python-3.10.0/Lib/platform.py": [
        " uname"
    ],
    "/workspace/Python-3.10.0/Lib/posixpath.py": [
        " close",
        " fstat",
        " getcwd",
        " getdents64",
        " openat"
    ],
    "/workspace/Python-3.10.0/Lib/random.py": [
        " getrandom"
    ],
...

And compiled into an eBPF program using bpftrace.

Everything can be done using secimport's CLI.

ashishbijlani commented 1 year ago

Very cool! How does one generate an accurate allow-list?

KyeRussell commented 4 months ago

FWIW this in my eyes seems integral when actually applying this package to a codebase.

In reality, I may determine that it is OK for a particular dependency to e.g. make network calls, given the problem that it sets out to solve. Or I may determine that a particular dependency's "old/abandoned" status is OK, but may still care about it otherwise.
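
The global-plus-override behaviour requested in the opening post, with the version/hash pinning it asks for and the per-dependency exceptions described in the last comment, could resolve as in the following added example. This is not Packj code: the config schema, the alert names (`network`, `abandoned`, `install_hook`) and the function `effective_alerts` are hypothetical, and the config dict stands in for a parsed packj.yaml.

```python
import hashlib

# Constructed config, as a parsed packj.yaml might look under this proposal.
# The schema and alert names are hypothetical, not Packj's real format.
CONFIG = {
    "alerts": {"network": "fail", "abandoned": "fail", "install_hook": "fail"},
    "overrides": [
        {
            "package": "requests",
            "version": "2.31.0",
            "sha256": hashlib.sha256(b"reviewed requests artifact").hexdigest(),
            "alerts": {"network": "ignore"},
        },
        {"package": "leftpad", "version": "1.0.0", "alerts": {"abandoned": "warn"}},
    ],
}


def effective_alerts(config, package, version, artifact=None):
    """Return (alert policy, notes) for one dependency.

    An override applies only when the version matches and, if the override
    pins a sha256, the artifact bytes hash to it. Anything else falls back to
    the global policy, so a new or tampered release is fully audited again.
    """
    policy = dict(config["alerts"])
    notes = []
    for ov in config.get("overrides", []):
        if ov["package"] != package:
            continue
        if ov["version"] != version:
            notes.append(f"override for {package} pinned to {ov['version']}, got {version}")
            continue
        pinned = ov.get("sha256")
        if pinned is not None:
            if artifact is None or hashlib.sha256(artifact).hexdigest() != pinned:
                notes.append(f"override for {package} {version} skipped: sha256 mismatch")
                continue
        unknown = set(ov["alerts"]) - set(policy)
        if unknown:
            raise ValueError(f"unknown alert(s) in override: {sorted(unknown)}")
        policy.update(ov["alerts"])
    return policy, notes
```

The returned notes give a reviewer a record of every override that was skipped, which is the signal that a trusted package has changed since it was last reviewed.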