notes
packj
notes | packj
---|---
9 | 38
22 | 616
- | 3.6%
0.0 | 7.2
over 6 years ago | about 2 months ago
Python |
- | GNU Affero General Public License v3.0
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
notes
-
A Study of Malicious Code in PyPI Ecosystem
It's (partially) a fundamental problem with Python and most other programming languages. The majority of libraries don't need more authority than doing (some) computation, yet any Python script can access anything and everything by default.
https://en.wikipedia.org/wiki/Capability-based_security is the solution for this, yet Python will probably never be capable of this kind of internal encapsulation, it's too much of a fundamental change - and even if some sort of sandboxing ability is accomplished, creating separate/recursive sandboxes (needed when importing more, separate libraries) will probably require another interpreter instance (as with WebAssembly).
I hope current and future language designers will take this into account, and construct their compilers, virtual machines and interpreters accordingly. Python was created before the internet as we know it now existed, so perhaps its lack of security mechanisms shouldn't be surprising. But it and any new developments that fail to consider this aspect of computation will be fundamentally flawed from the beginning.
https://github.com/void4/notes/issues/41
-
The Insecurity Industry
Not if done correctly. Have a look at this link: https://github.com/void4/notes/issues/41
There is no issue with just limiting resources (unless there is unpredictable overhead). It doesn't have to be hardware resources either, it could be abstract/higher level resources like interpreter steps or managed memory slices.
I'm creating a series of VMs to show that this is possible, like rarVM, the recursively sandboxable virtual machine: https://esolangs.org/wiki/RarVM
Showcase: https://www.youtube.com/watch?v=MBymOp6bTII
When calling a function you can specify how many interpreter steps it can run until it aborts (and optionally gives you a continuation so you can "refill" and resume it later).
Stackless Python can do this too, but unfortunately due to the reasons discussed above will never be a safe language, this specific mechanism works only in trusted environments since the called function has the ambient authority to increase its own resource limits: https://stackless.readthedocs.io/en/2.7-slp/library/stackles...
-
SSL: Stupid Stack Language
Another approach would be to have a counter (or several) that limit the number of instruction steps, like the Stackless Python programming language (https://stackless.readthedocs.io/en/latest/library/stackless...) or the KeyKOS operating system (https://github.com/void4/notes/issues/41) did.
- he hacked the database
-
An engineer wiring an early IBM computer, 1958. Photo by Berenice Abbott
Ann Hardy programmed one of the first mainframe operating systems, and certainly the most secure one: KeyKOS
-
I am planning on creating a programming language for my Informatics Bachelor Thesis. What are your ideas for such a project?
There are syntactic and semantic aspects. Personally, I think algebraic effect systems and capability security seem to be very worthwhile areas of research because they provide abilities and guarantees that just aren't possible with currently popular languages due to their architecture.
-
Incompatible Timesharing System
This might be of interest to you: "Why KeyKOS is fascinating" - https://github.com/void4/notes/issues/41
- Resource limited chess engine competition
- Resource limited chess engine competition using WebAssembly
packj
-
Rust Without Crates.io
Creator of Packj [1] here. How do you envision sandboxing/security policies will be specified? Per-lib policies when you've hundreds of dependencies will become overwhelming. Having built an eBPF-based sandbox [2], I anticipate that accuracy will be another challenge here: too restrictive will block functionality, too permissive defeats the purpose.
1. https://github.com/ossillate-inc/packj flags malicious/risky NPM/PyPI/RubyGems/Rust/Maven/PHP packages by carrying out static+dynamic+metadata analysis.
-
A Study of Malicious Code in PyPI Ecosystem
Cool project. How do you feel about projects like OpenSSF scorecards or even the checks that socket.dev do today on these packages to help determine risk?
https://github.com/ossillate-inc/packj/blob/main/.packj.yaml
Secondly, what about impersonation where attackers imitate a popular package and its respective metadata?
-
How to use Podman inside of a container
I built Packj [1] sandboxing for securing "pip/NPM install". It uses strace for sandboxing and blocks access to sensitive files and limits traffic to known-good IP addresses.
1. https://github.com/ossillate-inc/packj
-
NPM Provenance Public Beta
Great work! This provenance check is going to be very valuable for enforcing supply-chain security. We are working on adding support to check for provenance in Packj.
1. https://github.com/ossillate-inc/packj flags risky/malicious NPM/PyPI/Ruby dependencies
-
Show HN: TypeScript Security Scanner
Cool project. Would love to integrate this in Packj [1] as one of the open-source SAST scanners. Will DM you.
1. https://github.com/ossillate-inc/packj flags malicious/risky open-source dependencies.
- Packj flags malicious/risky open-source packages
-
Show HN: Coder Guard - Protect Your IDE from Malicious Extensions
Very cool! I've built something similar, but for packages: https://github.com/ossillate-inc/packj Would love to talk.
-
Ask HN: What Are You Working on This Year?
Working on a marketplace (based on Packj [1]) to allow open-source developers to make money by selling "assured" software artifacts.
1. Packj https://github.com/ossillate-inc/packj flags malicious and other "risky" open-source dependencies in your software supply chain.
-
Compromised PyTorch-nightly dependency chain December 30th, 2022
I've created Packj sandbox [1] for "safe installation" of PyPI/NPM/Rubygems packages
1. https://github.com/ossillate-inc/packj
It DOES NOT require a VM/Container; uses strace. It shows you a preview of file system changes that installation will make and can also block arbitrary network communication during installation (uses an allow-list).
-
Vulnerability scanner written in Go that uses osv.dev data
Great to see a developer-friendly tool around OSV! Packj [1] uses OSV APIs to report vulnerable PyPI/NPM/Rubygems packages. Disclaimer: I built it.
1. https://github.com/ossillate-inc/packj flags malicious/risky packages.
What are some alternatives?
its - Incompatible Timesharing System
kubesploit - Kubesploit is a cross-platform post-exploitation HTTP/2 Command & Control server and agent written in Golang, focused on containerized environments.
sdf - Simple SDF mesh generation in Python
paperclips - Universal Paperclips mirror
ponyc - Pony is an open-source, actor-model, capabilities-secure, high performance programming language
meta - Meta discussions and unicorns. Not necessarily in that order.
cli - Command line interface for the Phylum API
maloss - Towards Measuring Supply Chain Attacks on Package Managers for Interpreted Languages
roqr - QR codes that will rock your world
firejail - Linux namespaces and seccomp-bpf sandbox
djinn - Source code for the Djinn CI platform
ThunderCloud - Cloud Exploit Framework