Heuristic Static Analysis Tool GuardDog Used to Detect Several Malicious PyPi Packages – InfoQ.com

Learn the emerging software trends you should pay attention to. Attend online QCon Plus (Nov 30 – Dec 8, 2022). Register Now
Facilitating the Spread of Knowledge and Innovation in Professional Software Development

In this article, we introduce the topic of code obfuscation, with emphasis on string obfuscation. Obfuscation is an important practice to protect source code by making it unintelligible. Obfuscation is often mistaken with encryption, but they are different concepts. In the article we will present a number of techniques and approaches used to obfuscate data in a program.
In this podcast, Jim Barton explains some of the fundamentals of modern service meshes, and provides an overview of Istio Ambient Mesh and the benefits it will provide in the future.
Data transformation remains a continuous challenge in engineering and built upon manual toil. The open source utility Dynamo Data Transform was built to simplify and build safety and guardrails into data transformation for DynamoDB based systems––built upon a robust manual framework that was then automated and open sourced. This article discusses the challenges with Data Transformation.
Burnout is taking a toll on IT and creating serious skill shortages. How can you keep your IT team engaged, productive, and happy? Mindfulness and unstructured time are delivering tangible business benefits that positively impact the bottom line, all while driving worker satisfaction and well-being.
Ix-chel Ruiz discusses DevOps for Java developers.
Make the right decisions by uncovering how senior software developers at early adopter companies are adopting emerging trends. Register Now.
Learn how to implement and manage your API projects with a security strategy and a development mindset. Register Now.
Adopt the right emerging trends to solve your complex engineering challenges. Register Now.
Your monthly guide to all the topics, technologies and techniques that every professional needs to know about. Subscribe for free.
InfoQ Homepage News Heuristic Static Analysis Tool GuardDog Used to Detect Several Malicious PyPi Packages
Nov 23, 2022 1 min read
Sergio De Simone
GuardDog is new open source tool aimed at identifying malicious Python Packages using Sempreg and package metadata analysis. Thanks to a set of source code heuristics, GuardDog can detect malicious packages never seen before and has been used to identify several malicious PyPi packages in the wild.
DataDog, maker of GuardDog, reverse-engineered a number of known malicious PyPi packages to identify common attack vectors and techniques. These include mimicking a package name (typosquatting) or a maintainer's account or email domain to induce a victim to install that package; executing code at install time, especially in the post-install step, or downloading a second-stage executable; exfiltrating sensitive data, such as AWS access keys, and others.
GuardDog makes use of [static analysis] to identify malicious packages. […] To detect malicious behavior, we use a set of heuristics designed to capture the patterns we observed. These heuristics within GuardDog scan for suspicious patterns from two locations: the source code and the package metadata on PyPi.
GuardDog source-code heuristics are implemented as Semgrep rules and include the ability to detect command overwriting in setup.py to produce the execution of a system command; the attempt to execute Base64-encoded data or images using eval or exec; the attempt to execute a file downloaded from the Internet; the inclusion of any environment variable in the payload to an outgoing network request, which can be used to exfiltrate sensitive data; and the use of suspicious domains, including .xyz, .top, or shortened urls.
Specifically, GuardDog leverages Semgrep's intra-procedural taint tracking, which analyzes the flow of data through a program to identify cases where such data is not transformed or sanitized before reaching a vulnerable function.
Besides source code, GuardDog scans package metadata against another set of heuristics, including typosquatting, changes in a package maintainer's email, and missing package information.
GuardDog's ability to detect malicious packages has been tested by running it on PyPi, leading to the identification of a number of packages that used any of the techniques described above to run malicious code or steal sensitive data.
GuardDog can be installed using pip or downloaded from GitHub.

Becoming an editor for InfoQ was one of the best decisions of my career. It has challenged me and helped me grow in so many ways. We’d love to have more people join our team.

ScyllaDB is the database for data-intensive apps requiring high performance + low latency. Achieve extreme scale with the lowest TCO. Learn More.
A round-up of last week’s content on InfoQ sent out every Tuesday. Join a community of over 250,000 senior developers. View an example

We protect your privacy.
You need to Register an InfoQ account or or login to post comments. But there’s so much more behind being registered.
Get the most out of the InfoQ experience.
Allowed html: a,b,br,blockquote,i,li,pre,u,ul,p

Allowed html: a,b,br,blockquote,i,li,pre,u,ul,p

Allowed html: a,b,br,blockquote,i,li,pre,u,ul,p

A round-up of last week’s content on InfoQ sent out every Tuesday. Join a community of over 250,000 senior developers. View an example

We protect your privacy.
Real-world technical talks. No product pitches.
Practical ideas to inspire you and your team.
QCon Plus – Nov 30 – Dec 8, Online.

QCon Plus brings together the world’s most innovative senior software engineers across multiple domains to share their real-world implementation of emerging trends and practices.
Uncover emerging software trends and practices to solve your complex engineering challenges, without the product pitches.Save your spot now
InfoQ.com and all content copyright © 2006-2022 C4Media Inc. InfoQ.com hosted at Contegix, the best ISP we’ve ever worked with.
Privacy Notice, Terms And Conditions, Cookie Policy


Note that any programming tips and code writing requires some knowledge of computer programming. Please, be careful if you do not know what you are doing…

Post expires at 8:10pm on Saturday February 25th, 2023

Leave a Reply

Next Post

How technology can help redraw the supply chain map - Financial Times

Fri Nov 25 , 2022
We use cookies and other data for a number of reasons, such as keeping FT Sites reliable and secure, personalising content and ads, providing social media features and to analyse how our Sites are used. Lucy ColbackWe’ll send you a myFT Daily Digest email rounding up the latest Supply chains […]
%d bloggers like this: