Rubygems.org: Permission checking on new versions of popular gems

Created on 21 Aug 2019  Â·  7Comments  Â·  Source: rubygems/rubygems.org

Recently, popular libraries, such as bootstrap-sass, strong_password and rest-client, have been compromised to distribute malware. I notice that existing discussions are mainly talking about improving account security via MFA or notification, and there has been few proposal on improving the security of the ecosystem using code analysis tools. Therefore, I would like to share some ideas and thoughts on this.

Among the compromised popular libraries, they used a couple of interesting APIs: Base64.urlsafe_decode64, Net::HTTP.get, Thread.new and eval. These APIs can be used to perform suspicious activities such as code obfuscation, networking, process creation, code generation. The idea is that we can identify a list of sensitive APIs provided ruby interpreter, assign permissions to them. When new versions of popular gems are pushed, we can identify the permissions required by them and compare against the older versions. If permissions increase, we can take further actions, such as notify other maintainers or dependents etc.

The idea can be roughly separated into the following steps:

  1. manual framework API labeling and permission mapping
  2. AST parsing to identify use of framework APIs
  3. static type checking for instantiable APIs
  4. permission aggregation of dependencies, i.e. A depends on B => AllPermA = AllPermB ∪ PermA
  5. warn about permission increases across versions.

Please share your comments and ideas! I have done Step 1 & 2 & 4, but the code is mainly written in Python. I would like to share if this will be useful.

picture lingfennan
👎2 👍1

Most helpful comment

The attackers can make the fake download counts by themselves.

picture hsbt on 21 Aug 2019
👍2

All 7 comments

How define "popular gems"?

hsbt picture hsbt on 21 Aug 2019

I personally analyze all the gems and their versions. But for the community. Maybe something like downloads > 10K or 100K?

lingfennan picture lingfennan on 21 Aug 2019

The attackers can make the fake download counts by themselves.

hsbt picture hsbt on 21 Aug 2019
👍2

The current attacks can be classified into three categories: typosquatting, account hijacking, social engineering (inject malicious code/dependency). For typosquatting, attackers can do whatever they want (which is the case you are talking about). For the latter two, the idea is that attackers are trying to exploit the existing users of those packages. This proposed approach is trying to prevent the latter two categories.

lingfennan picture lingfennan on 21 Aug 2019
👍1

This seems way too difficult a task. The ruby philosophy is to enable people to do things; gems were created to distribute code.

Malicious people will always try to find ways to harm others and benefit from it. I do not think you can use automatic tools to discover all possibilities; it took real people to discover the abusive gems, and none of these have (yet?) affected any large gem either, yet restrictions e. g. such as added against typo-squatting, have affected and hindered real people before (see another issue here at github).

Plus ... I am not even sure how to take it... python tools that should check for malicious code in the rubygem ecosystem? I mean ... come on now ...

What is even meant with "permissions" - does this actually mean restrictions? How do you know which code is "suspicious", either? I mean we have to talk about specifics here. Typosquatting is somewhat simple to detect, more or less; account take over is harder to do something about (it may be useful to gather some statistics about the top 50 gems, within the next 6 months, whether any of them is affected by malicious code or attacks).

As for "social" engineering (nothing "social" about when you use another human being as honeypot to become a passive distributor of malicious code) - there have been prior discussions about ownership transfer etc... and notifying downstream users. If you look at rubygems.org, there are changes such as "pushed by xyz" and so forth, which may be useful if there is more than one author. This can be extended, perhaps use some karma system (although don't take me too literally here; it depends a lot on the design how useful it is. I don't consider the StackOverflow karmasystem to be very good, mostly because others can too easily impede others negatively, e. g. closing questions and so forth, but you get the general idea. I dare claim that malicious people are almost always those who have no proven track record of anything useful in a language community, but making things harder for genuine newcomers is also not a great idea, since you put down hurdles into adoption of a language. There are simple trade offs to be considered here, how open gems should be, the gems ecosystem etc... ).

I have not followed all discusions by the letter, but as far as I have understood it, the rubygems.org folks but also gem + bundler folks are thinking about making things better; and while matz has not commented on any of this (I think, at the least not in english issue trackers), I am quite certain he reads stuff and considers things too. But at the end of the day, there will never be 100% safety as long as trust has to be involved - one has to be suspicious about any code, even non-malicious code that is simply buggy and may do unwanted things.

rubyFeedback picture rubyFeedback on 23 Aug 2019

I agree with Ruian and think this research has merit.

rietta picture rietta on 5 Sep 2019

@lingfennan I've reached out to you privately via your gatech.edu e-mail. I would love to collaborate on this. I've made some progress identifying malicious gem candidates via metadata analysis.

rietta picture rietta on 5 Sep 2019
Was this page helpful?
0 / 5 - 0 ratings

Related issues

coilysiren picture coilysiren  Â·  3Comments
m1kit picture m1kit  Â·  5Comments
localhostdotdev picture localhostdotdev  Â·  8Comments
nyaapa picture nyaapa  Â·  4Comments
nicolasleger picture nicolasleger  Â·  10Comments