Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

New rule for "silent execution" of popen based on Pytorch attack. Some cleanup of processing whl files #116

Closed
wants to merge 4 commits into from
Closed

New rule for "silent execution" of popen based on Pytorch attack. Some cleanup of processing whl files #116

wants to merge 4 commits into from

Conversation

zmallen
Copy link
Contributor

@zmallen zmallen commented Jan 1, 2023
edited
Loading

On Dec 31 2022, pytorch maintainers published this post detailing a supply chain attack.

It primarily focused on using dependency confusion on how pip installs packages in a particular order. An internal package was used (triton), but someone registered triton on pypi.

It was a copypasta of triton with one additional __init__.py that dropped a binary and executed it.

Triage analysis here

This P/R adds a rule that "alerts" on this attack by looking for subprocess.FUNC(...,) with arguments that make it a "silent execution" to reduce false positives. I successfully tested this on the malicious package in the post and it found the malicious code!

I thought our code execution code would catch this, but we scoped it to setup.py to reduce false positives. I think /dev/nulling std* is a very specific pattern for malware, so I added it here.

image

@zmallen
use safe extract for local files. add .whl to local file extraction. …
544eadc 
…Update code-execution id to specify setup.py. Add new rule for silent-popens based on pytorch attack
@zmallen zmallen changed the title Add python version pin for poetry and update README New rule for "silent execution" of popen based on Pytorch attack. Some cleanup of processing whl files Jan 1, 2023
@christophetd christophetd self-requested a review January 3, 2023 10:44
@christophetd christophetd self-assigned this Jan 3, 2023
@christophetd
Copy link
Contributor

christophetd commented Jan 3, 2023
edited
Loading

Thanks for the PR, will

  • Slightly reword the description
  • Rebase the PR against the v1.0-rc branch

@christophetd
Copy link
Contributor

christophetd commented Jan 3, 2023
edited
Loading

Closing in favor of #119 that will be merged in v1.0-rc

@christophetd christophetd mentioned this pull request Jan 3, 2023
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@christophetd christophetd Awaiting requested review from christophetd

Assignees

@christophetd christophetd

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@zmallen @christophetd