shreyas-sriram/typosquash

Refine module-3 evaluation

Opened this issue · 1 comments

There are some differences in the outputs between the original package and the candidate package. Not all of these might indicate malicious behavior. So, how do we evaluate?

$ sudo python3 orchestrator.py -f sample.txt 
[INFO] Running module 1 (candidate generator) for package: parker
[INFO] Running module 3 (dynamic analyzer) for package: parkr
{'dynamic_violations': ['{"DNS": {}, "files": {"/lib/x86_64-linux-gnu/libgcc_s.so.1": {"command": "import", "delete": false, "read": true, "write": false}, "/sys/devices/system/cpu": {"command": "import", "delete": false, "read": true, "write": false}, "/usr/local/bin/f2py": {"command": "install", "delete": false, "read": true, "write": true}, "/usr/local/bin/f2py3": {"command": "install", "delete": false, "read": true, "write": true}, "/usr/local/bin/f2py3.9": {"command": "install", "delete": false, "read": true, "write": true}}, "sockets": {}}']}
[INFO] Running module 3 (dynamic analyzer) for package: paker
{'dynamic_violations': ['{"DNS": {}, "files": {"./source/__init__.py": {"command": "install", "delete": false, "read": true, "write": false}, "source/LICENSE.txt": {"command": "install", "delete": false, "read": true, "write": false}, "source/MIT-License.txt": {"command": "install", "delete": false, "read": true, "write": false}, "source/MPL2-License.txt": {"command": "install", "delete": false, "read": true, "write": false}, "source/MemoryModule.c": {"command": "install", "delete": false, "read": true, "write": false}, "source/MemoryModule.h": {"command": "install", "delete": false, "read": true, "write": false}, "source/MyLoadLibrary.c": {"command": "install", "delete": false, "read": true, "write": false}, "source/MyLoadLibrary.h": {"command": "install", "delete": false, "read": true, "write": false}, "source/Python-dynload.h": {"command": "install", "delete": false, "read": true, "write": false}, "source/_memimporter.c": {"command": "install", "delete": false, "read": true, "write": false}, "source/actctx.c": {"command": "install", "delete": false, "read": true, "write": false}, "source/actctx.h": {"command": "install", "delete": false, "read": true, "write": false}, "source/python-dynload.c": {"command": "install", "delete": false, "read": true, "write": false}}, "sockets": {}}']}
[INFO] Running module 3 (dynamic analyzer) for package: larker
{'dynamic_violations': ['{"DNS": {}, "files": {"/usr/local/bin/2to3": {"command": "install", "delete": false, "read": true, "write": false}, "/usr/local/bin/idle": {"command": "install", "delete": false, "read": true, "write": false}, "/usr/local/bin/idle3": {"command": "install", "delete": false, "read": true, "write": false}, "/usr/local/bin/normalizer": {"command": "install", "delete": false, "read": true, "write": true}, "/usr/local/bin/pydoc": {"command": "install", "delete": false, "read": true, "write": false}, "/usr/local/bin/pydoc3": {"command": "install", "delete": false, "read": true, "write": false}, "/usr/local/bin/python": {"command": "install", "delete": false, "read": true, "write": false}, "/usr/local/bin/python-config": {"command": "install", "delete": false, "read": true, "write": false}, "/usr/local/bin/python3-config": {"command": "install", "delete": false, "read": true, "write": false}}, "sockets": {}}']}
[INFO] Running module 3 (dynamic analyzer) for package: parler
{'dynamic_violations': ['{"DNS": {}, "files": {}, "sockets": {}}']}

This could be improved by going a step further and considering the similarities (not only the differences).

The idea is that an ideal typosquatting package would be very similar to the original package, with minor differences.
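One way to turn that idea into a check over the module-3 records shown in the issue (added example, not code from the typosquash repository): flatten each `dynamic_violations` record into a set of (kind, target, action) behaviours, score original-vs-candidate overlap with a Jaccard index, and list what only the candidate does, with network and write/delete behaviour pulled out for review first. The two records and their paths are constructed for this example.

```python
import json

# Constructed records in the shape module 3 prints ({'dynamic_violations':
# ['<json string>']}); the paths and hostname are made up for this example.
ORIGINAL = {"dynamic_violations": [json.dumps({
    "DNS": {}, "sockets": {},
    "files": {
        "/lib/x86_64-linux-gnu/libgcc_s.so.1": {"command": "import", "delete": False, "read": True, "write": False},
        "/usr/local/bin/f2py": {"command": "install", "delete": False, "read": True, "write": True},
    }})]}
CANDIDATE = {"dynamic_violations": [json.dumps({
    "DNS": {"updates.example.invalid": {}}, "sockets": {},
    "files": {
        "/lib/x86_64-linux-gnu/libgcc_s.so.1": {"command": "import", "delete": False, "read": True, "write": False},
        "/usr/local/bin/f2py": {"command": "install", "delete": False, "read": True, "write": True},
        "/home/user/.netrc": {"command": "import", "delete": False, "read": True, "write": False},
    }})]}

HIGH_IMPACT = {"write", "delete", "dns", "socket"}  # actions worth a human look first

def behaviours(record):
    """Flatten one module-3 record into a set of (kind, target, action) tuples."""
    out = set()
    for raw in record["dynamic_violations"]:
        rep = json.loads(raw)  # each list entry is itself a JSON string
        for name in rep.get("DNS", {}):
            out.add(("dns", name, "dns"))
        for sock in rep.get("sockets", {}):
            out.add(("socket", sock, "socket"))
        for path, acc in rep.get("files", {}).items():
            for action in ("read", "write", "delete"):
                if acc.get(action):
                    out.add(("file", path, action))
    return out

def compare(original, candidate):
    """Jaccard similarity of the two behaviour sets plus the candidate's extras."""
    a, b = behaviours(original), behaviours(candidate)
    shared, only_cand = a & b, b - a
    similarity = len(shared) / len(a | b) if a | b else 1.0
    return {
        "similarity": round(similarity, 3),     # 1.0 == behaves identically
        "shared": sorted(shared),
        "candidate_only": sorted(only_cand),     # the "minor differences"
        "original_only": sorted(a - b),
        "review_first": sorted(t for t in only_cand if t[2] in HIGH_IMPACT),
    }

if __name__ == "__main__":
    print(json.dumps(compare(ORIGINAL, CANDIDATE), indent=1))
```

A high similarity together with a non-empty `review_first` is the profile the comment describes: a near-copy of the original whose few extra behaviours are the ones to examine.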