
Capslock: a tool to help understand what a project's dependencies can do


Rui Carlos


Google recently released the Capslock tool, which makes it possible to understand how a project's dependencies are accessing system functionality, such as the network or files. This should make it easier, for example, to identify malicious dependencies.

Supply chain attacks are among the things that scare me most, both when developing applications and when installing other people's applications. And given the difficulties I have had in convincing colleagues to minimise the dependencies of the projects I work on, this kind of tool seems to me to have considerable potential for detecting problems.

To some extent, it is an alternative/complementary approach to reproducible builds (recently mentioned here by @pwseo), and although this tool seems to me to give fewer guarantees, it may have more potential for success in terms of adoption by developers.

It's just a pity that it only supports Go 😄


More info: https://security.googleblog.com/2023/09/capslock-what-is-your-code-really.html

Quote

When you import a third party library, do you review every line of code? Most software packages depend on external libraries, trusting that those packages aren’t doing anything unexpected. If that trust is violated, the consequences can be huge—regardless of whether the package is malicious, or well-intended but using overly broad permissions, such as with Log4j in 2021. Supply chain security is a growing issue, and we hope that greater transparency into package capabilities will help make secure coding easier for everyone.

Avoiding bad dependencies can be hard without appropriate information on what the dependency’s code actually does, and reviewing every line of that code is an immense task.  Every dependency also brings its own dependencies, compounding the need for review across an expanding web of transitive dependencies. But what if there was an easy way to know the capabilities–the privileged operations accessed by the code–of your dependencies? 

Capslock is a capability analysis CLI tool that informs users of privileged operations (like network access and arbitrary code execution) in a given package and its dependencies. Last month we published the alpha version of Capslock for the Go language, which can analyze and report on the capabilities that are used beneath the surface of open source software. 

This CLI tool will provide deeper insights into the behavior of dependencies by reporting code paths that access privileged operations in the standard libraries. In upcoming versions we will add support for open source maintainers to prescribe and sandbox the capabilities required for their packages, highlighting to users what capabilities are present and alerting them if they change.

[...]

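To illustrate the kind of analysis the post describes, here is a small added example (not Capslock's own code, and far simpler than it): it parses a constructed Go source file and reports, per function, which coarse capability is reached through direct calls into net, os and os/exec. The capability names, the import table and the sample package are assumptions; Capslock itself works on the typed call graph of the whole dependency tree rather than on a single file's syntax.

```go
package main
import (
	"go/ast"
	"go/parser"
	"go/token"
	"strings"
)
// Constructed sample "dependency" (not a real package); Phone uses an aliased import for os/exec.
const SampleDependency = `package dep
import ("net"; "os"; x "os/exec")
func Phone() { c, _ := net.Dial("tcp", "example.invalid:443"); c.Close(); x.Command("id").Run() }
func ReadCfg() []byte { b, _ := os.ReadFile("cfg"); return b }
func Add(a, b int) int { return a + b }`
// Hypothetical, coarse table (Capslock's real one is far larger): import path -> capability.
var capabilityOfImport = map[string]string{"net": "NETWORK", "os/exec": "EXEC", "os": "FILES"}
// Analyze returns, per top-level function, the capabilities reached by direct calls into those
// packages. Unlike Capslock it does not follow the call graph, so a local wrapper would hide them.
func Analyze(src string) (map[string]map[string]bool, error) {
	f, err := parser.ParseFile(token.NewFileSet(), "dep.go", src, 0)
	if err != nil {
		return nil, err
	}
	capByName := map[string]string{} // local import name or alias -> capability
	for _, imp := range f.Imports {
		path := strings.Trim(imp.Path.Value, `"`)
		if c, ok := capabilityOfImport[path]; ok {
			name := path[strings.LastIndex(path, "/")+1:]
			if imp.Name != nil { // aliased import such as x "os/exec"
				name = imp.Name.Name
			}
			capByName[name] = c
		}
	}
	result := map[string]map[string]bool{}
	for _, decl := range f.Decls {
		if fn, ok := decl.(*ast.FuncDecl); ok && fn.Body != nil {
			seen := map[string]bool{}
			ast.Inspect(fn.Body, func(n ast.Node) bool {
				if sel, ok := n.(*ast.SelectorExpr); ok { // e.g. net.Dial, x.Command
					if id, ok := sel.X.(*ast.Ident); ok && capByName[id.Name] != "" {
						seen[capByName[id.Name]] = true
					}
				}
				return true
			})
			result[fn.Name.Name] = seen
		}
	}
	return result, nil
}
```

Running Analyze on SampleDependency attributes NETWORK and EXEC to Phone, FILES to ReadCfg and nothing to Add, which is the per-function view a reviewer would compare against what the dependency is supposed to do.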

Good initiative. In fact, I think it is complementary to reproducible builds, since they address different problems (which are part of a frightening whole, unfortunately).

It is indeed a pity that it only supports Go. In the long run, it will be harder to maintain this tool than the GNU initiative mentioned earlier, since with the former we will have to constantly update the static analysis for every language, whereas with the latter it is "enough" to ensure hash verification, regardless of the meaning of the code.

