Automated security testing for open source libraries and applications.

Overview


autovet continuously searches for security breaches in open source libraries and applications.


Recently processed packages

package version channel last check syscall coverage result

Motivation

Every time I update my Arch Linux systems, I'm impressed at the quantity of packages that have changed:

$ sudo pacman -Syu
:: Synchronizing package databases...
 core is up to date
 extra is up to date
 community is up to date
:: Starting full system upgrade...
resolving dependencies...
looking for conflicting packages...

Packages (48) cmake-3.24.0-1  libva-2.15.0-2  meson-0.63.1-2  python-3.10.6-1  rubygems-3.3.19-1  seabios-1.16.0-3 ...

Total Download Size:    63.81 MiB
Total Installed Size:  283.88 MiB
Net Upgrade Size:        2.81 MiB

:: Proceed with installation? [Y/n]

The question that should occur to any security-conscious person is: how can I trust all of these updates coming from thousands of developers around the world?

Sure, all updates are cryptographically signed, but a signature only proves who published the artifact, not that its contents are benign. Remember how signing thwarted the SolarWinds attack? Yeah, it didn't: the backdoored Orion builds shipped with SolarWinds' own valid signature.

And what if a developer goes rogue and decides to "cash out" on the popularity of their open-source project by sneaking a cryptocurrency wallet uploader into their next release? They'll definitely be caught, but maybe not before significant damage is done.

What we need is an automated first line of defense that can provide some shred of confidence that installing the latest version of supertuxkart isn't going to spawn a bitcoin miner in the background. Of course it'll never be possible to reach 100% confidence because security doesn't work like that, but something is better than nothing.

So that's exactly what autovet is designed to do. The best part is, you don't have to do anything to use it! autovet automatically processes packages as soon as they are released and creates issues on the appropriate repositories.

Why rebuilderd isn't enough

rebuilderd is a project that rebuilds official release artifacts from their published sources and checks that the result matches bit for bit, proving there were no unwelcome additions in the build process.

This is a valuable tool, but it can't catch compromises to the source code itself: a malicious commit rebuilds just as reproducibly as an honest one.

Dynamic Application Security Testing (DAST)

autovet runs programs in virtual machines of varying configurations and just watches what happens. It's not possible to find every compromise this way, but it certainly makes it more difficult for an attacker to slip in malicious code unnoticed.

System Calls

The most powerful indicator that autovet considers is the series of system calls that a program invokes during execution. (For this reason, autovet isn't effective on kernel modules: their code runs inside the kernel and never crosses the system call boundary.)

For example, if an update to jq is somehow compromised and starts creating network sockets with socket() and connecting them with connect(), we know something is very wrong. This kind of detection is possible because autovet knows approximately what system calls to expect according to the previous version of the program.

How do we know the previous version of the program isn't compromised as well? Currently that's a manual step that happens when a package is first initialized: someone has to look over the system call list and confirm it's reasonable for the particular program.

Evasion Tactics

Malware often tries to detect when it's under scrutiny and appear benign. autovet attempts to detect that detection and flags programs that seem to evade analysis.
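The two checks described above (comparing a new version's system calls against the vetted baseline, and flagging calls that look like the program is probing for a sandbox or tracer) can be illustrated with a small baseline-diff over strace output. This is an added example and not autovet's own code: the traces are constructed strace -f output for a hypothetical jq update, and the lists of network syscalls and evasion probes are assumptions chosen for that scenario.

```python
"""Baseline-diff a program's system-call trace and flag analysis-evasion probes.

Added example, not autovet's code. Input is constructed `strace -f` output;
NETWORK_SYSCALLS and EVASION_PROBES are assumptions for the jq scenario.
"""
import re
from collections import Counter

# One strace line: optional "PID  " or "[pid N] " prefix, then name(args ...
_LINE_RE = re.compile(r"^(?:\d+\s+|\[pid\s+\d+\]\s+)?([a-z0-9_]+)\((.*)$")

# A pure text filter like jq has no business making these (assumption).
NETWORK_SYSCALLS = frozenset({
    "socket", "connect", "bind", "listen", "accept", "accept4",
    "sendto", "recvfrom", "sendmsg", "recvmsg", "sendmmsg", "recvmmsg",
})

# (syscall names, substring of the arguments, what that probe usually means).
# Well-known sandbox/debugger checks, listed here as illustration only.
EVASION_PROBES = (
    (frozenset({"ptrace"}), "PTRACE_TRACEME", "tracer check via ptrace(PTRACE_TRACEME)"),
    (frozenset({"open", "openat"}), "/proc/self/status", "reads TracerPid from /proc/self/status"),
    (frozenset({"open", "openat"}), "/sys/class/dmi/id/", "DMI vendor probe (VM fingerprinting)"),
    (frozenset({"open", "openat"}), "/sys/hypervisor/", "hypervisor sysfs probe"),
)

# Constructed trace of the vetted previous jq version: read a file, print it.
_PREFIX = r"""
1234  execve("/usr/bin/jq", ["jq", ".", "in.json"], 0x7ffd1c2e3f40 /* 20 vars */) = 0
1234  brk(NULL)                          = 0x55d0c1a00000
1234  openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
1234  mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f3a9c2e1000
1234  close(3)                           = 0
1234  openat(AT_FDCWD, "in.json", O_RDONLY) = 3
1234  read(3, "{\"a\": 1}", 4096)       = 8
1234  write(1, "{\n  \"a\": 1\n}\n", 14) = 14
1234  close(3)                           = 0
"""
_EXIT = r"""
1234  exit_group(0)                      = ?
1234  +++ exited with 0 +++
"""
BASELINE_TRACE = _PREFIX + _EXIT

# Constructed trace of a hypothetical compromised update: same work, plus
# sandbox probes and an outbound TCP connection (198.51.100.7 is TEST-NET-2).
COMPROMISED_TRACE = _PREFIX + r"""
1234  openat(AT_FDCWD, "/proc/self/status", O_RDONLY) = 4
1234  read(4, "Name:\tjq\nUmask:\t0022\nState:\tR (running)\n", 4096) = 1156
1234  close(4)                           = 0
1234  ptrace(PTRACE_TRACEME, 0, NULL, NULL) = -1 EPERM (Operation not permitted)
1234  openat(AT_FDCWD, "/sys/class/dmi/id/product_name", O_RDONLY) = 4
1234  socket(AF_INET, SOCK_STREAM, IPPROTO_TCP) = 5
1234  connect(5, {sa_family=AF_INET, sin_port=htons(443), sin_addr=inet_addr("198.51.100.7")}, 16) = 0
1234  sendto(5, "\x16\x03\x01\x02\x00\x01\x00\x01\xfc\x03\x03", 11, MSG_NOSIGNAL, NULL, 0) = 11
""" + _EXIT


def parse_trace(trace):
    """Return [(syscall, argument_text)] for each syscall entry in the trace.

    Lines that are not syscall entries (signal delivery, '+++ exited',
    '<... resumed>' continuations) have no name before '(' and are skipped.
    """
    calls = []
    for line in trace.splitlines():
        m = _LINE_RE.match(line.strip())
        if m:
            calls.append((m.group(1), m.group(2)))
    return calls


def syscall_profile(trace):
    """Per-syscall counts: the 'syscall coverage' recorded for a vetted version."""
    return Counter(name for name, _ in parse_trace(trace))


def new_syscalls(baseline, candidate):
    """Syscalls the candidate makes that the vetted baseline never made."""
    return set(candidate) - set(baseline)


def evasion_indicators(trace):
    """One note per call that matches a known analysis-evasion probe."""
    notes = []
    for name, args in parse_trace(trace):
        for names, needle, meaning in EVASION_PROBES:
            if name in names and needle in args:
                notes.append(f"{name}(...{needle}...): {meaning}")
    return notes


def analyze(baseline_trace, candidate_trace):
    """Compare a candidate run against the baseline and return a verdict.

    FAIL   : new network syscalls or evasion probes (clear red flags)
    REVIEW : other syscalls never seen in the baseline (a human should look)
    PASS   : candidate stays within the baseline's syscall coverage
    """
    added = new_syscalls(syscall_profile(baseline_trace), syscall_profile(candidate_trace))
    network = added & NETWORK_SYSCALLS
    evasion = evasion_indicators(candidate_trace)
    verdict = "FAIL" if (network or evasion) else ("REVIEW" if added else "PASS")
    return {"new_syscalls": added, "new_network_syscalls": network,
            "evasion": evasion, "verdict": verdict}


if __name__ == "__main__":
    for label, trace in (("baseline", BASELINE_TRACE), ("update", COMPROMISED_TRACE)):
        r = analyze(BASELINE_TRACE, trace)
        print(f"{label}: {r['verdict']} new={sorted(r['new_syscalls'])}")
        for note in r["evasion"]:
            print("  evasion:", note)
```

Run against the constructed traces, the baseline passes and the update fails on three new network calls plus three probes. The baseline itself is what the manual first-initialization review has to bless; and note that a benign update which merely adds, say, getrandom() lands in REVIEW rather than FAIL, which is why the human step matters for anything outside the obvious red flags.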
