Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Get rid of subprocess #7

Open
KOLANICH opened this issue Nov 22, 2021 · 2 comments
Open

Get rid of subprocess #7

KOLANICH opened this issue Nov 22, 2021 · 2 comments

Comments

@KOLANICH
Copy link

The mere presence of a module importing subprocess is a security issue because other backdoored modules can use it to evade static analysis
@ilanschnell
Copy link
Owner

Can you explain in more detail why this is a security issue? What do you mean by "other backdoored modules"? Thanks

@KOLANICH
Copy link
Author

KOLANICH commented Dec 12, 2021
edited
Loading

What do you mean by "other backdoored modules"? Thanks

When a module a uses a package subprocess directly, it is detected easily by static analysis. But when it imports perfect_hash, for static analysers it looks benign, they don't check interpackage control and data flows.

Can you explain in more detail why this is a security issue?

Not really a security issue within the package itself. It is more that python interpreter is flawed. I have an idea how to make it better, but any manual overrides of taints (absolutely necessary for practiaclly useful modules) will make all the proofs unsound.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@KOLANICH @ilanschnell