Funding: National Natural Science Foundation of China (62232016, 62102406); Youth Innovation Promotion Association of the Chinese Academy of Sciences.
The openness and ease of use of Python make it one of the most widely used programming languages. The PyPI ecosystem that has grown around it is convenient for developers but is also an attractive target for attackers who exploit vulnerabilities in published packages. Once a Python vulnerability is disclosed, accurately and comprehensively assessing its impact scope is key to responding to it. However, current methods for assessing the impact scope of Python vulnerabilities mainly rely on package-granularity dependency analysis, which flags every dependant of a vulnerable package whether or not it ever reaches the vulnerable code, and therefore produces many false positives. Existing function-granularity analysis methods for Python programs have accuracy problems of their own, for instance context-insensitive call resolution, and also produce false positives when applied to real-world impact scope assessment. This study proposes PyVul++, a static-analysis-based method for assessing vulnerability impact scope across the PyPI ecosystem. It first builds an index of the PyPI ecosystem, then identifies candidate packages affected by a vulnerability through vulnerable function identification, and finally confirms the vulnerable packages by verifying the vulnerability trigger conditions, yielding a function-granularity impact scope assessment. PyVul++ improves function-granularity call analysis for Python code and outperforms other tools on the PyCG benchmark (precision 86.71%, recall 83.20%). Using PyVul++ to assess the impact scope of 10 Python CVE vulnerabilities across the PyPI ecosystem (385855 packages) finds more vulnerable packages with fewer false positives than tools such as pip-audit. In addition, across these 10 assessments PyVul++ newly finds that 11 packages in the current PyPI ecosystem still reference unpatched vulnerable functions.
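The difference between package-granularity and function-granularity assessment that the abstract describes can be made concrete with a small static check. The following is an added example, not PyVul++'s own code: it parses the source of a dependant package with the standard `ast` module, resolves import aliases and intra-package calls into a call graph, and reports every call chain that ends at a vulnerable function. The three sample packages and the vulnerable function `vulnlib.parse.load` are constructed for the example. Resolution is deliberately simple (top-level functions and imports only, no classes, no dynamic dispatch), which is exactly the kind of imprecision the paper's context-sensitive analysis is meant to remove.

```python
"""Function-granularity reachability check for one vulnerable dependency function.

Added example, not PyVul++'s own code. `vulnlib.parse.load` and the sample
packages below are constructed for illustration.
"""
import ast
from collections import defaultdict

VULN_FUNC = "vulnlib.parse.load"  # hypothetical vulnerable function


def _aliases(tree, pkg):
    """Map every local name bound by an import to its fully-qualified dotted name."""
    out = {}
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for a in node.names:
                top = a.name.split(".")[0]
                out[a.asname or top] = a.name if a.asname else top
        elif isinstance(node, ast.ImportFrom) and node.module:
            # `from .util import x` inside pkg resolves to pkg.util.x
            base = f"{pkg}.{node.module}" if node.level else node.module
            for a in node.names:
                out[a.asname or a.name] = f"{base}.{a.name}"
    return out


def _dotted(node):
    """Flatten a Name/Attribute chain such as a.b.c into ['a', 'b', 'c']."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if not isinstance(node, ast.Name):
        return None
    parts.append(node.id)
    return parts[::-1]


def build_call_graph(pkg, files):
    """files: {relative .py path: source}. Returns {caller: {callee}} with qualified names."""
    graph = defaultdict(set)
    for path, src in files.items():
        modname = path[:-3].replace("/", ".")
        if modname.endswith(".__init__"):
            modname = modname[: -len(".__init__")]
        tree = ast.parse(src)
        aliases = _aliases(tree, pkg)
        local = {n.name: f"{modname}.{n.name}" for n in tree.body if isinstance(n, ast.FunctionDef)}

        def resolve(call):
            parts = _dotted(call.func)
            if not parts:
                return None
            head = parts[0]
            if head in aliases:                      # imported name, possibly aliased
                return ".".join([aliases[head]] + parts[1:])
            if head in local and len(parts) == 1:    # function defined in this module
                return local[head]
            return None                              # builtin or unresolved: ignored

        for n in tree.body:
            caller = local[n.name] if isinstance(n, ast.FunctionDef) else f"{modname}.<module>"
            for sub in ast.walk(n):
                if isinstance(sub, ast.Call):
                    callee = resolve(sub)
                    if callee:
                        graph[caller].add(callee)
    return graph


def reaching_paths(graph, target):
    """All acyclic call chains in `graph` that end at `target`."""
    paths = []

    def dfs(node, chain):
        if node == target:
            paths.append(chain)
            return
        for nxt in sorted(graph.get(node, ())):
            if nxt not in chain:
                dfs(nxt, chain + [nxt])

    for start in sorted(graph):
        dfs(start, [start])
    return paths


def assess(pkg, files, declared_deps):
    """Package-level verdict (dependency declared) versus function-level verdict (vulnerable function reachable)."""
    package_flag = VULN_FUNC.split(".")[0] in declared_deps
    chains = [" -> ".join(p) for p in reaching_paths(build_call_graph(pkg, files), VULN_FUNC)]
    return {"package_level_flag": package_flag, "function_level_flag": bool(chains), "chains": chains}


# Constructed sample packages; all three declare vulnlib as a dependency.
SAMPLES = {
    "safeuser": {"safeuser/__init__.py":                     # only calls dump(): package-level false positive
        "import vulnlib.parse\ndef export(obj):\n    return vulnlib.parse.dump(obj)\n"},
    "directuser": {"directuser/__init__.py":                 # calls the vulnerable function through an alias
        "from vulnlib.parse import load as ld\ndef read(blob):\n    return ld(blob)\n"},
    "indirectuser": {                                        # reaches it through an internal helper module
        "indirectuser/__init__.py": "from .util import decode\ndef run(blob):\n    return decode(blob)\n",
        "indirectuser/util.py": "from vulnlib import parse\ndef decode(blob):\n    return parse.load(blob)\n"},
}

if __name__ == "__main__":
    for name, files in SAMPLES.items():
        print(name, assess(name, files, {"vulnlib"}))
```

Run stand-alone, the script flags all three packages at package granularity but only `directuser` and `indirectuser` at function granularity, and for those it prints the call chain that serves as evidence (for instance `indirectuser.run -> indirectuser.util.decode -> vulnlib.parse.load`). An ecosystem-scale tool would additionally need to handle methods, classes, `*args` forwarding and the trigger-condition checks the paper describes; the example only shows where the false positives of package-level analysis come from.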