https://github.com/chains-project/gosurf

Static analyzer to find locations to hide malicious code in Go

https://github.com/chains-project/gosurf

Science Score: 36.0%

This score indicates how likely this project is to be science-related based on various indicators:

  • CITATION.cff file
  • codemeta.json file
    Found codemeta.json file
  • .zenodo.json file
  • DOI references
    Found 3 DOI reference(s) in README
  • Academic publication links
    Links to: arxiv.org
  • Committers with academic emails
  • Institutional organization owner
  • JOSS paper metadata
  • Scientific vocabulary similarity
    Low similarity (13.3%) to scientific vocabulary
Last synced: 10 months ago · JSON representation

Repository

Static analyzer to find locations to hide malicious code in Go

Basic Info
  • Host: GitHub
  • Owner: chains-project
  • Language: HTML
  • Default Branch: main
  • Homepage:
  • Size: 33 MB
Statistics
  • Stars: 4
  • Watchers: 6
  • Forks: 1
  • Open Issues: 5
  • Releases: 0
Created over 2 years ago · Last pushed almost 2 years ago
Metadata Files
Readme

README.md

# GoSurf 🏄

GoSurf is a tool that analyzes the potential attack surface of open-source Go packages and modules. It looks for occurrences of various features and constructs that could potentially introduce security risks, known as attack vectors.

See paper GoSurf: Identifying Software Supply Chain Attack Vectors in Go (SCORED 2024) (doi:10.1145/3689944.3696166)

Repository Structure

  • attack_vectors: This folder contains an analysis of 12 different attack vectors in Go, along with their respective proof-of-concept implementations.
  • experiments: This folder contains scripts and results for attack surface analysis of different Go modules.
    • popular10 contains experiments on the 10 most popular Go modules.
    • top500 contains experiments on the 500 most imported Go modules.
  • libs: This folder contains utility functions used by the GoSurf tool.
  • template: This folder contains HTML templates used by the experiment scripts to print results.
  • gosurf.go: The file gosurf.go file is the entry point for the GoSurf tool, which allows you to analyze a Go module and identify all the defined attack vectors, effectively framing the attack surface through Abstract Syntax Tree (AST) analysis.

Simple Usage

To use the GoSurf tool, follow these steps:

```bash

Clone the repository

git clone https://github.com/chains-project/GoSurf.git

Navigate to the gosurf directory

cd gosurf

Build the tool

go build

Analyze the github.com/ethereum/go-ethereum module

./gosurf $GOPATH/pkg/mod/github.com/ethereum/go-ethereum@v1.13.14

``` The tool will analyze the specified module and its direct dependencies, identifying occurrences of the defined attack vectors, and print results on the CLI.

Experiments

Analyze Top 500 most imported modules

The top500/run_exp.go script in the experiments folder allows for automating large-scale analysis on 500 Go (most imported) modules using the GoSurf library. To use this script, simply run:

bash cd experiments/top500 go run run_exp.go

The results for the analysis will be reported in the experiments/top500/results folder in HTML format.

Analyze custom list of modules

The popular10/run_exp.go script in the experiments folder allows for customized analysis on a set of selected packages. To use this script, insert a list of "gomodulename version" entries in a text file.

Two experiments are pre-configured to run:

  • Experiment 1: Analyzes 10 popular Go projects. The project names and versions are contained in the urls_exp1.txt file. To run this experiment, execute

bash cd experiments/popular10 go run run_exp.go exp1

  • Experiment 2: Performs a differential analysis over versions for a single Go project (Kubernetes). The project name and versions to be analyzed are contained in the urls_exp2.txt file. To run this experiment, execute

bash cd experiments/popular10 go run run_exp.go exp2

The results for the analysis will be reported in the experiments/popular10/results folder in HTML format.

[!NOTE] These programs assume a Libraries.io API token stored in the environment variable LIBRARIESIO_TOKEN.

Owner

  • Name: CHAINS research project at KTH Royal Institute of Technology
  • Login: chains-project
  • Kind: organization

"Consistent Hardening and Analysis of Software Supply Chains" at KTH, funded by SSF

GitHub Events

Total
  • Watch event: 8
Last Year
  • Watch event: 8

Committers

Last synced: over 1 year ago

All Time
  • Total Commits: 142
  • Total Committers: 3
  • Avg Commits per committer: 47.333
  • Development Distribution Score (DDS): 0.134
Past Year
  • Commits: 142
  • Committers: 3
  • Avg Commits per committer: 47.333
  • Development Distribution Score (DDS): 0.134
Top Committers
Name Email Commits
carminecesarano c****o@h****t 123
vivi365 v****0@g****m 18
Martin Monperrus m****s@g****g 1
Committer Domains (Top 20 + Academic)

Issues and Pull Requests

Last synced: over 1 year ago

All Time
  • Total issues: 4
  • Total pull requests: 8
  • Average time to close issues: N/A
  • Average time to close pull requests: 3 days
  • Total issue authors: 1
  • Total pull request authors: 1
  • Average comments per issue: 0.5
  • Average comments per pull request: 1.25
  • Merged pull requests: 6
  • Bot issues: 0
  • Bot pull requests: 0
Past Year
  • Issues: 4
  • Pull requests: 8
  • Average time to close issues: N/A
  • Average time to close pull requests: 3 days
  • Issue authors: 1
  • Pull request authors: 1
  • Average comments per issue: 0.5
  • Average comments per pull request: 1.25
  • Merged pull requests: 6
  • Bot issues: 0
  • Bot pull requests: 0
Top Authors
Issue Authors
Pull Request Authors
  • vivi365 (9)
Top Labels
Issue Labels
Pull Request Labels

Dependencies

attack_vectors/init_time/global_init/go.mod go
attack_vectors/init_time/init_func/go.mod go
attack_vectors/prebuild_time/generators/go.mod go
attack_vectors/prebuild_time/smoketest/go.mod go
attack_vectors/prebuild_time/testing/go.mod go
attack_vectors/runtime/assembly/go.mod go
attack_vectors/runtime/cgo/go.mod go
attack_vectors/runtime/constructors/factory_functions/go.mod go
attack_vectors/runtime/exec/exec_command/go.mod go
attack_vectors/runtime/interfaces/duck_typing/go.mod go
attack_vectors/runtime/interfaces/structural_typing/go.mod go
attack_vectors/runtime/reflection/reflection_usage/go.mod go
attack_vectors/runtime/reflection/unexported_type/go.mod go
go.mod go