Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Clarify what is allowed and what is considered malicious. #381

Open
wants to merge 575 commits into
base: main
Choose a base branch
from

Conversation

calebbrown
Copy link
Contributor

Further clarify the specification of what is considered malicious for the repository.

This helps make decisions about true vs false positives easier to make.

README.md Outdated
- and either:
- when installed or used, would require some sort of incident response; or
- exfiltrates an identifier that can be directly used to launch an attack
against the victim (e.g. username for phishing or password bruteforcing)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Minor: you don't have to list out all the ways malicious software behaves, but these days I would say stealing browser cookies is pretty high on the list, maybe also installing a keylogger

README.md Outdated

- an open source package publicly available in a package registry
- and either:
- when installed or used, would require some sort of incident response; or
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Minor: definitions are hard, and I wouldn't call myself an expert here, but maybe something like "when installed or runs, tries to persist software on the machine unrelated to the advertised function of the package"

@calebbrown calebbrown requested a review from steiza October 1, 2024 23:26
Copy link
Member

@steiza steiza left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice - protestware is a good call-out as well

Copy link

@SecurityCRob SecurityCRob left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is a great update. As I have cycles, I'll see if I have any wording bikeshedding I could contribute, but I think this is mvp as is


Obfuscation, debugger evasion, and other reverse engineering protection
techniques, are used by both developers seeking to protect their source code
and attackers seeking to evade detection.
Copy link

@bjorn3 bjorn3 Oct 4, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The crates.io usage policy forbids any content that

uses obfuscation to hide or mask functionality

which seems to suggest to me that even using obfuscation for protecting source code is considered unacceptable by crates.io (though may not considered malicious), not just if the obfuscation is done to hide malicious behavior.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

6 participants