Conference: IEEE International Conference on Information Science and Technology

PyXhon: Dynamic detection of security vulnerabilities in Python extensions

Abstract

The Python programming language supports third-party software extensions, which are important for software prototype development. This paper presents a security enhancement plug-in, PyXhon, that detects security vulnerabilities and privacy leaks in third-party extensions. We propose Function Oriented Analysis, which developers use to monitor all function-call procedures; dynamic Byte Instruction Trace Analysis, which infers the behaviors of importing modules and accessing private DLLs; and security policies, which provide strategies to accept or reject extensions. These security mechanisms do not require Python language features, so they are completely transparent to Python applications. PyXhon can generate a violation report, which helps developers quickly locate and analyze suspect code in extensions. To demonstrate the usefulness of PyXhon, we have analyzed more than 30 popular Python third-party extensions. Our experiments show that, although some extensions commit violations, most third-party code respects resource privileges.