List of software quality issues with the number of affected components.
Problem
Address Space Layout Randomization (ASLR) is a vulnerability mitigation that loads a software component at a different memory base address each time it is used. This mitigation is detected as enabled, but it is rendered ineffective by the absence of the code relocations that layout randomization requires. This issue is reported for native 32-bit applications that contain code and opt in to ASLR. Reasons for missing relocations include forcing the component to load at a fixed address, removing relocations post-build, and using executable packers that are not ASLR-compliant.
Prevalence in PyPI community: 0 packages in the Top 100, 0 in the Top 1k, 10 in the Top 10k, 161 across the community.
Next steps
Review the programming language linker documentation.
In Microsoft Visual Studio, make sure the linker option /FIXED is disabled (set to OFF, i.e. /FIXED:NO).
Problem
Sensitive executable memory regions should be kept read-only to protect the integrity of trusted execution code flow paths. Imported function addresses are pointers to the symbols that implement functionality the application requires. If malicious code changes those pointers, execution paths can be redirected to unintended locations. Most modern programming language toolchains protect those memory regions appropriately. These issues are commonly reported for outdated linkers and non-compliant executable packing solutions.
Prevalence in PyPI community: 15 packages in the Top 100, 29 in the Top 1k, 165 in the Top 10k, 3.83k across the community.
Next steps
Review the programming language linker options, and consider a build toolchain update.
Problem
Sensitive executable memory regions should be kept read-only to protect the integrity of trusted execution code flow paths. Thread local storage (TLS) callbacks are pointers to code initialization and resource-release functions. If malicious code changes those pointers, execution paths can be redirected to unintended locations. Most modern programming language toolchains protect those memory regions appropriately. These issues are commonly reported for outdated linkers and non-compliant executable packing solutions.
Prevalence in PyPI community: 7 packages in the Top 100, 16 in the Top 1k, 121 in the Top 10k, 3.03k across the community.
Next steps
Review the programming language linker options, and consider a build toolchain update.
Problem
ASLR (address-space layout randomization) is a mitigation technique that increases the difficulty of buffer-overflow attacks that require the attacker to know where the program sits in memory. It works by loading the program at a randomly selected address in the process's address space. ASLR-enabled kernels can choose a random load address only for position-independent executables and code.
Prevalence in PyPI community: 3 packages in the Top 100, 17 in the Top 1k, 119 in the Top 10k, 2.96k across the community.
Next steps
To support ASLR, the program must be compiled as position-independent code. In most compilers, this is done by passing the corresponding position-independent flag, such as -fPIC for shared libraries or -fPIE for executables.
Problem
On Linux, external symbols are resolved via the procedure linkage table (PLT) and the global offset table (GOT). The global offset table is split into two tables, one for external data and one for external functions. Without any protection, both are writable at runtime and thus leave the executable vulnerable to data overwrite attacks and pointer hijacking. Data overwrite attacks can be mitigated with partial read-only relocations, while pointer hijacking can be mitigated with full read-only relocations. Both approaches have drawbacks. Partial read-only relocations do not provide full protection, because the external function GOT remains writable. Full read-only relocations require that all external function symbols are resolved at load time instead of lazily during execution, which may increase loading time for large programs.
Prevalence in PyPI community: 21 packages in the Top 100, 95 in the Top 1k, 405 in the Top 10k, 3.91k across the community.
Next steps
In most cases, it's recommended to use full read-only relocations (in GCC: -Wl,-z,relro,-z,now).
If executable load time is an issue, use partial read-only relocations instead (-z,relro without -z,now).
Problem
Control Flow Guard (CFG/CFI) protects the code flow integrity by ensuring that indirect calls are made only to vetted functions. This mitigation protects dynamically resolved function targets by instrumenting the code responsible for transferring execution control. Because the code flow integrity is verified during runtime, malicious code is less likely to be able to hijack trusted execution paths.
Prevalence in PyPI community: 29 packages in the Top 100, 114 in the Top 1k, 525 in the Top 10k, 8.89k across the community.
Next steps
It is highly recommended to enable this option for all software components used at security boundaries, or that process user-controlled input.
To enable this mitigation, refer to your programming language toolchain documentation.
In Microsoft Visual Studio, you can enable the CFG mitigation by passing the /guard:cf parameter to both the compiler and the linker.
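The two Windows-side findings above (ASLR opted in but no relocations to honour it, and CFG not enabled) can both be read straight from the PE headers. The Python script below is an added example, not part of this catalogue or of any vendor tool: it parses the COFF and optional headers to report whether DYNAMIC_BASE is set, whether a base relocation table is actually present, and whether the GUARD_CF flag is set. The build_sample_pe helper constructs a synthetic, non-runnable PE header purely so the checker can be exercised offline. It does not parse the load configuration directory, so a set GUARD_CF flag is reported as the opt-in indicator that /guard:cf leaves behind, not as proof that every indirect call is instrumented.

```python
import struct
import sys

# Flag values from the Microsoft PE/COFF specification.
IMAGE_FILE_RELOCS_STRIPPED = 0x0001
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA = 0x0020
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040
IMAGE_DLLCHARACTERISTICS_GUARD_CF = 0x4000
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
DIR_BASERELOC = 5  # index of the base relocation table in the data directories


def check_pe(data):
    """Report ASLR opt-in, relocation presence and CFG opt-in for a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE image (missing MZ header)")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image (missing PE signature)")
    coff = pe_off + 4
    _machine, _nsec, _ts, _symp, _nsym, _opt_size, characteristics = \
        struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    pe32plus = magic == PE32PLUS_MAGIC
    if not pe32plus and magic != PE32_MAGIC:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+ optional headers.
    dllchars = struct.unpack_from("<H", data, opt + 70)[0]
    # NumberOfRvaAndSizes and the data directory array differ between PE32 and PE32+.
    n_dirs = struct.unpack_from("<I", data, opt + (108 if pe32plus else 92))[0]
    dirs = opt + (112 if pe32plus else 96)
    reloc_size = 0
    if n_dirs > DIR_BASERELOC:
        reloc_size = struct.unpack_from("<I", data, dirs + DIR_BASERELOC * 8 + 4)[0]
    relocs_present = not (characteristics & IMAGE_FILE_RELOCS_STRIPPED) and reloc_size > 0
    aslr_requested = bool(dllchars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
    return {
        "pe32plus": pe32plus,
        "aslr_requested": aslr_requested,
        "relocs_present": relocs_present,
        # The catalogue finding: ASLR opted in, but no relocations for the loader to apply.
        "aslr_effective": aslr_requested and relocs_present,
        "high_entropy_va": bool(dllchars & IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA),
        "cfg_enabled": bool(dllchars & IMAGE_DLLCHARACTERISTICS_GUARD_CF),
    }


def build_sample_pe(dynamic_base=True, relocs=True, guard_cf=True, pe32plus=False):
    """Build a constructed, non-runnable PE header just large enough for check_pe()."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)           # e_lfanew -> offset 64
    characteristics = 0x0002 | (0 if relocs else IMAGE_FILE_RELOCS_STRIPPED)
    opt_size = 240 if pe32plus else 224
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0,
                       opt_size, characteristics)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    dllchars = (IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE if dynamic_base else 0) \
        | (IMAGE_DLLCHARACTERISTICS_GUARD_CF if guard_cf else 0)
    struct.pack_into("<H", opt, 70, dllchars)
    struct.pack_into("<I", opt, 108 if pe32plus else 92, 16)   # NumberOfRvaAndSizes
    dirs = 112 if pe32plus else 96
    struct.pack_into("<I", opt, dirs + DIR_BASERELOC * 8 + 4, 0x40 if relocs else 0)
    return dos + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:      # check a real image given on the command line
            print(check_pe(f.read()))
    else:                                       # otherwise show the constructed "ASLR ineffective" case
        print(check_pe(build_sample_pe(relocs=False)))
```

Given a path, the script prints the same three properties for a real executable or DLL; with no arguments it shows the constructed case the first finding describes, where DYNAMIC_BASE is set but the relocation table is empty, so aslr_effective comes back False.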
Problem
Digital signatures are applied to applications, packages and documents as a cryptographically secured authenticity record. Signatures verify the origin and the integrity of the object they apply to. The integrity validation relies on the cryptographic strength of both the signature algorithm (with its key) and the hash algorithm. If either is considered weak by current standards, there is a chance the signed object could be maliciously modified without triggering the integrity check.
Prevalence in PyPI community: 2 packages in the Top 100, 15 in the Top 1k, 100 in the Top 10k, 1.8k across the community.
Next steps
Create signatures with a strong ECC key length of at least 224 bits, or an RSA key length of at least 2048 bits, and use SHA256 as the hashing algorithm. While a key-length upgrade requires you to obtain a new certificate, the hashing algorithm can be freely selected at signing time.
With Microsoft SignTool, you can specify the hashing algorithm using the /fd SHA256 parameter.
Problem
Debug databases are typically used only during software development. On Windows, they are usually files embedded into the executable (PDB), while on Linux they are contained in special executable sections. The databases contain private debug symbols that make it significantly easier to reverse-engineer a closed-source application. In some cases, having a debug database is equivalent to having access to the source code. The presence of debug databases could indicate that one or more software components were built using a debug profile instead of the release profile. Private debug databases can be embedded into software components by programming language tools.
Prevalence in PyPI community: 27 packages in the Top 100, 130 in the Top 1k, 824 in the Top 10k, 14.18k across the community.
Next steps
To remediate this issue and remove private debugging information, refer to your programming language toolchain documentation.
Problem
Common compilers often embed source code information into executables for debugging purposes, usually by mapping symbols to source filenames or paths. While this is typically desirable in open-source software and standard tools, that information can reveal security weaknesses, code repository layout, trade secrets and similar sensitive details. Such symbols make it easier to reverse-engineer a closed-source application.
Prevalence in PyPI community: 27 packages in the Top 100, 138 in the Top 1k, 922 in the Top 10k, 19.5k across the community.
Next steps
Strip out such information in the linking phase by using compiler options like the -s flag in GCC, or in the post-build phase by using the strip tool.
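For the Linux-side findings (PIE as the prerequisite for ASLR, partial versus full read-only relocations, and leftover debug sections that strip would remove), an ELF header check tells you which state a built artifact is actually in. The Python script below is an added example, not code from this catalogue or from any toolchain: it reads the program headers for PT_GNU_RELRO and the dynamic section for the BIND_NOW flags that -z now sets, reports the ELF type (ET_DYN for a PIE), and lists section names beginning with .debug. The build_sample_elf helper constructs a synthetic, non-runnable little-endian ELF64 image solely so the checker can be exercised offline; real shared libraries are also ET_DYN, so the pie result should be read for executables.

```python
import struct
import sys

# ELF constants from the System V ABI and the GNU extensions.
ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC, PT_GNU_RELRO = 2, 0x6474E552
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 0x1E, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1
SHT_PROGBITS, SHT_STRTAB = 1, 3


def _u16(b, o): return struct.unpack_from("<H", b, o)[0]
def _u32(b, o): return struct.unpack_from("<I", b, o)[0]
def _u64(b, o): return struct.unpack_from("<Q", b, o)[0]


def check_elf64(data):
    """Report PIE, RELRO level and .debug* sections for a little-endian ELF64 image."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("only little-endian ELF64 images are handled here")
    e_type = _u16(data, 16)
    e_phoff, e_shoff = _u64(data, 32), _u64(data, 40)
    e_phentsize, e_phnum = _u16(data, 54), _u16(data, 56)
    e_shentsize, e_shnum, e_shstrndx = _u16(data, 58), _u16(data, 60), _u16(data, 62)

    has_relro = bind_now = False
    for i in range(e_phnum):
        ph = e_phoff + i * e_phentsize
        p_type = _u32(data, ph)
        if p_type == PT_GNU_RELRO:
            has_relro = True                       # emitted by the linker for -z relro
        elif p_type == PT_DYNAMIC:
            off, size = _u64(data, ph + 8), _u64(data, ph + 32)
            for j in range(0, size, 16):           # Elf64_Dyn entries are 16 bytes
                tag, val = _u64(data, off + j), _u64(data, off + j + 8)
                if tag == DT_NULL:
                    break
                if tag == DT_BIND_NOW or (tag == DT_FLAGS and val & DF_BIND_NOW) \
                        or (tag == DT_FLAGS_1 and val & DF_1_NOW):
                    bind_now = True                # -z now: resolve all symbols at load time

    debug_sections = []
    if e_shnum and e_shstrndx < e_shnum:
        strtab_hdr = e_shoff + e_shstrndx * e_shentsize
        str_off, str_size = _u64(data, strtab_hdr + 24), _u64(data, strtab_hdr + 32)
        strtab = data[str_off:str_off + str_size]
        for i in range(e_shnum):
            name_off = _u32(data, e_shoff + i * e_shentsize)
            end = strtab.find(b"\0", name_off)
            name = strtab[name_off:len(strtab) if end < 0 else end].decode("ascii", "replace")
            if name.startswith(".debug"):
                debug_sections.append(name)

    relro = "full" if has_relro and bind_now else "partial" if has_relro else "none"
    return {"pie": e_type == ET_DYN, "relro": relro, "debug_sections": debug_sections}


def build_sample_elf(pie=True, relro=True, bind_now=True, debug=False):
    """Build a constructed, non-runnable ELF64 image just large enough for check_elf64()."""
    names = b"\0.shstrtab\0.debug_info\0"            # section name string table
    phoff, dyn_off = 64, 64 + 2 * 56                # two program headers follow the ELF header
    dyn = struct.pack("<QQ", DT_FLAGS, DF_BIND_NOW if bind_now else 0) \
        + struct.pack("<QQ", DT_NULL, 0)
    str_off = dyn_off + len(dyn)
    shoff = (str_off + len(names) + 7) & ~7
    shnum = 3 if debug else 2
    hdr = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8
    hdr += struct.pack("<HHIQQQIHHHHHH", ET_DYN if pie else ET_EXEC, 0x3E, 1, 0,
                       phoff, shoff, 0, 64, 56, 2, 64, shnum, 1)

    def phdr(p_type, off, size):
        return struct.pack("<IIQQQQQQ", p_type, 4, off, 0, 0, size, size, 8)

    def shdr(name_idx, sh_type, off, size):
        return struct.pack("<IIQQQQIIQQ", name_idx, sh_type, 0, 0, off, size, 0, 0, 1, 0)

    phdrs = phdr(PT_DYNAMIC, dyn_off, len(dyn)) \
        + phdr(PT_GNU_RELRO if relro else 0, dyn_off, len(dyn))   # PT_NULL when no RELRO
    shdrs = shdr(0, 0, 0, 0) + shdr(1, SHT_STRTAB, str_off, len(names))
    if debug:
        shdrs += shdr(11, SHT_PROGBITS, 0, 0)        # name index 11 -> ".debug_info"
    img = hdr + phdrs + dyn + names
    return img + b"\0" * (shoff - len(img)) + shdrs


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:       # check a real binary given on the command line
            print(check_elf64(f.read()))
    else:                                        # otherwise show a constructed partial-RELRO debug build
        print(check_elf64(build_sample_elf(bind_now=False, debug=True)))
```

Given a path, the script reports the same three properties for a real binary; a package built with -fPIE and -Wl,-z,relro,-z,now and then stripped should come back as pie True, relro "full" and an empty debug_sections list.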
Problem
Digital signatures are applied to applications, packages and documents as a cryptographically secured authenticity record. Signatures are made using digital certificates, which can either be purchased from certificate authorities or be self-issued. When a certificate is purchased from a certificate authority, the requesting subject goes through an identity validation process. Depending on the certificate type, those checks can be basic or extended. Confirming the subject's identity is a multi-step process, and the requesting subject can be mapped to its legal entity name only through extended validation of submitted documents. Extended identity validation typically costs more, and it takes longer for a certificate to be issued when this process is correctly followed.
Prevalence in PyPI community: 3 packages in the Top 100, 17 in the Top 1k, 105 in the Top 10k, 2.28k across the community.
Next steps
Consider the benefits of acquiring extended validation certificates. Operating systems tend to be more trusting of software packages signed in this way. Certain security warnings and prompts might also be automatically suppressed. This reduces the number of support tickets for organizations that opt to use extended validation certificates.