Detecting Fake Proof-of-Concept Codes on GitHub Using Static Code Analysis
摘要
Proof-of-Concept (PoC) codes against vulnerabilities are widely available on various platforms including GitHub. Security researchers and vulnerability analysts can effectively use them for investigating vulnerabilities and creating attack signatures. However, various reports have warned the existence of fake PoC codes that aim to disguise themselves as legitimate PoC codes to make users execute malware like cryptojacking malware, infostealers, and bot malware. To prevent malware infections among users, it is desired to establish methods for automatically detecting fake PoC codes. One of existing studies has investigated fake PoC codes published on GitHub; however, its detection method for fake PoC codes produces many false positives because it only identifies potentially suspicious data like Base64-encoded strings using regular expressions without examining how such data is used within the code. In this paper, we design a novel detection method leveraging taint analysis, a type of static code analysis technique. Specifically, if a code contains potentially suspicious data, the data flows are inspected to detect code fragments that perform suspicious actions using the data, such as external communications or execution of obfuscated commands. By applying this method to PoC codes published on GitHub, we demonstrate that false positives can be reduced to less than 8.3% of those produced by the existing method.