Computer Science > Cryptography and Security
[Submitted on 11 Feb 2021]
Title:I Know What You Imported Last Summer: A study of security threats in thePython ecosystem
View PDFAbstract:The popularity of Python has risen rapidly over the past 15 years. It is a major language in some of the most exciting technologies today. This popularity has led to a large ecosystem of third-party packages available via the pip package registry which hosts more than 200,000 packages. These third-party packages can be reused by simply importing the package after installing using package managers like pip. The ease of reuse of third-party software comes with security risks putting millions of users in danger. In this project, we study the ecosystem to analyze this threat. The mature ecosystem of Python has multiple weak spots that we highlight in our project. First, we demonstrate how trivial it is to exploit the Python ecosystem. Then, we systematically analyze dependencies amongst packages, maintainers, and publicly reported security issues. Most attacks are possible only if users install malicious packages. We thus try to analyze and evaluate different methods used by attackers to force incorrect downloads. We quantify your ideas by estimating the potential threat that can be caused by exploiting a popular Python package. We also discuss methods used in the industry to defend against such attacks
References & Citations
Bibliographic and Citation Tools
Bibliographic Explorer (What is the Explorer?)
Litmaps (What is Litmaps?)
scite Smart Citations (What are Smart Citations?)
Code, Data and Media Associated with this Article
CatalyzeX Code Finder for Papers (What is CatalyzeX?)
DagsHub (What is DagsHub?)
Gotit.pub (What is GotitPub?)
Papers with Code (What is Papers with Code?)
ScienceCast (What is ScienceCast?)
Demos
Recommenders and Search Tools
Influence Flower (What are Influence Flowers?)
Connected Papers (What is Connected Papers?)
CORE Recommender (What is CORE?)
arXivLabs: experimental projects with community collaborators
arXivLabs is a framework that allows collaborators to develop and share new arXiv features directly on our website.
Both individuals and organizations that work with arXivLabs have embraced and accepted our values of openness, community, excellence, and user data privacy. arXiv is committed to these values and only works with partners that adhere to them.
Have an idea for a project that will add value for arXiv's community? Learn more about arXivLabs.