DOI: 10.1145/1455770.1455841
Research article

A look in the mirror: attacks on package managers

Published: 27 October 2008

Abstract

    This work studies the security of ten popular package managers. These package managers use different security mechanisms that provide varying levels of usability and resilience to attack. We find that, despite their existing security mechanisms, all of these package managers have vulnerabilities that can be exploited by a man-in-the-middle or a malicious mirror. While all current package managers suffer from vulnerabilities, their security is also positively or negatively impacted by the distribution's security practices. Weaknesses in package managers are more easily exploited when distributions use third-party mirrors as official mirrors. We were successful in using false credentials to obtain an official mirror on all five of the distributions we attempted. We also found that some security mechanisms that control where a client obtains metadata and packages from may actually decrease security. We analyze current package managers to show that by exploiting vulnerabilities, an attacker with a mirror can compromise or crash hundreds to thousands of clients weekly. The problems we disclose are now being corrected by many different package manager maintainers.




Published In

CCS '08: Proceedings of the 15th ACM conference on Computer and communications security
October 2008, 590 pages
ISBN: 9781595938107
DOI: 10.1145/1455770

Publisher

Association for Computing Machinery, New York, NY, United States


        Author Tags

        1. mirrors
        2. package management
        3. replay attack


Acceptance Rates

CCS '08 paper acceptance rate: 51 of 280 submissions (18%)
Overall acceptance rate: 1,261 of 6,999 submissions (18%)


Cited By

• Increasing trust in the open source supply chain with reproducible builds and functional package management. Proceedings of the 2024 IEEE/ACM 46th International Conference on Software Engineering: Companion Proceedings, pp. 184-186, 14 Apr 2024. DOI: 10.1145/3639478.3639806
• Artemis: Defanging Software Supply Chain Attacks in Multi-repository Update Systems. Proceedings of the 39th Annual Computer Security Applications Conference, pp. 83-97, 4 Dec 2023. DOI: 10.1145/3627106.3627129
• (Nothing But) Many Eyes Make All Bugs Shallow. Proceedings of the 2023 Workshop on Software Supply Chain Offensive Research and Ecosystem Defenses, pp. 53-63, 30 Nov 2023. DOI: 10.1145/3605770.3625216
• Fuzzing+Hardware Performance Counters-Based Detection of Algorithm Subversion Attacks on Postquantum Signature Schemes. IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems 42(2), pp. 384-396, Feb 2023. DOI: 10.1109/TCAD.2022.3159749
• Investigating Package Related Security Threats in Software Registries. 2023 IEEE Symposium on Security and Privacy (SP), pp. 1578-1595, May 2023. DOI: 10.1109/SP46215.2023.10179332
• SoK: Taxonomy of Attacks on Open-Source Software Supply Chains. 2023 IEEE Symposium on Security and Privacy (SP), pp. 1509-1526, May 2023. DOI: 10.1109/SP46215.2023.10179304
• Bad Snakes: Understanding and Improving Python Package Index Malware Scanning. 2023 IEEE/ACM 45th International Conference on Software Engineering (ICSE), pp. 499-511, May 2023. DOI: 10.1109/ICSE48619.2023.00052
• MalWuKong: Towards Fast, Accurate, and Multilingual Detection of Malicious Code Poisoning in OSS Supply Chains. 2023 38th IEEE/ACM International Conference on Automated Software Engineering (ASE), pp. 1993-2005, 11 Sep 2023. DOI: 10.1109/ASE56229.2023.00073
• A Secure and Cost-Efficient Blockchain Facilitated IoT Software Update Framework. IEEE Access 11, pp. 44879-44894, 2023. DOI: 10.1109/ACCESS.2023.3272899
• Bootstrapping Trust in Community Repository Projects. Security and Privacy in Communication Networks, pp. 450-469, 4 Feb 2023. DOI: 10.1007/978-3-031-25538-0_24
