A look in the mirror

Attacks on package managers

Justin Cappos, Justin Samuel, Scott Baker, John H. Hartman

    Research output: Chapter in Book/Report/Conference proceeding, Conference contribution

    Abstract

    This work studies the security of ten popular package managers. These package managers use different security mechanisms that provide varying levels of usability and resilience to attack. We find that, despite their existing security mechanisms, all of these package managers have vulnerabilities that can be exploited by a man-in-the-middle or a malicious mirror. While all current package managers suffer from vulnerabilities, their security is also positively or negatively impacted by the distribution's security practices. Weaknesses in package managers are more easily exploited when distributions use third-party mirrors as official mirrors. We were successful in using false credentials to obtain an official mirror on all five of the distributions we attempted. We also found that some security mechanisms that control where a client obtains metadata and packages from may actually decrease security. We analyze current package managers to show that by exploiting vulnerabilities, an attacker with a mirror can compromise or crash hundreds to thousands of clients weekly. The problems we disclose are now being corrected by many different package manager maintainers.
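    The replay attack the abstract refers to, shown as an added example that is not code from the paper or from any package manager it studied: a mirror that serves an older, still validly signed metadata snapshot keeps clients on a vulnerable package version, and a client that checks only the signature accepts it. The snapshot contents, package versions, timestamps and key are constructed for the example; HMAC-SHA256 stands in for the distribution's real (asymmetric) signature scheme. The version-pinning and expiry checks in the hardened client are a generic mitigation for replay and freeze attacks, not a claim about what the paper specifically proposed.

```python
"""Replay attack by a malicious package mirror, and a client-side check.

Constructed example: a repository publishes signed metadata snapshots with a
monotonically increasing version number and an expiry time. A mirror cannot
forge a signature, but it can replay an old, genuinely signed snapshot.
Checking the signature alone does not catch this; checking the version and
expiry does.
"""
import hashlib
import hmac
import json

# Constructed stand-in for the distribution's signing key. Real repositories
# use an asymmetric signature (e.g. GPG); the client-side logic is the same.
REPO_KEY = b"constructed-example-key"


def _canonical(body: dict) -> bytes:
    """Canonical encoding so signer and verifier hash identical bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_metadata(body: dict) -> dict:
    """Repository side: attach a signature over the canonical metadata."""
    sig = hmac.new(REPO_KEY, _canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "sig": sig}


def signature_valid(signed: dict) -> bool:
    """Client side: constant-time comparison against a recomputed tag."""
    expected = hmac.new(REPO_KEY, _canonical(signed["body"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(signed["sig"], expected)


# Two genuine snapshots the repository published at different times (constructed).
SNAPSHOT_V1 = sign_metadata({
    "version": 1, "expires": 1000,
    "packages": {"openssl": {"version": "1.0.0", "sha256": "a" * 64}},
})
SNAPSHOT_V2 = sign_metadata({
    "version": 2, "expires": 2000,
    "packages": {"openssl": {"version": "1.0.1", "sha256": "b" * 64}},
})


def naive_update(signed: dict, now: int) -> str:
    """Client that only verifies the signature. Returns the openssl version it
    would install; any validly signed snapshot, however old, is accepted."""
    if not signature_valid(signed):
        raise ValueError("bad signature")
    return signed["body"]["packages"]["openssl"]["version"]


class HardenedClient:
    """Client that also pins the highest metadata version it has seen and
    rejects expired snapshots, so a mirror can neither roll it back nor
    freeze it on stale metadata indefinitely."""

    def __init__(self):
        self.last_version = 0

    def update(self, signed: dict, now: int) -> str:
        if not signature_valid(signed):
            raise ValueError("bad signature")
        body = signed["body"]
        if body["version"] < self.last_version:
            raise ValueError(f"rollback: mirror served version {body['version']} < {self.last_version}")
        if now > body["expires"]:
            raise ValueError("stale metadata: snapshot expired")
        self.last_version = body["version"]
        return body["packages"]["openssl"]["version"]


def tampered(signed: dict) -> dict:
    """Mirror that edits a package hash but cannot re-sign; the signature check
    catches this, which is the case signatures alone do protect against."""
    body = json.loads(_canonical(signed["body"]))
    body["packages"]["openssl"]["sha256"] = "c" * 64
    return {"body": body, "sig": signed["sig"]}


def try_update(client: HardenedClient, signed: dict, now: int) -> str:
    """Return the installed version, or the rejection reason as a string."""
    try:
        return client.update(signed, now)
    except ValueError as exc:
        return str(exc)


def replay_scenario():
    """An honest mirror serves v2; a malicious mirror then replays v1 at t=1500."""
    naive = [naive_update(SNAPSHOT_V2, 1500), naive_update(SNAPSHOT_V1, 1500)]
    hardened = HardenedClient()
    checked = [try_update(hardened, SNAPSHOT_V2, 1500), try_update(hardened, SNAPSHOT_V1, 1500)]
    return naive, checked


if __name__ == "__main__":
    print(replay_scenario())
```

    The naive client ends up back on the vulnerable 1.0.0 after the replay even though every signature it checked was genuine; the hardened client refuses the rollback, and a fresh client that has never seen v2 still rejects v1 because the snapshot is past its expiry. Expiry is what bounds a freeze attack: without it, a mirror can serve the same signed snapshot forever and a client has no way to tell that newer packages exist.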

    Original language: English (US)
    Title of host publication: Proceedings of the 15th ACM Conference on Computer and Communications Security, CCS'08
    Pages: 565-574
    Number of pages: 10
    DOI: 10.1145/1455770.1455841
    State: Published - 2008
    Event: 15th ACM conference on Computer and Communications Security, CCS'08 - Alexandria, VA, United States
    Duration: Oct 27 2008 - Oct 31 2008



    Keywords

    • Mirrors
    • Package management
    • Replay attack

    ASJC Scopus subject areas

    • Software
    • Computer Networks and Communications

    Cite this

    Cappos, J., Samuel, J., Baker, S., & Hartman, J. H. (2008). A look in the mirror: Attacks on package managers. In Proceedings of the 15th ACM Conference on Computer and Communications Security, CCS'08 (pp. 565-574) https://doi.org/10.1145/1455770.1455841

    @inproceedings{8ae4b0100011497b89e235cc9f939cb5,
    title = "A look in the mirror: Attacks on package managers",
    keywords = "Mirrors, Package management, Replay attack",
    author = "Justin Cappos and Justin Samuel and Scott Baker and Hartman, {John H.}",
    year = "2008",
    doi = "10.1145/1455770.1455841",
    language = "English (US)",
    isbn = "9781595938107",
    pages = "565--574",
    booktitle = "Proceedings of the 15th ACM Conference on Computer and Communications Security, CCS'08",
    }
