DOI: 10.1145/1455770.1455841

A look in the mirror: attacks on package managers

Published: 27 October 2008

Abstract

This work studies the security of ten popular package managers. These package managers use different security mechanisms that provide varying levels of usability and resilience to attack. We find that, despite their existing security mechanisms, all of these package managers have vulnerabilities that can be exploited by a man-in-the-middle or a malicious mirror. While all current package managers suffer from vulnerabilities, their security is also positively or negatively affected by the distribution's security practices. Weaknesses in package managers are more easily exploited when distributions use third-party mirrors as official mirrors. Using false credentials, we succeeded in obtaining an official mirror on all five of the distributions we attempted. We also found that some security mechanisms that control where a client obtains metadata and packages from may actually decrease security. We analyze current package managers to show that, by exploiting these vulnerabilities, an attacker who controls a mirror can compromise or crash hundreds to thousands of clients weekly. The problems we disclose are now being corrected by many different package manager maintainers.
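The replay attack the abstract and the author tags refer to (a mirror that serves older, still validly signed repository metadata so that clients keep installing a superseded, vulnerable release) can be reproduced with a toy client. The following is an added example, not code from the paper or from any of the package managers it studies. The signing scheme (an HMAC under a key that only the distribution is assumed to hold, standing in for the distribution's real signing key), the package name, versions, hashes and timestamps are all constructed for illustration.

```python
"""Toy package-manager client: signature-only verification versus a client
that also checks metadata expiry and rollback. Added example; the HMAC key
stands in for the distribution's signing key (assumption), so the mirror
can never forge metadata, only replay or alter what the distribution signed."""
import hashlib
import hmac
import json

DISTRO_KEY = b"distribution-signing-key"  # assumption: known only to the distribution


def sign(payload: dict) -> dict:
    """Canonical JSON plus MAC; the distribution publishes this envelope to mirrors."""
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return {"body": body.decode(), "sig": hmac.new(DISTRO_KEY, body, "sha256").hexdigest()}


def verify(envelope: dict) -> dict:
    """Checks the MAC and returns the parsed metadata; any edit by the mirror fails here."""
    body = envelope["body"].encode()
    expected = hmac.new(DISTRO_KEY, body, "sha256").hexdigest()
    if not hmac.compare_digest(expected, envelope["sig"]):
        raise ValueError("bad signature")
    return json.loads(body)


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed repository state: one package, an old vulnerable build and a patched one.
OLD_PKG = b"openssl-1.0.0 (vulnerable build)"
NEW_PKG = b"openssl-1.0.1 (patched build)"
META_V1 = sign({"version": 1, "expires": 1000,
                "packages": {"openssl": {"ver": "1.0.0", "sha256": sha256(OLD_PKG)}}})
META_V2 = sign({"version": 2, "expires": 2000,
                "packages": {"openssl": {"ver": "1.0.1", "sha256": sha256(NEW_PKG)}}})

# A mirror is just the files it serves. The honest one carries current metadata;
# the malicious one replays the older, still validly signed metadata (replay / freeze).
HONEST_MIRROR = {"metadata": META_V2, "openssl-1.0.0": OLD_PKG, "openssl-1.0.1": NEW_PKG}
REPLAY_MIRROR = {"metadata": META_V1, "openssl-1.0.0": OLD_PKG, "openssl-1.0.1": NEW_PKG}
# A mirror that swaps package bytes is caught by the hash in the signed metadata.
TAMPER_MIRROR = {"metadata": META_V2, "openssl-1.0.1": b"openssl-1.0.1 (trojaned)"}


def _fetch_and_check(mirror: dict, meta: dict, pkg: str) -> str:
    """Downloads the package the metadata names and checks its hash against the signed entry."""
    entry = meta["packages"][pkg]
    data = mirror[f"{pkg}-{entry['ver']}"]
    if sha256(data) != entry["sha256"]:
        raise ValueError("package hash mismatch")
    return entry["ver"]


def naive_update(mirror: dict, pkg: str) -> str:
    """Vulnerable client: verifies the signature only, so it accepts any metadata
    the distribution ever signed, including the replayed old snapshot."""
    return _fetch_and_check(mirror, verify(mirror["metadata"]), pkg)


def hardened_update(mirror: dict, pkg: str, now: int, state: dict) -> str:
    """Adds an expiry check against the client clock and a rollback check against the
    newest metadata version this client has already accepted (persisted in `state`)."""
    meta = verify(mirror["metadata"])
    if meta["expires"] < now:
        raise ValueError(f"metadata expired at {meta['expires']} (now {now})")
    if meta["version"] < state.get("last_version", 0):
        raise ValueError(f"rollback: metadata v{meta['version']} older than v{state['last_version']}")
    state["last_version"] = meta["version"]
    return _fetch_and_check(mirror, meta, pkg)


if __name__ == "__main__":
    print("naive, honest mirror :", naive_update(HONEST_MIRROR, "openssl"))
    print("naive, replay mirror :", naive_update(REPLAY_MIRROR, "openssl"))
    st = {}
    print("hardened, honest     :", hardened_update(HONEST_MIRROR, "openssl", now=1500, state=st))
    for label, mirror, now in (("replay, expired", REPLAY_MIRROR, 1500),
                               ("replay, in window", REPLAY_MIRROR, 500),
                               ("tampered package", TAMPER_MIRROR, 1500)):
        try:
            hardened_update(mirror, "openssl", now=now, state=st)
        except ValueError as err:
            print(f"hardened, {label:17}: rejected ({err})")
```

`naive_update` reports 1.0.0 from the replay mirror because the old metadata's signature is genuine; that is the whole attack. `hardened_update` rejects the same metadata on expiry, or, when the client clock is still inside the old snapshot's validity window, on the rollback check against the version it last accepted. The caveat worth keeping in mind: a freshly installed client with no recorded version and a clock inside that window still accepts the replayed snapshot, so a short expiry on the metadata matters as much as the rollback state.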

      Published In

      CCS '08: Proceedings of the 15th ACM conference on Computer and communications security
      October 2008, 590 pages
      ISBN: 9781595938107
      DOI: 10.1145/1455770
      Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

      Publisher

      Association for Computing Machinery, New York, NY, United States

      Author Tags

      1. mirrors
      2. package management
      3. replay attack

      Qualifiers

      • Research-article

      Conference

      CCS '08

      Acceptance Rates

      CCS '08 Paper Acceptance Rate 51 of 280 submissions, 18%;
      Overall Acceptance Rate 1,261 of 6,999 submissions, 18%

      Article Metrics

      • Downloads (last 12 months): 56
      • Downloads (last 6 weeks): 12
      Reflects downloads up to 17 Feb 2025

      Cited By

      • (2024) A Comprehensive, Automated Security Analysis of the Uptane Automotive Over-the-Air Update Framework. Proceedings of the 27th International Symposium on Research in Attacks, Intrusions and Defenses, pp. 594-612. doi:10.1145/3678890.3678927. Online: 30 Sep 2024.
      • (2024) Toward Understanding the Security of Plugins in Continuous Integration Services. Proceedings of the 2024 ACM SIGSAC Conference on Computer and Communications Security, pp. 482-496. doi:10.1145/3658644.3670366. Online: 2 Dec 2024.
      • (2024) Increasing trust in the open source supply chain with reproducible builds and functional package management. Proceedings of the 2024 IEEE/ACM 46th International Conference on Software Engineering: Companion Proceedings, pp. 184-186. doi:10.1145/3639478.3639806. Online: 14 Apr 2024.
      • (2024) AAF-SCM: An Authenticated Framework for Supply Chain Management. 2024 International Conference on Intelligent Systems and Advanced Applications (ICISAA), pp. 1-4. doi:10.1109/ICISAA62385.2024.10829139. Online: 25 Oct 2024.
      • (2023) Artemis: Defanging Software Supply Chain Attacks in Multi-repository Update Systems. Proceedings of the 39th Annual Computer Security Applications Conference, pp. 83-97. doi:10.1145/3627106.3627129. Online: 4 Dec 2023.
      • (2023) (Nothing But) Many Eyes Make All Bugs Shallow. Proceedings of the 2023 Workshop on Software Supply Chain Offensive Research and Ecosystem Defenses, pp. 53-63. doi:10.1145/3605770.3625216. Online: 30 Nov 2023.
      • (2023) Fuzzing+Hardware Performance Counters-Based Detection of Algorithm Subversion Attacks on Postquantum Signature Schemes. IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems 42(2), pp. 384-396. doi:10.1109/TCAD.2022.3159749. Online: Feb 2023.
      • (2023) Investigating Package Related Security Threats in Software Registries. 2023 IEEE Symposium on Security and Privacy (SP), pp. 1578-1595. doi:10.1109/SP46215.2023.10179332. Online: May 2023.
      • (2023) SoK: Taxonomy of Attacks on Open-Source Software Supply Chains. 2023 IEEE Symposium on Security and Privacy (SP), pp. 1509-1526. doi:10.1109/SP46215.2023.10179304. Online: May 2023.
      • (2023) Bad Snakes: Understanding and Improving Python Package Index Malware Scanning. 2023 IEEE/ACM 45th International Conference on Software Engineering (ICSE), pp. 499-511. doi:10.1109/ICSE48619.2023.00052. Online: May 2023.
