A look in the mirror: attacks on package managers
Full text: PDF (189 KB)
Source: Conference on Computer and Communications Security archive
Proceedings of the 15th ACM Conference on Computer and Communications Security
Alexandria, Virginia, USA
Session: Attacks 2
Pages: 565-574
Year of Publication: 2008
ISBN: 978-1-59593-810-7
Authors
Justin Cappos, University of Arizona, Tucson, AZ, USA
Justin Samuel, University of Arizona, Tucson, AZ, USA
Scott Baker, University of Arizona, Tucson, AZ, USA
John H. Hartman, University of Arizona, Tucson, AZ, USA
Sponsors
ACM: Association for Computing Machinery
SIGSAC: ACM Special Interest Group on Security, Audit, and Control
Publisher
ACM, New York, NY, USA
Bibliometrics
Downloads (6 weeks): 17; Downloads (12 months): 258; Citation count: 0
DOI: http://doi.acm.org/10.1145/1455770.1455841

ABSTRACT

This work studies the security of ten popular package managers. These package managers use different security mechanisms that provide varying levels of usability and resilience to attack. We find that, despite their existing security mechanisms, all of these package managers have vulnerabilities that can be exploited by a man-in-the-middle or a malicious mirror. While all current package managers suffer from vulnerabilities, their security is also positively or negatively impacted by the distribution's security practices. Weaknesses in package managers are more easily exploited when distributions use third-party mirrors as official mirrors. We were successful in using false credentials to obtain an official mirror on all five of the distributions we attempted. We also found that some security mechanisms that control where a client obtains metadata and packages from may actually decrease security. We analyze current package managers to show that by exploiting vulnerabilities, an attacker with a mirror can compromise or crash hundreds to thousands of clients weekly. The problems we disclose are now being corrected by many different package manager maintainers.


