A Look in the Mirror: Attacks on Package Managers

Download Now Free registration required

Executive Summary

This work studies the security of ten popular package managers. These package managers use different security mechanisms that provide varying levels of usability and resilience to attack. The authors find that, despite their existing security mechanisms, all of these package managers have vulnerabilities that can be exploited by a man-in-the-middle or a malicious mirror. While all current package managers suffer from vulnerabilities, their security is also positively or negatively impacted by the distribution's security practices. Weaknesses in package managers are more easily exploited when distributions use third-party mirrors as official mirrors. They were successful in using false credentials to obtain an official mirror on all five of the distributions they attempted.

  • Format: PDF
  • Size: 155.8 KB