
Re: A Look In the Mirror: Attacks on Package Managers



On Sun, 6 Jun 2010 12:28:27 +1000 Erik de Castro Lopo wrote:

> Hi All,
> 
> Did anyone see this paper:
> 
>     A Look In the Mirror: Attacks on Package Managers
>     http://www.cs.arizona.edu/~jhh/papers/ccs08.pdf
> 
> It suggests that anyone who has control of a mirror can cause client
> machines to install software created by the attacker or install an
> outdated version of a package with a vulnerability the attacker knows
> how to exploit.

All of the issues raised in this paper can be mitigated by a "proactive"
user.  Malicious mirror activity can be detected by paying attention to
debsecan and the security tracker [0].  debsecan displays all known
vulnerable packages on a particular system, and the security tracker
displays all known vulnerable packages.  Differences between the two for
a period longer than about a week would be a sign that the mirror is
intentionally holding back vulnerable packages.

Of course, the major flaw with this statement is that there aren't a
whole lot of these "proactive" users.  However, if there are enough, some will
spot the activity, and raise concern, which will ultimately protect
others when the evil mirror is shut down.

Mike

[0] http://security-tracker.debian.org
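The comparison Mike describes, as an added example that is not part of the original message and is not code from debsecan or the Debian security tracker: take the versions actually installed (as printed by `dpkg-query -W -f='${Package} ${Version}\n'`), take the fixed version the tracker lists for each vulnerability, and flag any package that is still below its fixed version although the fix has been out for longer than about a week. The tracker side here is a constructed, simplified record list (cve, package, fixed_version, fix_date), not the tracker's real export format, and the fix_date field is an assumption standing in for the date the fixed package was published; the sample CVE ids and versions are placeholders. Version comparison is a reimplementation of dpkg's ordering so that epochs, revisions and "~" pre-release markers compare correctly.

```python
# Added example (not code from the original message, debsecan, or the Debian
# security tracker). Version comparison reimplements dpkg's algorithm; the
# tracker records below are a constructed simplification, not the real export.
from datetime import date

STALE_AFTER_DAYS = 7  # Mike's rule of thumb: "longer than about a week"


def _order(c):
    # dpkg ordering: '~' sorts before end-of-string, letters before punctuation
    if c == "~":
        return -1
    if c.isdigit():
        return 0
    return ord(c) if c.isalpha() else ord(c) + 256


def _verrevcmp(a, b):
    """Compare one version part as dpkg does: alternating runs of
    non-digits (ordered by _order) and digits (compared numerically)."""
    i = j = 0
    la, lb = len(a), len(b)
    while i < la or j < lb:
        first_diff = 0
        while (i < la and not a[i].isdigit()) or (j < lb and not b[j].isdigit()):
            ac = _order(a[i]) if i < la else 0
            bc = _order(b[j]) if j < lb else 0
            if ac != bc:
                return ac - bc
            i, j = i + 1, j + 1
        while i < la and a[i] == "0":
            i += 1
        while j < lb and b[j] == "0":
            j += 1
        while i < la and j < lb and a[i].isdigit() and b[j].isdigit():
            first_diff = first_diff or ord(a[i]) - ord(b[j])
            i, j = i + 1, j + 1
        if i < la and a[i].isdigit():
            return 1
        if j < lb and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _split_version(v):
    """'[epoch:]upstream[-revision]' -> (epoch, upstream, revision)."""
    epoch = 0
    if ":" in v:
        e, v = v.split(":", 1)
        epoch = int(e)
    upstream, sep, revision = v.rpartition("-")
    return (epoch, upstream, revision) if sep else (epoch, v, "")


def dpkg_compare(v1, v2):
    """Negative if v1 < v2, 0 if equal, positive if v1 > v2 (dpkg order)."""
    e1, u1, r1 = _split_version(v1)
    e2, u2, r2 = _split_version(v2)
    if e1 != e2:
        return e1 - e2
    return _verrevcmp(u1, u2) or _verrevcmp(r1, r2)


def parse_dpkg_query(text):
    """Parse `dpkg-query -W -f='${Package} ${Version}\n'` output."""
    return dict(line.split() for line in text.splitlines() if line.strip())


def find_withheld_fixes(installed, tracker, today, stale_after=STALE_AFTER_DAYS):
    """Installed packages still below the tracker's fixed version.
    'pending': fix newer than the threshold (normal mirror lag);
    'stale': fix older than the threshold, the sign Mike describes."""
    findings = []
    for rec in tracker:
        pkg = rec["package"]
        if pkg not in installed:
            continue  # not on this system; debsecan would not list it either
        if dpkg_compare(installed[pkg], rec["fixed_version"]) >= 0:
            continue  # already at or beyond the fixed version
        age = (today - rec["fix_date"]).days
        findings.append({"cve": rec["cve"], "package": pkg, "installed": installed[pkg],
                         "fixed": rec["fixed_version"], "age_days": age,
                         "status": "stale" if age > stale_after else "pending"})
    return findings


# Constructed sample input: placeholder CVE ids and versions, not real data.
SAMPLE_DPKG_QUERY = "openssl 1.2.3-4+deb5u1\nlibc6 2.7-18+deb5u2\nbind9 1:9.5.1-1+deb5u1\n"
SAMPLE_TRACKER = [  # fix_date stands in for the date the fixed package was published
    {"cve": "CVE-0000-0001", "package": "openssl", "fixed_version": "1.2.3-4+deb5u2", "fix_date": date(2010, 5, 1)},
    {"cve": "CVE-0000-0002", "package": "libc6", "fixed_version": "2.7-18+deb5u2", "fix_date": date(2010, 4, 1)},
    {"cve": "CVE-0000-0003", "package": "bind9", "fixed_version": "1:9.5.1-1+deb5u2", "fix_date": date(2010, 6, 4)},
    {"cve": "CVE-0000-0004", "package": "nginx", "fixed_version": "0.6.32-3+deb5u4", "fix_date": date(2010, 5, 1)},
]


def demo(today=date(2010, 6, 6)):
    """Run the check over the constructed sample as of the thread's date."""
    return find_withheld_fixes(parse_dpkg_query(SAMPLE_DPKG_QUERY), SAMPLE_TRACKER, today)


if __name__ == "__main__":
    for f in demo():
        print("{status:7} {package}: {installed} < {fixed} ({cve}; fix is {age_days} days old)".format(**f))
```

On the sample, openssl comes out "stale" (its fix is five weeks old and the installed version is still below it), bind9 "pending" (fix is two days old, ordinary lag), libc6 is already at the fixed version and nginx is not installed, so neither is reported. The check only means something after an upgrade run against the suspect mirror; before raising an alarm, repeat the upgrade against a second mirror, since a "stale" entry can also come from a mirror that is merely slow or from a package that was deliberately held back.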

