Re: A Look In the Mirror: Attacks on Package Managers
On Sun, 6 Jun 2010 12:28:27 +1000 Erik de Castro Lopo wrote:
> Hi All,
> Did anyone see this paper:
> A Look In the Mirror: Attacks on Package Managers
> It suggests that anyone who has control of a mirror can cause client
> machines to install software created by the attacker or install an
> outdated version of a package with a vulnerability the attacker knows
> how to exploit.
All of the issues raised in this paper can be mitigated by a "proactive"
user. Malicious mirror activity can be detected by paying attention to
debsecan and the security tracker. debsecan displays all known
vulnerable packages on a particular system, and the security tracker
displays all known vulnerable packages. Differences between the two for
a period longer than about a week would be a sign that the mirror is
intentionally holding back vulnerable packages.
Of course the major flaw with this statement is that there aren't a
whole lot of these "proactive" users. However, if there are enough, some will
spot the activity, and raise concern, which will ultimately protect
others when the evil mirror is shut down.
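A sketch of the debsecan-versus-security-tracker comparison described above, as an added example that is not part of the original post. The report format, CVE identifiers and dates are constructed, simplified stand-ins for the real tools' output; the one-week grace period is the threshold suggested in the thread.

```python
"""Flag packages that stay vulnerable on a host well after the security
tracker says a fixed version was released.  A persistent gap of this kind
between the host's debsecan report and the tracker is the signal the
thread describes for a mirror holding back updates."""
from datetime import date, timedelta

# Constructed stand-in for one host's debsecan output: "<CVE> <package>".
HOST_REPORT = """\
CVE-2010-0001 openssl
CVE-2010-0002 libpng
CVE-2010-0003 bash
"""

# Constructed stand-in for the security tracker: CVE -> (package, date the
# fixed version entered the archive, or None if no fix has been released).
TRACKER = {
    "CVE-2010-0001": ("openssl", date(2010, 5, 1)),
    "CVE-2010-0002": ("libpng", date(2010, 6, 3)),
    "CVE-2010-0003": ("bash", None),
}


def parse_report(text):
    """Parse the simplified report into (cve, package) pairs."""
    pairs = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2:
            pairs.append((parts[0], parts[1]))
    return pairs


def stale_vulnerabilities(report_text, tracker, today, grace=timedelta(days=7)):
    """Return (cve, package, days_since_fix) for every vulnerability still on
    the host more than `grace` after the tracker recorded a fix.  CVEs the
    tracker does not know, or has no fix for yet, are skipped: in those cases
    the mirror cannot be blamed for the package still being vulnerable."""
    stale = []
    for cve, pkg in parse_report(report_text):
        entry = tracker.get(cve)
        if entry is None:
            continue
        _tracker_pkg, fixed_on = entry
        if fixed_on is None:
            continue
        age = today - fixed_on
        if age > grace:
            stale.append((cve, pkg, age.days))
    return stale


if __name__ == "__main__":
    for cve, pkg, days in stale_vulnerabilities(HOST_REPORT, TRACKER, date(2010, 6, 6)):
        print(f"{cve}: {pkg} still vulnerable {days} days after a fix was released")
```

Running it against the constructed data reports only openssl, since libpng's fix is three days old and bash has no fix yet.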