A look in the mirror: Attacks on package managers

Justin Cappos, Justin Samuel, Scott Baker, John H. Hartman

    Research output: Chapter in Book/Report/Conference proceeding (Conference contribution)


    This work studies the security of ten popular package managers. These package managers use different security mechanisms that provide varying levels of usability and resilience to attack. We find that, despite their existing security mechanisms, all of these package managers have vulnerabilities that can be exploited by a man-in-the-middle or a malicious mirror. While all current package managers suffer from vulnerabilities, their security is also positively or negatively impacted by the distribution's security practices. Weaknesses in package managers are more easily exploited when distributions use third-party mirrors as official mirrors. We were successful in using false credentials to obtain an official mirror on all five of the distributions we attempted. We also found that some security mechanisms that control where a client obtains metadata and packages from may actually decrease security. We analyze current package managers to show that by exploiting vulnerabilities, an attacker with a mirror can compromise or crash hundreds to thousands of clients weekly. The problems we disclose are now being corrected by many different package manager maintainers.

    Original language: English (US)
    Title of host publication: Proceedings of the 15th ACM Conference on Computer and Communications Security, CCS'08
    Number of pages: 10
    State: Published - 2008
    Event: 15th ACM conference on Computer and Communications Security, CCS'08 - Alexandria, VA, United States
    Duration: Oct 27 2008 - Oct 31 2008

    Publication series

    Name: Proceedings of the ACM Conference on Computer and Communications Security
    ISSN (Print): 1543-7221


    Other: 15th ACM conference on Computer and Communications Security, CCS'08
    Country/Territory: United States
    City: Alexandria, VA


    • Mirrors
    • Package management
    • Replay attack

    ASJC Scopus subject areas

    • Software
    • Computer Networks and Communications

