TY - GEN
T1 - Mercury
T2 - 2017 USENIX Annual Technical Conference, USENIX ATC 2017
AU - Kuppusamy, Trishank Karthik
AU - Diaz, Vladimir
AU - Cappos, Justin
N1 - Publisher Copyright:
© USENIX Annual Technical Conference, USENIX ATC 2017. All rights reserved.
PY - 2019
Y1 - 2019
N2 - A popular community repository such as Docker Hub, PyPI, or RubyGems distributes tens of thousands of software projects to millions of users. The large number of projects and users makes these repositories attractive targets for exploitation. After a repository compromise, a malicious party can launch a number of attacks on unsuspecting users, including rollback attacks that revert projects to obsolete and vulnerable versions. Unfortunately, due to the rapid rate at which packages are updated, existing techniques that protect against rollback attacks would cause each user to download 2-3 times the size of an average package in metadata each month, making them impractical to deploy. In this work, we develop a system called Mercury that uses a novel technique to compactly disseminate version information while still protecting against rollback attacks. Due to a different technique for dealing with key revocation, users are protected from rollback attacks, even if the software repository is compromised. This technique is bandwidth-efficient, especially when delta compression is used to transmit only the differences between previous and current lists of version information. An analysis we performed for the Python community shows that once Mercury is deployed on PyPI, each user will only download metadata each month that is about 3.5% the size of an average package. Our work has been incorporated into the latest versions of TUF, which is being integrated by Haskell, OCaml, RubyGems, Python, and CoreOS, and is being used in production by LEAP, Flynn, and Docker.
UR - http://www.scopus.com/inward/record.url?scp=85076353948&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85076353948&partnerID=8YFLogxK
M3 - Conference contribution
AN - SCOPUS:85076353948
T3 - Proceedings of the 2017 USENIX Annual Technical Conference, USENIX ATC 2017
SP - 673
EP - 688
BT - Proceedings of the 2017 USENIX Annual Technical Conference, USENIX ATC 2017
PB - USENIX Association
Y2 - 12 July 2017 through 14 July 2017
ER -