Towards Measuring Supply Chain Attacks on Package Managers for Interpreted Languages

Package managers have become a vital part of the modern software development process. They allow developers to reuse third-party code, share their own code, minimize their codebase, and simplify the build process. However, recent reports showed that package managers have been abused by attackers to distribute malware, posing significant security risks to developers and end-users. For example, eslint-scope, a package with millions of weekly downloads in Npm, was compromised to steal credentials from developers. To understand the security gaps and the misplaced trust that make recent supply chain attacks possible, we propose a comparative framework to qualitatively assess the functional and security features of package managers for interpreted languages. Based on this qualitative assessment, we apply well-known program analysis techniques, namely metadata, static, and dynamic analysis, to study registry abuse. Our initial efforts found 339 new malicious packages that we reported to the registries for removal. The package manager maintainers confirmed 278 (82%) of the 339 reported packages, three of which had more than 100,000 downloads. For these packages we were issued official CVE numbers to help expedite their removal from infected victims. We outline the challenges of tailoring program analysis tools to interpreted languages and release our pipeline as a reference point for the community to build on and help in securing the software supply chain.
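The abstract names metadata and static analysis as the first stages for triaging registry abuse. The following is an added illustration, not the paper's released pipeline, of what such a first-pass triage can look like on npm-style manifests: it flags lifecycle install hooks, names within a small edit distance of a popular package (typosquatting), and source that both reads credentials or environment variables and talks to the network. The popular-name list, the three sample packages and their source strings are constructed for the example; the regex features are deliberately coarse triage signals, not a classifier.

```python
"""Metadata and lightweight static triage of npm-style package manifests.

Added example, not the paper's pipeline. Sample packages and the popular-name
list are constructed; a real run would take manifests and the registry's
download-ranked names as input.
"""
import re

# Constructed stand-in for the registry's most-downloaded package names.
POPULAR_NAMES = {"lodash", "express", "request", "eslint-scope", "chalk"}

# Lifecycle scripts that run automatically on `npm install`.
INSTALL_HOOKS = ("preinstall", "install", "postinstall")

# Coarse source features; each is a triage signal, not proof of malice.
CREDENTIAL_READ = re.compile(r"process\.env|\.npmrc|\.ssh|\.aws/credentials")
NETWORK_SEND = re.compile(r"require\(['\"](https?|net|dns|dgram)['\"]\)|fetch\(")
EXEC_CALL = re.compile(r"child_process|eval\(|new Function\(")


def levenshtein(a, b):
    """Edit distance between two strings (standard dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def typosquat_target(name, popular=POPULAR_NAMES, max_dist=2):
    """Return a popular name within max_dist edits of `name`, or None."""
    for p in sorted(popular):
        if p != name and levenshtein(name, p) <= max_dist:
            return p
    return None


def triage(pkg):
    """Return the list of signals raised by one package dict (manifest + source)."""
    signals = []
    if any(h in pkg.get("scripts", {}) for h in INSTALL_HOOKS):
        signals.append("install_hook")          # metadata: runs code at install time
    if typosquat_target(pkg["name"]):
        signals.append("typosquat")             # metadata: name near a popular one
    src = pkg.get("source", "")
    if CREDENTIAL_READ.search(src) and NETWORK_SEND.search(src):
        signals.append("credential_exfil_pattern")  # static: read secrets + network
    if EXEC_CALL.search(src):
        signals.append("dynamic_exec")          # static: dynamic code execution
    return signals


def rank(packages):
    """Return (name, signals) pairs, most signals first, for analyst review."""
    scored = [(p["name"], triage(p)) for p in packages]
    return sorted(scored, key=lambda item: len(item[1]), reverse=True)


# Constructed sample manifests: one benign, one typosquat with an install hook
# that reads a token and opens an HTTPS client, one using dynamic execution.
SAMPLE_PACKAGES = [
    {"name": "lodash", "version": "4.17.15", "scripts": {"test": "mocha"},
     "source": "module.exports = require('./lodash.js');"},
    {"name": "lodahs", "version": "1.0.0", "scripts": {"postinstall": "node setup.js"},
     "source": "const h=require('https');const t=process.env.NPM_TOKEN;"},
    {"name": "colorz-util", "version": "0.2.0", "scripts": {},
     "source": "const r=require('fs');new Function(process.env.SEED)();"},
]

if __name__ == "__main__":
    for name, signals in rank(SAMPLE_PACKAGES):
        print(f"{name:12s} {signals}")
```

In a real pipeline the metadata stage runs first because it needs only the manifest, and the combined signals decide which packages are worth the more expensive dynamic stage (installing and executing in an instrumented sandbox). Edit-distance matching on its own produces false positives for legitimately similar names, which is why it is one signal among several rather than a verdict.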
