Language-based ecosystems (LBEs), i.e., software ecosystems based on a single programming language, are very common. Examples include the npm ecosystem for JavaScript and PyPI for Python. These environments encourage code reuse between packages and incorporate utilities - package managers - for automatically resolving dependencies. However, the same aspects that make these systems popular - the ease of publishing code and of importing external code - also create novel security issues, which have so far seen little study. We present a systematic study of the security issues that plague LBEs. These issues are inherent to the ways these ecosystems work and cannot be resolved by fixing software vulnerabilities in either the packages or the utilities, e.g., package manager tools, that build these ecosystems. We systematically characterize recent security attacks from various aspects, including attack strategies, vectors, and goals. Our characterization and in-depth analysis of the npm and PyPI ecosystems, which represent the largest LBEs and together cover nearly one million packages, indicates that these ecosystems make an opportune environment for attackers to incorporate stealthy attacks. Overall, we argue that (i) fully automated detection of malicious packages is likely to be unfeasible; however, (ii) tools and metrics that help developers assess the risk of including external dependencies would go a long way toward preventing attacks.