Package Manager Security
Authors
Abstract
We analyze the security properties of package management software. First, we examine many package managers for basic security properties and we perform an in-depth security audit for several chosen package managers. Next, we construct and demonstrate an automated end-to-end attack against CPAN, a popular package manager for Perl. Finally, we make recommendations on how to build more secure package management programs.
Similar resources
Package Management Security
Package management is the task of determining which packages should be installed on a host and then downloading and installing those packages. This paper examines the popular package managers APT and YUM and presents nine feasible attacks on them. There are attacks that install malicious packages, deny users package updates, or cause the host to crash. This work identifies three rules of packag...
An Approach for Secure Software
We present an approach that addresses the problem of securing software configurations from the security-relevant actions of poorly built/faulty installation packages. Our approach is based on a policy-based control of the package manager’s actions and is customizable for site-specific policies. We discuss an implementation of this approach in the context of the Linux operating system for the Re...
An Approach for Secure Software Installation
We present an approach that addresses the problem of securing software configurations from the security-relevant actions of poorly built/faulty installation packages. Our approach is based on a policy-based control of the package manager’s actions and is customizable for site-specific policies. We discuss an implementation of this approach in the context of the Linux operating system for the Re...
Security Policy Generation through Package Management
Generation and maintenance of security policies is too complex and needs simplification for it to be widely adopted and thus truly make a difference in delivering the promise of more secure computing systems (rather than just being ignored by administrators). In practice, one of the great obstacles to the adoption of security measures in system software is the complexity of configuration that i...
ISRAM: information security risk analysis method
Continuously changing nature of technological environment has been enforcing to revise the process of information security risk analysis accordingly. A number of quantitative and qualitative risk analysis methods have been proposed by researchers and vendors. The purpose of these methods is to analyze today's information security risks properly. Some of these methods are supported by a software...