michael pradel - tu darmstadt cam tenny - r2c small world with … · 2019-08-19 · small world...
TRANSCRIPT
![Page 1: Michael Pradel - TU Darmstadt Cam Tenny - r2c Small World with … · 2019-08-19 · Small World with High Risks: A Study of Security Threats in the npm Ecosystem 1 Markus Zimmermann](https://reader033.vdocuments.us/reader033/viewer/2022041818/5e5c4a64418c2a318261d15d/html5/thumbnails/1.jpg)
Small World with High Risks: A Study of Security Threats in the npm
Ecosystem
1
Markus Zimmermann - TU Darmstadt Cristian-Alexandru Staicu - TU Darmstadt
Cam Tenny - r2c Michael Pradel - TU Darmstadt
August 15, 2019
![Page 2: Michael Pradel - TU Darmstadt Cam Tenny - r2c Small World with … · 2019-08-19 · Small World with High Risks: A Study of Security Threats in the npm Ecosystem 1 Markus Zimmermann](https://reader033.vdocuments.us/reader033/viewer/2022041818/5e5c4a64418c2a318261d15d/html5/thumbnails/2.jpg)
JavaScript and npm
https://insights.stackoverflow.com/survey/2018/2
609 security advisories
npmjs.com retrieved on May 8, 2018
![Page 3: Michael Pradel - TU Darmstadt Cam Tenny - r2c Small World with … · 2019-08-19 · Small World with High Risks: A Study of Security Threats in the npm Ecosystem 1 Markus Zimmermann](https://reader033.vdocuments.us/reader033/viewer/2022041818/5e5c4a64418c2a318261d15d/html5/thumbnails/3.jpg)
eslint Incident
● ~10 million downloads
● Compromised credentials
of maintainer
● Malicious version
tried to steal access tokens
3
![Page 4: Michael Pradel - TU Darmstadt Cam Tenny - r2c Small World with … · 2019-08-19 · Small World with High Risks: A Study of Security Threats in the npm Ecosystem 1 Markus Zimmermann](https://reader033.vdocuments.us/reader033/viewer/2022041818/5e5c4a64418c2a318261d15d/html5/thumbnails/4.jpg)
Goals● What is the impact of an individual package on the ecosystem?
● What is the influence of a maintainer on the ecosystem?
● How many packages depend on a package with unpatched security vulnerabilities?
4
![Page 5: Michael Pradel - TU Darmstadt Cam Tenny - r2c Small World with … · 2019-08-19 · Small World with High Risks: A Study of Security Threats in the npm Ecosystem 1 Markus Zimmermann](https://reader033.vdocuments.us/reader033/viewer/2022041818/5e5c4a64418c2a318261d15d/html5/thumbnails/5.jpg)
● On average, packages implicitly trust 79 third-party packages and 39 maintainers
● Popular packages often influence more than 100,000 other packages
● Some maintainers have an impact on hundreds of thousands of packages
● Up to 40% of all packages depend on code with at least one publicly known vulnerability
Key Findings
5
![Page 6: Michael Pradel - TU Darmstadt Cam Tenny - r2c Small World with … · 2019-08-19 · Small World with High Risks: A Study of Security Threats in the npm Ecosystem 1 Markus Zimmermann](https://reader033.vdocuments.us/reader033/viewer/2022041818/5e5c4a64418c2a318261d15d/html5/thumbnails/6.jpg)
Particularities of npm
6
● No vetting of developers
● Open publishing model
● Heavy reuse
● Locked dependencies
Package / Account takeover
Malicious packages
Exploiting unmaintained legacy code
Maintainer collusion
![Page 7: Michael Pradel - TU Darmstadt Cam Tenny - r2c Small World with … · 2019-08-19 · Small World with High Risks: A Study of Security Threats in the npm Ecosystem 1 Markus Zimmermann](https://reader033.vdocuments.us/reader033/viewer/2022041818/5e5c4a64418c2a318261d15d/html5/thumbnails/7.jpg)
Empirical Study
7
![Page 8: Michael Pradel - TU Darmstadt Cam Tenny - r2c Small World with … · 2019-08-19 · Small World with High Risks: A Study of Security Threats in the npm Ecosystem 1 Markus Zimmermann](https://reader033.vdocuments.us/reader033/viewer/2022041818/5e5c4a64418c2a318261d15d/html5/thumbnails/8.jpg)
Experimental Setup
8
Observation period: November 2010 - April 2018
676,539 packages 5,386,239 versions
199,327 maintainers 609 security advisories
![Page 9: Michael Pradel - TU Darmstadt Cam Tenny - r2c Small World with … · 2019-08-19 · Small World with High Risks: A Study of Security Threats in the npm Ecosystem 1 Markus Zimmermann](https://reader033.vdocuments.us/reader033/viewer/2022041818/5e5c4a64418c2a318261d15d/html5/thumbnails/9.jpg)
Evolution of Dependencies
9A user implicitly trusts 79 other packages due to transitive dependencies.
![Page 10: Michael Pradel - TU Darmstadt Cam Tenny - r2c Small World with … · 2019-08-19 · Small World with High Risks: A Study of Security Threats in the npm Ecosystem 1 Markus Zimmermann](https://reader033.vdocuments.us/reader033/viewer/2022041818/5e5c4a64418c2a318261d15d/html5/thumbnails/10.jpg)
Evolution of Package Reach
10Popular packages can reach more than 100,000 other packages, making them a prime target for attacks.
![Page 11: Michael Pradel - TU Darmstadt Cam Tenny - r2c Small World with … · 2019-08-19 · Small World with High Risks: A Study of Security Threats in the npm Ecosystem 1 Markus Zimmermann](https://reader033.vdocuments.us/reader033/viewer/2022041818/5e5c4a64418c2a318261d15d/html5/thumbnails/11.jpg)
Evolution of Maintainer Influence
11
Less than 100 maintainers are needed to reach 50%, 22.2 % are needed to reach all with dependencies
![Page 12: Michael Pradel - TU Darmstadt Cam Tenny - r2c Small World with … · 2019-08-19 · Small World with High Risks: A Study of Security Threats in the npm Ecosystem 1 Markus Zimmermann](https://reader033.vdocuments.us/reader033/viewer/2022041818/5e5c4a64418c2a318261d15d/html5/thumbnails/12.jpg)
Evolution of Security Advisories
12Up to 40% of all packages rely on code known to be vulnerable.
![Page 13: Michael Pradel - TU Darmstadt Cam Tenny - r2c Small World with … · 2019-08-19 · Small World with High Risks: A Study of Security Threats in the npm Ecosystem 1 Markus Zimmermann](https://reader033.vdocuments.us/reader033/viewer/2022041818/5e5c4a64418c2a318261d15d/html5/thumbnails/13.jpg)
Potential Mitigations
● Raising developer awareness of dependency risks
● Warn about vulnerable packages
● Vetting code or maintainers
13
![Page 14: Michael Pradel - TU Darmstadt Cam Tenny - r2c Small World with … · 2019-08-19 · Small World with High Risks: A Study of Security Threats in the npm Ecosystem 1 Markus Zimmermann](https://reader033.vdocuments.us/reader033/viewer/2022041818/5e5c4a64418c2a318261d15d/html5/thumbnails/14.jpg)
Code Vetting as Mitigation
14Vetting the most dependent upon 1,500 packages would reduce the implicitly trusted packages by a factor of 10
![Page 15: Michael Pradel - TU Darmstadt Cam Tenny - r2c Small World with … · 2019-08-19 · Small World with High Risks: A Study of Security Threats in the npm Ecosystem 1 Markus Zimmermann](https://reader033.vdocuments.us/reader033/viewer/2022041818/5e5c4a64418c2a318261d15d/html5/thumbnails/15.jpg)
Conclusions
● On average, packages implicitly trust 79 third-party packages and 39 maintainers
● Popular packages influence often more than 100,000 other packages
● Some maintainers have an impact on hundreds of thousands of packages
● Up to 40% of all packages depend on code with at least one publicly known vulnerability
15