Package Management Security

Package management is the task of determining which packages should be installed on a host and then downloading and installing those packages. This paper examines the popular package managers APT and YUM and presents nine feasible attacks on them. There are attacks that install malicious packages, deny users package updates, or cause the host to crash. This work identifies three rules of package management security: don’t trust the repository, the trusted entity with the most information should be the one who signs, and don’t install untrusted packages. The violation of these rules leads to the described vulnerabilities. Unfortunately, many of the flaws are architectural in nature, so repair requires more than patches to APT and YUM. While the rules of package management security argue that the design of existing package managers is insufficient, they do not prescribe how to provide security. This led to the development of three design principles for building a secure package manager: selective trust delegation, customized repository views, and explicitly treating the repository as untrusted. These principles were used to construct a package manager Stork which is not vulnerable to the attacks identified for YUM and APT. Stork has been in use for four years and has managed over half a million clients.