This repository was archived by the owner on Jul 16, 2020. It is now read-only.
forked from pypa/pip
Endless data attacks for pip with TUF
Trishank Karthik Kuppusamy edited this page Sep 21, 2013
In an endless data attack, the web server keeps serving data to pip instead of ending the file it was asked for. This lets an attacker fill up the victim's hard drive.

First, we set up a virtual environment (for cleanroom testing) and install pip-with-TUF:
```console
$ cd /tmp
$ curl -O https://pypi.python.org/packages/source/v/virtualenv/virtualenv-1.10.1.tar.gz
$ tar xvfz virtualenv-1.10.1.tar.gz
$ python virtualenv-1.10.1/virtualenv.py --no-site-packages endless-data-with-tuf
$ source endless-data-with-tuf/bin/activate
$ sudo apt-get install python-dev libgmp-dev
$ pip install --upgrade https://github.com/theupdateframework/tuf/archive/v0.7.5.zip
$ pip install --upgrade https://github.com/theupdateframework/pip/archive/trishank.poly.edu.zip
```
Suppose that FooBar 0.1 is actually ~8MB, but the web server instead sends FooBar-0.1 twice in a row:

```console
# POINT TO REPOSITORY WITH INTACT TUF METADATA.
$ curl http://mirror1.poly.edu/test-pip/endless-data/tuf.interposition.json -o endless-data-with-tuf/local/lib/python2.7/site-packages/pip/tuf.interposition.json
$ pip install FooBar
Downloading/unpacking FooBar
  Downloading FooBar-0.1.tar.gz (unknown size): 8.4MB downloaded
  Running setup.py egg_info for package FooBar
Installing collected packages: FooBar
  Running setup.py install for FooBar
    FooBar 0.1
Successfully installed FooBar
Cleaning up...
```
In this small-scale test, pip-with-TUF downloaded only the expected length of the file (read from the trusted, signed targets metadata) and ignored whatever else the malicious web server kept sending. Without that bound, a successful endless data attack would have filled up the victim's hard drive before pip-with-TUF ever got to check the file's hash. Compare this with the situation where pip works without TUF.
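The mechanism at work above is a download bounded by a trusted length, followed by a hash check. The following Python example is added here to illustrate it; it is not code from pip-with-TUF or TUF. It uses a constructed byte string in place of FooBar-0.1.tar.gz, computes the "trusted" length and SHA-256 from it (in TUF these come from the signed targets metadata), and models the malicious server as a stream that replays the file, either twice or endlessly. The bounded fetch terminates against the endless stream after pulling exactly the trusted length; the naive fetch, which reads until the server says EOF, downloads the doubled file in full before any hash check can fail, and against the endless stream would never return (so it is only run against the doubled one).

```python
import hashlib
import io

# Constructed stand-in for FooBar-0.1.tar.gz (hypothetical content, not the real archive).
FOOBAR_0_1 = b"FooBar-0.1 archive bytes" * 1000  # 24,000 bytes, constructed

# What the signed targets metadata would carry for this file. Computed here from
# the constructed bytes; in TUF the client reads these from signed metadata.
TRUSTED_LENGTH = len(FOOBAR_0_1)
TRUSTED_SHA256 = hashlib.sha256(FOOBAR_0_1).hexdigest()


class RepeatingStream:
    """Models a malicious web server that replays the same file over and over.
    repeats=2 is the "twice in a row" case; repeats=None never ends."""

    def __init__(self, payload, repeats=None):
        self.payload = payload
        self.repeats = repeats
        self.pos = 0
        self.bytes_served = 0  # how many bytes the client actually pulled

    def read(self, n):
        if n <= 0:
            return b""
        total = None if self.repeats is None else len(self.payload) * self.repeats
        if total is not None:
            if self.pos >= total:
                return b""  # the doubled file does eventually end
            n = min(n, total - self.pos)
        out = bytearray()
        while len(out) < n:
            offset = self.pos % len(self.payload)
            piece = self.payload[offset:offset + (n - len(out))]
            out += piece
            self.pos += len(piece)
        self.bytes_served += len(out)
        return bytes(out)


def naive_fetch(stream, chunk_size=8192):
    """Read until EOF, like a client with no trusted length to rely on."""
    buf = io.BytesIO()
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            return buf.getvalue()
        buf.write(chunk)


def fetch_with_trusted_length(stream, expected_length, expected_sha256, chunk_size=8192):
    """Read at most expected_length bytes, then verify both length and hash.
    Because the loop is bounded by trusted metadata, it terminates no matter
    how much the server keeps sending."""
    digest = hashlib.sha256()
    buf = io.BytesIO()
    remaining = expected_length
    while remaining > 0:
        chunk = stream.read(min(chunk_size, remaining))
        if not chunk:
            break  # server ended early; the length check below catches it
        buf.write(chunk)
        digest.update(chunk)
        remaining -= len(chunk)
    data = buf.getvalue()
    if len(data) != expected_length:
        raise ValueError("length mismatch: got %d bytes, expected %d" % (len(data), expected_length))
    if digest.hexdigest() != expected_sha256:
        raise ValueError("hash mismatch for downloaded file")
    return data


def bounded_download_against_endless_server():
    """Returns (bytes kept, bytes pulled from the server) for the bounded client."""
    stream = RepeatingStream(FOOBAR_0_1, repeats=None)
    data = fetch_with_trusted_length(stream, TRUSTED_LENGTH, TRUSTED_SHA256)
    return len(data), stream.bytes_served


def naive_download_against_doubled_file():
    """Returns (bytes kept, whether the hash matched) for the naive client."""
    stream = RepeatingStream(FOOBAR_0_1, repeats=2)
    data = naive_fetch(stream)
    return len(data), hashlib.sha256(data).hexdigest() == TRUSTED_SHA256


if __name__ == "__main__":
    print("bounded client vs endless server:", bounded_download_against_endless_server())
    print("naive client vs doubled file:", naive_download_against_doubled_file())
```

The order of the two checks matters: the length bound is what stops the disk from filling, and the hash check only becomes reachable once the download has ended, which is exactly why a client without a trusted length never gets to reject the bad file.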