This repository was archived by the owner on Jul 16, 2020. It is now read-only.

Slow retrieval attacks for pip with TUF

Trishank Karthik Kuppusamy edited this page Sep 21, 2013 · 6 revisions

In a slow retrieval attack, an attacker (for example a malicious or compromised mirror) trickles an update to pip so slowly that it never finishes in useful time. While the client sits waiting on the download, the attacker can remotely exploit a vulnerability in the installed package that the pending update would have fixed.

First, we set up the virtual environment (for cleanroom testing) and install pip-with-TUF:

$ cd /tmp
$ curl -O https://pypi.python.org/packages/source/v/virtualenv/virtualenv-1.10.1.tar.gz
$ tar xvfz virtualenv-1.10.1.tar.gz
$ python virtualenv-1.10.1/virtualenv.py --no-site-packages slow-retrieval-with-tuf
$ source slow-retrieval-with-tuf/bin/activate
$ sudo apt-get install python-dev libgmp-dev
$ pip install --upgrade https://github.com/theupdateframework/tuf/archive/v0.7.5.zip
$ pip install --upgrade https://github.com/theupdateframework/pip/archive/trishank.poly.edu.zip

Suppose that FooBar 0.1 is ~8MB and the web server responds at about 4KB/s (after the first few hundred bytes), so the full download would take more than half an hour:

# POINT TO REPOSITORY WITH INTACT TUF METADATA.
$ curl http://mirror1.poly.edu/test-pip/slow-retrieval/tuf.interposition.json -o slow-retrieval-with-tuf/local/lib/python2.7/site-packages/pip/tuf.interposition.json

$ time pip install FooBar
Downloading/unpacking FooBar
Cleaning up...
Exception:
Traceback (most recent call last):
  File "/tmp/slow-retrieval-with-tuf/local/lib/python2.7/site-packages/pip/basecommand.py", line 134, in main
    status = self.run(options, args)
  File "/tmp/slow-retrieval-with-tuf/local/lib/python2.7/site-packages/pip/commands/install.py", line 270, in run
    sys.exit('TUF stopped the update due to an error:\n'+str(error))
SystemExit: TUF stopped the update due to an error:
No working mirror was found:
  mirror1.poly.edu: Average download speed: 7943.72791266 bytes/second

Storing complete log in /home/trishank/.pip/pip.log

real	1m1.374s
user	0m0.180s
sys	0m0.024s

pip-with-TUF detects the slow retrieval within about a minute (the `real` time above), instead of waiting the half hour the full download would take. In this case we had only one mirror, so TUF was forced to terminate the entire update. In the general case where there are fast mirrors as well as slow ones, pip-with-TUF will stop downloading from the slow ones and switch to the fast ones instead. Compare this with the situation where pip works without TUF.
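To show the mechanism behind that output, here is an added example (not TUF's or pip's own code) of a minimal slow-retrieval defence: the client downloads a file of known length in chunks, watches the average throughput once a short grace period has passed, abandons a mirror that falls below a minimum speed, and moves on to the next mirror. The thresholds (32KB/s minimum, 3s grace period), the fake clock and the simulated mirrors are constructed for this example and are not TUF's settings; the two scenarios in `demo()` reproduce the page's single-slow-mirror case and the slow-plus-fast-mirror case.

```python
"""Added example of a slow-retrieval check with mirror fallback (not TUF code)."""
import time

# Assumed thresholds for this example; TUF has its own configurable values.
MIN_AVERAGE_SPEED = 32 * 1024   # bytes/second below which a mirror is abandoned
GRACE_PERIOD = 3.0              # seconds before the average is enforced
CHUNK_SIZE = 8192


class SlowRetrievalError(Exception):
    def __init__(self, average_speed, bytes_received):
        super().__init__("Average download speed: %.2f bytes/second" % average_speed)
        self.average_speed = average_speed
        self.bytes_received = bytes_received


class NoWorkingMirrorError(Exception):
    def __init__(self, errors):
        lines = ["  %s: %s" % (name, err) for name, err in errors.items()]
        super().__init__("No working mirror was found:\n" + "\n".join(lines))
        self.errors = errors


def download_with_speed_check(read, expected_length, min_average_speed=MIN_AVERAGE_SPEED,
                              grace_period=GRACE_PERIOD, clock=time.monotonic):
    """Read exactly expected_length bytes via read(n), aborting if the mean
    throughput is below min_average_speed once grace_period has elapsed.
    In a real client expected_length comes from signed metadata, so a server
    cannot stretch the download by sending more bytes than promised."""
    start = clock()
    data = bytearray()
    while len(data) < expected_length:
        chunk = read(min(CHUNK_SIZE, expected_length - len(data)))
        if not chunk:
            raise IOError("connection closed after %d of %d bytes" % (len(data), expected_length))
        data.extend(chunk)
        elapsed = clock() - start
        if elapsed > grace_period:
            average = len(data) / elapsed
            if average < min_average_speed:
                raise SlowRetrievalError(average, len(data))
    return bytes(data)


def fetch_from_mirrors(mirrors, expected_length, **kwargs):
    """Try each (name, read) mirror in turn; return (name, data) from the first
    that delivers at an acceptable speed, else raise NoWorkingMirrorError."""
    errors = {}
    for name, read in mirrors:
        try:
            return name, download_with_speed_check(read, expected_length, **kwargs)
        except (SlowRetrievalError, IOError) as err:
            errors[name] = err
    raise NoWorkingMirrorError(errors)


# Constructed test doubles so the example runs offline without sleeping.
class FakeClock:
    def __init__(self):
        self.now = 0.0
    def __call__(self):
        return self.now
    def advance(self, seconds):
        self.now += seconds


class SimulatedMirror:
    """Serves payload at fast_rate B/s for the first fast_bytes, then at rate B/s,
    advancing the shared FakeClock by the time a real transfer would take."""
    def __init__(self, payload, clock, rate, fast_bytes=0, fast_rate=1 << 20):
        self.payload, self.clock = payload, clock
        self.rate, self.fast_bytes, self.fast_rate = rate, fast_bytes, fast_rate
        self.pos = 0
    def read(self, n):
        chunk = self.payload[self.pos:self.pos + n]
        fast = max(0, min(len(chunk), self.fast_bytes - self.pos))
        slow = len(chunk) - fast
        self.clock.advance(fast / self.fast_rate + slow / self.rate)
        self.pos += len(chunk)
        return chunk


def demo(payload_size=1 << 20):
    """Page scenario: a mirror trickling at 4KB/s after the first 512 bytes,
    with and without an honest 1MB/s mirror beside it."""
    payload = b"\x00" * payload_size  # constructed stand-in for FooBar-0.1.tar.gz
    clock = FakeClock()
    def trickle():
        return SimulatedMirror(payload, clock, rate=4096, fast_bytes=512)
    def honest():
        return SimulatedMirror(payload, clock, rate=1 << 20)
    # Only a slow mirror: the whole update is stopped, as in the output above.
    try:
        fetch_from_mirrors([("mirror1", trickle().read)], len(payload), clock=clock)
        stopped = None
    except NoWorkingMirrorError as err:
        stopped = err.errors
    # Slow mirror plus a fast one: the slow one is abandoned and the fast one finishes.
    used, data = fetch_from_mirrors([("mirror1", trickle().read), ("mirror2", honest().read)],
                                    len(payload), clock=clock)
    return stopped, used, data == payload


if __name__ == "__main__":
    print(demo())
```

The speed check is only a complement to TUF's real protection: the length and hashes from signed metadata decide whether the bytes are accepted at all, and the speed check decides how long the client is willing to wait for them. The grace period matters because any connection starts slowly; enforcing the average from the first byte would reject honest mirrors.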
