This repository was archived by the owner on Jul 16, 2020. It is now read-only.
forked from pypa/pip
Slow retrieval attacks for pip with TUF
Trishank Karthik Kuppusamy edited this page Sep 21, 2013
In a slow retrieval attack, the server trickles updates to pip at a crawl (here we play that server). This might allow an attacker to remotely exploit a vulnerability before the update is downloaded to completion.
First, we set up a virtual environment (for cleanroom testing) and install pip-with-TUF:
$ cd /tmp
$ curl -O https://pypi.python.org/packages/source/v/virtualenv/virtualenv-1.10.1.tar.gz
$ tar xvfz virtualenv-1.10.1.tar.gz
$ python virtualenv-1.10.1/virtualenv.py --no-site-packages slow-retrieval-with-tuf
$ source slow-retrieval-with-tuf/bin/activate
$ sudo apt-get install python-dev libgmp-dev
$ pip install --upgrade https://github.com/theupdateframework/tuf/archive/v0.7.5.zip
$ pip install --upgrade https://github.com/theupdateframework/pip/archive/trishank.poly.edu.zip
Suppose that FooBar 0.1 is ~8MB and the web server responds at about 4KB/s (after the first few hundred bytes):
# POINT TO REPOSITORY WITH INTACT TUF METADATA.
$ curl http://mirror1.poly.edu/test-pip/slow-retrieval/tuf.interposition.json -o slow-retrieval-with-tuf/local/lib/python2.7/site-packages/pip/tuf.interposition.json
$ time pip install FooBar
Downloading/unpacking FooBar
Cleaning up...
Exception:
Traceback (most recent call last):
  File "/tmp/slow-retrieval-with-tuf/local/lib/python2.7/site-packages/pip/basecommand.py", line 134, in main
    status = self.run(options, args)
  File "/tmp/slow-retrieval-with-tuf/local/lib/python2.7/site-packages/pip/commands/install.py", line 270, in run
    sys.exit('TUF stopped the update due to an error:\n'+str(error))
SystemExit: TUF stopped the update due to an error:
No working mirror was found:
  mirror1.poly.edu: Average download speed: 7943.72791266 bytes/second
Storing complete log in /home/trishank/.pip/pip.log
real    1m1.374s
user    0m0.180s
sys     0m0.024s
We detect the slow retrieval soon enough: pip-with-TUF gave up after about a minute instead of waiting the half hour or more that ~8MB at ~4KB/s would take. In this case we had only one mirror, so the entire update had to be terminated. In the general case, where there are more fast mirrors than slow ones, pip-with-TUF stops downloading from the slow ones and switches to the fast ones instead. Compare this with the situation where pip works without TUF.
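The check described above, as an added simulation that is not the page's or TUF's own code: each mirror's stream is modelled as (elapsed seconds, chunk) pairs so it runs offline; the speed floor, grace period and the `trickle` server are assumptions chosen to match the ~8MB / ~4KB/s scenario.

```python
"""Constructed simulation of the slow-retrieval defence (not TUF's own code):
abort a download whose average speed stays below a floor, then fall through to
the next mirror. Streams are (elapsed_seconds, data) pairs, so no network is
needed and every run is deterministic."""

MIN_AVERAGE_SPEED = 32 * 1024  # bytes/second floor; the value is an assumption
GRACE_PERIOD = 3.0             # seconds before the floor is enforced; assumption

class SlowRetrievalError(Exception):
    """The mirror's average speed fell below MIN_AVERAGE_SPEED."""

class NoWorkingMirrorError(Exception):
    """Every mirror was rejected."""

def fetch_with_speed_check(chunks, expected_length):
    """Consume (elapsed, data) chunks; raise as soon as the average is too low.
    Average = total bytes / total elapsed time, re-checked after every chunk once
    the grace period is over, so a fast burst followed by a trickle is caught
    within seconds rather than after the whole ~8MB has dribbled in."""
    received = bytearray()
    for elapsed, data in chunks:
        received += data
        if elapsed > GRACE_PERIOD and len(received) / elapsed < MIN_AVERAGE_SPEED:
            raise SlowRetrievalError("Average download speed: %.2f bytes/second"
                                     % (len(received) / elapsed))
        if len(received) >= expected_length:
            return bytes(received)
    raise SlowRetrievalError("stream ended after %d bytes" % len(received))

def download_from_mirrors(mirrors, expected_length):
    """Try mirrors in order, skipping slow ones; fail only if none works."""
    errors = []
    for name, chunks in mirrors:
        try:
            return name, fetch_with_speed_check(chunks, expected_length)
        except SlowRetrievalError as e:
            errors.append("%s: %s" % (name, e))
    raise NoWorkingMirrorError("No working mirror was found:\n" + "\n".join(errors))

def trickle(total, rate, burst=512):
    """Constructed server: a quick burst, then `rate` bytes every second."""
    yield 0.0, b"x" * burst
    sent, t = burst, 0.0
    while sent < total:
        t, n = t + 1.0, min(rate, total - sent)
        yield t, b"x" * n
        sent += n
```

With a 4KB/s mirror listed before a 1MB/s one, `download_from_mirrors` rejects the first after its fourth second (about 4224 bytes/second on average) and completes the ~8MB from the second; with only the slow mirror it raises the same "No working mirror was found" error pip printed above.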