![]() ![]() The trick is that it's not tokio-helpers that is backdoored, it's a dependency of a dependency of a. I can make a Pull Request with a new dependency, let say tokio-helpers. The chance of a code review of all the transitive dependencies is approximately 0.įor example, let say I want to backdoor a popular crate. While It's hard to have a more explicit name, imagine if I would have named this crate tokio-workerpool or tokio-future.īy using misleading metadata such as the README, the repository, and tags, an attacker can make this crate appear like an official one.Īgain, it's hard! Transitive dependenciesīy burying a backdoored dependency deep in the dependency tree, an attacker can conceal a backdoored crate. For example, I just uploaded the crate tokio-backdoor. Problem: Anyone can upload a package with a given prefix. ![]() Thus, organizations, projects, and developers rely on prefixes to make their packages discoverable and group them. Misleading nameĪll crates on crates.io live under a global namespace, which means no organizational scoping. It's hard! You can look at the Owners section or the total number of downloads.īut still, this is not perfect: I could have made up my crates.io profile in order to look like a famous developer. How to know if a crate is legitimate or not? When you look at both crates on crates.io, it's very hard to tell which one is legitimate and which one is malicious.Īctually, my num_cpu crate has been downloaded 24 times in less than 24 hours, but I'm not sure if it's by bots or real persons (I didn't embed any active payload to avoid headaches for anyone involved). Interested in Security and Rust? Get my book Black Hat Rustīy naming a crate in a very similar way to a popular one, we can expect that a non-zero number of developers will make a typo in the name, either when searching on crates.io or when installing the crate.Īs an example, I just published the crate num_cpu which targets the num_cpus crate with almost 43,000,000 downloads. Of course, an attacker can combine these techniques to make them more effective and stealthy. The goal of this post is to raise awareness among developers about how easy it's to carry these kinds of attacks and how pernicious they can be. I voluntarily ignored perniciously backdoored algorithms such as cryptographic primitives or obfuscated code because this is a whole different topic. We are going to study 8 techniques to achieve Remote Code Execution (RCE) on developers', CI/CD, or users' machines. In Rust, packages are called crates and are (most of the time) hosted on a central repository: for better discoverability. Supply chains attacks are all the rage these days, whether to deliver RATs, cryptocurrencies miners, or credential stealers.
0 Comments
Leave a Reply. |