Limited automated controls integrated into the Python Package Index (PyPI) package uploading process make PyPI an attractive target for attackers to trick developers into using malicious packages. Several times this goal has been achieved via the combosquatting and typosquatting attacks when attackers give malicious packages similar names to already existing legitimate ones. In this paper, we study the attacks, identify potential attack targets, and propose an approach to identify combosquatting and typosquatting package names automatically. The approach might serve as a basis for an automated system that ensures the security of the packages uploaded and distributed via PyPI.

Typosquatting and Combosquatting Attacks on the Python Ecosystem / Vu Duc, Ly; Pashchenko, Ivan; Massacci, Fabio; Plate, Henrik; Sabetta., Antonino. - (2020), pp. 509-514. (Intervento presentato al convegno WACCO tenutosi a Italy nel 2020) [10.1109/EuroSPW51379.2020.00074].

Typosquatting and Combosquatting Attacks on the Python Ecosystem.

Duc-Ly Vu;Ivan Pashchenko;Fabio Massacci;
2020-01-01

Abstract

Limited automated controls integrated into the Python Package Index (PyPI) package uploading process make PyPI an attractive target for attackers to trick developers into using malicious packages. Several times this goal has been achieved via the combosquatting and typosquatting attacks when attackers give malicious packages similar names to already existing legitimate ones. In this paper, we study the attacks, identify potential attack targets, and propose an approach to identify combosquatting and typosquatting package names automatically. The approach might serve as a basis for an automated system that ensures the security of the packages uploaded and distributed via PyPI.
2020
5th IEEE European Symposium on Security and Privacy Workshops
Piscataway, NJ USA
IEEE
978-1-7281-8597-2
Vu Duc, Ly; Pashchenko, Ivan; Massacci, Fabio; Plate, Henrik; Sabetta., Antonino
Typosquatting and Combosquatting Attacks on the Python Ecosystem / Vu Duc, Ly; Pashchenko, Ivan; Massacci, Fabio; Plate, Henrik; Sabetta., Antonino. - (2020), pp. 509-514. (Intervento presentato al convegno WACCO tenutosi a Italy nel 2020) [10.1109/EuroSPW51379.2020.00074].
File in questo prodotto:
File Dimensione Formato  
ly2020typosquatting.pdf

accesso aperto

Tipologia: Post-print referato (Refereed author’s manuscript)
Licenza: Tutti i diritti riservati (All rights reserved)
Dimensione 186.18 kB
Formato Adobe PDF
186.18 kB Adobe PDF Visualizza/Apri
Typosquatting_and_Combosquatting_Attacks_on_the_Python_Ecosystem.pdf

Solo gestori archivio

Tipologia: Versione editoriale (Publisher’s layout)
Licenza: Tutti i diritti riservati (All rights reserved)
Dimensione 589.25 kB
Formato Adobe PDF
589.25 kB Adobe PDF   Visualizza/Apri

I documenti in IRIS sono protetti da copyright e tutti i diritti sono riservati, salvo diversa indicazione

Utilizza questo identificativo per citare o creare un link a questo documento: https://hdl.handle.net/11572/282646
Citazioni
  • ???jsp.display-item.citation.pmc??? ND
  • Scopus 26
  • ???jsp.display-item.citation.isi??? 18
social impact