Typosquatting and Combosquatting Attacks on the Python Ecosystem / Vu Duc, Ly; Pashchenko, Ivan; Massacci, Fabio; Plate, Henrik; Sabetta, Antonino. - (2020), pp. 509-514. (Paper presented at the WACCO workshop held in Italy in 2020) [10.1109/EuroSPW51379.2020.00074].

Typosquatting and Combosquatting Attacks on the Python Ecosystem.

Duc-Ly Vu; Ivan Pashchenko; Fabio Massacci
2020-01-01

Abstract

Limited automated controls integrated into the Python Package Index (PyPI) package uploading process make PyPI an attractive target for attackers who want to trick developers into using malicious packages. This goal has been achieved several times via combosquatting and typosquatting attacks, in which attackers give malicious packages names similar to those of already existing legitimate ones. In this paper, we study the attacks, identify potential attack targets, and propose an approach to identify combosquatting and typosquatting package names automatically. The approach might serve as a basis for an automated system that ensures the security of the packages uploaded and distributed via PyPI.
Year: 2020
Venue: 5th IEEE European Symposium on Security and Privacy Workshops
Place of publication: Piscataway, NJ, USA
Publisher: IEEE
ISBN: 978-1-7281-8597-2
Authors: Vu Duc, Ly; Pashchenko, Ivan; Massacci, Fabio; Plate, Henrik; Sabetta, Antonino
Files in this record:

ly2020typosquatting.pdf
Access: open access
Type: Refereed author's manuscript (post-print)
License: All rights reserved
Size: 186.18 kB
Format: Adobe PDF

Typosquatting_and_Combosquatting_Attacks_on_the_Python_Ecosystem.pdf
Access: archive administrators only
Type: Publisher's version (publisher's layout)
License: All rights reserved
Size: 589.25 kB
Format: Adobe PDF

Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.

Use this identifier to cite or link to this record: https://hdl.handle.net/11572/282646

Citations
  • PMC: ND
  • Scopus: 31
  • ISI: 19