Rooted2020: The day I ruled the world. Deceiving software developers through open source software dependencies - Javier Junquera - Carlos Cilleruelo
6. Background
● How many apps have problems with
homograph attacks?
● How is developer software dealing with it?
○ IDEs
○ Text editors
○ Programming languages
31. Fuzzer
➔ change_similar(homográficos, h𝐨mográficos, replacing o with b'\xf0\x9d\x90\xa8')
➔ homophonic(homofonicos, houmoufounicous, o sounds like ou)
➔ gen_deletions(truncar, tuncar, 0, 1)
➔ gen_permutations(permutar, premutar, permuting the char at 1)
➔ duplicates(duplicar, dupplicar, 2)
➔ gen_case(caselogic, caseloGic, 6)
➔ add_spaces(spaces, s<U+180E>paces, inserting the space b'\xe1\xa0\x8e' at position 1)
➔ rtl(ltr, <U+202D>rtl, inserting b'\xe2\x80\xad' at position 0)
33. Uploading
➔ Let's upload everything
◆ UNICODE not allowed :(
◆ “Spaces not allowed”
◆ But… everything else:
● No limit, no control :)
◆ Remember academia
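As an added example (not the talk's own fuzzer, whose code is not on the page), the eight mutation families of slide 31 written out in Python, followed by the registry filter slide 33 implies: the PyPI name grammar from PEP 508, the PEP 503 normalisation that makes pure case or separator changes collide with the original name, and a simplified rule for unscoped npm names. The confusable and homophone tables beyond the slide's own entries, the second invisible space and the npm regex are assumptions made for this example.

```python
import re

# Confusable / alternative tables. Constructed for this example; the slide
# itself only shows U+1D428 for "o", U+180E as the "space" and U+202D as the
# bidi override.
HOMOGLYPHS = {
    "o": ["\U0001d428", "\u043e"],  # MATHEMATICAL BOLD SMALL O, CYRILLIC SMALL O
    "a": ["\u0430"],                # CYRILLIC SMALL A
    "e": ["\u0435"],                # CYRILLIC SMALL IE
    "l": ["1", "I"],                # plain ASCII look-alikes pass every registry filter
}
HOMOPHONES = {"o": "ou", "ph": "f", "y": "i"}
INVISIBLE_SPACES = ["\u180e", "\u200b"]  # MONGOLIAN VOWEL SEPARATOR, ZERO WIDTH SPACE
BIDI_OVERRIDES = ["\u202d", "\u202e"]    # LEFT-TO-RIGHT / RIGHT-TO-LEFT OVERRIDE


def change_similar(name):
    """Replace one character by a visually similar code point."""
    return sorted({name[:i] + g + name[i + 1:]
                   for i, ch in enumerate(name) for g in HOMOGLYPHS.get(ch, [])})


def homophonic(name):
    """Replace a sound by another spelling of it (o -> ou, ph -> f, ...)."""
    return sorted({name.replace(k, v) for k, v in HOMOPHONES.items() if k in name})


def gen_deletions(name):
    """Drop one character at each position."""
    return sorted({name[:i] + name[i + 1:] for i in range(len(name))})


def gen_permutations(name):
    """Swap each pair of adjacent characters."""
    return sorted({name[:i] + name[i + 1] + name[i] + name[i + 2:]
                   for i in range(len(name) - 1)})


def duplicates(name):
    """Double one character at each position."""
    return sorted({name[:i] + name[i] + name[i:] for i in range(len(name))})


def gen_case(name):
    """Flip the case of one letter at each position."""
    return sorted({name[:i] + name[i].swapcase() + name[i + 1:]
                   for i in range(len(name)) if name[i].isalpha()})


def add_spaces(name):
    """Insert an invisible 'space' between two characters."""
    return sorted({name[:i] + sp + name[i:]
                   for i in range(1, len(name)) for sp in INVISIBLE_SPACES})


def rtl(name):
    """Reverse the name and prepend a bidi override control character."""
    return [ov + name[::-1] for ov in BIDI_OVERRIDES]


# Registry naming rules (slide 33: no Unicode, no spaces, anything else goes).
# PyPI: PEP 508 name grammar. re.ASCII matters here: with IGNORECASE alone,
# [A-Z] also matches U+017F (long s) and U+212A (Kelvin sign).
PYPI_NAME_RE = re.compile(r"^([A-Z0-9]|[A-Z0-9][A-Z0-9._-]*[A-Z0-9])$",
                          re.IGNORECASE | re.ASCII)
# npm: simplified unscoped rule (lowercase, URL-safe, no leading dot or
# underscore, at most 214 characters). Assumption: scoped names are ignored.
NPM_NAME_RE = re.compile(r"^[a-z0-9][a-z0-9._-]*$", re.ASCII)


def pypi_normalize(name):
    """PEP 503 normalisation: case and runs of -_. are not distinguishing."""
    return re.sub(r"[-_.]+", "-", name).lower()


def accepted_by(name, registry):
    """Would the registry accept this candidate as a package name?"""
    if registry == "pypi":
        return PYPI_NAME_RE.match(name) is not None
    if registry == "npm":
        return len(name) <= 214 and NPM_NAME_RE.match(name) is not None
    raise ValueError(f"unknown registry {registry!r}")


GENERATORS = (change_similar, homophonic, gen_deletions, gen_permutations,
              duplicates, gen_case, add_spaces, rtl)


def survivors(name, registry):
    """All single-mutation candidates the registry would let through."""
    candidates = set()
    for gen in GENERATORS:
        candidates.update(gen(name))
    candidates.discard(name)  # a mutation may reproduce the original
    if registry == "pypi":
        # "Requests" or "re.quests" would resolve to the existing project.
        original = pypi_normalize(name)
        candidates = {c for c in candidates if pypi_normalize(c) != original}
    return sorted(c for c in candidates if accepted_by(c, registry))


if __name__ == "__main__":
    for registry in ("pypi", "npm"):
        print(registry, survivors("requests", registry))
```

The Unicode families (change_similar, add_spaces, rtl) are exactly the ones the registries reject, which is why the talk's uploads ended up being plain typos, transpositions and duplicated letters; the case family is additionally useless on PyPI because of normalisation, and on npm because uppercase names are refused.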
34. Dependencies selection
● Top 10
○ PyPI
○ NPM
● Some names we consider hard to type
○ Who t.f. chose psycopg2-binaries?
35. Packages creation
You have made a mistake installing
the dependency `{original_name}`,
and have installed `{new_name}` instead.
If `{new_name}` had contained malicious code,
you would have been pwned.
This file has been generated by
`{new_name}` to warn you; we have
not made any change to your
system.
Fix: you just need to delete the
dependency `{new_name}` and
install `{original_name}`.
`{new_name}` is part of a research
project on attacks against
dependency names.
For more information about it
contact javier@junquera.xyz
36. Telemetry
➔ User profile (Root | Not)
➔ Package manager (pypi | npm)
➔ Original name
➔ Modified name
➔ OS version
➔ Country, approximate city (derived from the IP, subject to GDPR)
◆ It is difficult to ask for consent :)
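An added example, not the authors' package code, that covers slides 35 and 36 together: the warning template rendered for one original/squatted pair, the fields of slide 36 that can be read on the victim host, and the wiring that makes them run at install time. The page does not say which hook the research packages used; the classic mechanism, a custom `install` command in setup.py, is assumed here. The package names, the warning file name and the fact that the report is only printed rather than sent are also assumptions. Country and approximate city were derived from the source IP on the collector side, so they are not computed on the host.

```python
import os
import platform

# Placeholder pair; the page does not list the exact names it published.
ORIGINAL_NAME = "requests"   # the dependency the developer meant to install
NEW_NAME = "reqests"         # the squatted name they actually typed

WARNING_TEMPLATE = """\
You have made a mistake installing the dependency `{original_name}`,
and have installed `{new_name}` instead.
If `{new_name}` had contained malicious code, you would have been pwned.
This file has been generated by `{new_name}` to warn you; we have not made
any change to your system.

Fix: delete the dependency `{new_name}` and install `{original_name}`.
`{new_name}` is part of a research project on attacks against dependency names.
For more information contact javier@junquera.xyz
"""


def render_warning(original_name, new_name):
    """Fill the slide-35 template for one squatted/original pair."""
    return WARNING_TEMPLATE.format(original_name=original_name, new_name=new_name)


def write_warning(original_name, new_name, directory):
    """Leave the warning where the developer will see it; returns the path.
    The file name is an assumption, the page does not give it."""
    path = os.path.join(directory, f"WARNING_{new_name}.txt")
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(render_warning(original_name, new_name))
    return path


def collect_telemetry(original_name, new_name, manager="pypi"):
    """The slide-36 fields readable on the host. Country and city are
    resolved from the source IP by the collector, not here."""
    geteuid = getattr(os, "geteuid", None)          # absent on Windows
    is_root = geteuid is not None and geteuid() == 0
    return {
        "user_profile": "root" if is_root else "not_root",
        "package_manager": manager,
        "original_name": original_name,
        "modified_name": new_name,
        "os_version": platform.platform(),
    }


if __name__ == "__main__":
    # Wiring for `python setup.py install`: run the normal install, then the
    # hook above. Assumed mechanism; not stated on the page.
    from setuptools import setup
    from setuptools.command.install import install

    class WarnOnInstall(install):
        def run(self):
            install.run(self)
            write_warning(ORIGINAL_NAME, NEW_NAME, os.getcwd())
            report = collect_telemetry(ORIGINAL_NAME, NEW_NAME)
            # The research packages sent `report` to a collector; this
            # example only prints it.
            print(report)

    setup(name=NEW_NAME, version="0.0.1", cmdclass={"install": WarnOnInstall})
```

Two practitioner caveats. Modern pip builds a wheel from the sdist and installs that, so an overridden `install` command is never invoked; module-level code in setup.py still executes during that build, which is where install-time hooks actually run today. On npm the equivalent is a `postinstall` script in package.json, which runs with the installing user's privileges in the same way, so the root/not-root field is just as meaningful there.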