
dc.contributor.advisor: Davidson, Drew
dc.contributor.author: Taylor, Matthew
dc.date.accessioned: 2022-03-10T21:01:47Z
dc.date.available: 2022-03-10T21:01:47Z
dc.date.issued: 2020-05-31
dc.date.submitted: 2020
dc.identifier.other: http://dissertations.umi.com/ku:17181
dc.identifier.uri: http://hdl.handle.net/1808/32580
dc.description.abstract: Program size and complexity have dramatically increased over time. To reduce their workload, developers began to utilize package managers. These package managers allow third-party functionality, contained in units called packages, to be quickly imported into a project. Due to their utility, packages have become remarkably popular. The largest package repository, npm, has more than 1.2 million publicly available packages and serves more than 80 billion package downloads per month. In recent years, this popularity has attracted the attention of malicious users. Attackers have the ability to upload packages which contain malware. To increase the number of victims, attackers regularly leverage a tactic called typosquatting, which involves giving the malicious package a name that is very similar to the name of a popular package. Users who make a typo when trying to install the popular package fall victim to the attack and are instead served the malicious payload. The consequences of typosquatting attacks can be catastrophic. Historical typosquatting attacks have exfiltrated passwords, stolen cryptocurrency, and opened reverse shells. This thesis focuses on typosquatting attacks in package repositories. It explores the extent to which typosquatting exists in npm and PyPI (the de facto standard package repositories for Node.js and Python, respectively), proposes a practical defense against typosquatting attacks, and quantifies the efficacy of the proposed defense. The presented solution incurs an acceptable temporal overhead of 2.5% on the standard package installation process and is expected to affect approximately 0.5% of all weekly package downloads. Furthermore, it has been used to discover a particularly high-profile typosquatting perpetrator, which was then reported and has since been deprecated by npm. Typosquatting is an important yet preventable problem. This thesis recommends that package creators protect their own packages with a technique called defensive typosquatting (pre-registering likely misspellings of their own package names so that an attacker cannot) and that repository maintainers protect all users through augmentations to their package managers or automated monitoring of the package namespace.
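The install-time check that the abstract describes as an augmentation to the package manager, as an added example that is not code from the thesis: before a name is installed, it is compared against a list of popular package names and held back when it is a near miss. The popular-name list is constructed here, and the normalization rule (the PEP 503 rule PyPI itself uses, so `cross_env` and `cross-env` collapse to the same name) and the edit-distance-1 threshold are assumptions chosen for illustration, not the thesis's own parameters.

```python
"""Pre-install typosquat check (illustrative; not the thesis's implementation)."""
from __future__ import annotations

import re

# Constructed sample of popular names; a real deployment would load the top-N
# names by download count from the repository.
POPULAR = frozenset({"requests", "numpy", "lodash", "express",
                     "urllib3", "cross-env", "django"})


def normalize(name: str) -> str:
    """Canonical form as PyPI (PEP 503) compares names: lower-case, and any run
    of '-', '_' or '.' is treated as a single '-'."""
    return re.sub(r"[-_.]+", "-", name.strip().lower())


def damerau_levenshtein(a: str, b: str) -> int:
    """Optimal-string-alignment distance: one insertion, deletion, substitution
    or adjacent transposition each cost 1.  Transpositions matter because a
    swapped pair of letters is the most common keyboard typo."""
    la, lb = len(a), len(b)
    d = [[0] * (lb + 1) for _ in range(la + 1)]
    for i in range(la + 1):
        d[i][0] = i
    for j in range(lb + 1):
        d[0][j] = j
    for i in range(1, la + 1):
        for j in range(1, lb + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # deletion
                          d[i][j - 1] + 1,          # insertion
                          d[i - 1][j - 1] + cost)   # substitution / match
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[la][lb]


def typosquat_candidates(requested: str, popular=POPULAR,
                         max_distance: int = 1) -> list[str]:
    """Return the popular names the requested name is suspiciously close to.

    An exact match is the legitimate package and yields [].  A name that differs
    only in separators or case (distance 0 after normalization but a different
    raw string, e.g. 'cross_env' for 'cross-env') is still reported, because on
    npm that is a distinct package name an attacker could register.
    """
    req = normalize(requested)
    hits = []
    for pop in popular:
        if requested == pop:
            return []
        if damerau_levenshtein(req, normalize(pop)) <= max_distance:
            hits.append(pop)
    return sorted(hits)


def install_decision(requested: str, popular=POPULAR) -> str:
    """What a package-manager hook would do with the result: proceed, or hold
    the install and ask the user to confirm the intended name."""
    hits = typosquat_candidates(requested, popular)
    if not hits:
        return "install"
    return "hold: did you mean " + ", ".join(hits) + "?"


if __name__ == "__main__":
    for name in ("requests", "reqeusts", "lodahs", "cross_env", "flask"):
        print(f"{name:12s} -> {install_decision(name)}")
```

The threshold is the knob that trades false positives against coverage: distance 1 catches single-character typos and swaps, while distance 2 starts flagging legitimate short names against each other, which is the kind of effect the abstract's 0.5% figure is measuring. For npm, where names are already lower-case and separators are significant, the same comparison should be made on the raw name as well as the normalized one.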
dc.format.extent: 58 pages
dc.language.iso: en
dc.publisher: University of Kansas
dc.rights: Copyright held by the author.
dc.subject: Computer engineering
dc.subject: Computer science
dc.subject: defense
dc.subject: npm
dc.subject: package
dc.subject: pypi
dc.subject: repository
dc.subject: typosquatting
dc.title: Defending Against Typosquatting Attacks in Programming Language-Based Package Repositories
dc.type: Thesis
dc.contributor.cmtemember: Luo, Bo
dc.contributor.cmtemember: Bardas, Alex
dc.thesis.degreeDiscipline: Electrical Engineering & Computer Science
dc.thesis.degreeLevel: M.S.
dc.identifier.orcid: https://orcid.org/0000-0002-3765-9162
dc.rights.accessrights: openAccess