The malicious "rustdecimal" crate
Posted May 11, 2022 21:56 UTC (Wed) by amarao (guest, #87073)
In reply to: The malicious "rustdecimal" crate by Gaelan
Parent article: The malicious "rustdecimal" crate
So, to install malware on your machine I need to write a malicious crate with a misleading description, send you a link and ... make 10000 downloads?
I'd say that the latter is the easiest...
Posted May 12, 2022 0:27 UTC (Thu)
by NYKevin (subscriber, #129325)
[Link] (1 responses)
Posted May 12, 2022 13:03 UTC (Thu)
by amarao (guest, #87073)
[Link]
You miss the point of my argument. I'm saying that imitating some reasonable number of downloads for a crate is simple. It's the simplest part of the trickery. That means you can't use it to meaningfully defend yourself from malicious crates by looking at the download counter (and all its cousins, like the number of forks and stars on GH). That doesn't mean you can't use 'few downloads' as a red flag, but you can't use it as a qualifier for 'safe to use'.
Posted May 12, 2022 12:11 UTC (Thu)
by excors (subscriber, #95769)
[Link] (2 responses)
crates.io prominently shows not just the total download count, but a chart of downloads per version over the last 90 days. (See the bottom of https://crates.io/crates/rust_decimal). So if you want to make a malicious crate that doesn't look immediately suspicious and untrustworthy, you'll need to spend 90 days replicating that pattern of downloads.
I suspect you'd have more success by e.g. finding a popular but not-very-well-maintained crate, and sending a pull request that correctly implements a frequently-requested feature but includes a dependency on a new crate that you maintain yourself. Hopefully the maintainer will be glad to receive the patch and won't be concerned enough about the new dependency to reject it or rewrite it.
Developers who check the download history of the popular crate will have no reason to be concerned, and nobody has time to check the download history of every dependency of a crate before they use it. Then you can make a new release of your crate with some malicious code, and anyone starting a new project or running "cargo update" will receive your update.
(Old projects that don't explicitly update won't see the new version, because the old version number is stored in the project's Cargo.lock file, which is usually checked into VCS so every developer builds exactly the same code.)
For a conscientious application developer, I think one possible solution is to run "cargo vendor" to retrieve a local copy of all dependencies, and check that into your VCS. Use the net.offline config option to prevent Cargo accidentally using a non-local crate. Whenever you want to update dependencies: run "cargo update", "cargo vendor" again, then push it to your code review system and read the diffs of all the vendored dependencies. And whenever you want to add a new dependency to your project, look at the number and complexity of its indirect dependencies and consider the long-term costs of reviewing all that code and its updates forever, and balance that against the benefits it provides.
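One way to support the review step excors describes, as an added example that is not code from the thread or from Cargo: a small script that compares the Cargo.lock before and after an update and flags crates that are new to the dependency tree, version bumps, and entries whose checksum or source changed without a version change. The lock file contents, crate names and checksums are constructed for the example.

```python
"""Report what "cargo update" changed between two Cargo.lock files. Added example
for the thread above (not Cargo's code); lock contents are constructed samples."""
import re

FIELD_RE = re.compile(r'^(name|version|source|checksum) = "([^"]*)"$', re.M)

def parse_lock(text):
    """Map (name, version) -> (source, checksum) for every [[package]] entry."""
    pkgs = {}
    for block in re.split(r"^\[\[package\]\]$", text, flags=re.M)[1:]:
        f = dict(FIELD_RE.findall(block))
        pkgs[(f["name"], f["version"])] = (f.get("source"), f.get("checksum"))
    return pkgs

def review_update(old_text, new_text):
    """Classify lock changes: new crates, version bumps, same-version edits."""
    old, new = parse_lock(old_text), parse_lock(new_text)
    report = {"new_crates": [], "version_bumps": [], "same_version_changed": []}
    for name, ver in sorted(new):
        if (name, ver) in old:
            # Same crate and version must be the same bytes; anything else needs a look.
            if old[(name, ver)] != new[(name, ver)]:
                report["same_version_changed"].append(name)
        elif prev := [v for n, v in old if n == name]:
            report["version_bumps"].append((name, prev[0], ver))
        else:
            # Absent from the old tree: how a dependency added upstream first shows up.
            report["new_crates"].append((name, ver))
    return report

OLD_LOCK = """\
[[package]]
name = "widget-core"
version = "1.2.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "constructed-checksum-widget-core-1.2.0"
"""

NEW_LOCK = """\
[[package]]
name = "hidden-helper"
version = "0.1.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "constructed-checksum-hidden-helper-0.1.0"
[[package]]
name = "widget-core"
version = "1.3.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "constructed-checksum-widget-core-1.3.0"
"""
```

Run `review_update(OLD_LOCK, NEW_LOCK)` to see the bump of widget-core and the newly introduced hidden-helper that a plain version diff of your own Cargo.toml would not show.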
Posted May 12, 2022 13:00 UTC (Thu)
by amarao (guest, #87073)
[Link] (1 responses)
Okay. I need to write a broken crate with a misleading description, put in a systemd timer with a curl with some randomness in it ... 15 minutes of playing with execution times based on the chart from another well-known crate?
Then I need to wait for 90 days, upload the malicious crate and send you a link.
Still, the 'malicious crate' and 'misleading description' are the hardest part in my opinion.
That means that looking at the download counter as a safety measure is useless. You can filter out rarely-used, untested crates, but not the malicious ones.
Posted May 13, 2022 13:16 UTC (Fri)
by mathstuf (subscriber, #69389)
[Link]
There is `cargo-crev`, which aims to help with this problem: https://github.com/crev-dev/cargo-crev