QUICK REVIEW

[Paper Review] Small World with High Risks: A Study of Security Threats in the npm Ecosystem

Markus Zimmermann, Cristian-Alexandru Staicu|arXiv (Cornell University)|2019. 02. 25.
Information and Cyber Security · References: 31 · Citations: 89
One-line summary

This paper analyzes npm's dependency and maintainer networks to quantify security risk, and shows a high degree of implicit trust: a small number of maintainers, or a handful of highly popular packages, could be used to mount attacks with very wide reach. It also evaluates mitigation strategies for reducing that risk, such as trusted maintainers and vetting.

ABSTRACT

The popularity of JavaScript has led to a large ecosystem of third-party packages available via the npm software package registry. The open nature of npm has boosted its growth, providing over 800,000 free and reusable software packages. Unfortunately, this open nature also causes security risks, as evidenced by recent incidents of single packages that broke or attacked software running on millions of computers. This paper studies security risks for users of npm by systematically analyzing dependencies between packages, the maintainers responsible for these packages, and publicly reported security issues. Studying the potential for running vulnerable or malicious code due to third-party dependencies, we find that individual packages could impact large parts of the entire ecosystem. Moreover, a very small number of maintainer accounts could be used to inject malicious code into the majority of all packages, a problem that has been increasing over time. Studying the potential for accidentally using vulnerable code, we find that lack of maintenance causes many packages to depend on vulnerable code, even years after a vulnerability has become public. Our results provide evidence that npm suffers from single points of failure and that unmaintained packages threaten large code bases. We discuss several mitigation techniques, such as trusted maintainers and total first-party security, and analyze their potential effectiveness.

Research motivation and goals

  • Quantify how dependencies and the ecosystem grow on npm, and determine how this growth affects security risk.
  • Assess the influence that individual packages and maintainers have on the ecosystem's attack surface.
  • Investigate how vulnerabilities propagate through transitive dependencies and identify critical points of failure.
  • Evaluate mitigation strategies for reducing the risk posed by high-impact packages and maintainers.

Proposed method

  • Construct the npm dependency graph G_t from package metadata at successive time snapshots.
  • Define and compute metrics: package reach (PR), implicitly trusted packages (ITP), maintainer reach (MR), and implicitly trusted maintainers (ITM).
  • Derive risk exposure by combining these metrics with threat models (malicious packages, unmaintained legacy code, package takeover, account takeover, collusion).
  • Analyze change over time using release data (5,386,239 releases; 676,539 packages; 199,327 maintainers; 609 advisories).
  • Use public advisories (publicly reported security issues) to define vulnerability reach (VR_t) and vulnerability reporting rate (VRR_t) and evaluate exposure.
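To make the four metrics concrete, here is a small added example (not code from the paper or its authors) that computes PR, ITP, MR and ITM over a constructed six-package dependency graph. The graph, the maintainer assignments and the exact metric definitions used (ITP = transitive dependencies of a package; ITM = maintainers of those dependencies; PR = transitive dependents of a package; MR = a maintainer's own packages plus their transitive dependents) are this example's assumptions, chosen to mirror the review's descriptions.

```javascript
// Constructed sample data (not real npm packages or maintainers).
// deps[p] lists p's direct dependencies; maintainers[p] lists who may publish p.
const deps = {
  app: ["web", "util"],
  web: ["util", "log"],
  util: ["log"],
  log: [],
  cli: ["util"],
  lone: [],
};
const maintainers = {
  app: ["alice"],
  web: ["bob"],
  util: ["carol"],
  log: ["carol"],
  cli: ["dave"],
  lone: ["erin"],
};

// Reverse the graph: dependents[p] = packages that list p as a direct dependency.
function reverseGraph(graph) {
  const rev = {};
  for (const p of Object.keys(graph)) rev[p] = rev[p] || [];
  for (const [p, ds] of Object.entries(graph)) {
    for (const d of ds) (rev[d] = rev[d] || []).push(p);
  }
  return rev;
}

// Transitive closure reachable from the start nodes (the starts themselves
// are only included if the graph loops back to them).
function closure(graph, starts) {
  const seen = new Set();
  const stack = [...starts];
  while (stack.length) {
    for (const m of graph[stack.pop()] || []) {
      if (!seen.has(m)) { seen.add(m); stack.push(m); }
    }
  }
  return seen;
}

// ITP(p): packages whose code runs when p is installed (assumed definition).
const itp = (p) => closure(deps, [p]);
// ITM(p): maintainers who can push code into any package in ITP(p).
const itm = (p) => new Set([...itp(p)].flatMap((q) => maintainers[q]));
// PR(p): packages that transitively depend on p, i.e. p's blast radius.
const pr = (p) => closure(reverseGraph(deps), [p]);
// MR(m): m's own packages plus everything that transitively depends on them.
function mr(m) {
  const own = Object.keys(maintainers).filter((p) => maintainers[p].includes(m));
  return new Set([...own, ...closure(reverseGraph(deps), own)]);
}
```

In this graph `carol` maintains only two leaf-ish packages yet reaches five of the six packages, which is the kind of concentration of implicit trust the paper measures at ecosystem scale.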

Experimental results

Research questions

  • RQ1: How connected and dense is the npm dependency network, and how does this evolve over time?
  • RQ2: How many packages and maintainers can be implicitly trusted when a given package is installed or when a maintainer is compromised?
  • RQ3: Which maintainers and packages pose the greatest reach and how does this change with ecosystem growth?
  • RQ4: What portion of the ecosystem depends on vulnerable or unpatched code, and how rapidly are vulnerabilities reported?
  • RQ5: What mitigation strategies are feasible to reduce risk without crippling ecosystem growth?

Key findings

  • On average, installing an npm package implicitly trusts 79 third-party packages and 39 maintainers.
  • Highly popular packages can influence hundreds of thousands of other packages, making them prime targets for malware.
  • A very small number of compromised maintainer accounts can inject malware into a majority of packages, and this risk has grown over time.
  • The ecosystem shows increasing package reach and maintainer reach, with some packages reaching over 100,000 other packages and maintainers reaching over 10,000 packages by 2018.
  • Up to 40% of all packages depend on code with at least one publicly known vulnerability, highlighting substantial exposure to unpatched code.
  • Mitigation options such as a vetted set of trusted maintainers could halve risk; vetting top 300 packages could also substantially reduce risk; aiming for perfect first- and third-party security remains challenging but informative for high-use packages.


This review was generated by AI and checked by a human editor.