Attacks on Package Managers


Masaryk University
Faculty of Informatics
Bachelor’s Thesis
Martin Čarnogurský
Brno, Spring 2019

This is where a copy of the official signed thesis assignment and a copy of the Statement of an Author is located in the printed version of the document.

Declaration

Hereby I declare that this paper is my original authorial work, which I have worked out on my own. All sources, references, and literature used or excerpted during elaboration of this work are properly cited and listed in complete reference to the due source.

Martin Čarnogurský

Advisor: Mgr. Vít Bukač, Ph.D.

Acknowledgements

I would like to thank Mgr. Vít Bukač Ph.D., RNDr. Václav Lorenc, and Mgr. Patrik Hudák for their continuous support over the years. I would not have been able to go so far, both in education and professionally, and for these reasons I forever owe them my gratitude.

Abstract

The primary focus of this thesis is to analyse the current state of various package managers regarding security mechanisms related to selected malicious attacks, such as typosquatting or distribution of malicious packages. The further analysis described here also provides insights on differences between security mechanisms used in OS-level software managers, smartphone application marketplaces, and the primary focus of this thesis: community repositories of libraries used by developers. We then propose several monitoring mechanisms as a proof-of-concept to detect malicious intent, ongoing attacks or yet unknown vulnerabilities. The implemented system computes a risk score using heuristics that are language-independent where possible, and it is evaluated against real data from the Python Package Index.
Keywords

package manager, typosquatting, attack, malware

Contents

Introduction
1 Overview of the ecosystem
  1.1 Package managers
    1.1.1 Debian package manager
  1.2 Package managers for developers
    1.2.1 The Python Package Index
2 Anatomy of a Python package
  2.1 The Setup Script
  2.2 Package Installer for Python (PIP)
  2.3 Source distributions
  2.4 Binary package format
  2.5 The Wheel Binary Package Format
3 Previous Incidents
4 Attack vectors and threat models
  4.1 Source code modifications
  4.2 Typosquatting
  4.3 Bait packages
5 Analyzing packages on a global scale
  5.1 Existing tools and frameworks
  5.2 Static Analysis
    5.2.1 Abstract Syntax Tree
    5.2.2 Tree transformation and analysis
  5.3 Aura framework
    5.3.1 apip
  5.4 Global PyPI scan findings
6 Conclusions and Future Work
  6.1 Future work
  6.2 Conclusions
Glossary
A Appendix
  A.1 Live analysis
    A.1.1 Comparison of static analysis vs. live analysis approaches
  A.2 setup.py from the talib package
B ssh-decorate incident evidence
C Built-in Aura analyzers
  C.1 Produced hits

List of Figures

4.1 An example of a typosquatting package on PyPI when searching for a package scikit
4.2 Screenshot of a package that is already included in Python 3.3 but available for download on PyPI
5.1 Detections found during the latest scan
5.2 Screenshot of a typosquatting package
B.1 A screenshot of the opened GitHub issue by user mowshon after he found the malicious code
B.2 A screenshot of the malicious code

Introduction

Package managers are widely used in various areas, ranging from OS-level installation of software frequently used in Linux systems to development libraries and the installation of smartphone applications. In this thesis, we aim to analyze various attack vectors on package managers used by developers and demonstrate a proof-of-concept monitoring system to address these issues that we developed from scratch. A quick introduction to package managers, their usage and how they operate is given in Chapter 1.

A majority of the package managers in question are community-based. In this context, no central authority needs to confirm when a new version of a package is uploaded or if an entirely new package is being created. On one hand, this provides a low-barrier opportunity to contribute to open source and enables faster release cycles; on the other hand, it means that anyone can upload anything, which presents various exciting scenarios for malicious attacks. To understand how these attacks are performed, we first need to understand the basics of how packages themselves are used; this is covered in Chapter 2.

Several different threat vectors have been identified. Past incidents show that a typical attack is the so-called typosquatting attack [11], which is now seeing a reincarnation in the world of package managers. Other forms of attack include hijacking existing packages or creating bait packages with attractive names that try to lure developers into installing them.
We compiled a brief overview of the notable incidents in Chapter 3. Since packages are not isolated components but typically have dependencies on other packages, the compromise of a package can propagate much further and faster into other packages. We discuss this topic in more depth in Chapter 4.

In Chapter 5, we present a proof-of-concept system, called Aura, that we created from scratch after extensive research, which can scan terabytes of data and find anomalies in the packages published on the PyPI repository. This goal is accomplished by using a highly optimized hybrid analysis engine that tracks the code execution flow and defeats a selected set of code obfuscations. We further discuss these techniques in the associated chapter, as well as the difficulties of creating this engine. At the end of the chapter, we present interesting findings that we extracted from the dataset gathered by scanning the whole PyPI repository. Thesis conclusions and steps that could be taken in the future are provided in Chapter 6.

1 Overview of the ecosystem

In this chapter, we discuss the roles of package managers and briefly how they operate. As a baseline, we look into the Debian package manager, which in the context of this thesis is an ideal and mature model for how package operations and the ecosystem should work from the security point of view. Afterwards, we look into the package manager for Python, called pip.

1.1 Package managers

Package managers 1 are currently present in various areas of computer systems where a user can install missing software for their needs and avoid a complicated process of manual installation. Users usually select the application they wish to install from a list of available applications, and the package manager installs this application; in most cases, it also performs any default configuration that is needed.
One of the main benefits of such systems is that they also handle dependencies, where the installed package requires another package to be already installed for its functionality. These systems are commonly referred to as package managers and are available in modern operating systems and smartphones. As they are often used by non-technical people, they usually have several security mechanisms that aim to prevent the compromise of the end-user system, block malicious intent or mitigate the spread of a potentially exploitable vulnerability. In most cases, this is achieved by a central authority that manages the repository of available software and requires approval of every published piece of software and each of its versions, combined with static analysis that flags packages needing a human review.

1. Sometimes also called Software Managers or Application Managers. The name often depends on context; for example, in programming languages, the preferred term is Package Manager, since the installed software is often just a set of libraries and not a directly executable application.

1.1.1 Debian package manager

A Debian package2 is a collection of files that allows applications or libraries to be distributed via the Debian package management system. There is also a Linux distribution with the same name, Debian [21], that uses the Debian package management system as its core software manager, hence the name of this distribution. Any given package consists of one source package and one or more binary components with the structure defined by the policy3, although there are numerous techniques for creating these files. A significant note here is that every officially published package needs to have an associated source code, built by maintainers.
Packages that are already compiled and contain binary components are not accepted4, in order to ensure that all published packages originate from the provided source code without any (sometimes malicious) additions. Such a mechanism also allows independent audits to verify that distributed packages are unmodified before being published. The mechanism is called reproducible builds5. Although reproducible builds in Debian are not available for all packages at the time of writing, there is a great effort to increase the coverage and essentially provide them for all officially distributed software in Debian.

Accepting a new package (or a new version of an existing package) into the official repository usually goes through several steps, such as putting it in a testing or unstable area6 for a period, which mitigates several attack vectors discussed further in this thesis. Other additional extensions, such as Debsigs7, extend the standard package model by providing support for digital signatures and verification using PGP.

2. https://wiki.debian.org/Packaging
3.
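
The audit that reproducible builds make possible (Section 1.1.1), as an added example that is not code from the thesis or from Debian: it parses the ar container of a .deb, compares a distributed package with an independent rebuild, and separates changed file content from metadata-only drift. The sample packages, their file names and all helper names are constructed for illustration.

```python
"""Compare a distributed .deb against an independent rebuild (constructed data)."""
import hashlib
import io
import tarfile

AR_MAGIC = b"!<arch>\n"


def parse_ar(blob):
    """Return {member name: bytes} for a Unix ar archive, the .deb container."""
    if not blob.startswith(AR_MAGIC):
        raise ValueError("not an ar archive")
    members, pos = {}, len(AR_MAGIC)
    while pos < len(blob):
        header = blob[pos:pos + 60]
        if len(header) < 60 or header[58:60] != b"`\n":
            raise ValueError(f"corrupt member header at offset {pos}")
        name = header[0:16].decode("ascii").rstrip(" /")
        size = int(header[48:58].decode("ascii"))
        data = blob[pos + 60:pos + 60 + size]
        if len(data) != size:
            raise ValueError(f"member {name!r} is truncated")
        members[name] = data
        pos += 60 + size + (size % 2)  # member data is padded to an even offset
    return members


def file_digests(tar_bytes):
    """SHA-256 of each regular file in a control/data tarball (any compression)."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        return {m.name: hashlib.sha256(tar.extractfile(m).read()).hexdigest()
                for m in tar if m.isfile()}


def compare_builds(distributed, rebuilt):
    """List (member, verdict, changed_paths); an empty list means identical."""
    if distributed == rebuilt:
        return []
    dist, ours = parse_ar(distributed), parse_ar(rebuilt)
    findings = []
    for name in sorted(set(dist) | set(ours)):
        if name not in dist or name not in ours:
            findings.append((name, "member missing on one side", []))
        elif dist[name] != ours[name]:
            if name.startswith(("control.tar", "data.tar")):
                a, b = file_digests(dist[name]), file_digests(ours[name])
                changed = sorted(p for p in a.keys() | b.keys() if a.get(p) != b.get(p))
                verdict = "file content differs" if changed else "metadata only"
                findings.append((name, verdict, changed))
            else:
                findings.append((name, "content differs", []))
    # Members equal but archives not: only the ar headers (mtime, owner) drifted.
    return findings or [("ar container", "metadata only", [])]


def make_tar(files, mtime):
    """Build an uncompressed tarball with fixed ownership and the given mtime."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        for path, content in sorted(files.items()):
            info = tarfile.TarInfo(path)
            info.size, info.mtime = len(content), mtime
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


def make_deb(members):
    """Pack (name, bytes) pairs into an ar archive with zeroed header metadata."""
    out = AR_MAGIC
    for name, data in members:
        out += f"{name:<16}{0:<12}{0:<6}{0:<6}{'100644':<8}{len(data):<10}`\n".encode()
        out += data + (b"\n" if len(data) % 2 else b"")
    return out


def sample_deb(tool_script, mtime=0):
    """Constructed sample package: one shell script, one control file."""
    control = make_tar({"control": b"Package: demo\nVersion: 1.0\n"}, mtime)
    data = make_tar({"usr/bin/tool": tool_script}, mtime)
    return make_deb([("debian-binary", b"2.0\n"),
                     ("control.tar", control), ("data.tar", data)])


SOURCE_BUILD = b"#!/bin/sh\necho hello\n"
REBUILT = sample_deb(SOURCE_BUILD)  # what the auditor builds from source
CASES = {  # what the repository distributes, in three constructed variants
    "matches source": sample_deb(SOURCE_BUILD),
    "extra line not in source": sample_deb(SOURCE_BUILD + b"echo unreviewed\n"),
    "same files, build-time mtime": sample_deb(SOURCE_BUILD, mtime=1546300800),
}

if __name__ == "__main__":
    for label, distributed in CASES.items():
        print(label, "->", compare_builds(distributed, REBUILT) or "reproducible")
```

The third case shows why a build that embeds timestamps cannot be audited by hash alone: the files are identical, yet the archives differ.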