Security expert blesses Google Native Client technology

Researcher who wins bug-finding contest says Google Native Client technology is architecturally sound.

Elinor Mills Former Staff Writer

Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service and the Associated Press.

See full bio

Elinor Mills

July 7, 2009 5:00 p.m. PT

2 min read

Mark Dowd, X-Force research engineer at IBM Internet Security Systems and winner of the Google Native Client security contest along with partner Ben Hawkes. Mark Dowd

Two security researchers are splitting a cash prize from Google after winning a bug hunt contest designed to improve the security of Google Native Client technology, Google announced on Tuesday.

Despite the dozen or so bugs they found in the code, which lets Web-based applications run native code and take advantage of a computer's processing power, one of the winners predicted the technology will be secure when it is deployed.

"The quality of the implementation was pretty good," said Mark Dowd, X-Force researcher engineer at IBM Internet Security Systems. "Everyone makes a few mistakes here and there, and the purpose of the competition was to weed those out."

Dowd and his partner, Ben Hawkes, an independent security researcher in New Zealand, found the largest number of security vulnerabilities and the most severe of the 22 total bugs that were reported by contestants and accepted as valid, said Brad Chen, Google's engineering manager of Native Client.

The more severe bugs, for instance, would allow an attacker to completely disable the technology's inner sandbox, according to Chen.

"Had this been available on production Web sites you would have been able to take some of these vulnerabilities and turn them into exploits and gain complete control of systems," Dowd said. But "this is not a production release, so there's not a huge user base at this point you can exploit."

"I know they want to roll out a few more features before they bring it into prime time, but the core technology itself is pretty interesting, and if they keep up with the security side of it I think...it will be deployed on the Internet in a secure fashion," he said.

The technology, revealed as a research project in December and promoted to a development platform last month, is an attempt to enable computers to run Web applications downloaded from the Internet directly on the processor and at the speed of "native" software installed on a computer.

Current Web application programming environments, like Flash, JavaScript, and ActiveX, offer limited processing power and have suffered their own share of implementation flaws that can be exploited.

With Native Client, Google faces with the challenge of balancing more performance with new security challenges from a relatively new approach. That approach, called static analysis, involves screening software before it runs to make sure it doesn't perform any of a range of prohibited risky actions.

Google expects to integrate Native Client into the developer version of its Chrome browser before the end of the year, opening it up to the broader development community as it does so, Chen said.

About 600 people participated in the contest, which was announced in February and judged by a panel of nine experts.