Poor programming practices in Chinese-mandated Green Dam filtering software put users at risk of compromise, security expert says.
The content-filtering software the Chinese government wants installed on all PCs sold in that country beginning next week was poorly developed and puts users at risk of having their computers compromised, a security expert who examined the code said on Thursday.
The Chinese government is requiring that all PCs include the Green Dam-Youth Escort software to block pornography, but it also blocks access to content related to violent computer games, illegal drugs and political speech, said Ben Feinstein, director of research at SecureWorks, a managed security service provider.
Critics are worried that the Chinese government could use Green Dam, a free download, to block all kinds of content and monitor online activities of users, as well as worried that the software could allow for a massive botnet to be created, either by cybercriminals or the Chinese government itself.
Feinstein and colleagues at SecureWorks' Counter Threat Unit examined the Green Dam code earlier this month and found that it uses a variety of unsafe programming practices that have been banned at Microsoft and other U.S. companies, he said.
An example is the use of Strcpy, or string copy, a library function in the C programming language that copies memory from one buffer to another, according to Feinstein. If the copied string doesn't fit in the destination buffer, it will overwrite memory and can be used in a buffer overflow attack.
"This software appears to be of low quality and to have not been developed with a secure methodology," Feinstein said. "It likely suffers from a whole host of problems."
The way Green Dam is designed to inspect all Internet traffic coming into and going out of a PC means more parts of the code are exposed to potential attack compared with programs that are more limited in scope and process less data, he said.
In addition, having the software on all PCs in China, as mandated, would create a huge install base and be an attractive target for attackers who could attack millions of computers by targeting just this one program, Feinstein said.
China historically has censored the Internet using filters on the network, blocking access to pages that deal with politically sensitive subjects like Tiananman Square, Falun Gong, and Tibet. Installing filtering software on the end-user computers will make it easier to block content than doing it in the network, according to Feinstein.
"You get efficiencies of scale if you push the filtering down to the end point rather than inspect huge Trans-Pacific pipes entering and leaving your country," he said. Green Dam was published by Jinhui Computer Systems Engineering, which is run by a former officer of the Peoples' Liberation Army, he added.
Researchers at the University of Michigan issued a report two weeks ago that found two major security vulnerabilities in Green Dam that could allow someone to remotely take over a computer running the software. The software was later updated and patched, according to an update to the report issued a week ago, however the researchers said they had discovered an additional security hole that remained unfixed.
Separately, a security researcher said he had released on a public Web site an exploit for a buffer overflow that remained unpatched in the Green Dam update.