Security expert blesses Google Native Client technology

Mark Dowd, X-Force research engineer at IBM Internet Security Systems and winner of the Google Native Client security contest along with partner Ben Hawkes.

(Credit: Mark Dowd)

Two security researchers are splitting a cash prize from Google after winning a bug hunt contest designed to improve the security of Google Native Client technology, Google announced on Tuesday.

Despite the dozen or so bugs they found in the code, which lets Web-based applications run native code and take advantage of a computer's processing power, one of the winners predicted the technology will be secure when it is deployed.

"The quality of the implementation was pretty good," said Mark Dowd, X-Force researcher engineer at IBM Internet Security Systems. "Everyone makes a few mistakes here and there, and the purpose of the competition was to weed those out."

Dowd and his partner, Ben Hawkes, an independent security researcher in New Zealand, found the largest number of security vulnerabilities and the most severe of the 22 total bugs that were reported by contestants and accepted as valid, said Brad Chen, Google's engineering manager of Native Client.

The more severe bugs, for instance, would allow an attacker to completely disable the technology's inner sandbox, according to Chen.

"Had this been available on production Web sites you would have been able to take some of these vulnerabilities and turn them into exploits and gain complete control of systems," Dowd said. But "this is not a production release, so there's not a huge user base at this point you can exploit."

"I know they want to roll out a few more features before they bring it into prime time, but the core technology itself is pretty interesting, and if they keep up with the security side of it I think...it will be deployed on the Internet in a secure fashion," he said.

The technology, revealed as a research project in December and promoted to a development platform last month, is an attempt to enable computers to run Web applications downloaded from the Internet directly on the processor and at the speed of "native" software installed on a computer.

Current Web application programming environments, like Flash, JavaScript, and ActiveX, offer limited processing power and have suffered their own share of implementation flaws that can be exploited.

With Native Client, Google faces with the challenge of balancing more performance with new security challenges from a relatively new approach. That approach, called static analysis, involves screening software before it runs to make sure it doesn't perform any of a range of prohibited risky actions.

Google expects to integrate Native Client into the developer version of its Chrome browser before the end of the year, opening it up to the broader development community as it does so, Chen said.

About 600 people participated in the contest, which was announced in February and judged by a panel of nine experts.

[JasonCe]

I am confused.

These guys have "found the largest number of security vulnerabilities and the most severe of the 22 total bugs that were reported by contestants", and that product has not even shipped yet (no one is looking to exploit it), so chances are there are many times more vulnerabilities still in it, and yet they "bless Google Native Client technology"?

Shouldn't it be the other way around?

I wonder if it has anything to do with Google paying these guys...

[khimru]

Number of guys attacking something != number of defects found. Not even close. Think about PS3 and XBox360. Heck, think about DES and AES! AES, DES, and Cell (central piece of PS3 security architecture) - all these things very reviewed by security professionals before release - and they all are unbroken as of yet (DES just used too short passwords so brute force attacks are now feasible). The only thing with "zero number of known and fixed vulnerabilities at the release date" in the list above is XBox360. It included top-secret Microsoft's in-house architecture and many tricks to make it "more secure"... and it was broken months after release.

Sure, review of security professionals is not a panacea (think MD5), but it sure as hell better then alternatives. And 22 bugs are not such a big number if you'll consider size of Native Client's code...

[Marcus Westrup]

I have to agree with JasonCe on this one - this endorsement sounds a little too cozy. Google has crossed it's "do no evil" line a few times, so why should we trust this?
I'd like to get a second opinion.

[simmons142]

I second what khimru says, above -- there's no contradiction with security researchers finding 22 bugs and then giving the software their blessing. Laymen often assume that security is a matter of whittling down bugs, when it is actually the application of sound principles and good design. Even in a well-designed piece of software, finding 22 bugs comes as no big surprise because writing software is hard, humans are fallible, and the rigorous engineering processes needed to create bug-free software have not been invented (or perhaps just haven't been popularized).

[GEO2003]

These Security Experts no doubt have great credentials to be able to analyse vulnerabilities in WEB applications. The questions is - Are they really smarter then undergroud hackers whom may be able to surpace the technical knowledge of of these Security Experts. At any point in time someone else could come alone who may be better at finding vectors to attack Web Applications.

The email that show this article is the same email from Cnet that show the story of Google's Cloud computing OS. They both complement each other, in that while Google may be touting their Web OS as secure, this story shows the opposite.