Mark Dowd, X-Force research engineer at IBM Internet Security Systems and winner of the Google Native Client security contest along with partner Ben Hawkes.
(Credit: Mark Dowd)Two security researchers are splitting a cash prize from Google after winning a bug hunt contest designed to improve the security of Google Native Client technology, Google announced on Tuesday.
Despite the dozen or so bugs they found in the code, which lets Web-based applications run native code and take advantage of a computer's processing power, one of the winners predicted the technology will be secure when it is deployed.
"The quality of the implementation was pretty good," said Mark Dowd, X-Force researcher engineer at IBM Internet Security Systems. "Everyone makes a few mistakes here and there, and the purpose of the competition was to weed those out."
Dowd and his partner, Ben Hawkes, an independent security researcher in New Zealand, found the largest number of security vulnerabilities and the most severe of the 22 total bugs that were reported by contestants and accepted as valid, said Brad Chen, Google's engineering manager of Native Client.
The more severe bugs, for instance, would allow an attacker to completely disable the technology's inner sandbox, according to Chen.
"Had this been available on production Web sites you would have been able to take some of these vulnerabilities and turn them into exploits and gain complete control of systems," Dowd said. But "this is not a production release, so there's not a huge user base at this point you can exploit."
"I know they want to roll out a few more features before they bring it into prime time, but the core technology itself is pretty interesting, and if they keep up with the security side of it I think...it will be deployed on the Internet in a secure fashion," he said.
The technology, revealed as a research project in December and promoted to a development platform last month, is an attempt to enable computers to run Web applications downloaded from the Internet directly on the processor and at the speed of "native" software installed on a computer.
Current Web application programming environments, like Flash, JavaScript, and ActiveX, offer limited processing power and have suffered their own share of implementation flaws that can be exploited.
With Native Client, Google faces with the challenge of balancing more performance with new security challenges from a relatively new approach. That approach, called static analysis, involves screening software before it runs to make sure it doesn't perform any of a range of prohibited risky actions.
Google expects to integrate Native Client into the developer version of its Chrome browser before the end of the year, opening it up to the broader development community as it does so, Chen said.
About 600 people participated in the contest, which was announced in February and judged by a panel of nine experts.
Satisfied that its security underpinnings are solid, Google has promoted its open-source Native Client technology to accelerate Web applications out of its research phase and is taking steps to build it into the Chrome Web browser.
"Based on our experience to date, we believe that the basic architecture of our system is sound and the implementation is supportable. So now we are undertaking a number of tasks to transition Native Client from a research technology to a development platform," said Brad Chen, Google's Native Client engineering manager, in a mailing list announcement Wednesday.
Brad Chen, engineering manager of the Google Native Client
(Credit: Stephen Shankland/CNET)Native Client, called NaCl for short, is a mechanism to run software downloaded over the Web directly on x86 processors such as Intel's Core line. The key motivation is to attain the speed of regular "native" software installed on a computer rather than the much slower JavaScript environment that sophisticated Web sites use today. It's one part of Google's broad effort to evolve the Web from a collection of relatively static sites into foundation for more powerful applications.
Executing native code from the Web is easy--until you start trying to worry about security risks. To this end, Native Client examines software before it runs to block software that takes a variety of prohibited actions, an idea called static analysis, and it runs the software in a protected sandbox.
"We recognized the underlying technology to be ambitious and risky, and felt strongly than a generous measure of public scrutiny was appropriate before we committed to any definite plans," Chen said. Satisfied that Native Client passed muster, Google will remove various security constraints such as the inability to execute Native Client software downloaded from the open Internet, he said.
Native Client was first introduced in December a browser plug-in, but Google doesn't like that approach.
"We recognize that there is well-justified resistance to installing browser plug-ins. For this reason we have a strong preference for delivering Native Client pre-installed or built into the browser, and we'll be focusing on that as our main strategy for delivering Native Client to users," Chen said.
And now we see one reason why Google is interested having a browser of its own available: "Careful readers may have already noticed evidence of integration into Chromium in the Native Client source," Chen said, referring to the open-source project that underlies the Chrome browser.
Google touted Native Client at its Google I/O conference in May, showing off a Web-based photo editor as an example of the processing power the technology offers. Google also is trying to pair Native Client with another company project, O3D, which lets browsers take advantage of hardware to accelerate 3D graphics.
Even at the cutting edge of cloud computing, Web-based applications can be frustrating to write and to use.
Spreadsheets can't sort data well, there are lags between mouse clicks and the program's response, graphics look Mickey Mouse rather than lavish. But Google, among the most aggressive cloud computing advocates, is trying to address some of those shortcomings.
The company has released experimental but still very much real software that brings in some of the power of the PC, where people often use Web applications. Google Native Client--first released in 2008 but updated with a new version Thursday--is a browser plug-in for securely running computationally intense software downloaded from a Web site. And on Tuesday, Google released O3D, a plug-in that lets Web-based applications tap into a computer's graphics chip, too.
The projects are rough around the edges, to say the least. Native Client--NaCl for short--is more security research project than usable programming foundation right now, and O3D exists in part to try to accelerate the arrival of some future, not necessarily compatible, standard for building 3D abilities into Web applications.
Google Native Client is shown here running a fractal landscape explorer.
(Credit: Google)But both fundamentally challenge the idea that Web apps necessarily are stripped-down, feeble counterparts to the software that runs natively on a personal computer, and they come from a company that has engineering skill, a yen for moving activity to the Internet, and search-ad profits that can fund projects that don't immediately or directly make money.
"There are things you can do in desktop apps that you can't do in Web apps. We're working very hard to close that gap, so anything you can do in a desktop application you can do safely and securely from a Web application," said Linus Upson, a Google engineering director.
... Read more- prev
- 1
- next
