Google Inc.'s motto may be "Don't be evil," but some people in
the security community are worried that the company's new code
search tool could help attackers do just that.
Hackers for years have been using Google's main search engine as
a way to find Web sites that might be vulnerable to a particular
attack. By searching for a given string of code or a specific error
message, they can identify
Web-based applications ripe for attack.
However, the new Google Code Search makes that process even simpler by
enabling users to search for regular expressions and exact strings, and
to restrict their searches to code written in specific programming
languages. The tool searches all of the publicly available source code it
can find, which includes not just open-source code intentionally made
available to the public, but also any code in a Concurrent Versions
System (CVS) repository or other form that a developer happens to leave
on a public server.
"A lot of people leave code sitting around. This is absolutely
useful to the bad guys," said Gary McGraw, CTO of Cigital Inc., a
software security consultancy based in Dulles, Va., that performs
code reviews and other services. "A lot of people accidentally
publish their CVS code on Web servers or wherever. It could just be
that somebody screwed up, but it's still out there."
McGraw cited the formerly proprietary code that runs Diebold Election
Systems' AccuVote-TS electronic voting machines as an example. A voting
activist was able to download the source code from a Diebold FTP site,
which led to the exposure of a number of security flaws in the software
and widespread questions about the accuracy of the machines and the
integrity of votes cast with them.
Other security experts say the new tool may result in a slew of
new vulnerability disclosures in the near future.
"They've made it a lot easier to get something meaningful out of
it. I do expect to see a lot more vulnerabilities announced because
of this, because it will be an easy way for some of these guys to
get some quick press," said Max Caceres, director of product
management at Core Security Inc., a Boston-based company that
develops penetration-testing tools. "It's very easy to write a
clever regular expression and get a thousand results back."
A few simple queries with Google Code Search can easily show a
user an area that application developers think might be vulnerable
to attack, McGraw said. By looking for terms such as "to do" or
"bug" or "security," users can find comments in source code left by
developers or testers pointing out problems.
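A developer can run the same two checks on a deployment tree before a search engine does. The Python script below is an added example, not code from the article, from Google Code Search or from any project it mentions: it walks a constructed sample web root, reports version-control metadata directories that should never be published (CVS as in the article, and, going beyond that case, .git, .svn and .hg), parses a CVS/Entries file to show the file index such a leak hands an attacker (including names of files that were never deployed), and searches comment text for the "to do", "bug" and "security" style markers McGraw describes. The sample files, the marker list and the list of source extensions are assumptions of the example.

```python
"""Pre-publication self-check for a web document root.

Added example (not from the article): finds version-control metadata copied
out with the code, and developer comments flagging unfinished or suspect code.
"""
import os
import re
import tempfile
from pathlib import Path

# Directory names that mean a working copy was published wholesale.  The article
# discusses CVS; .git/.svn/.hg are added here as the same mistake in other tools.
VCS_DIRS = {"CVS", ".git", ".svn", ".hg"}

# Source file types to scan for comments (assumption of this example).
CODE_EXTENSIONS = {".c", ".h", ".cpp", ".py", ".js", ".php", ".java", ".pl",
                   ".rb", ".sql", ".html", ".jsp", ".asp"}

# A comment start: '#', '//', '/*', '<!--', or a line that is a '*' continuation
# of a block comment.  Group 2 is the comment text that gets checked for markers.
COMMENT_START = re.compile(r"(#|//|/\*|<!--|^\s*\*)\s*(.*)")

# Markers a reviewer looks for first; 'to do' and 'todo' both match.
MARKERS = re.compile(r"\b(to\s*do|fixme|xxx|hack|bug|security|insecure|vuln\w*)\b",
                     re.IGNORECASE)


def find_exposed_vcs_metadata(root):
    """Return relative paths of VCS metadata directories under root, sorted."""
    root = Path(root)
    found = []
    for dirpath, dirnames, _ in os.walk(root):
        for name in list(dirnames):
            if name in VCS_DIRS:
                found.append((Path(dirpath) / name).relative_to(root).as_posix())
                dirnames.remove(name)  # no need to descend into the metadata itself
    return sorted(found)


def cvs_entries_listing(entries_file):
    """Parse a CVS/Entries file: '/name/rev/timestamp/options/tag' per file,
    'D/name////' per subdirectory (a bare 'D' line is ignored).  Directory names
    get a trailing '/'.  This is the file index a published CVS directory leaks."""
    names = []
    for line in Path(entries_file).read_text().splitlines():
        parts = line.split("/")
        if len(parts) >= 2 and parts[1]:
            names.append(parts[1] + ("/" if parts[0] == "D" else ""))
    return names


def find_review_comments(root):
    """Return (relative path, line number, stripped line) for every comment
    in a source file whose text carries one of the review markers."""
    root = Path(root)
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in VCS_DIRS]
        for name in filenames:
            path = Path(dirpath) / name
            if path.suffix.lower() not in CODE_EXTENSIONS:
                continue  # README.txt and friends are not scanned
            for lineno, line in enumerate(path.read_text(errors="replace").splitlines(), 1):
                m = COMMENT_START.search(line)
                # only the comment text is checked, so an identifier such as
                # 'securityLevel' in code does not trigger a hit
                if m and MARKERS.search(m.group(2)):
                    hits.append((path.relative_to(root).as_posix(), lineno, line.strip()))
    return sorted(hits)


SAMPLE_FILES = {  # constructed sample deployment, not real code from any project
    "index.php": (
        "<?php\n"
        "// TODO: validate id before it reaches the query, might be a security hole\n"
        "$id = $_GET['id'];\n"
        "echo $id;\n"
    ),
    "lib/util.js": (
        "function checkSession(s) {\n"
        "  /* FIXME: bug here, the check is skipped when s is empty */\n"
        "  return s ? s.valid : true;\n"
        "}\n"
        "var securityLevel = 1;   // tunable, see docs\n"
    ),
    "README.txt": "Security TODO list lives here; not a code file, so it is skipped.\n",
    "CVS/Root": ":pserver:dev@cvs.example.internal:/repo\n",
    "CVS/Repository": "webroot\n",
    "CVS/Entries": (
        "/index.php/1.4/Mon Oct  2 10:11:12 2006//\n"
        "/config.php/1.1/Mon Oct  2 10:11:12 2006//\n"  # never deployed, name still leaks
        "D/lib////\n"
        "D\n"
    ),
    "lib/CVS/Entries": "/util.js/1.2/Mon Oct  2 10:11:12 2006//\nD\n",
    ".git/config": "[core]\n\trepositoryformatversion = 0\n",
}


def build_sample_tree(root):
    """Write the constructed sample tree under root and return its Path."""
    root = Path(root)
    for rel, content in SAMPLE_FILES.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(content)
    return root


def run_self_check(root=None):
    """Run both checks on root; with no root, build and scan the sample tree."""
    if root is None:
        with tempfile.TemporaryDirectory() as tmp:
            return run_self_check(build_sample_tree(tmp))
    root = Path(root)
    vcs = find_exposed_vcs_metadata(root)
    listings = {d: cvs_entries_listing(root / d / "Entries")
                for d in vcs if Path(d).name == "CVS"}
    return {"vcs_dirs": vcs, "cvs_listings": listings,
            "comments": find_review_comments(root)}


if __name__ == "__main__":
    result = run_self_check()
    for d in result["vcs_dirs"]:
        print(f"published VCS metadata: {d} {result['cvs_listings'].get(d, '')}")
    for path, lineno, text in result["comments"]:
        print(f"{path}:{lineno}: {text}")
```

Run against a real document root with `run_self_check("/var/www/html")`; the CVS/Entries parse is the part worth looking at, since it shows that a leaked metadata directory names files (here config.php) that are not even present in the published tree.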
"That's the first thing you do when you do a code review, you
start by looking for those comments," McGraw said. "We did a code
review once for a big bank and found a comment in the code saying
that the developer thought a certain function might be a security
vulnerability. He was right and it was even worse than they
thought."
Still, the new search engine has plenty of potential as a
legitimate tool for developers and could end up being a net
positive in terms of security, Caceres said.
"People shouldn't be so quick to label this a security
disaster," he said. "Security-wise, in the long term I think it
could be a good thing because developers will realize that what
they do has implications and will be seen. So maybe they'll be a
little more careful."
Pete Lindstrom, a research director at The Burton Group, of
Midvale, Utah, said Web developers should already be searching for
their own code to avoid risk. Still, there's very little value in
external developers attempting to find source code, he said.
"It highlights what the good guys should be looking out for to
begin with," Lindstrom said. "Simply because Google is leveraging
the scalability of computers through search, shouldn't change our
interest in protecting the code to begin with."