Google reveals winners of Native Client bug contest
Published: 09 Jul 2009 09:22 BST
Two security researchers are splitting a cash prize from Google after winning a bug-hunt contest designed to improve the security of Google Native Client technology, Google announced on Tuesday.
Despite the dozen or so bugs they found in the code, which lets web-based applications run native code and take advantage of a computer's processing power, one of the winners predicted the technology will be secure when it is deployed.
"The quality of the implementation was pretty good," said Mark Dowd, X-Force researcher engineer at IBM Internet Security Systems. "Everyone makes a few mistakes here and there, and the purpose of the competition was to weed those out."
Dowd and his partner, Ben Hawkes, an independent security researcher in New Zealand, found the largest number of security vulnerabilities and the most severe of the 22 total bugs that were reported by contestants and accepted as valid, said Brad Chen, Google's engineering manager of Native Client.
The more severe bugs, for instance, would allow an attacker to completely disable the technology's inner sandbox, according to Chen.
"Had this been available on production websites you would have been able to take some of these vulnerabilities and turn them into exploits and gain complete control of systems," Dowd said, adding: "This is not a production release, so there's not a huge user base at this point you can exploit."
Read this
Leader: Google Chrome OS takes shine off Windows
The Chrome OS is perfectly pitched at Microsoft's weaknesses…
Dowd said: "I know they want to roll out a few more features before they bring it into prime time, but the core technology itself is pretty interesting, and if they keep up with the security side of it I think... it will be deployed on the internet in a secure fashion."
The technology, revealed as a research project in December and promoted to a development platform last month, is an attempt to enable computers to run web applications downloaded from the internet directly on the processor and at the speed of "native" software installed on a computer.
Current web-application programming environments, such as Flash, JavaScript and ActiveX, offer limited processing power and have suffered their own share of implementation flaws that can be exploited.
With Native Client, Google faces the challenge of balancing more performance with new security challenges from a relatively new approach. That approach, called static analysis, involves screening software before it runs to make sure it does not perform any of a range of prohibited risky actions.
Google expects to integrate Native Client into the developer version of its Chrome browser before the end of the year, opening it up to the broader development community as it does so, Chen said.
About 600 people participated in the contest, which was announced in February and judged by a panel of nine experts.
Credit: Security expert blesses Google Native Client technology from CNET News
Did you find this article useful?
Digg
Slashdot
Del.ici.ous
Stumble
Reddit
