密歇根大学对于绿坝的技术分析--存在重大漏洞

本文转自http://www.cse.umich.edu/~jhalderm/pub/gd/
　　
　　绿坝审查系统分析
　　Scott Wolchok, Randy Yao, J. Alex Halderman
　　计算机科学及工程学院
　　密歇根大学
　　
　　版本号：2.4 2009年6月11日
　　
　　摘要：
　　我们已经在“绿坝”软件中发现远程缓冲区溢出漏洞，这是一款由中国政府强制安装的审查软件。任何一个网站都可以取得“绿坝”用户的PC控制权。
　　
　　根据媒体报道，中国很快将要求国内所有的PC厂商安装“绿坝”软件，该软件将会监视Web站点访问和其他用户行为，并且阻止成人内容和政治敏感信息。
　　
　　我们测试了“绿坝”软件，并发现了一系列由于编码错误而导致的安全缺陷，一旦“绿坝”软件被安装之后，任何web站点可对用户的电脑进行溢出攻击，并取得计算机控制权，这会导致恶意站点盗窃用户隐私信息，发送垃圾邮件，或将该计算机加入僵尸网络。除此之外，我们同样发现在“绿坝”软件进行黑名单升级的过程中，由于程序本身的缺陷，可导致软件提供商或其他人植入恶意代码。
　　
　　在不到12小时的测试中，我们发现了上述问题，并且我们坚信这仅仅是冰山一角。“绿坝”软件频繁使用不安全及过时的编码方法，这有可能会导致其他软件缺陷，修正这些问题将引发大规模的软件修改及谨慎的重新测试。在此期间，我们推荐用户立即删除“绿坝”软件来保护自己。
　　
　　简介：
　　根据最近的新闻报道（NYT，WSJ），中国政府已下令，自7月1日起，强制所有中国境内的PC销售商必须安装一个称为“绿坝”的审查软件。这个软件用来个人电脑的监控互联网连接及文本输入，它将阻止不良内容及政治敏感信息，并有可能汇报给官方。“绿坝”由一个称为“金慧”的公司开发，并提供免费下载。我们测试的版本为3.17。
　　
　　“绿坝”是如何工作的
　　“绿坝”软件通过监控其他程序中的文本、网站图片以及URL来实现内容过滤，过滤黑名单包括了政治及成人内容。一些黑名单显然是从一个美国产的过滤软件中拷贝而来。
　　
　　-图像过滤器：
　　“绿坝”软件包含了计算机图像技术用于阻拦互联网图片（包括裸体图像），据报道，该图片过滤器基于对人体皮肤色调的标记，而对于人脸大头像例外。我们已经发现，该程序中的代码库和配置文件来源于一个称为OpenCV的开源图像识别软件。
　　
　　-文本过滤器
　　“绿坝”软件会在众多程序中扫描已被阻止的文本，包括猥亵词汇和政治敏感短语。被列入黑名单的条目位于三个文件中，采用简单的密钥进行加密处理，我们对这些文件进行了解密操作：xwordl.dat, xwordm.dat, xwordh.dat。我们还发现，F_a_l_u_nWord.lib，看起来是一个词典文件，而实际上是一个精巧的语句处理算法。当“绿坝”检测出（某个软件包含）这些关键词时，该软件将会被强制关闭，并且屏幕上会显示出一个错误提示。
　　
　　-URL过滤器
　　“绿坝”对网站URL使用黑/白名单中的配型（位于文件*fil.dat, adwapp.dat及TrustUrl.dat中）对比进行过滤，这些文件采用简单的密钥进行加密处理，作为黑名单用于文本过滤。5个黑名单对应于“绿坝”选项中的5个内容过滤类别。
　　我们已发现证据，有相当多的黑名单是来自于一个美国产的过滤软件CyberSitter，更有甚者，我们发现了一个加密的配置文件wfileu.dat，它引用了CyberSitter网站的黑名单及下载链接，我们推断，这个文件是偶然被加入的，因为它与过滤文件的后缀名相同。
　　
　　安全问题：
　　在对“绿坝”软件进行短短的一天测试之后，我们发现了两个较大的安全隐患。首先，是该软件在处理其监视的网站的过程中存在问题，其次是该软件安装黑名单方法存在Bug。
　　-网页过滤缺陷：
　　“绿坝”软件会拦截互联网流量，并就其是否访问了黑名单中的网站进行检查。为了实现监控，它将一个Surfgd.dll的文件注入到使用Socket API的软件中，当用户访问一个web站点时，这段代码将会检查该URL是否存于黑名单中，并且记录URL。
　　在处理Web站点请求的代码中，我们发现了编码错误。这段代码在处理URL时，采用了一个定长的缓冲区，一个精心构造的URL可以超出该缓冲区，并破坏执行堆栈，任何一个网站，使用这种恶意的URL，均可将用户浏览器重定向至一个网页，以取得用户计算机的控制权。
　　我们构造了一个用于演示的URL，用于触发该问题，如果你已经安装了“绿坝”软件，在我们的演示页面上按下按钮，将导致你的浏览器（或标签页）崩溃。
　　这个概念性验证演示了我们有能力去控制执行堆栈，而一个实际的攻击者可以利用该缺陷执行恶意代码。
　　“绿坝”软件的设计缺陷，导致了几乎任何一款浏览器都可被利用，现在，毫无疑问地，用户保护自己的方法只有删除“绿坝”软件。
　　-黑名单升级缺陷：
　　“绿坝”软件在读取其过滤器文件时，我们发现了第二个问题，该问题将导致用户下载安装了过滤器之后，“绿坝”软件开发商、第三方假冒者，可在用户计算机上执行任意代码或安装恶意软件。
　　“绿坝”软件采用不安全的C字符库，在代码的有些地方，它使用了fscanf函数来在过滤器文件中读取一行，并存入执行堆栈的一个定长缓冲区内。这将导致典型的缓冲区溢出漏洞。例如，如果TrustUrl.dat中的某行超出了该缓冲区的大小，缓冲区将溢出，破坏执行堆栈，并潜在性地给予攻击者控制权。
　　如果用户允许了过滤器更新，过滤器文件将会被软件提供商远程替换，这些更新有可能会破坏这些有缺陷的文件，并利用我们发现的上述问题。对于那些安装了该软件并开启了自动更新过滤器的计算机来说，“绿坝”软件提供商可以取得它们的控制权。除此之外，更新过程采用未加密的HTTP协议，这可能会导致第三方伪装更新服务器（例如：利用DNS缺陷），使用这种攻击方式来获得计算机控制权。
　　
　　删除“绿坝”软件
　　对于拥有管理员密码的用户，“绿坝”软件允许进行删除操作。我们测试了删除程序，并发现它有效地在计算机上删除了“绿坝”软件。但是，在删除某些日志文件时失败，所以有关用户行为的证据依然隐藏在系统中。
　　
　　结论
　　我们对于“绿坝”软件的简短测试，证明了其存在非常严重的安全隐患，不幸的是，这些问题反映了代码内部的系统性缺陷。这款软件广泛应用了公认的非安全编码方法，例如有争议的C字符处理函数sprintf和fscanf，这款软件在设计上综合了这些问题。并且，这些问题建立了一个巨大的攻击层面：内容过滤和互联网流量处理，大部分的代码将处于攻击之下。
　　
　　感谢
　　感谢我们密歇根大学的同事，是他告知我们对“绿坝”软件做出警示，并提供翻译帮助。
　　
　　联系作者：
　　请将问题或评论发送至 J.Alex Halderman 教授(http://www.cse.umich.edu/~jhalderm/)

附原文：

Analysis of the Green Dam Censorware System
Scott Wolchok, Randy Yao, and J. Alex Halderman
Computer Science and Engineering Division
The University of Michigan
Revision 2.4 – June 11, 2009
Summary    We have discovered remotely-exploitable vulnerabilities in Green Dam, the censorship software reportedly mandated by the Chinese government. Any web site a Green Dam user visits can take control of the PC.

According to press reports, China will soon require all PCs sold in the country to include Green Dam. This software monitors web sites visited and other activity on the computer and blocks adult content as well as politically sensitive material.

We examined the Green Dam software and found that it contains serious security vulnerabilities due to programming errors. Once Green Dam is installed, any web site the user visits can exploit these problems to take control of the computer. This could allow malicious sites to steal private data, send spam, or enlist the computer in a botnet. In addition, we found vulnerabilities in the way Green Dam processes blacklist updates that could allow the software makers or others to install malicious code during the update process.

We found these problems with less than 12 hours of testing, and we believe they may be only the tip of the iceberg. Green Dam makes frequent use of unsafe and outdated programming practices that likely introduce numerous other vulnerabilities. Correcting these problems will require extensive changes to the software and careful retesting. In the meantime, we recommend that users protect themselves by uninstalling Green Dam immediately.

Green Dam displays this message when it detects banned phrases.
Introduction
Accordingly to recent news reports (NYT, WSJ), the Chinese government has mandated that, beginning July 1, every PC sold in China must include a censorship program called Green Dam. This software is designed to monitor internet connections and text typed on the computer. It blocks undesirable or politically sensitive content and optionally reports it to authorities. Green Dam was developed by a company called Jin Hui and is available as a free download. We examined version 3.17.

How Green Dam Works
The Green Dam software filters content by blocking URLs and website images and by monitoring text in other applications. The filtering blacklists include both political and adult content. Some of the blacklists appear to have been copied from American-made filtering software.

Image filter    Green Dam includes computer vision technology used to block online images containing nudity. The image filter reportedly works by flagging images containing large areas of human skin tone, while making an exception for close-ups of faces. We've found that the program contains code libraries and a configuration file from the open-source image recognition software OpenCV.

Text filter    Green Dam scans text entry fields in various applications for blocked words, including obscenities and politically sensitive phrases (for example, references to Falun Gong). Blacklisted terms are contained in three files, encrypted with a simple key-less scrambling operation. We decrypted the contents of these files: xwordl.dat, xwordm.dat, and xwordh.dat. We also found what appears to be a word list for a more sophisticated sentence processing algorithm in the unencrypted file FalunWord.lib. When Green Dam detects these words, the offending program is forcibly closed and an error image (shown above) is displayed.

URL filter    Green Dam filters website URLs using patterns contained in whitelist and blacklist files (*fil.dat, adwapp.dat, and TrustUrl.dat). These files are encrypted with the same key-less scrambling operation as the blacklists for the text filter. Five of the blacklists correspond to the categories in the content filtering section of Green Dam's options dialog (shown below).

We found evidence that a number of these blacklists have been taken from the American-made filtering program CyberSitter. In particular, we found an encrypted configuration file, wfileu.dat, that references these blacklists with download URLs at CyberSitter's site. We also found a setup file, xstring.s2g, that appears to date these blacklists to 2006. Finally, csnews.dat is an encrypted 2004 news bulletin by CyberSitter. We conjecture that this file was accidentally included because it has the same file extension as the filters.

Security Problems
After only one day of testing the Green Dam software, we found two major security vulnerabilities. The first is an error in the way the software processes web sites it monitors. The second is a bug in the way the software installs blacklist updates. Both allow remote parties to execute arbitrary code and take control of the computer.

Web Filtering Vulnerability
Green Dam intercepts Internet traffic and processes it to see whether visited web sites are blacklisted. In order to perform this monitoring, it injects a library called SurfGd.dll into software that uses the socket API. When a user access a web site, this code checks the address against the blacklist and logs the URL.

We discovered programming errors in the code used to process web site requests. The code processes URLs with a fixed-length buffer, and a specially-crafted URL can overrun this buffer and corrupt the execution stack. Any web site the user visits can redirect the browser to a page with a malicious URL and take control of the computer.

We have constructed a demonstration URL that triggers this problem. If you have Green Dam installed, clicking the button on our demonstration attack page will cause your browser (or tab) to crash.

This proof-of-concept shows that we are able to control the execution stack. An actual attacker could exploit this to execute malicious code.

Green Dam's design makes this problem exploitable from almost any web browser. At this time, the surest way for users to protect themselves is to uninstall Green Dam.

Blacklist Update Vulnerability
We found a second problem in the way Green Dam reads its filter files. This problem would allow Green Dam's makers, or a third-party impersonating them, to execute arbitrary code and install malicious software on the user's computer after installing a filter update. Users can enable automatic filter updates from the Green Dam configuration program.

Green Dam reads its filter files using unsafe C string libraries. In places, it uses the fscanf function to read lines from filter files into a fixed-length buffer on the execution stack. This creates classic buffer-overflow vulnerabilities. For example, if a line in the file TrustUrl.dat exceeds a certain fixed length, the buffer will be overrun, corrupting the execution stack and potentially giving the attacker control of the process.

The filter files can be replaced remotely by the software maker if the user has enabled filter updates. The updates could corrupt these vulnerable files to exploit the problems we found. This could allow Green Dam's makers to take control of any computer where the software is installed and automatic filter updates are enabled. Furthermore, updates are delivered via unencrypted HTTP, which could allow a third party to impersonate the update server (for example, by exploiting DNS vulnerabilities) and take control of users' computers using this attack.

Removing Green Dam
Green Dam allows users who know its administrator password to uninstall the software. We tested the uninstaller and found that it appears to effectively remove Green Dam from the computer. However, it fails to remove some log files, so evidence of users' activity remains hidden on the system.

In light of the serious vulnerabilities we outlined above, the surest way for users to protect themselves is to remove the software immediately using its uninstall function.

Conclusion
Our brief testing proves that Green Dam contains very serious security vulnerabilities. Unfortunately, these problems seem to reflect systemic flaws in the code. The software makes extensive use of programming techniques that are known to be unsafe, such as deprecated C string processing functions including sprintf and fscanf. These problems are compounded by the design of the program, which creates a large attack surface: since Green Dam filters and processes all Internet traffic, large parts of its code are exposed to attack.

If Green Dam is deployed in its current form, it will significantly weaken China's computer security. While the flaws we discovered can be quickly patched, correcting all the problems in the Green Dam software will likely require extensive rewriting and thorough testing. This will be difficult to achieve before China's July 1 deadline for deploying Green Dam nationwide.


--------------------------------------------------------------------------------

Additional Screenshot
Users can configure which categories of web sites are blocked by Green Dam.
Additional filters are used to block adult and politically-sensitive terms in text entry fields.


--------------------------------------------------------------------------------

Acknowledgments
We wish to thank our colleagues at the University of Michigan who alerted us to Green Dam and assisted with translation.
Contacting the Authors
Please send questions or comments to Professor J. Alex Halderman.

=============================================

PS:这个是技术分析的文章，贴出来希望大家能了解由于这个软件由于设计的缺陷而带来的危险，短短12小时的分析就已经发现如此多的重要的漏洞，这样的软件实在不能令人放心，要是政府机关或一些重要的国家部门都安装了这个软件，很可能给我国带来极大的信息安全隐患。正如文章所说的，倘若无视这些存在的漏洞而强行大规模安装，那中国国内的计算机网络很可能就成为了世界最大的僵尸网络，希望绿坝公司能尽早填补这漏洞，而不是视而不见。

这文章在娱乐综合被删了一次，理由是“内容敏感，这是官方强制推广软件，限制批评，感谢理解”，但我本人觉得这关系到整个中国国内网络的信息安全，发现问题应该证实问题，解决问题，而不能就这样鸵鸟政策，坐视不理，不然很可能就是我们自己制造的苦果自己吞。希望大家都能正视！

本文转自http://www.cse.umich.edu/~jhalderm/pub/gd/
　　
　　绿坝审查系统分析
　　Scott Wolchok, Randy Yao, J. Alex Halderman
　　计算机科学及工程学院
　　密歇根大学
　　
　　版本号：2.4 2009年6月11日
　　
　　摘要：
　　我们已经在“绿坝”软件中发现远程缓冲区溢出漏洞，这是一款由中国政府强制安装的审查软件。任何一个网站都可以取得“绿坝”用户的PC控制权。
　　
　　根据媒体报道，中国很快将要求国内所有的PC厂商安装“绿坝”软件，该软件将会监视Web站点访问和其他用户行为，并且阻止成人内容和政治敏感信息。
　　
　　我们测试了“绿坝”软件，并发现了一系列由于编码错误而导致的安全缺陷，一旦“绿坝”软件被安装之后，任何web站点可对用户的电脑进行溢出攻击，并取得计算机控制权，这会导致恶意站点盗窃用户隐私信息，发送垃圾邮件，或将该计算机加入僵尸网络。除此之外，我们同样发现在“绿坝”软件进行黑名单升级的过程中，由于程序本身的缺陷，可导致软件提供商或其他人植入恶意代码。
　　
　　在不到12小时的测试中，我们发现了上述问题，并且我们坚信这仅仅是冰山一角。“绿坝”软件频繁使用不安全及过时的编码方法，这有可能会导致其他软件缺陷，修正这些问题将引发大规模的软件修改及谨慎的重新测试。在此期间，我们推荐用户立即删除“绿坝”软件来保护自己。
　　
　　简介：
　　根据最近的新闻报道（NYT，WSJ），中国政府已下令，自7月1日起，强制所有中国境内的PC销售商必须安装一个称为“绿坝”的审查软件。这个软件用来个人电脑的监控互联网连接及文本输入，它将阻止不良内容及政治敏感信息，并有可能汇报给官方。“绿坝”由一个称为“金慧”的公司开发，并提供免费下载。我们测试的版本为3.17。
　　
　　“绿坝”是如何工作的
　　“绿坝”软件通过监控其他程序中的文本、网站图片以及URL来实现内容过滤，过滤黑名单包括了政治及成人内容。一些黑名单显然是从一个美国产的过滤软件中拷贝而来。
　　
　　-图像过滤器：
　　“绿坝”软件包含了计算机图像技术用于阻拦互联网图片（包括裸体图像），据报道，该图片过滤器基于对人体皮肤色调的标记，而对于人脸大头像例外。我们已经发现，该程序中的代码库和配置文件来源于一个称为OpenCV的开源图像识别软件。
　　
　　-文本过滤器
　　“绿坝”软件会在众多程序中扫描已被阻止的文本，包括猥亵词汇和政治敏感短语。被列入黑名单的条目位于三个文件中，采用简单的密钥进行加密处理，我们对这些文件进行了解密操作：xwordl.dat, xwordm.dat, xwordh.dat。我们还发现，F_a_l_u_nWord.lib，看起来是一个词典文件，而实际上是一个精巧的语句处理算法。当“绿坝”检测出（某个软件包含）这些关键词时，该软件将会被强制关闭，并且屏幕上会显示出一个错误提示。
　　
　　-URL过滤器
　　“绿坝”对网站URL使用黑/白名单中的配型（位于文件*fil.dat, adwapp.dat及TrustUrl.dat中）对比进行过滤，这些文件采用简单的密钥进行加密处理，作为黑名单用于文本过滤。5个黑名单对应于“绿坝”选项中的5个内容过滤类别。
　　我们已发现证据，有相当多的黑名单是来自于一个美国产的过滤软件CyberSitter，更有甚者，我们发现了一个加密的配置文件wfileu.dat，它引用了CyberSitter网站的黑名单及下载链接，我们推断，这个文件是偶然被加入的，因为它与过滤文件的后缀名相同。
　　
　　安全问题：
　　在对“绿坝”软件进行短短的一天测试之后，我们发现了两个较大的安全隐患。首先，是该软件在处理其监视的网站的过程中存在问题，其次是该软件安装黑名单方法存在Bug。
　　-网页过滤缺陷：
　　“绿坝”软件会拦截互联网流量，并就其是否访问了黑名单中的网站进行检查。为了实现监控，它将一个Surfgd.dll的文件注入到使用Socket API的软件中，当用户访问一个web站点时，这段代码将会检查该URL是否存于黑名单中，并且记录URL。
　　在处理Web站点请求的代码中，我们发现了编码错误。这段代码在处理URL时，采用了一个定长的缓冲区，一个精心构造的URL可以超出该缓冲区，并破坏执行堆栈，任何一个网站，使用这种恶意的URL，均可将用户浏览器重定向至一个网页，以取得用户计算机的控制权。
　　我们构造了一个用于演示的URL，用于触发该问题，如果你已经安装了“绿坝”软件，在我们的演示页面上按下按钮，将导致你的浏览器（或标签页）崩溃。
　　这个概念性验证演示了我们有能力去控制执行堆栈，而一个实际的攻击者可以利用该缺陷执行恶意代码。
　　“绿坝”软件的设计缺陷，导致了几乎任何一款浏览器都可被利用，现在，毫无疑问地，用户保护自己的方法只有删除“绿坝”软件。
　　-黑名单升级缺陷：
　　“绿坝”软件在读取其过滤器文件时，我们发现了第二个问题，该问题将导致用户下载安装了过滤器之后，“绿坝”软件开发商、第三方假冒者，可在用户计算机上执行任意代码或安装恶意软件。
　　“绿坝”软件采用不安全的C字符库，在代码的有些地方，它使用了fscanf函数来在过滤器文件中读取一行，并存入执行堆栈的一个定长缓冲区内。这将导致典型的缓冲区溢出漏洞。例如，如果TrustUrl.dat中的某行超出了该缓冲区的大小，缓冲区将溢出，破坏执行堆栈，并潜在性地给予攻击者控制权。
　　如果用户允许了过滤器更新，过滤器文件将会被软件提供商远程替换，这些更新有可能会破坏这些有缺陷的文件，并利用我们发现的上述问题。对于那些安装了该软件并开启了自动更新过滤器的计算机来说，“绿坝”软件提供商可以取得它们的控制权。除此之外，更新过程采用未加密的HTTP协议，这可能会导致第三方伪装更新服务器（例如：利用DNS缺陷），使用这种攻击方式来获得计算机控制权。
　　
　　删除“绿坝”软件
　　对于拥有管理员密码的用户，“绿坝”软件允许进行删除操作。我们测试了删除程序，并发现它有效地在计算机上删除了“绿坝”软件。但是，在删除某些日志文件时失败，所以有关用户行为的证据依然隐藏在系统中。
　　
　　结论
　　我们对于“绿坝”软件的简短测试，证明了其存在非常严重的安全隐患，不幸的是，这些问题反映了代码内部的系统性缺陷。这款软件广泛应用了公认的非安全编码方法，例如有争议的C字符处理函数sprintf和fscanf，这款软件在设计上综合了这些问题。并且，这些问题建立了一个巨大的攻击层面：内容过滤和互联网流量处理，大部分的代码将处于攻击之下。
　　
　　感谢
　　感谢我们密歇根大学的同事，是他告知我们对“绿坝”软件做出警示，并提供翻译帮助。
　　
　　联系作者：
　　请将问题或评论发送至 J.Alex Halderman 教授(http://www.cse.umich.edu/~jhalderm/)

附原文：

Analysis of the Green Dam Censorware System
Scott Wolchok, Randy Yao, and J. Alex Halderman
Computer Science and Engineering Division
The University of Michigan
Revision 2.4 – June 11, 2009
Summary    We have discovered remotely-exploitable vulnerabilities in Green Dam, the censorship software reportedly mandated by the Chinese government. Any web site a Green Dam user visits can take control of the PC.

According to press reports, China will soon require all PCs sold in the country to include Green Dam. This software monitors web sites visited and other activity on the computer and blocks adult content as well as politically sensitive material.

We examined the Green Dam software and found that it contains serious security vulnerabilities due to programming errors. Once Green Dam is installed, any web site the user visits can exploit these problems to take control of the computer. This could allow malicious sites to steal private data, send spam, or enlist the computer in a botnet. In addition, we found vulnerabilities in the way Green Dam processes blacklist updates that could allow the software makers or others to install malicious code during the update process.

We found these problems with less than 12 hours of testing, and we believe they may be only the tip of the iceberg. Green Dam makes frequent use of unsafe and outdated programming practices that likely introduce numerous other vulnerabilities. Correcting these problems will require extensive changes to the software and careful retesting. In the meantime, we recommend that users protect themselves by uninstalling Green Dam immediately.

Green Dam displays this message when it detects banned phrases.
Introduction
Accordingly to recent news reports (NYT, WSJ), the Chinese government has mandated that, beginning July 1, every PC sold in China must include a censorship program called Green Dam. This software is designed to monitor internet connections and text typed on the computer. It blocks undesirable or politically sensitive content and optionally reports it to authorities. Green Dam was developed by a company called Jin Hui and is available as a free download. We examined version 3.17.

How Green Dam Works
The Green Dam software filters content by blocking URLs and website images and by monitoring text in other applications. The filtering blacklists include both political and adult content. Some of the blacklists appear to have been copied from American-made filtering software.

Image filter    Green Dam includes computer vision technology used to block online images containing nudity. The image filter reportedly works by flagging images containing large areas of human skin tone, while making an exception for close-ups of faces. We've found that the program contains code libraries and a configuration file from the open-source image recognition software OpenCV.

Text filter    Green Dam scans text entry fields in various applications for blocked words, including obscenities and politically sensitive phrases (for example, references to Falun Gong). Blacklisted terms are contained in three files, encrypted with a simple key-less scrambling operation. We decrypted the contents of these files: xwordl.dat, xwordm.dat, and xwordh.dat. We also found what appears to be a word list for a more sophisticated sentence processing algorithm in the unencrypted file FalunWord.lib. When Green Dam detects these words, the offending program is forcibly closed and an error image (shown above) is displayed.

URL filter    Green Dam filters website URLs using patterns contained in whitelist and blacklist files (*fil.dat, adwapp.dat, and TrustUrl.dat). These files are encrypted with the same key-less scrambling operation as the blacklists for the text filter. Five of the blacklists correspond to the categories in the content filtering section of Green Dam's options dialog (shown below).

We found evidence that a number of these blacklists have been taken from the American-made filtering program CyberSitter. In particular, we found an encrypted configuration file, wfileu.dat, that references these blacklists with download URLs at CyberSitter's site. We also found a setup file, xstring.s2g, that appears to date these blacklists to 2006. Finally, csnews.dat is an encrypted 2004 news bulletin by CyberSitter. We conjecture that this file was accidentally included because it has the same file extension as the filters.

Security Problems
After only one day of testing the Green Dam software, we found two major security vulnerabilities. The first is an error in the way the software processes web sites it monitors. The second is a bug in the way the software installs blacklist updates. Both allow remote parties to execute arbitrary code and take control of the computer.

Web Filtering Vulnerability
Green Dam intercepts Internet traffic and processes it to see whether visited web sites are blacklisted. In order to perform this monitoring, it injects a library called SurfGd.dll into software that uses the socket API. When a user access a web site, this code checks the address against the blacklist and logs the URL.

We discovered programming errors in the code used to process web site requests. The code processes URLs with a fixed-length buffer, and a specially-crafted URL can overrun this buffer and corrupt the execution stack. Any web site the user visits can redirect the browser to a page with a malicious URL and take control of the computer.

We have constructed a demonstration URL that triggers this problem. If you have Green Dam installed, clicking the button on our demonstration attack page will cause your browser (or tab) to crash.

This proof-of-concept shows that we are able to control the execution stack. An actual attacker could exploit this to execute malicious code.

Green Dam's design makes this problem exploitable from almost any web browser. At this time, the surest way for users to protect themselves is to uninstall Green Dam.

Blacklist Update Vulnerability
We found a second problem in the way Green Dam reads its filter files. This problem would allow Green Dam's makers, or a third-party impersonating them, to execute arbitrary code and install malicious software on the user's computer after installing a filter update. Users can enable automatic filter updates from the Green Dam configuration program.

Green Dam reads its filter files using unsafe C string libraries. In places, it uses the fscanf function to read lines from filter files into a fixed-length buffer on the execution stack. This creates classic buffer-overflow vulnerabilities. For example, if a line in the file TrustUrl.dat exceeds a certain fixed length, the buffer will be overrun, corrupting the execution stack and potentially giving the attacker control of the process.

The filter files can be replaced remotely by the software maker if the user has enabled filter updates. The updates could corrupt these vulnerable files to exploit the problems we found. This could allow Green Dam's makers to take control of any computer where the software is installed and automatic filter updates are enabled. Furthermore, updates are delivered via unencrypted HTTP, which could allow a third party to impersonate the update server (for example, by exploiting DNS vulnerabilities) and take control of users' computers using this attack.

Removing Green Dam
Green Dam allows users who know its administrator password to uninstall the software. We tested the uninstaller and found that it appears to effectively remove Green Dam from the computer. However, it fails to remove some log files, so evidence of users' activity remains hidden on the system.

In light of the serious vulnerabilities we outlined above, the surest way for users to protect themselves is to remove the software immediately using its uninstall function.

Conclusion
Our brief testing proves that Green Dam contains very serious security vulnerabilities. Unfortunately, these problems seem to reflect systemic flaws in the code. The software makes extensive use of programming techniques that are known to be unsafe, such as deprecated C string processing functions including sprintf and fscanf. These problems are compounded by the design of the program, which creates a large attack surface: since Green Dam filters and processes all Internet traffic, large parts of its code are exposed to attack.

If Green Dam is deployed in its current form, it will significantly weaken China's computer security. While the flaws we discovered can be quickly patched, correcting all the problems in the Green Dam software will likely require extensive rewriting and thorough testing. This will be difficult to achieve before China's July 1 deadline for deploying Green Dam nationwide.


--------------------------------------------------------------------------------

Additional Screenshot
Users can configure which categories of web sites are blocked by Green Dam.
Additional filters are used to block adult and politically-sensitive terms in text entry fields.


--------------------------------------------------------------------------------

Acknowledgments
We wish to thank our colleagues at the University of Michigan who alerted us to Green Dam and assisted with translation.
Contacting the Authors
Please send questions or comments to Professor J. Alex Halderman.

=============================================

PS:这个是技术分析的文章，贴出来希望大家能了解由于这个软件由于设计的缺陷而带来的危险，短短12小时的分析就已经发现如此多的重要的漏洞，这样的软件实在不能令人放心，要是政府机关或一些重要的国家部门都安装了这个软件，很可能给我国带来极大的信息安全隐患。正如文章所说的，倘若无视这些存在的漏洞而强行大规模安装，那中国国内的计算机网络很可能就成为了世界最大的僵尸网络，希望绿坝公司能尽早填补这漏洞，而不是视而不见。

这文章在娱乐综合被删了一次，理由是“内容敏感，这是官方强制推广软件，限制批评，感谢理解”，但我本人觉得这关系到整个中国国内网络的信息安全，发现问题应该证实问题，解决问题，而不能就这样鸵鸟政策，坐视不理，不然很可能就是我们自己制造的苦果自己吞。希望大家都能正视！