Analysis Report on the Green Dam Filtering Software

2009/06/16
The text below is reposted/translated from "Analysis of the Green Dam Censorware System" on the website of the Computer Science and Engineering Division of the University of Michigan. For questions about the original, please contact the authors directly. For questions about the translation, or to repost it, please leave me a message.
According to recent news reports (NYT, WSJ), the Chinese government has mandated that, beginning July 1, every PC sold in China must include a censorship program called Green Dam.

This software is designed to monitor internet connections and text typed on the computer. It blocks undesirable or politically sensitive content and optionally reports it to authorities. Green Dam was developed by a company called Jin Hui and is available as a free download. We examined version 3.17.

How Green Dam Works

The Green Dam software filters content by blocking URLs and website images and by monitoring text in other applications. The filtering blacklists include both political and adult content. Some of the blacklists appear to have been copied from American-made filtering software.

Image filter Green Dam includes computer vision technology used to block online images containing nudity. The image filter reportedly works by flagging images containing large areas of human skin tone, while making an exception for close-ups of faces. We’ve found that the program contains code libraries and a configuration file from the open-source image recognition software OpenCV.

Text filter Green Dam scans text entry fields in various applications for blocked words, including obscenities and politically sensitive phrases (for example, references to Falun Gong). Blacklisted terms are contained in three files, encrypted with a simple key-less scrambling operation. We decrypted the contents of these files: xwordl.dat, xwordm.dat, and xwordh.dat. We also found what appears to be a word list for a more sophisticated sentence processing algorithm in the unencrypted file FalunWord.lib. When Green Dam detects these words, the offending program is forcibly closed and an error image (shown above) is displayed.

URL filter Green Dam filters website URLs using patterns contained in whitelist and blacklist files (*fil.dat, adwapp.dat, and TrustUrl.dat). These files are encrypted with the same key-less scrambling operation as the blacklists for the text filter. Five of the blacklists correspond to the categories in the content filtering section of Green Dam’s options dialog (shown below).

We found evidence that a number of these blacklists have been taken from the American-made filtering program CyberSitter. In particular, we found an encrypted configuration file, wfileu.dat, that references these blacklists with download URLs at CyberSitter’s site. We also found a setup file, xstring.s2g, that appears to date these blacklists to 2006. Finally, csnews.dat is an encrypted 2004 news bulletin by CyberSitter. We conjecture that this file was accidentally included because it has the same file extension as the filters.

Security Problems

After only one day of testing the Green Dam software, we found two major security vulnerabilities. The first is an error in the way the software processes web sites it monitors. The second is a bug in the way the software installs blacklist updates. Both allow remote parties to execute arbitrary code and take control of the computer.

Web Filtering Vulnerability

Green Dam intercepts Internet traffic and processes it to see whether visited web sites are blacklisted. In order to perform this monitoring, it injects a library called SurfGd.dll into software that uses the socket API. When a user accesses a web site, this code checks the address against the blacklist and logs the URL.

We discovered programming errors in the code used to process web site requests. The code processes URLs with a fixed-length buffer, and a specially-crafted URL can overrun this buffer and corrupt the execution stack. Any web site the user visits can redirect the browser to a page with a malicious URL and take control of the computer.

We have constructed a demonstration URL that triggers this problem. If you have Green Dam installed, clicking the button on our demonstration attack page will cause your browser (or tab) to crash.

This proof-of-concept shows that we are able to control the execution stack. An actual attacker could exploit this to execute malicious code.

Green Dam’s design makes this problem exploitable from almost any web browser. At this time, the surest way for users to protect themselves is to uninstall Green Dam.

Blacklist Update Vulnerability

We found a second problem in the way Green Dam reads its filter files. This problem would allow Green Dam’s makers, or a third-party impersonating them, to execute arbitrary code and install malicious software on the user’s computer after installing a filter update. Users can enable automatic filter updates from the Green Dam configuration program.

Green Dam reads its filter files using unsafe C string libraries. In places, it uses the fscanf function to read lines from filter files into a fixed-length buffer on the execution stack. This creates classic buffer-overflow vulnerabilities. For example, if a line in the file TrustUrl.dat exceeds a certain fixed length, the buffer will be overrun, corrupting the execution stack and potentially giving the attacker control of the process.
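The fscanf pattern described above, as an added illustration written for this page (not code from Green Dam or from the report's authors): a constructed unsafe reader beside a bounded one that rejects overlong lines rather than truncating them, run over a constructed TrustUrl.dat-style list. The buffer size URL_MAX and the sample entries are assumptions.

```c
#define _POSIX_C_SOURCE 200809L   /* for fmemopen */
#include <stdio.h>
#include <string.h>

#define URL_MAX 64   /* hypothetical buffer size; the report does not state Green Dam's */

/* The pattern the report describes (constructed illustration, not Green Dam's own code):
 * an unbounded fscanf "%s" writes past a fixed-length stack buffer whenever a filter-file
 * line is longer than the buffer. Shown for comparison only; never use on untrusted input. */
int read_entry_unsafe(FILE *f, char *out /* URL_MAX bytes */)
{
    return fscanf(f, "%s", out) == 1;   /* no bound: an overlong line overruns 'out' */
}

/* Hardened reader: fgets with an explicit bound. Returns 1 for an entry that fits,
 * 0 at end of file, and -1 for an overlong line, which is discarded and rejected instead
 * of being silently truncated (truncation would change what the filter matches). */
int read_entry_safe(FILE *f, char *out, size_t outsz)
{
    if (!fgets(out, (int)outsz, f)) return 0;
    size_t n = strlen(out);
    if (n > 0 && out[n - 1] == '\n') { out[n - 1] = '\0'; return 1; }
    int c = fgetc(f);                       /* buffer filled with no newline: peek ahead */
    if (c == EOF || c == '\n') return 1;    /* line was exactly buffer-sized, fully read */
    while ((c = fgetc(f)) != EOF && c != '\n') { }   /* drop the remainder of the line */
    return -1;
}

/* Parse an in-memory filter list; returns the number of accepted entries and
 * reports how many overlong lines were rejected through 'rejected'. */
int load_filter(const char *data, size_t len, int *rejected)
{
    FILE *f = fmemopen((void *)data, len, "r");
    if (!f) return -1;
    char url[URL_MAX];
    int accepted = 0, r;
    *rejected = 0;
    while ((r = read_entry_safe(f, url, sizeof url)) != 0) {
        if (r < 0) (*rejected)++; else accepted++;
    }
    fclose(f);
    return accepted;
}

/* Constructed TrustUrl.dat-style sample: three ordinary entries and one line of over 80 chars. */
const char SAMPLE[] =
    "example.com\n"
    "trusted.example.org\n"
    "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.example\n"
    "last.example";
```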

The filter files can be replaced remotely by the software maker if the user has enabled filter updates. The updates could corrupt these vulnerable files to exploit the problems we found. This could allow Green Dam’s makers to take control of any computer where the software is installed and automatic filter updates are enabled. Furthermore, updates are delivered via unencrypted HTTP, which could allow a third party to impersonate the update server (for example, by exploiting DNS vulnerabilities) and take control of users’ computers using this attack.

Removing Green Dam

Green Dam allows users who know its administrator password to uninstall the software. We tested the uninstaller and found that it appears to effectively remove Green Dam from the computer. However, it fails to remove some log files, so evidence of users’ activity remains hidden on the system.

In light of the serious vulnerabilities we outlined above, the surest way for users to protect themselves is to remove the software immediately using its uninstall function.

Conclusion

Our brief testing proves that Green Dam contains very serious security vulnerabilities. Unfortunately, these problems seem to reflect systemic flaws in the code. The software makes extensive use of programming techniques that are known to be unsafe, such as deprecated C string processing functions including sprintf and fscanf. These problems are compounded by the design of the program, which creates a large attack surface: since Green Dam filters and processes all Internet traffic, large parts of its code are exposed to attack.

If Green Dam is deployed in its current form, it will significantly weaken China’s computer security. While the flaws we discovered can be quickly patched, correcting all the problems in the Green Dam software will likely require extensive rewriting and thorough testing. This will be difficult to achieve before China’s July 1 deadline for deploying Green Dam nationwide.

According to news reports, the Chinese government has mandated that, beginning July 1, every personal computer sold in China must have a filtering program called "Green Dam" installed.

This software is used to monitor Internet connections and the characters typed into the computer. It can block undesirable or politically sensitive content, and it can send reports to the regulatory authorities. Green Dam was developed by a company called Jinhui and is available as a free download. The version we tested is 3.17.

How does Green Dam work?

The Green Dam software filters content in the following ways: blocking website addresses and website images, and monitoring text inside other applications. The filtering blacklists include political and adult content. Part of the blacklists appear to have been copied from an American filtering program.

Image filtering Green Dam uses computer vision technology to block content containing nudity. The image filter decides based on whether there are large areas of human skin tone, with the exception of close-ups of faces. We found in the program code libraries and a configuration file from the open-source image recognition software OpenCV.

Text filtering Green Dam scans the text fields of many applications to block textual content, including obscene and politically sensitive words. The blacklist consists of three files, encrypted with a simple key-less scrambling operation. We decoded these files: xwordl.dat, xwordm.dat and xwordh.dat. We also found a word library, FalunWord.lib, used in a more complex whole-sentence processing algorithm. When Green Dam detects these words, it forcibly terminates the program concerned and pops up a warning image.

URL filtering Green Dam uses whitelist and blacklist files (*fil.dat, adwapp.dat and TrustUrl.dat) to filter website addresses that match the corresponding patterns. These files are encrypted with the same key-less scrambling operation as the text-filter blacklists. Five blacklists correspond to the five categories in the content filtering options.

We found that part of these blacklists were taken from an American-made filtering program, CyberSitter. Specifically, we found an encrypted configuration file, wfileu.dat, indicating that these blacklists were downloaded from CyberSitter's website. We also found a setup file, xstring.s2g, showing that these blacklists date from 2006. In addition, csnews.dat is an encrypted CyberSitter news bulletin from 2004. We guess that because this file has the same extension as the filter lists, it was carelessly included in the software package.

Security Problems

After only one day of testing the Green Dam software, we found two serious security vulnerabilities. The first is an error in the software's handling of the web addresses it monitors. The second is a mistake in the way the software installs blacklist updates. Both vulnerabilities allow arbitrary code to be run remotely and the computer to be taken over.

Vulnerability in URL Filtering

Green Dam intercepts Internet communications and analyzes them to determine whether the visited address is on the blacklist. To implement this monitoring, software that uses the socket programming interface is made to include the library file SurfGd.dll. When a user visits an Internet address, this code compares the address against the blacklist and logs the address at the same time.

We found programming errors in the code that handles URL requests. The code uses a fixed-length buffer to process URLs, and a specially crafted URL can overflow the buffer and corrupt the execution stack. Any website a user visits could redirect the browser to a malicious URL and then take over the computer.

We built a demonstration site that shows this problem. If you have Green Dam installed, clicking the button on the page on the left will show you how your browser crashes.

This demonstration shows that we can control the execution stack. A real attacker could use this vulnerability to execute malicious code.

Green Dam's design makes almost every browser susceptible to intrusion. At present the safest method is to uninstall Green Dam.

Vulnerability in Blacklist Updates

We found a second problem in the process by which Green Dam reads its filter files. This problem allows Green Dam's designers, or a third party impersonating them, to execute arbitrary code or implant malicious software on the user's computer while a filter update is being installed. And users may set automatic updates in Green Dam's configuration.

Green Dam uses unsafe C string libraries to read the filter files. In several places it uses the fscanf function to read lines from a filter file into a fixed-length buffer on the execution stack. This leads to buffer overflow vulnerabilities. For example, if a line in the file TrustUrl.dat exceeds the fixed length, the buffer overflows and corrupts the execution stack, creating an opportunity for an attacker to control the process.

Furthermore, if the user has enabled the update function, the software maker can update the filter files remotely. The vulnerabilities we found would let the update process corrupt the filter files. In this way, Green Dam's maker could control any computer that has Green Dam installed and automatic updates enabled. Moreover, because updates are performed over unencrypted HTTP, a third party could also impersonate the update server (for example by exploiting vulnerabilities in the domain name service) to hijack users' computers.

Uninstalling Green Dam

The Green Dam software allows users with local administrator privileges to uninstall it. We tested the uninstall process and found it to be reasonably thorough. The only issue is that it fails to delete some log files, so records of the user's activity remain hidden in the system.

Based on the vulnerabilities listed above, users can only reliably protect themselves by uninstalling the software immediately.

Conclusion

The simple tests we performed prove that Green Dam has very serious security vulnerabilities. Regrettably, these problems reflect systemic defects in the code. The software vendor makes extensive use of programming methods known to be unsafe, for example the deprecated C string-handling functions sprintf and fscanf. These problems run through the design of the whole program, resulting in a large attack surface: because Green Dam filters and processes all Internet traffic, most of its code is exposed to attack.

If Green Dam is deployed as currently required, it will significantly reduce the overall security of computers in China. Although the defects we found can be patched quickly, correcting all of the problems in the Green Dam software would involve a large amount of code rewriting and a complete testing process. This amount of work is very hard to finish before July 1, the date of nationwide Green Dam deployment in China.

Read Full Report: Analysis of the Green Dam Censorware System

Scott Wolchok, Randy Yao, and J. Alex Halderman
Computer Science and Engineering Division
The University of Michigan
