Bugle Goes Googling for Source Code Flaws

A source code reviewer in London is working on a project to collect search queries that can be used to identify some of the most common vulnerabilities in open-source code indexed by Google.

The worlds most popular search engine can be used to pinpoint software security bugs in source code available on the Internet, according to a new research project launched by a U.K.-based researcher.

The project, called Bugle, is a collection of Google search queries that can be used to identify some of the most common vulnerabilities in open-source code indexed by the search giant.

Emmanouel Kellinis, a security penetration tester and source code reviewer for KPMG in London, started working on Bugle privately to find pinpoints to some of the most common coding mistakes and decided to go public with the project to expand the list of search queries.

"Bugle was created mainly to help in open-source projects. Of course, it can also be used by the wider community using the Google desktop utility," Kellinis said in an e-mail interview with eWEEK.

Kellinis believes security researchers can combine Bugle queries with Googles "highly intelligent indexing algorithms" to identify vulnerable code indexed by the search engine. "Bugle will give you hints for a potential vulnerability, but you still require skill to identify an actual issue," he explained.

/zimages/1/28571.gifWebsense uses Google to mine for malicious code. Click here to read more.

So far, with the help of third-party researchers, Kellinis has released a search string flaw that can help identify buffer overflows, integer overflows, format string, command injection, SQL injection and cross-site scripting flaws.

The project can also offer help in identifying bad practices and suspicious comments that are typically included in source code. In the early days of the project, Kellinis received input from several well-known programmers and security researchers, including Symantecs Ollie Whitehouse and Google hacker Philipp Lenssen.

In addition, Bugle can trigger Google Alerts, allowing developers and researches to get advance notice on new vulnerable source code for each subscribed query.

"Google is an excellent search engine with highly intelligent indexing algorithms and a huge resources database. It is a very important tool for many tasks, and security research is definitely one of them," Kellinis said.

He thinks an expanded Bugle project can be used by the open-source community as a way to more quickly eliminate security bugs. "Researchers and developers can find vulnerable code and try to report or fix, respectively, a vulnerability without the need to download tons of files," he said.

Kellinis also believes Bugle can be used as a reference for open-source programmers. "[They] can look at the list and know what not to do, so to speak."

The release of Bugle comes on the heels of H.D Moores malware search project, which offers a Web interface to find live malware samples through Google queries.

/zimages/1/28571.gifClick here to read more about Moores malware search project.

Moore, creator of the Metasploit hacking tool and the security researcher behind the MoBB (Month of Browser Bugs) project, programmed the malware search tool to directly search Google using fingerprints from known executables. The project uses code strings, or fingerprints in malware samples, then runs a search on Google for those characteristics.

Security researchers at Websenses Security Labs have also used Google in the hunt for malicious .exe files on the Internet. Websense has used the freely available Google SOAP Search API to automate the search for malware hosted on hacker forums, newsgroups and mailing list archives indexed by Google.

/zimages/1/28571.gifCheck out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.