Googles security team is home-brewing a powerful combination scanner and fuzzing tool that experts say will be unique outside of the commercial domain.
In a posting on the Google security teams blog, Srinath Anantharaju said on July 16 that the security team has been working on a black-box fuzzing tool called Lemon, in the spirit of the word as its used to denote defective products.
Fuzz testing, or fuzzing, is a black-box software testing technique in which malformed data is injected automatically to find implementation bugs in code. In particular, Google is targeting XSS (cross-site scripting) bugs, according to Anantharaju.
But Lemon more closely resembles a commercial product in that it not only fuzzes applications but scans them as well. “[Lemon is] not just doing fuzzing through fault injection,” as do other open-source fuzzers, said Danny Allan, director of security research for Web application security software and services firm Watchfire. “[Google] also created a scanner, so [the tool] understands input, and [theyre] fuzzing on top of it. That doesnt exist in the open-source domain. However, thats what commercial tools, including Watchfires, already do.”
Open-source fuzzers, in fact, can be automated to do “weak” crawling, Allan said, but the combination of the two is “very weak” in open-source fuzz tools now available, he said. “You have to manually point to a particular parameter you want to fuzz. … It looks like theyve taken it to the next step.”
Used by an organization to find its own security holes, fuzzing is a useful tool, Allan said. But in the hands of an attacker, a fuzzer can become a weapon.
“What theyre building, theyre looking for XSS [flaws],” which is a laudatory goal, Allan said—Watchfire itself has found a few XSS bugs in Google Desktop. “All [XSS bugs] are vulnerabilities. Used by an organization on themselves, thats a very useful tool. But if Im a malicious individual, I use it to find vulnerabilities on someone else.”
Scanning and fuzzing in particular is a very powerful combination that, when put into the hands of attackers, could facilitate attacks, he said; the scanner/fuzzer combo doesnt just spew malicious code arbitrarily—it also knows where to spew it.
But that is exactly what Google is working on. According to Anantharaju, Googles testing tool goes beyond a typical fuzz tester, which supplies inputs designed to trigger and expose flaws in an application. Lemon also enumerates an applications URLs and corresponding input parameters and then iteratively supplies fault strings designed to expose XSS and other vulnerabilities to each input, analyzing the resulting responses to dig out the bugs.
“Although it started out as an experimental tool, it has proved to be quite effective in finding XSS problems,” Anantharaju said.
Tracking Down Security Flaws
Besides ferreting out XSS flaws, Lemon is sniffing out other security problems, including response-splitting attacks (where an attacker sends a single HTTP request that forces the Web server to form an output stream, which is then interpreted by the target as two HTTP responses instead of one response). This type of flaw can be used in XSS attacks or similar exploits.
Other security bugs Lemon is finding include cross-user defacement (temporary site defacement used in cases of information, ID or password theft), Web cache poisoning (a larger defacement where a cache used by multiple users is poisoned and causes visitors to think the site has been defaced or that a bogus site is in fact a genuine site), cookie poisoning (modification of the contents of a cookie in order to bypass security mechanisms), stack trace leaks (a stack trace shows where an error occurs in a program), encoding issues and character set bugs.
Fuzzing tools are powerful, but theyre also a bear to create. Why would Google create one from scratch, given that powerful scanners/fuzzers already exist in the commercial sector?
Anantharaju said that since the tool is home-grown, its easy to integrate into Googles automated test environment and to extend based on the search giants specific needs. “We are constantly in the process of adding new attack vectors to improve the tool against known security problems,” he said.
Still, testing experts find it curious that Google would brew such a tool at home. “As an outsider, Id say that it wouldnt be first thing Id spend time on—to build my own Web application security tools—if I were an enterprise,” said Matasano President Dave Goldsmith.
When Google enters a market, that market changes. But, in spite of the search giant having launched a security blog recently and having sent tongues wagging on the subject of whether it would enter the security market, experts arent sweating Lemon.
“Id be pretty surprised if they jumped into the Web application security market, into the scanning market,” Goldsmith said. “I think they should take Web applications seriously. I dont know that building my own internal tools is one [option Id think of] when there are tools they could buy that are already available. But with enough Web applications to scan, Id look at purchasing over building. [Lemon has] got to be driven by the fact that theyve got a lot of applications to look at.”
Watchfires Allan said that he uses manual fuzzers himself “all the time.” The reason is that they allow a user to apply human intelligence in looking at a Web application and determining how it should be fuzzed.
“You get the ability to specify what and how it works,” he said. “My guess is [Google] developed a customized environment. In order to control how input was being fuzzed, they [also] built [a fuzzer] on their own.”
At any rate, if Google were to be building a fuzzer for commercial release—something he strongly doubts—Allan said that he would be surprised, given its “do no evil” motto.
“Make no mistake, what theyre building, if they release it to a malicious individual, it could be used for malicious attacks,” he said.
Google told eWEEK that it has no plans to market Lemon externally, at least not in the near future, given that its “highly customized for Google apps.” The companys security team did in fact evaluate commercially available fuzzers but “felt that our specialized needs could be served best by developing our own tools,” a spokesperson said.
Editors Note: This story was updated to comments from a Google spokesperson.
Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEKs Security Watch blog.