A Software Composition Flaw in Google Desktop Search

Oren Dobzinski, Jeannette M. Wing

Modern software systems are composed of different modules and objects that interact with each other. Each of these components may satisfy a local security policy. It may also satisfy a global security policy with respect to its intended operating environment. However, when many components are put together, because of unexpected interactions among them, a local security policy and/or the global security policy may be violated. A composition flaw is when the execution of a composition of separately secure components leads to a system state in which a local or the global security policy is invalidated. We are particularly interested in composition flaws at the design, not code, level and therefore are currently exploring the nature of these flaws so we can detect them automatically before the composition is performed. Our long-term goal is to identify new kinds of composition flaws before attackers discover and exploit them. As a first step towards this goal we show an analysis of a recent composition flaw discovered in the Google Desktop Search application, a flaw that compromises users' privacy. We show the principles of this type of flaw and describe our approach to detecting them.

Once a request is detected, gds performs a local search. When the results from return, the local search results are integrated with the returned html page. The integrated page is returned to the initiating entity. The other component in our system is a Java applet, whose security policy states that it cannot read any local files. While each of these components obeys the global security policy, their composition creates a flaw that can be exploited in the following way. A gds user visits a malicious website that contains a Java applet, which is loaded into the memory of the user's host. The applet connects to the attacker's host, which serves as a web proxy and performs a google search. The outgoing google query is detected by gds, and a local search is initiated by gds.

The attacker's host returns a results page, possibly an old one that it cached, and gds integrates the search results and returns it to the applet. The search results are transmitted to the attacker's host, which can observe the snippets from localhost's files. In fact, it can initiate any search it desires with any keyword and therefore read sensitive parts of files on localhost.
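The composition described above can be checked mechanically at the design level. The following is an added example, not the authors' analysis or tool: it models the described data flows as a constructed graph, and the node names and the wording of the global policy (local file content must not reach a remote host) are assumptions.

```python
from collections import deque

# Constructed model: (source, destination, component that performs the flow).
FLOWS = [
    ("local_files", "gds_index", "gds"),        # gds performs a local search
    ("gds_index", "integrated_page", "gds"),    # local hits merged into the returned HTML page
    ("integrated_page", "applet", "gds"),       # page returned to the initiating entity
    ("applet", "remote_host", "applet"),        # applet sends what it received to its host
]
# Assumed global policy: local file content must never reach a remote host.
GLOBAL_POLICY = ("local_files", "remote_host")


def find_path(edges, src, dst):
    """Breadth-first search; returns the first src -> dst path, or None."""
    graph = {}
    for a, b, _owner in edges:
        graph.setdefault(a, []).append(b)
    queue, seen = deque([[src]]), {src}
    while queue:
        path = queue.popleft()
        if path[-1] == dst:
            return path
        for nxt in graph.get(path[-1], []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None


def violation(components, flows=FLOWS):
    """Path that breaks GLOBAL_POLICY using only the given components' flows."""
    return find_path([e for e in flows if e[2] in components], *GLOBAL_POLICY)


def cut_candidates(flows=FLOWS):
    """Flows whose removal alone restores the policy in the full composition."""
    owners = {e[2] for e in flows}
    return [e for e in flows
            if violation(owners, [f for f in flows if f != e]) is None]


if __name__ == "__main__":
    for parts in ({"gds"}, {"applet"}, {"gds", "applet"}):
        print(sorted(parts), "->", violation(parts) or "policy holds")
    print("candidate flows to cut:", cut_candidates())
```

Each component alone yields no violating path; only the composition does, and `cut_candidates` lists the design-level flows a reviewer could restrict to restore the policy.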