Bug vulnerabilities in China’s mandatory filtering software

Gauthier Befahy
Gauthier has been active in the IT field for over 10 years. He currently works for Scademy Ltd, where he oversees global Sales and Marketing.

Recent reports indicate that the Chinese government is planning to extend the reach of its Internet censorship efforts. The government’s massive back-end filtering system, referred to satirically in the West as the Great Firewall of China, will soon be augmented by client-side filtering tools that the Chinese government is pressuring hardware manufacturers to ship with new computers.

The filtering software, which is called Green Dam, is designed to analyze the user’s network traffic and block material that is politically sensitive or adult in nature. Security researchers at the University of Michigan analyzed the software and discovered a number of extremely serious security vulnerabilities. They say that malicious websites can take advantage of the security bugs to run arbitrary code on the user’s computer.

The report also provides insight into the scope of the filtering system’s functionality, resolving many of the ambiguities that existed in previous reports about the technology. The software includes image, text, and URL filters. The researchers say that the image filtering system, which is designed to filter out pornographic material, leverages the open source OpenCV imaging library to detect images with significant areas of skin tone.

The text filtering system operates by matching against word lists and also includes a text analysis algorithm. The filtering system will automatically terminate programs when the forbidden words are detected. The researchers say that a large volume of the contents of the blacklists has been taken verbatim from commercial filtering programs that are sold in the United States, including CyberSitter.

The researchers were able to exploit a buffer overflow vulnerability in the filtering software’s URL analyzer. Because the filtering system hooks itself into the network stack at a relatively low level, these vulnerabilities are said to be exploitable in virtually all browsers.

“We discovered programming errors in the code used to process web site requests. The code processes URLs with a fixed-length buffer, and a specially-crafted URL can overrun this buffer and corrupt the execution stack,” the report says. “Any web site the user visits can redirect the browser to a page with a malicious URL and take control of the computer.”
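The class of bug the report describes, shown beside a bounds-checked version. This is an added illustration, not Green Dam's code or the researchers'; the function names, the 256-byte buffer size and the `blocked.example` blocklist entry are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

#define URL_BUF 256  /* assumed size; the report does not state the real one */

/* Hypothetical blocklist check standing in for the filter's URL analysis. */
static int is_blocked(const char *url) {
    return strstr(url, "blocked.example") != NULL;
}

/* Vulnerable pattern: the URL length is chosen by the remote site, the
 * buffer is fixed. Any url longer than URL_BUF - 1 bytes writes past buf
 * and into the saved stack frame. */
int analyze_url_unsafe(const char *url) {
    char buf[URL_BUF];
    strcpy(buf, url);                 /* no bounds check */
    return is_blocked(buf);
}

/* Hardened form: measure first, refuse oversize input, then copy.
 * Returns 1 = blocked, 0 = allowed, -1 = rejected as too long. */
int analyze_url_safe(const char *url) {
    char buf[URL_BUF];
    const char *end = memchr(url, '\0', URL_BUF);  /* scans at most URL_BUF bytes */
    if (end == NULL)
        return -1;                    /* fail closed rather than truncate */
    size_t len = (size_t)(end - url); /* len <= URL_BUF - 1 */
    memcpy(buf, url, len + 1);        /* copy includes the terminating NUL */
    return is_blocked(buf);
}

int main(void) {
    char long_url[1024];              /* constructed oversize input */
    memset(long_url, 'A', sizeof long_url - 1);
    long_url[sizeof long_url - 1] = '\0';

    printf("allowed:  %d\n", analyze_url_safe("http://ok.example/"));
    printf("blocked:  %d\n", analyze_url_safe("http://blocked.example/x"));
    printf("oversize: %d\n", analyze_url_safe(long_url));
    return 0;
}
```

Rejecting the oversize URL outright, instead of silently truncating it, also keeps the filter from matching against a string that differs from the one the browser will actually request.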

The researchers also discovered a troubling vulnerability in the mechanism that parses the banned word files. This is especially problematic because the program is designed to support automatic updates of URL blacklists and banned words directly over the Internet. The maker of the software (or whoever controls the updates) could potentially deploy a malicious update file that exploits the vulnerability, thus giving them the ability to take control of the user’s computer.

These problems demonstrate the risk of broadly deploying state-enforced censorship software. If the filtering software were sufficiently pervasive, automated exploits would be able to turn the whole country into a giant botnet practically overnight.