simpson
http://blog.51xuewen.com/fadfasfaf
   Analysis of the Green Dam Censorware System (对绿坝过滤系统的分析) (reposted)
   2009-6-14 9:20:23   |    Reposted     |     Comments (4)    |   Views (432)

Analysis of the Green Dam Censorware System
Scott Wolchok, Randy Yao, and J. Alex Halderman
Computer Science and Engineering Division
The University of Michigan
Revision 2.4 – June 11, 2009

Summary    We have discovered remotely-exploitable vulnerabilities in Green
Dam, the censorship software reportedly mandated by the Chinese government.
Any web site a Green Dam user visits can take control of the PC.

According to press reports, China will soon require all PCs sold in the
country to include Green Dam. This software monitors web sites visited and
other activity on the computer and blocks adult content as well as
politically sensitive material.

We examined the Green Dam software and found that it contains serious
security vulnerabilities due to programming errors. Once Green Dam is
installed, any web site the user visits can exploit these problems to take
control of the computer. This could allow malicious sites to steal private
data, send spam, or enlist the computer in a botnet. In addition, we found
vulnerabilities in the way Green Dam processes blacklist updates that could
allow the software makers or others to install malicious code during the
update process.

We found these problems with less than 12 hours of testing, and we believe
they may be only the tip of the iceberg. Green Dam makes frequent use of
unsafe and outdated programming practices that likely introduce numerous
other vulnerabilities. Correcting these problems will require extensive
changes to the software and careful retesting. In the meantime, we
recommend that users protect themselves by uninstalling Green Dam
immediately.

Green Dam displays this message when it detects banned phrases.
Introduction
According to recent news reports (NYT, WSJ), the Chinese government has
mandated that, beginning July 1, every PC sold in China must include a
censorship program called Green Dam. This software is designed to monitor
internet connections and text typed on the computer. It blocks undesirable
or politically sensitive content and optionally reports it to authorities.
Green Dam was developed by a company called Jin Hui and is available as a
free download. We examined version 3.17.

How Green Dam Works
The Green Dam software filters content by blocking URLs and website images
and by monitoring text in other applications. The filtering blacklists
include both political and adult content. Some of the blacklists appear to
have been copied from American-made filtering software.

Image filter    Green Dam includes computer vision technology used to block
online images containing nudity. The image filter reportedly works by
flagging images containing large areas of human skin tone, while making an
exception for close-ups of faces. We've found that the program contains
code libraries and a configuration file from the open-source image
recognition software OpenCV.

Text filter    Green Dam scans text entry fields in various applications
for blocked words, including obscenities and politically sensitive phrases
(for example, references to Falun Gong). Blacklisted terms are contained in
three files, encrypted with a simple key-less scrambling operation. We
decrypted the contents of these files: xwordl.dat, xwordm.dat, and
xwordh.dat. We also found what appears to be a word list for a more
sophisticated sentence processing algorithm in the unencrypted file
FalunWord.lib. When Green Dam detects these words, the offending program is
forcibly closed and an error image (shown above) is displayed.

URL filter    Green Dam filters website URLs using patterns contained in
whitelist and blacklist files (*fil.dat, adwapp.dat, and TrustUrl.dat).
These files are encrypted with the same key-less scrambling operation as
the blacklists for the text filter. Five of the blacklists correspond to
the categories in the content filtering section of Green Dam's options
dialog (shown below).

We found evidence that a number of these blacklists have been taken from
the American-made filtering program CyberSitter. In particular, we found an
encrypted configuration file, wfileu.dat, that references these blacklists
with download URLs at CyberSitter's site. We also found a setup file,
xstring.s2g, that appears to date these blacklists to 2006. Finally,
csnews.dat is an encrypted 2004 news bulletin by CyberSitter. We conjecture
that this file was accidentally included because it has the same file
extension as the filters.

Security Problems
After only one day of testing the Green Dam software, we found two major
security vulnerabilities. The first is an error in the way the software
processes web sites it monitors. The second is a bug in the way the
software installs blacklist updates. Both allow remote parties to execute
arbitrary code and take control of the computer.

Web Filtering Vulnerability
Green Dam intercepts Internet traffic and processes it to see whether
visited web sites are blacklisted. In order to perform this monitoring, it
injects a library called SurfGd.dll into software that uses the socket API.
When a user accesses a web site, this code checks the address against the
blacklist and logs the URL.

We discovered programming errors in the code used to process web site
requests. The code processes URLs with a fixed-length buffer, and a
specially-crafted URL can overrun this buffer and corrupt the execution
stack. Any web site the user visits can redirect the browser to a page with
a malicious URL and take control of the computer.

We have constructed a demonstration URL that triggers this problem. If you
have Green Dam installed, clicking the button on our demonstration attack
page will cause your browser (or tab) to crash.

This proof-of-concept shows that we are able to control the execution
stack. An actual attacker could exploit this to execute malicious code.

Green Dam's design makes this problem exploitable from almost any web
browser. At this time, the surest way for users to protect themselves is to
uninstall Green Dam.

Blacklist Update Vulnerability
We found a second problem in the way Green Dam reads its filter files. This
problem would allow Green Dam's makers, or a third-party impersonating
them, to execute arbitrary code and install malicious software on the
user's computer after installing a filter update. Users can enable
automatic filter updates from the Green Dam configuration program.

Green Dam reads its filter files using unsafe C string libraries. In
places, it uses the fscanf function to read lines from filter files into a
fixed-length buffer on the execution stack. This creates classic
buffer-overflow vulnerabilities. For example, if a line in the file
TrustUrl.dat exceeds a certain fixed length, the buffer will be overrun,
corrupting the execution stack and potentially giving the attacker control
of the process.
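Both problems above (the fixed-length URL buffer in SurfGd.dll and the fscanf read of TrustUrl.dat) are the same defect: unbounded input copied into a fixed stack buffer. The following is an added example, not Green Dam's code, showing the pattern the report describes beside a bounded reader that rejects over-long lines instead of overrunning the buffer; the buffer size, function names and the sample filter file are constructed for the example.

```c
/* Added example, not Green Dam's code; buffer size and sample are constructed. */
#include <stdio.h>
#include <string.h>

#define LINE_BUF 64   /* assumed size of the fixed stack buffer */
/* Pattern the page describes (do not use): fscanf(f, "%s", buf) has no
 * field width, so a line longer than buf overruns it and corrupts the stack. */

/* Hardened reader: 1 = line read (newline stripped), 0 = EOF, -1 = line
 * longer than buflen-1, discarded so the next call resumes at the next line. */
int read_filter_line(FILE *f, char *buf, size_t buflen)
{
    if (!fgets(buf, (int)buflen, f))
        return 0;
    size_t n = strlen(buf);
    if (n > 0 && buf[n - 1] == '\n') {
        buf[n - 1] = '\0';
        return 1;
    }
    int c = fgetc(f);                   /* buffer full: what follows? */
    if (c == EOF || c == '\n')
        return 1;                       /* line ended exactly at the limit */
    while (c != EOF && c != '\n')       /* oversized line: skip the rest */
        c = fgetc(f);
    buf[0] = '\0';
    return -1;
}

/* Loads a filter file; returns accepted entries, counts rejected ones. */
int load_filter(FILE *f, int *rejected)
{
    char buf[LINE_BUF];
    int accepted = 0, rc;
    *rejected = 0;
    while ((rc = read_filter_line(f, buf, sizeof buf)) != 0)
        if (rc < 0) (*rejected)++; else accepted++;
    return accepted;
}

/* Constructed sample: two normal entries around one 200-byte line. */
FILE *make_sample_file(void)
{
    FILE *f = tmpfile();
    if (!f) return NULL;
    fputs("www.example.com\n", f);
    for (int i = 0; i < 200; i++) fputc('a', f);
    fputs("\nsafe.example.org\n", f);
    rewind(f);
    return f;
}
```

The oversized entry is dropped and logged by count rather than copied, so a malformed update file can at worst lose an entry, not corrupt the stack.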

The filter files can be replaced remotely by the software maker if the user
has enabled filter updates. The updates could corrupt these vulnerable
files to exploit the problems we found. This could allow Green Dam's makers
to take control of any computer where the software is installed and
automatic filter updates are enabled. Furthermore, updates are delivered
via unencrypted HTTP, which could allow a third party to impersonate the
update server (for example, by exploiting DNS vulnerabilities) and take
control of users' computers using this attack.

Removing Green Dam
Green Dam allows users who know its administrator password to uninstall the
software. We tested the uninstaller and found that it appears to
effectively remove Green Dam from the computer. However, it fails to remove
some log files, so evidence of users' activity remains hidden on the system.

In light of the serious vulnerabilities we outlined above, the surest way
for users to protect themselves is to remove the software immediately using
its uninstall function.

Conclusion
Our brief testing proves that Green Dam contains very serious security
vulnerabilities. Unfortunately, these problems seem to reflect systemic
flaws in the code. The software makes extensive use of programming
techniques that are known to be unsafe, such as deprecated C string
processing functions including sprintf and fscanf. These problems are
compounded by the design of the program, which creates a large attack
surface: since Green Dam filters and processes all Internet traffic, large
parts of its code are exposed to attack.

If Green Dam is deployed in its current form, it will significantly weaken
China's computer security. While the flaws we discovered can be quickly
patched, correcting all the problems in the Green Dam software will likely
require extensive rewriting and thorough testing. This will be difficult to
achieve before China's July 1 deadline for deploying Green Dam nationwide.
