Google's Code Search as hacker tool
Google's Code Search for locating source code snippets has not attracted universal acclaim. Security experts are now noting that the repositories of open source projects can be searched for flawed software; in essence, the new search engine provides hackers a quicker and more effective tool for locating programming errors. Security experts criticise that security holes turned up by the search can then be exploited to break into systems. While this is not necessarily conducive to targeted attacks, that is not always what hackers are after either.
Pages are already turning up on the internet demonstrating examples of search queries that can turn up holes via Google. This includes classics like the C functions strcpy and gets, which when improperly applied can lead to buffer overflows used to write and execute malicious code on the stack. It should be noted that Code Search often includes older versions of software in its indices, meaning that in many cases the flaws identified have already been removed in the current program version. Yet more than a few users continue using outdated versions.
To fill its code database, Google is grazing from "as many publicly accessible code archives as possible," including .tar.gz- and .zip files, as well as CVS and subversion repositories. Regrettably, Google has to this point refused to indicate how many lines of code currently comprise the database. The search can also even accommodate regular expressions, and can filter for specific software licenses like BSD, GPL and others.
Yet Code Search also allows software auditors the opportunity to find and remove holes. From Google's point of view, this is an affirmation of one of the security arguments central to open source software: the more eyes that view a piece of code, the more likely that flaws will be located – and removed. In the view of security specialists, Code Search may even provide future motivation for programmers to create, follow and seek out continuing education for guidelines for secure programming. This requires developers to resist the temptation to hide their repositories from Google, however.
Google has also long been abused as a tool for turning up holes in web servers and databases. Google hacking is the art of turning up data from password-protected sites. Google recently upgraded the search engine to allow for the searching of signatures from EXE files, which web sites use to detect viruses and worms on the internet.
- Google Source Code Bug Finder, examples for Code Search