China's Green Dam and the cyberwar implications

Written by Ryan Naraine, Contributor

Guest editorial by Oliver Day

Chinese military leaders have always been aware of the military advantage the US has over the People's Liberation Army. Reading through their published assessments of Sino-US war possibilities confirms our belief that we would dominate them in the air, on land and at sea. However, the PLA was born of asymmetric warfare, and this remains a core part of its strategy for any possible war with the US. Specifically, the PLA writes about the use of cyberwarfare as a means of countering this imbalance. This makes a lot of sense from a military perspective. The US economy is intimately tied to information services which rely on the Internet, while China's economy is primarily based on manufacturing physical goods. Taking down their network infrastructure would not have devastating effects, while taking down ours would be near catastrophic.

But the effect on our economy isn't the only asymmetry worth talking about. The Chinese Internet is simply different from the US Internet. Their network is self-contained and has only a handful of choke points which interact with the outside world. China has gone as far as null-routing various non-Chinese services in the past, such as YouTube and Google, simply for the sake of censoring unflattering media about the PRC government. The US has neither this capability nor the style of government which would permit this type of unilateral action.

Effective July 1, 2009, China's Ministry of Industry and Information Technology (MIIT) mandated that everyone must install filtering software known as Green Dam Youth Escort [wikipedia.com]. The decree ensures that, depending on your interpretation, it is either provided with or installed on every computer sold in China. The ensuing outrage by Chinese netizens has MIIT backpedaling on its stance and softening the tone of the mandate. Whether or not the program survives is currently a heated subject of debate; however, it is worth noting that the companies involved in producing the software are known to have both government and military ties. The government has already paid roughly $6M for the software, which covers a site license for the entire country. Even though US computer manufacturers are dragging their feet due to moral and copyright concerns, Japanese manufacturer Sony has reportedly already started to comply.

I've been thinking about the implications of the success of the program from a cyberwar perspective. China's military leaders tout their ability to conduct asymmetric warfare using pinpoint attacks on our Internet infrastructure, but Green Dam's security vulnerabilities offer the chance to recruit every Chinese netizen into a botnet and destroy this capability from the inside. Green Dam represents a ubiquitous new software mechanism in the landscape of the Chinese Internet which, in its brief history, has shown an incredible lack of security forethought.

Within the first weeks of scrutiny by security researchers, the Green Dam filtering software was hit by two vulnerabilities discovered by a team led by the University of Michigan's J. Alex Halderman. One vulnerability required victims to browse to specially crafted URLs; the other allowed a tainted security update to execute arbitrary code. Jinhui, the main manufacturer of the software, was quick to patch those vulnerabilities; however, another vulnerability was found in the patched code within hours by the University of Michigan team. At least two of those have known exploits circulating on the Internet already. Analysis of the filtering software shows a 1990s mentality towards coding and brings with it all the sophomoric security flaws of those times. It is not unreasonable to assume that many more flaws exist in the code which will undoubtedly be exploited soon.

The vulnerabilities which require a victim to view a URL are interesting but not as critical as the update vulnerability. The update mechanism for Green Dam was poorly thought out and has very little in the way of content assurance. The filtering software polls the main Jinhui server and asks for an update over cleartext protocols, so anyone positioned between a client and that server can substitute the response. Furthermore, no code signing is used to verify the authenticity of the contents of the file, meaning anyone skillful enough to penetrate Jinhui's servers, or to sit on the network path, can inject code into potentially millions of computers over a short period of time. This flaw could completely undermine the asymmetric warfare advantage the Chinese previously had.

Companies like Microsoft go to great lengths to ensure that only authorized code is sent to and executed by the millions of computers requesting updates. They use code signing to ensure the integrity and authenticity of the code sent to their users. They understand that their update servers are an incredibly rich target for anyone who wants to control massive numbers of computers with a single critical strike. If the MIIT decree is carried out successfully, Jinhui will be in a similar situation. It will have the ability to execute code on literally millions of computers, both government and civilian, during update cycles. Any new cyberwar scenario will undoubtedly include this fact in its planning. One attack on the Jinhui server will offer the chance to capture every computer running Green Dam and possibly turn them against their own country.
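To make the contrast between the two update paths concrete, here is an added example of a signed-update check of the kind the preceding two paragraphs describe. It is illustrative code written for this editorial, not Jinhui's code, not Microsoft's, and not anything published by the University of Michigan team. The manifest layout, the choice of Ed25519 and SHA-256, the anti-rollback version counter, and the sample payload are all my own assumptions; the point is only that the server that distributes updates holds no signing secret, so compromising it (or the cleartext path to it) no longer yields code execution on every client.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Distinct errors so a client can log *why* it refused an update instead of
// silently running whatever arrived.
var (
	ErrBadSignature = errors.New("update: manifest signature does not verify")
	ErrHashMismatch = errors.New("update: payload hash does not match signed manifest")
	ErrRollback     = errors.New("update: version is not newer than installed version")
)

// Manifest is the metadata the update server hands out next to the payload
// (a hypothetical format chosen for this example). Only the vendor's offline
// signing key can produce a valid Signature; the distribution server holds no
// secret worth stealing.
type Manifest struct {
	Version       uint32
	PayloadSHA256 [32]byte
	Signature     []byte
}

// signedBytes is the exact byte string the signature covers: the version
// (fixed-width, big-endian) followed by the payload hash. Binding the version
// into the signature is what stops an attacker replaying an old, genuine but
// vulnerable release.
func signedBytes(version uint32, payloadHash [32]byte) []byte {
	buf := make([]byte, 4+len(payloadHash))
	binary.BigEndian.PutUint32(buf[:4], version)
	copy(buf[4:], payloadHash[:])
	return buf
}

// NewVendorKeys generates the vendor's Ed25519 key pair. In a real deployment
// the private half lives on an air-gapped build machine or in an HSM, never on
// the update server.
func NewVendorKeys() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// SignRelease runs on the vendor's signing machine, not on the server.
func SignRelease(priv ed25519.PrivateKey, version uint32, payload []byte) Manifest {
	h := sha256.Sum256(payload)
	return Manifest{
		Version:       version,
		PayloadSHA256: h,
		Signature:     ed25519.Sign(priv, signedBytes(version, h)),
	}
}

// VerifyUpdate runs on every client. pub is pinned inside the installed
// binary, never downloaded; installed is the version currently running.
func VerifyUpdate(pub ed25519.PublicKey, installed uint32, m Manifest, payload []byte) error {
	// 1. Signature first: nothing in the manifest is trusted until it passes.
	if !ed25519.Verify(pub, signedBytes(m.Version, m.PayloadSHA256), m.Signature) {
		return ErrBadSignature
	}
	// 2. Anti-rollback: a genuine old release is still an attack if it has known bugs.
	if m.Version <= installed {
		return ErrRollback
	}
	// 3. The payload on the wire must be the one the vendor actually signed.
	h := sha256.Sum256(payload)
	if !bytes.Equal(h[:], m.PayloadSHA256[:]) {
		return ErrHashMismatch
	}
	return nil
}

// naiveApply models the behaviour the editorial describes: fetch over
// cleartext and run whatever arrived. Anyone on the path or on the server wins.
func naiveApply(payload []byte) []byte { return payload }

func main() {
	pub, priv, err := NewVendorKeys()
	if err != nil {
		panic(err)
	}
	release := []byte("filter-update-v2 (constructed sample payload)")
	m := SignRelease(priv, 2, release)
	fmt.Println("genuine update:", VerifyUpdate(pub, 1, m, release))

	tampered := append([]byte{}, release...)
	tampered[0] ^= 0xff // a man-in-the-middle flips one byte of the payload
	fmt.Println("tampered payload:", VerifyUpdate(pub, 1, m, tampered))

	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	forged := SignRelease(attackerPriv, 3, []byte("malicious"))
	fmt.Println("forged manifest:", VerifyUpdate(pub, 1, forged, []byte("malicious")))

	fmt.Println("rollback to current version:", VerifyUpdate(pub, 2, m, release))
	fmt.Printf("naive client would run %q unconditionally\n", naiveApply(tampered))
}
```

The caveat a practitioner should keep in mind: signing only moves the crown jewels, it does not remove them. If the private key sits on the same server the clients poll, the attacker who owns that server simply signs their payload, and the scheme buys nothing. The pinned public key and an offline signing key are what actually shrink the single-strike target the paragraph above describes.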

It's obviously not too late for Jinhui to get their act together and shore up their defenses. But right now they are entirely reactive instead of proactive. Historically, this means that any attempt to fix their issues will be done in great haste and will introduce as many problems as it fixes.

* Oliver Day is a security researcher at StopBadware.org, a project of the Berkman Center for Internet and Society at Harvard University. He has over ten years of experience in web and network security, working for companies including @stake, eEye, and Rapid7.
