A Software Composition Flaw in Google Desktop Search

Modern software systems are composed of different modules and objects that interact with each other. Each of these components may satisfy a local security policy. It may also satisfy a global security policy with respect to its intended operating environment. However, when many components are put together, because of unexpected interactions among them, a local security policy and/or the global security policy may be violated. A composition flaw is when the execution of a composition of separately secure components leads to a system state in which a local or the global security policy is invalidated. We are particularly interested in composition flaws at the design, not code level and therefore are currently exploring the nature of these flaws so we can detect them automatically before the composition is performed. Our long-term goal is to identify new kinds of composition flaws before attackers discover and exploit them. As a first step towards this goal we show an analysis of a recent composition flaw discovered in the Google Desktop Search application, a flaw that compromises users’ privacy. We show the principles of this type of flaws and describe our approach to detecting them.