Google open-sources Tsunami vulnerability scanner


Google has open-sourced a vulnerability scanner for large-scale enterprise networks consisting of thousands or even millions of internet-connected systems.

Named Tsunami, the scanner has been used internally at Google and has been made available on GitHub last month.

Tsunami will not be an officially-branded Google product but will instead be maintained by the open-source community, similarly to how Google first made Kubernetes (another Google internal tool) available for the masses.

How Tsunami works

There are already hundreds of other commercial or open-sourced vulnerability scanners on the market, but what’s different about Tsunami is that Google built the scanner with mammoth-sized companies like itself in mind.

This includes companies that manage networks that include hundreds of thousands of servers, workstations, networking equipment, and IoT devices that are connected to the internet.

Google said it designed Tsunami to adapt to these extremely diverse and extremely large networks on the get-go, without the need to run different scanners for each device type.

Google said it did this by first splitting Tsunami into two main parts, and then adding an extendable plugin mechanism on top.

The first Tsunami component is the scanner itself — or the reconnaissance module. This component scans a company’s network for open ports. It then tests each port and attempts to identify the exact protocols and services running on each, in an attempt to prevent mislabelling ports and test devices for the wrong vulnerabilities.

Google said the port fingerprinting module is based on the industry-tested nmap network mapping engine but also uses some custom code.

The second component is the one that’s more complex. This one runs based on the results of the first. It takes each device and its exposed ports, selects a list of vulnerabilities to test, and runs benign exploits to check if the device is vulnerable to attacks.

The vulnerability verification module is also how Tsunami can be extended through plugins — the means through which security teams can add new attack vectors and vulnerabilities to check inside their networks.

The current Tsunami version comes with plugins to check for:

  • Exposed sensitive UIs: Applications such as Jenkins, Jupyter, and Hadoop Yarn ship with UIs that allow a user to schedule workloads or to execute system commands. If these systems are exposed to the internet without authentication, attackers can leverage the functionality of the application to execute malicious commands.
  • Weak credentials: Tsunami uses other open source tools such as ncrack to detect weak passwords used by protocols and tools including SSH, FTP, RDP, and MySQL.

Google said it plans to enhance Tsunami through new plugins to detect a wider variety of exploits in the coming months. All plugins will be released through a second dedicated GitHub repository.

Project will be focused on no false-positives

The search giant said that going forward Tsunami will focus on meeting the goals of high-end enterprise clients like itself, and the conditions found in these types of large and multi-device networks.

Scan accuracy will be the primary goal, with the project focusing on providing results with as little as possible false-positives (incorrect detections).

This will be important since the scanner will be running inside giant networks where even the slightest false-positive findings can result in sending incorrect patches to hundreds or thousands of devices, possibly resulting in device crashes, network crashes. countless of wasted work hours, and even losses to a company’s bottom-line.

Furthermore, Tsunami will also be extended with support only for high-severity vulnerabilities that are likely to be weaponized, rather than focus on scanning for everything under the sun, as most vulnerability scanners tend to do today. This will be done to reduce alert fatigue for security teams.