Message-ID: <200311140116.hAE1Gcpe017153@linus.mitre.org>
From: coley at mitre.org (Steven M. Christey)
Subject: why commercial software *could* be better [WAS: Re: Microsoft prepares security assault on Linux]

> 3. No source (!!) available for people to examine, thus making it, to a
>    level, harder to locate security "holes" - for outsiders in any case.

Possibly harder, but the vulnerabilities would still be latent in the
software.

Last year, I did a presentation on open vs. closed source security at
the Open Source Security Summit.  In it, I reported on the 10 most
commonly reported vulnerability types.  When comparing open source
versus closed source advisories, I found these semi-surprising
results:

  - format string bugs and symlink errors were reported more often in
    open source

  - "malformed input" denial-of-service problems were reported more
    often in closed source

My theory is that format string bugs and symlinks were found more
often in open source because grep-strength auditing tools can be
effective in finding the usual suspect functions (yes, I know that
grep-strength has its problems with false positives).  Does that mean
these bugs appear less frequently in closed source?  Who knows? But
I'd think they'd be about the same.  But think of format string bugs,
which often appear when the application reports errors.  If you were
to perform a dynamic audit of an application, you'd have to reproduce
the environment that triggers the error, and "top-down" enumerate all
possible error conditions and then test them.  A lot more difficult
than grepping through source code.

Same goes for symlink issues.

On the other hand, look at "malformed input" DoS.  With closed source,
there's probably a lot more dynamic analysis going on.  Dynamic
analysis frequently involves manipulating inputs using fuzzers, etc.
It's probably a lot easier to find bugs this way instead of using
grep-style analysis (what do you even grep for?).  One way of testing
this notion is to look at PROTOS-style vulnerability testing suites
against both closed and open source products and see if there are any
major distinctions.

So, it may well be that open source software could benefit from more
black box testing, and closed source software could benefit from more
audits by third parties who have access to the source code.

It's a theory anyway.

- Steve
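As an added illustration (not part of Steve's post), here is a grep-strength audit of the kind he describes, written in Python and run over a constructed C fragment: it flags printf-family calls whose format argument is not a string literal, and the sample deliberately contains both a real bug and the sort of false positive he concedes such tools produce (a format passed through a macro or constant the grep cannot see into). The sink table and the C fragment are assumptions made for this example.

```python
import re

# printf-family sinks and the 0-based position of their format argument.
FORMAT_SINKS = {"printf": 0, "vprintf": 0, "fprintf": 1, "vfprintf": 1,
                "sprintf": 1, "syslog": 1, "snprintf": 2}
CALL_RE = re.compile(r"\b(" + "|".join(FORMAT_SINKS) + r")\s*\(")

def call_args(text: str) -> list[str]:
    """Split the argument list after an already-consumed '(' on top-level commas."""
    args, cur, depth, in_str, i = [], [], 0, False, 0
    while i < len(text):
        ch = text[i]
        if in_str:
            if ch == "\\":            # keep escape pairs such as \" intact
                cur.append(text[i:i + 2]); i += 2; continue
            in_str = ch != '"'
        elif ch == '"':
            in_str = True
        elif ch == "(":
            depth += 1
        elif ch == ")":
            if depth == 0:
                break                 # closing paren of the audited call
            depth -= 1
        elif ch == "," and depth == 0:
            args.append("".join(cur).strip()); cur = []; i += 1; continue
        cur.append(ch); i += 1
    return args + ["".join(cur).strip()] if cur else args

def audit(source: str) -> list[tuple[int, str, str]]:
    """Flag printf-family calls whose format argument is not a string literal."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for m in CALL_RE.finditer(line):
            func, args = m.group(1), call_args(line[m.end():])
            pos = FORMAT_SINKS[func]
            if pos < len(args) and not args[pos].startswith('"'):
                findings.append((lineno, func, args[pos]))
    return findings

# Constructed C fragment: line 3 is a real bug, line 5 is the kind of false
# positive the post mentions (ERR_FMT may be a literal behind a macro), 4 and 6 are clean.
SAMPLE_C = '''\
void report(const char *msg) {
    char buf[256];
    fprintf(stderr, msg);
    snprintf(buf, sizeof(buf), "%s", msg);
    fprintf(stderr, ERR_FMT, msg);
    printf("%s\\n", msg);
}
'''
```

Running `audit(SAMPLE_C)` returns the two fprintf findings on lines 3 and 5; deciding that line 5 is benign needs a human or a real parser, which is exactly the false-positive cost of grep-strength tooling.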