[<prev] [next>] [day] [month] [year] [list]
Message-ID: <200311140116.hAE1Gcpe017153@linus.mitre.org>
From: coley at mitre.org (Steven M. Christey)
Subject: why commcerical software *could* be better [WAS: Re: Microsoft prepares security assault on Linux]
> 3. No source (!!) available for people to examine, thus making it, to a
> level, harder to locate security "holes" - for outsides in any case.
Possibly harder, but the vulnerabilities would still be latent in the
software.
Last year, I did a presentation on open vs. closed source security at
the Open Source Security Summit. In it, I reported on the 10 most
commonly reported vulnerability types. When comparing open source
versus closed source advisories, I found these semi-surprising
results:
- format string bugs and symlink errors were reported more often in
open source
- "malformed input" denial-of-service problems were reported more
often in closed source
My theory is that since format string bugs and symlinks were found
more often in open source because grep-strength auditing tools can be
effective in finding the usual suspect functions (yes, I know that
grep-strength has its problems with false positives). Does that mean
these bugs appear less frequently in closed source? Who knows? but
I'd think they'd be about the same. But think of format string bugs,
which often appear when the application reports errors. If you were
to perform a dynamic audit of an application, you'd have to reproduce
the environment that triggers the error, and "top-down" enumerate all
possible error conditions and then test them. A lot more difficult
than grepping through source code.
Same goes for symlink issues.
On the other hand, look at "malformed input" DoS. With closed source,
there's probably a lot more dynamic analysis going on. Dynamic
analysis frequently involves manipulating inputs using fuzzers, etc.
It's probably a lot easier to find bugs this way instead of using
grep-style analysis (what do you even grep for?). One way of testing
this notion is to look at PROTOS-style vulnerability testing suites
against both closed and open source products and see if there are any
major distinctions.
So, it may well be that open source software could benefit from more
black box testing, and closed source software could benefit from more
audits by third parties who have access to the source code.
It's a theory anyway.
- Steve
Powered by blists - more mailing lists