UW CSEP 590 - Lecture Notes

Is Open Source Software More Secure?

Russell [email protected] [email protected] [email protected]

Security / Cyber Security

Contents

1 Introduction . . . 1
1.1 Scope . . . 1
2 Initial Systems Analysis . . . 2
2.1 A Brief Overview of Source Theologies . . . 2
2.1.1 Open Source is More Secure . . . 2
2.1.2 Security Through Obscurity . . . 3
2.2 Metrics are Often Misleading . . . 4
2.3 Open and Closed Source Software are Intertwined . . . 4
3 Vulnerabilities . . . 5
3.1 Source-Dependent Attacks . . . 6
3.1.1 Buffer Overflow . . . 8
3.1.2 SQL Injection . . . 8
3.1.3 Patch Reverse Engineering . . . 9
3.2 Source-Independent Attacks . . . 9
3.2.1 User Participation . . . 10
3.2.2 Brute Force Attacks . . . 11
3.2.3 Protocol Vulnerabilities . . . 11
3.2.4 Physical Intrusion and Inside Jobs . . . 11
3.3 Frequency of Attacks . . . 12
3.4 Understanding Attack Frequency . . . 13
4 Security Analysis . . . 13
4.1 Vulnerability Discovery . . . 13
4.2 Security Tools . . . 14
4.2.1 Threat Modeling and Exploit Classification . . . 14
4.2.2 Source Code Scanners . . . 15
4.3 Security Reviews . . . 16
5 Socioeconomic Effects . . . 17
5.1 Business Decisions . . . 18
5.2 Accountability and Support . . . 19
5.3 Patch and Fix Distribution . . . 20
5.4 Availability of Security Fixes . . . 21
5.5 Custom Software and Configurations . . . 22
5.6 Security Fixes for End-of-Lifed Software . . . 24
6 Conclusion . . . 25

Abstract

In an attempt to contribute to the current state of understanding with respect to systems security, this paper inspects one software source distribution philosophy that underlies the operation of a representative class of networked computers today. Establishing whether open source leads to more secure software will have serious implications for organizations utilizing or constructing open source software and for the trust established between a user and a program (irrespective of source visibility), and it will provide valuable observations for proprietary software vendors as well. It is the intent of this paper to advance the state of understanding with respect to source philosophies, to initially and critically explore the vulnerability differences caused by differences in source visibility, and to propose an answer to a modern and relevant question: does open source development lead to more secure code?

1 Introduction

In this paper, we seek to measure the security value (or lack thereof) of the open source software distribution philosophy. While many groups treat this discussion as a religious debate between open source and proprietary software, we seek to empirically describe the issues and factors in support of or against the security of open source software, and to avoid as best we can the issues we cannot measure. Further, this debate is often partitioned along the axis of the dominant operating system on each side, and may be colored by opinions just as much as by fact. However, we believe the security analysis of, and differences between, the open source and proprietary software design philosophies don't reduce to a contest between Microsoft Windows (proprietary) and Apple Macintosh OS X (where the kernel is primarily open source) or Linux (completely open source). Rather, in this paper we seek to observe the theoretical and practical differences in security between representative classes of software systems, regardless of the corporations or organizations responsible for the products under scrutiny. Hence, the examples presented in this paper are chosen as practical, representative, and timely. We feel it is appropriate, then, to recognize and understand the tussles that exist in this area of research, and then to formulate our reasoning and research further. Also, since there is both fiction and fact on each side of the debate, we initially advocate for both sides, only to later analyze and explain these observations.

1.1 Scope

This section defines the extent and limits of our discussion. We have chosen many issues as topics for future work, and identified issues not bearing significant relevance for their inclusion, understanding that time, trials, and experience will validate or discredit these simplifying assumptions. We are not interested in the dissection of the corporate ecosystems, nor in comparisons of one company's product versus another (indeed, such reports are already plentiful). We are not arguing which …