epic
User

Registered: 17 years ago
Posts: 1896
Open Source versus Closed Source software: What is most secure

By Rob Klein Gunnewiek
On May 17, 2006
For an English class presentation at Saxion University Enschede

1. Introduction
2. Open and Closed source software
3. Security introduction
4. Closed source software security
5. Open source software security
6. Related issues
7. Conclusions

1. Introduction

For years there has been a fierce debate about what is the best
choice for the user: Open Source or Closed Source software. Since the
beginning of that debate, one of the major arguments in favor of Open Source
software has been that Open Source as a concept is more secure than a
Closed Source model. The main argument is the "Many Eyes" theory:
because the source code can be scrutinized by the public, bugs will quickly
be found and fixed.

Recently this argument has been questioned a lot in news articles and in the
security community. This could be a reaction to Microsoft's Get the Facts
campaign against Linux, in which it claims that Windows is more secure than
Linux. Before, this argument in favor of Open Source was largely
undisputed.

This paper approaches the subject objectively. Starting with an
introduction to Open Source and Security, we can look at the security
implications Open Source and Closed Source software have. Then at the end
we can draw our conclusions.

2. Open and Closed source software

There are a lot of misconceptions about what Open Source software comprises
exactly, even though it is very simple. Open Source software is software
that complies with the Open Source Definition (OSD), as formulated by the
Open Source Initiative (OSI). The definition can also be read on their
website. Simplified, the definition says
that Open Source software is software released under a license that
guarantees the user the following three freedoms:

* freedom to read the source code;
* freedom to modify the source code;
* freedom to redistribute modified source code.

Some other restrictions that do not conflict with these freedoms can be added
in the license, such as the requirement of attribution.

Note that in no way does this license say that the software has to be
non-commercial. In fact, you can sell any Open Source software
independently, provided you give the buyers the same rights; section 6 of the
OSD guarantees this. So Open Source software is not necessarily free of charge.
However, it must be said that the OSD allows anyone to freely distribute
the software, including at no cost. So in practice there is usually a way
to obtain Open Source software free of charge.

Examples of Open Source programs are the Linux kernel, the FreeBSD
operating system, the OpenOffice.Org word processor and the Mozilla Firefox
web browser.

The freedoms also grant anyone the right to make a derivative of the program.
So one could modify the software and re-release it under a different name,
under the same license. Most often the license would however require that
the new version credits the contributors of the original version. Also, some
licenses (such as BSD-style licenses) don't require derivatives to be
released under the same license; they may in fact be redistributed as
Closed Source software.

So, in fact it would be possible for you to obtain a copy of the Mozilla
Firefox source code. You could then modify it, for example to add new
features and re-release your version under a new name. For this you still
need to follow the Mozilla Public License, but as it is OSI approved it
will allow you to do this under certain decent terms.

This has happened before. Take for example the Flock project. They took
Mozilla Firefox and added features to communicate with fellow web surfers
on the Internet, for example to share your photos.

Another example is the Safari web browser of Mac OS X, which uses the KHTML
library of the KDE project. Apple also uses the Mach 3.0 micro-kernel and
FreeBSD as the foundation to run the Aqua desktop environment and their
entire system.

3. Security introduction

Security issues cover a very broad area. Only a small but important part of
that concerns security in software development. Other areas concern
for example network protocols, physical security and system security, which
are not deemed important (or much less so) for the discussion of Open Source
versus Closed Source.

Mistakes are always made in large software projects. Some of these mistakes
can be called security vulnerabilities. Security vulnerabilities can be
exploitable, which means they can harm the integrity of the system.
Sometimes a vulnerability is so severe that it can be used to bypass
security policy.

In practice this means attackers can use vulnerabilities in software to
remotely gain access to files, or even to control the affected system by
running commands, introducing new processes and so forth. Sometimes a
less dangerous vulnerability could allow an attacker to read arbitrary
files from the hard-disk.

Security vulnerabilities in software caused by programming mistakes are
one of the main causes of system compromises.

4. Closed source software security

To judge the advantages and disadvantages of Open Source and Closed Source
software methodologies in terms of security I will first state facts, and
then look at the implications they have on security.

Closed Source software has several characteristics:

    1: it is relatively hard to understand how software works without
       having its source code
    2: Closed Source software can only be modified by their copyright
       owners
    3: Closed Source software is often also commercial software

Now we'll examine these three statements further. What are their
implications on security?

The consequences of fact 1 are that first of all it's infeasible to
perform a full systematic audit of Closed Source software, at least for
independent researchers. In a full audit it is usually relatively easy to
walk through all code for bugs that can affect security. In a Closed Source
program this is much harder. One would need to debug everything, and then
understand the assembler output of the debugger. Not only that, it is very
hard to make sure you have covered all code. In any sizable program it
would take too much time to check all code. Also, there would be relatively
few people with the skills to begin to do this.

Secondly, fact 1 makes it harder, when a bug has been fixed, to verify
whether the fix is satisfactory. It has happened many times in the past
that a bug was supposedly fixed, but that the fix was insufficient because the
bug was still exploitable in a slightly different manner. If a binary
update is all a researcher has, it is harder to see if the fix is correct.

And at last, fact 1 makes it impractical to examine changes between
versions. New code in theory should have more vulnerabilities than the
older code that has matured. When new versions are released that have new
features, it is harder with Closed Source software to find out where to
find the new code. It is therefore harder for a researcher to examine
changes between software versions.

Fact 2 is of a different nature. Namely, if software cannot be modified,
then the consumer is always at the mercy of the copyright owner to fix any
bugs. If for some reason the copyright owner doesn't deem it worthwhile to
release a fix for the bug, then the consumer is powerless.

One of the most common reasons to not release a bug fix is when the
software is no longer maintained. This may happen if a company goes
bankrupt, or is taken over and no other company continues development of
the software. It also happens when software is deemed obsolete, the company
simply stops maintaining it. This has for example happened with Microsoft's
Windows NT and Windows 98. Many people still use this software, but
security bugs are no longer fixed. People who still depend on this software
cannot fix vulnerabilities in their systems.

Another possibility is that the company will decide to charge money for
security updates. Currently, to my knowledge, no company seems to do this,
as they all recognize that they should fix their mistakes. However, it is
entirely possible that one day some companies will start doing this.

Fact 3 says that most commercial companies release their software under
Closed Source licenses. The reason is often said to be that they want to
make it harder for competition to make a competing product.

When software is sold for money it can be thought that such a company or
person (in case of an individual or small group of programmers) has a
greater obligation to its user to deliver support. They usually deliver
on-line support to paying customers.

Software that costs money also allows the programmers or companies to
exist professionally. They don't only have to make the software in their
spare time. And as long as business goes well they will probably continue
to maintain the software.

However, an argument often used against commercial software is that there is
more pressure to release software within a deadline, so that quality does not
come first. Of course this does not apply to every company. But
Microsoft, for example, is known to have given quality a low priority.
The need to deliver new features, which are much more visible to
consumers and cause people to buy the software, was deemed more important
than the product's quality. Microsoft now says that security has become its
top priority.

5. Open source software security

Open Source software has the following characteristics that concern security:

    1: it is relatively easy to understand how a program works when
       having its source code
    2: it is possible to make independent changes to the program
    3: it is possible to re-distribute a derivative version
    4: many Open Source programs are available free of charge, many are
       maintained by non-profit organizations or groups of people

Let's look at their implications for security.

With Open Source software it is relatively easy to discover bugs, if any.
It is possible to do a full audit of the entire source code systematically.

It is also possible to do automated vulnerability scanning on the source tree.
As such, the United States Department of Homeland Security has funded the
development of a software vulnerability scanning system to scan for errors
in popular Open Source software, such as Linux, Apache, PostgreSQL, BIND,
Firefox, OpenSSL and so forth. Many bugs have been found and fixed already.

With Open Source software it is also easy to examine the changes made
between versions. Often there is even a detailed list of changes. But it is
also possible to use comparison software to generate a list of differences.

The possibility of third parties to make changes to an Open Source program
(fact 2) is very useful for security. It empowers users to fix problems
with the software themselves, when for some reason the original authors
won't do it. It also becomes possible for service providers or resellers to
independently fix bugs of their clients in case for some reason the vendor
will not.

In case users lose trust in the way the Open Source project is maintained,
they can also take matters into their own hands. It is possible for them to
start their own version of the software. This sort of practice occurs
sometimes. Usually though this happens because certain groups of people
have different intentions for the project. A good example is DragonFly BSD,
which derived from the FreeBSD 4.x branch.
So when an Open Source program is no longer maintained, it is possible for
its users to take over and continue.

The last fact we need to look at is the fact that Open Source programs are
often free of charge. Many Open Source projects are maintained by
non-profit organizations, individuals or groups of people. It must be
stressed though that this is not always the case. Commercial companies too
fund Open Source projects. For example, MySQL, the SQL database server, is
a project of MySQL AB. MySQL AB sells commercial versions of the MySQL
database, such as MySQL High Availability server. Another example is
OpenOffice.Org, which is derived from Sun StarOffice. StarOffice benefits
from OpenOffice.Org and the voluntary contributions to it; the community
benefits from the freedoms given through OpenOffice.Org. Sun has also made
its Solaris operating system Open Source.

When programs are not paid for you cannot expect first-class support. But
in the case of Open Source software you can also argue that you do not depend
on the willingness of the vendor to provide this support. If support is
necessary, users should have a support contract from a different company,
perhaps a reseller. In the Netherlands, for example, there are at least
around 50 companies that sell and support Linux.

Finally, when there is less pressure to deliver software versions within a
deadline or monetary budget, more effort can be placed on quality code. If
this also really happens in practice is of course questionable. One could
also say that as the programmers get no money for their work there is no
reason to have a high quality standard. On the other hand you can argue why
one would write programs for free if not to write great things. Would
voluntary programmers really not care for the quality of their program? In
fact, most of such programmers work on programs they use themselves and are
very enthusiastic about. That is often their main motivation.

6. Related issues

There is evidence that commercial interests sometimes conflict with the
interests of security researchers. First of all, any bug found is usually
bad P.R. for a company. For example, Cisco routers for years were regarded
as not vulnerable to buffer overflow attacks. Then, last year a researcher
named Michael Lynn attempted to make public his research on Cisco
exploitation during a major security conference, Black Hat in Las Vegas. He
was legally threatened not to do the presentation on Cisco vulnerabilities.
A team from Cisco also removed pages from the conference materials of Black
Hat that concerned Michael Lynn's work. Michael Lynn proceeded with his
presentation on the Cisco issues. Currently he is employed by Cisco's
main competitor, Juniper Networks.

In this case commercial interests clearly have caused security research to
be suppressed. Increasingly, vulnerability researchers are being threatened
with legal action. Laws like the Digital Millennium Copyright Act (DMCA)
make it illegal to circumvent Digital Rights Management (DRM) and basically
make it illegal to figure out how things work. As such, a programmer named
Dmitry Sklyarov was sued for figuring out how to break CSS, the copy
protection of DVDs. In France there are also similar laws that make it
illegal to reverse engineer the working of programs.

Because of all this, it becomes dangerous to perform security research on
Closed Source programs. Security research, especially with Closed Source
software requires the understanding of the program. The mentioned laws make
it very hard to do so.

7. Conclusions

First of all let me start with a fact: popular software matures faster than
unpopular software. The reason is that when software is popular with users,
it is also popular with independent researchers. Therefore bugs will be
discovered at a much faster pace in popular software. Over time the quality
of the code will simply increase, especially when the feature set starts
stabilizing. There are fewer bugs to be found in mature software.

Now the conclusion I want to draw is that Open Source software matures
faster than Closed Source software. Open Source software can be more easily
examined, causing bugs to be found at a higher rate compared to Closed
Source software. With Closed Source software bugs are more hidden and take
longer to be found. As long as Open Source software is immature, bugs will
be found at a higher rate than if it were Closed Source. As the software
matures bug density will become so low that the bug discovery frequency
would become lower than if it were Closed Source software.

A dilemma however is the following: What is more secure, a popular Closed
Source program or a less popular Open Source program? Of course this
entirely depends on respectively how popular both programs are. And also
of course, are both projects really comparable? Take for example Mozilla
Firefox versus Microsoft Internet Explorer. Mozilla Firefox has an
estimated market share of 10%, Microsoft Internet Explorer has about 80%.
Although Internet Explorer is much more used than Firefox, both are
certainly as well known in the security community. It is hard to say how
popular both programs are among researchers.


_______________________________________
:< 4 8 15 16 23 42 *execute*
EVERYONE IS INVITED TO THE NEW FORUM!

posted 17 years ago
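The paper above argues that with the source available one can audit the whole tree systematically, run automated vulnerability scanning over it, and use comparison software to find the new code between two versions (the code most likely to carry fresh bugs). The following Python script is an added illustration of those three points and is not part of the original post or of the paper: it holds two constructed versions of a tiny C source tree, uses the standard-library difflib to list the lines added in the new version, and runs a toy pattern scanner (a hypothetical list of length-unbounded C calls) either over everything (full audit) or only over the added lines (review of the delta). The file names, code and pattern table are all made up for the example.

```python
"""Toy source-tree scanner: full audit versus review of only the lines
added between two versions. Both sample trees are constructed here and
are not from any real project."""
import difflib
import re

# Constructed "previous version" of a small C tree: one file.
OLD_TREE = {
    "net/parse.c": """\
#include <string.h>
int parse_name(char *dst, const char *src) {
    strncpy(dst, src, 63);
    dst[63] = '\\0';
    return 0;
}
""",
}

# Constructed "new version": one function added, one new file added.
NEW_TREE = {
    "net/parse.c": """\
#include <string.h>
int parse_name(char *dst, const char *src) {
    strncpy(dst, src, 63);
    dst[63] = '\\0';
    return 0;
}
int parse_host(char *dst, const char *src) {
    strcpy(dst, src);
    return 0;
}
""",
    "net/banner.c": """\
#include <stdio.h>
void show_banner(const char *msg) {
    char buf[128];
    sprintf(buf, msg);
    printf("%s\\n", buf);
}
""",
}

# Hypothetical pattern table: C calls that commonly need a closer look
# because they do not bound the amount of data they write.
RISKY_CALLS = {
    "strcpy": "unbounded copy into dst; use a length-limited copy",
    "strcat": "unbounded append; use a length-limited append",
    "sprintf": "no output bound; prefer snprintf with a literal format",
    "gets": "cannot bound input; use fgets",
}
# \b keeps strncpy/fgets from matching strcpy/gets.
CALL_RE = re.compile(r"\b(" + "|".join(map(re.escape, RISKY_CALLS)) + r")\s*\(")


def scan_lines(path, numbered_lines):
    """Return findings for (lineno, text) pairs belonging to one file."""
    findings = []
    for lineno, text in numbered_lines:
        m = CALL_RE.search(text)
        if m:
            call = m.group(1)
            findings.append({"path": path, "line": lineno,
                             "call": call, "note": RISKY_CALLS[call]})
    return findings


def scan_tree(tree):
    """Full systematic audit: every line of every file in the tree."""
    findings = []
    for path in sorted(tree):
        numbered = list(enumerate(tree[path].splitlines(), start=1))
        findings.extend(scan_lines(path, numbered))
    return findings


def added_lines(old_tree, new_tree):
    """Lines present in new_tree but not in old_tree, keyed by path,
    each as (line number in the new file, text). A file missing from
    old_tree counts as entirely new."""
    out = {}
    for path in sorted(new_tree):
        new_lines = new_tree[path].splitlines()
        old_lines = old_tree.get(path, "").splitlines()
        sm = difflib.SequenceMatcher(a=old_lines, b=new_lines, autojunk=False)
        added = []
        for tag, _i1, _i2, j1, j2 in sm.get_opcodes():
            if tag in ("insert", "replace"):
                added.extend((j + 1, new_lines[j]) for j in range(j1, j2))
        if added:
            out[path] = added
    return out


def scan_new_code(old_tree, new_tree):
    """Incremental audit: only the code that changed since the old version."""
    findings = []
    for path, numbered in added_lines(old_tree, new_tree).items():
        findings.extend(scan_lines(path, numbered))
    return findings


if __name__ == "__main__":
    print("full audit of old tree:", scan_tree(OLD_TREE))
    for f in scan_tree(NEW_TREE):
        print("full audit of new tree: %(path)s:%(line)d %(call)s (%(note)s)" % f)
    for f in scan_new_code(OLD_TREE, NEW_TREE):
        print("new code only: %(path)s:%(line)d %(call)s" % f)
```

On the constructed trees the old version is clean, and both the full audit of the new tree and the delta-only scan report the same two lines (the added strcpy and sprintf), which is the paper's point: when the diff is available, a reviewer can concentrate on the lines that actually changed instead of re-reading the matured code.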
   
3Nigma
Member of RedTeam

Registered: 17 years ago
Posts: 325
nice... you know what's interesting... as this one says... that these open source ones are more sought after by the public, but here a problem arises... how can you sell something if it's open source? the answer is... you can't... but you have other benefits... among which popularity, popularity that you use in selling other software for money... a good example is mozilla... is it open source? it is... and it is speculated to be the best browser on the market... its success is due to other people's contributions to it... namely fixing bugs... an open source project is unbeatable when it comes to reaching perfection... but it creaks in the profit area (I mean direct profit)!

Windows and other OSes sit comfortably and couldn't care less! why? well because we are dependent on them. Think what would happen if Windows were open source? perfection would be reached, but at what price for the original inventor (Bill Gates)? Profit... below the current level... Yet the law on software patents (at least in Romania) states that any substantial modification of any product... can be patented! Think how many patents would be issued for "n" types of Windows... and how many people would get rich selling their ideas... In a way it's good that we are kept in chains.... because who would stop torrents, file sharing in general??? Nobody... and so illegality coexists with legality...


posted 17 years ago
   
epic
User

Registered: 17 years ago
Posts: 1896
A fee can be charged for open source too.

Take Linux for example.

Linux is free under the GNU General Public License, but there are a number of companies that add Office-type products, desktop interfaces, web server software, etc. to the system, as well as installation CDs, and so charge a fee (which is, in any case, much smaller than that of any other commercial OS).


_______________________________________
:< 4 8 15 16 23 42 *execute*
EVERYONE IS INVITED TO THE NEW FORUM!

posted 17 years ago
   
3Nigma
Member of RedTeam

Registered: 17 years ago
Posts: 325
yes, but something purely open source... you have no control over it... with linux it's a different matter... they add programs that normally, taken independently, cost money... which implicitly means the finished product costs money...

posted 17 years ago
   