epic
User
Registered: 17 years ago
Posts: 1896
Open Source versus Closed Source software: What is most secure
By Rob klein Gunnewiek, May 17, 2006. Written for an English class presentation at Saxion University Enschede.
Contents:
1. Introduction
2. Open and Closed source software
3. Security introduction
4. Closed source software security
5. Open source software security
6. Related issues
7. Conclusions
1. Introduction
For years there has been a fierce debate about which is the better choice for the user: Open Source or Closed Source software. Since the beginning of that debate, one of the major arguments in favor of Open Source software has been that Open Source as a concept is more secure than a Closed Source model. The main argument is the "Many Eyes" theory: because the source code can be scrutinized by the public, bugs will quickly be found and fixed.
Recently this argument has been questioned a lot in news articles and in the security community. This could be a reaction to Microsoft's Get the Facts campaign against Linux, in which it claims that Windows is more secure than Linux. Before that, this argument in favor of Open Source was largely undisputed.
This paper approaches the subject objectively. Starting with an introduction to Open Source and security, we look at the security implications of Open Source and Closed Source software. At the end we draw our conclusions.
2. Open and Closed source software
There are a lot of misconceptions about what exactly Open Source software comprises, even though it is very simple. Open Source software is software that complies with the Open Source Definition (OSD), as formulated by the Open Source Initiative (OSI); the definition can also be read on their website. Simplified, the definition says that Open Source software is software released under a license that guarantees the user the following three freedoms:
* freedom to read the source code;
* freedom to modify the source code;
* freedom to redistribute modified source code.
Other restrictions that do not conflict with these freedoms can be added to the license, such as a requirement of attribution.
Note that in no way does this license say that the software has to be non-commercial. In fact, you can sell any Open Source software independently, provided you give your customers the same rights; section 6 of the OSD guarantees this. So Open Source software is not necessarily free of charge. However, it must be said that the OSD allows anyone to freely distribute the software, including at no cost. So in practice there is usually a way to obtain Open Source software free of charge.
Examples of Open Source programs are the Linux kernel, the FreeBSD operating system, the OpenOffice.Org word processor and the Mozilla Firefox web browser.
The freedoms also allow anyone to make a derivative of the program. So one could modify the software and re-release it under a different name, under the same license. Most often the license would, however, require that the new version attribute the contributors to the original version. Also, some licenses (such as BSD-style licenses) don't require derivatives to be released under the same license; they may in fact be redistributed as Closed Source software.
So it would in fact be possible for you to obtain a copy of the Mozilla Firefox source code. You could then modify it, for example to add new features, and re-release your version under a new name. For this you still need to follow the Mozilla Public License, but as it is OSI approved it allows you to do this under reasonable terms.
This has happened before. Take for example the Flock project. They took Mozilla Firefox and added features to communicate with fellow web surfers on the Internet, for example to share your photos.
Another example is the Safari web browser of Mac OS X, which uses the KHTML library of the KDE project. Apple also uses the Mach 3.0 micro-kernel and FreeBSD as the foundation on which the Aqua desktop environment, and their entire system, runs.
3. Security introduction
Security issues cover a very broad area. Only a small but important part of that concerns security in software development. Other areas concern, for example, network protocols, physical security and system security, which are deemed not (or much less) important for the discussion of Open Source versus Closed Source.
Mistakes are always made in large software projects. Some of these mistakes can be called security vulnerabilities. Security vulnerabilities can be exploitable, which means they can harm the integrity of the system. Sometimes a vulnerability is so severe that it can be used to bypass security policy.
In practice this means attackers can use vulnerabilities in software to remotely gain access to files, or even to control the affected system by running commands, starting new processes and so forth. Sometimes a less dangerous vulnerability could allow an attacker to read arbitrary files from the hard disk.
Security vulnerabilities in software caused by programming mistakes are one of the main causes of system compromises.
4. Closed source software security
To judge the advantages and disadvantages of the Open Source and Closed Source software methodologies in terms of security, I will first state facts and then look at the implications they have for security.
Closed Source software has several characteristics:
1: it is relatively hard to understand how software works without having its source code
2: Closed Source software can only be modified by its copyright owners
3: Closed Source software is often also commercial software
Now we'll examine these three statements further. What are their implications for security?
The consequence of fact 1 is first of all that it is infeasible to perform a full systematic audit of Closed Source software, at least for independent researchers. In a full audit it is usually relatively easy to walk through all the code looking for bugs that can affect security. In a Closed Source program this is much harder. One would need to debug everything, and then understand the disassembly output of the debugger. Not only that, it is very hard to make sure you have covered all the code. In any sizable program it would take too much time to check all the code. Also, there would be relatively few people with the skills to even begin doing this.
Secondly, fact 1 makes it harder, when a bug has been fixed, to verify whether the fix is satisfactory. It has happened many times in the past that a bug was supposedly fixed, but the fix was insufficient because the bug was still exploitable in a slightly different manner. If a binary update is all a researcher has, it is harder to see if the fix is correct.
And lastly, fact 1 makes it impractical to examine changes between versions. New code should in theory have more vulnerabilities than older code that has matured. When new versions with new features are released, it is harder with Closed Source software to find out where the new code is. It is therefore harder for a researcher to examine changes between software versions.
Fact 2 is of a different nature. If software cannot be modified, then the consumer is always at the mercy of the copyright owner to fix any bugs. If for some reason the copyright owner doesn't deem it worthwhile to release a fix for a bug, then the consumer is powerless.
One of the most common reasons for not releasing a bug fix is that the software is no longer maintained. This may happen if a company goes bankrupt, or is taken over and no other company continues development of the software. It also happens when software is deemed obsolete: the company simply stops maintaining it. This has for example happened with Microsoft's Windows NT and Windows 98. Many people still use this software, but security bugs are no longer fixed. People who still depend on this software cannot fix the vulnerabilities in their systems.
Another possibility is that the company will decide to charge money for security updates. Currently, to my knowledge, no company does this, as they all recognize that they should fix their own mistakes. However, it is entirely possible that one day some companies will start doing so.
Fact 3 says that most commercial companies release their software under Closed Source licenses. The reason often given is that they want to make it harder for the competition to make a competing product.
When software is sold for money, it can be argued that such a company or person (in the case of an individual or small group of programmers) has a greater obligation to its users to deliver support. They usually deliver on-line support to paying customers.
Software that costs money also allows the programmers or companies to exist professionally; they don't have to make the software in their spare time. And as long as business goes well they will probably continue to maintain the software.
However, an argument often used against commercial software is that there is more pressure to release software within a deadline, so that quality does not come first. Of course this does not hold for every company. But Microsoft, for example, is known to have given quality a low priority compared to new features. The need to deliver new features, which are much more visible to consumers and cause people to buy the software, was deemed more important than the product's quality. Microsoft now says that security has become its top priority.
5. Open source software security
Open Source software has the following characteristics that concern security:
1: it is relatively easy to understand how a program works when having its source code
2: it is possible to make independent changes to the program
3: it is possible to re-distribute a derivative version
4: many Open Source programs are available free of charge, and many are maintained by non-profit organizations or groups of people
Let's look at their implications for security.
With Open Source software it is relatively easy to discover bugs, if there are any. It is possible to do a full, systematic audit of the entire source code.
It is also possible to do automated vulnerability scanning on the source tree. The United States Department of Homeland Security, for example, has funded the development of a software vulnerability scanning system to scan for errors in popular Open Source software, such as Linux, Apache, PostgreSQL, BIND, Firefox, OpenSSL and so forth. Many bugs have already been found and fixed.
With Open Source software it is also easy to examine the changes made between versions. Often there is even a detailed list of changes, but it is also possible to use comparison software to generate a list of differences.
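As an added illustration of this point (not code from the original essay): a small POSIX shell script that diffs two source trees and ranks the changed files by the number of added lines, so that an auditor can start with the new code, which the essay argues is the most likely place for fresh vulnerabilities. The two "release" trees and their file contents are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original essay: rank the files of a new
# release by how many lines were added relative to the previous release.
# Needs only diff, awk, sort, head and cut.

# rank_new_code OLD_DIR NEW_DIR
# Prints "added_lines path" for every file with added lines, most first.
rank_new_code() {
    old="$1"; new="$2"
    diff -ruN "$old" "$new" | awk -v new="$new" '
        # "+++ <path>" starts the hunks of one file; remember it relative
        # to the new tree so the output is independent of where it lives.
        /^\+\+\+ / {
            file = $2
            if (index(file, new "/") == 1) file = substr(file, length(new) + 2)
            next
        }
        # Every other line starting with "+" is a line added in that file.
        /^\+/ { added[file]++ }
        END { for (f in added) printf "%d %s\n", added[f], f }
    ' | sort -rn
}

# top_changed_file OLD_DIR NEW_DIR -> path with the most added lines.
top_changed_file() {
    rank_new_code "$1" "$2" | head -n 1 | cut -d' ' -f2-
}

# Constructed sample trees standing in for two releases; prints the base dir.
make_sample_trees() {
    base=$(mktemp -d)
    mkdir -p "$base/v1/src" "$base/v2/src"
    printf 'int parse(char *s) {\n    return 0;\n}\n' > "$base/v1/src/parse.c"
    printf 'int util(void) {\n    return 1;\n}\n' > "$base/v1/src/util.c"
    # v2: parse.c gains three lines, util.c is untouched, net.c is brand new.
    printf 'int parse(char *s) {\n    int n = 0;\n    while (*s) { n++; s++; }\n    return n;\n}\n' > "$base/v2/src/parse.c"
    printf 'int util(void) {\n    return 1;\n}\n' > "$base/v2/src/util.c"
    printf 'int recv_msg(void) {\n    int err = 0;\n    return err;\n}\n' > "$base/v2/src/net.c"
    echo "$base"
}
```

Running `rank_new_code` on the sample trees lists `src/net.c` (4 added lines) before `src/parse.c` (3), and omits the unchanged `src/util.c`.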
The possibility for third parties to make changes to an Open Source program (fact 2) is very useful for security. It empowers users to fix problems with the software themselves when, for some reason, the original authors won't do it. It also becomes possible for service providers or resellers to independently fix bugs for their clients if for some reason the vendor will not.
If users lose trust in the way an Open Source project is maintained, they can also take matters into their own hands: it is possible for them to start their own version of the software. This sort of practice occurs sometimes. Usually, though, it happens because certain groups of people have different intentions for the project. A good example is DragonFly BSD, which derived from the FreeBSD 4.x branch. So when an Open Source program is no longer maintained, it is possible for its users to take over and continue.
The last fact we need to look at is that Open Source programs are often free of charge. Many Open Source projects are maintained by non-profit organizations, individuals or groups of people. It must be stressed, though, that this is not always the case. Commercial companies fund Open Source projects too. For example, MySQL, the SQL database server, is a project of MySQL AB. MySQL AB sells commercial versions of the MySQL database, such as the MySQL High Availability server. Another example is OpenOffice.Org, which is derived from Sun's StarOffice. StarOffice benefits from OpenOffice.Org and the voluntary contributions to it, and the community benefits from the freedoms given through OpenOffice.Org. Sun has also made its Solaris operating system Open Source.
When programs are not paid for, you cannot expect first-class support. But in the case of Open Source software you can also argue that you do not depend on the willingness of the vendor to provide this support. If support is necessary, users should get a support contract from a different company, perhaps a reseller. In the Netherlands, for example, we have at least approximately 50 companies who sell and support Linux.
Finally, when there is less pressure to deliver software versions within a deadline or monetary budget, more effort can be put into quality code. Whether this really happens in practice is of course questionable. One could also say that as the programmers get no money for their work there is no reason to hold to a high quality standard. On the other hand, you can ask why anyone would write programs for free if not to write great things. Would voluntary programmers really not care about the quality of their program? In fact, most such programmers work on programs they use themselves and are very enthusiastic about. That is often their main motivation.
6. Related issues
There is evidence that commercial interests sometimes conflict with the interests of security researchers. First of all, any bug found is usually bad P.R. for a company. For example, Cisco routers were for years regarded as not vulnerable to buffer overflow attacks. Then, last year, a researcher named Michael Lynn attempted to make his research on Cisco exploitation public during the major security conference Black Hat in Las Vegas. He was threatened with legal action if he gave the presentation on Cisco vulnerabilities. A team from Cisco also removed the pages concerning Michael Lynn's work from the Black Hat conference materials. Michael Lynn proceeded with his presentation on the Cisco issues. Currently he is employed by Cisco's main competitor, Juniper Networks.
In this case commercial interests have clearly caused security research to be suppressed. Increasingly, vulnerability researchers are being threatened with legal action. Laws like the Digital Millennium Copyright Act (DMCA) make it illegal to circumvent Digital Rights Management (DRM) and basically make it illegal to figure out how things work. As such, a programmer named Dmitry Sklyarov was sued for figuring out how to break CSS, the copy protection of DVDs. In France there are also similar laws that make it illegal to reverse engineer the workings of programs.
Because of all this, it becomes dangerous to perform security research on Closed Source programs. Security research, especially on Closed Source software, requires an understanding of the program. The laws mentioned make it very hard to obtain one.
7. Conclusions
First of all, let me start with a fact: popular software matures faster than unpopular software. The reason is that when software is popular with users, it is also popular with independent researchers. Therefore bugs will be discovered at a much faster pace in popular software. Over time the quality of the code will simply increase, especially when the feature set starts stabilizing. There are fewer bugs to be found in mature software.
Now the conclusion I want to draw is that Open Source software matures faster than Closed Source software. Open Source software can be examined more easily, causing bugs to be found at a higher rate compared to Closed Source software. With Closed Source software bugs are more hidden and take longer to be found. As long as Open Source software is immature, bugs will be found at a higher rate than if it were Closed Source. As the software matures, the bug density will become so low that the bug discovery frequency becomes lower than if it were Closed Source software.
A dilemma, however, is the following: what is more secure, a popular Closed Source program or a less popular Open Source program? Of course this entirely depends on how popular each program is. And also, of course, are both projects really comparable? Take for example Mozilla Firefox versus Microsoft Internet Explorer. Mozilla Firefox has an estimated market share of 10%, Microsoft Internet Explorer about 80%. Although Internet Explorer is used much more than Firefox, both are certainly as well known in the security community. It is hard to say how popular both programs are among researchers.