Re: [Full-Disclosure] why commcerical software *could* be better [WAS: Re: [Full-Disclosure] Microsoft prepares security assault on Linux]

From: Steven M. Christey (coley_at_mitre.org)
Date: 11/14/03

    To: full-disclosure@lists.netsys.com
    Date: Thu, 13 Nov 2003 20:16:38 -0500 (EST)
    
    

    > 3. No source (!!) available for people to examine, thus making it, to a
    > level, harder to locate security "holes" - for outsides in any case.

    Possibly harder, but the vulnerabilities would still be latent in the
    software.

    Last year, I did a presentation on open vs. closed source security at
    the Open Source Security Summit. In it, I reported on the 10 most
    commonly reported vulnerability types. When comparing open source
    versus closed source advisories, I found these semi-surprising
    results:

      - format string bugs and symlink errors were reported more often in
        open source

      - "malformed input" denial-of-service problems were reported more
        often in closed source

    My theory is that format string bugs and symlinks were found more
    often in open source because grep-strength auditing tools can be
    effective in finding the usual suspect functions (yes, I know that
    grep-strength has its problems with false positives). Does that mean
    these bugs appear less frequently in closed source? Who knows? But
    I'd think they'd be about the same. But think of format string bugs,
    which often appear when the application reports errors. If you were
    to perform a dynamic audit of an application, you'd have to reproduce
    the environment that triggers the error, and "top-down" enumerate all
    possible error conditions and then test them. A lot more difficult
    than grepping through source code.

    Same goes for symlink issues.

    On the other hand, look at "malformed input" DoS. With closed source,
    there's probably a lot more dynamic analysis going on. Dynamic
    analysis frequently involves manipulating inputs using fuzzers, etc.
    It's probably a lot easier to find bugs this way instead of using
    grep-style analysis (what do you even grep for?). One way of testing
    this notion is to look at PROTOS-style vulnerability testing suites
    against both closed and open source products and see if there are any
    major distinctions.

    So, it may well be that open source software could benefit from more
    black box testing, and closed source software could benefit from more
    audits by third parties who have access to the source code.

    It's a theory anyway.

    - Steve

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
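As an added illustration of the "grep-strength auditing" Steve describes (this is example code, not anything from his post or from a real audit tool), the scanner below runs over a constructed C snippet and shows the difference between a naive grep for printf-family calls and a slightly smarter check that only flags calls whose format argument is not a string literal. The function names and argument positions are the standard libc ones; the sample source is made up for this example.

```python
import re

# Constructed C source for this example: two real format-string bugs
# (user data passed as the format), two safe literal-format calls, and
# one call that needs a human to look at where `fmt` comes from.
SAMPLE_C = r'''
void log_error(const char *msg, const char *fmt, int x, char *buf) {
    syslog(LOG_ERR, msg);              /* bug: caller-controlled format */
    fprintf(stderr, msg);              /* bug: same pattern */
    fprintf(stderr, "%s\n", msg);      /* safe: literal format string */
    printf("done\n");                  /* safe */
    snprintf(buf, 64, fmt, x);         /* suspect: trace where fmt comes from */
}
'''

# Function name -> index of its format argument (0-based).
FORMAT_FUNCS = {"printf": 0, "fprintf": 1, "sprintf": 1,
                "snprintf": 2, "syslog": 1, "dprintf": 1}
CALL_RE = re.compile(r"\b(" + "|".join(FORMAT_FUNCS) + r")\s*\(")

def grep_hits(source):
    """What plain grep would report: every line that calls a printf-family
    function, literal format or not. Returns the 1-based line numbers."""
    return [n for n, line in enumerate(source.splitlines(), 1)
            if CALL_RE.search(line)]

def call_args(text):
    """Split a call's argument list at top-level commas, stopping at the
    matching ')'. Tracks nested parentheses and double-quoted strings."""
    args, cur, depth, in_str = [], [], 0, False
    for ch in text:
        if in_str:
            cur.append(ch)
            in_str = not (ch == '"' and cur[-2] != "\\")
        elif ch == '"':
            in_str = True
            cur.append(ch)
        elif ch == ")" and depth == 0:
            break
        elif ch == "," and depth == 0:
            args.append("".join(cur))
            cur = []
        else:
            depth += (ch == "(") - (ch == ")")
            cur.append(ch)
    args.append("".join(cur))
    return args

def audit(source):
    """Flag only calls whose format argument is not a string literal.
    Returns (line, function, format_expression) tuples for review."""
    findings = []
    for n, line in enumerate(source.splitlines(), 1):
        for m in CALL_RE.finditer(line):
            name = m.group(1)
            args = call_args(line[m.end():])
            idx = FORMAT_FUNCS[name]
            if idx < len(args) and not args[idx].strip().startswith('"'):
                findings.append((n, name, args[idx].strip()))
    return findings
```

Running `audit(SAMPLE_C)` yields three findings against five raw grep hits; the literal-format calls that a bare grep would report are exactly the false positives mentioned in the post.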
