Re: [Full-Disclosure] why commcerical software *could* be better [WAS: Re: [Full-Disclosure] Microsoft prepares security assault on Linux]
From: Steven M. Christey (coley_at_mitre.org)
To: firstname.lastname@example.org Date: Thu, 13 Nov 2003 20:16:38 -0500 (EST)
> 3. No source (!!) available for people to examine, thus making it, to a
> level, harder to locate security "holes" - for outsides in any case.
Possibly harder, but the vulnerabilities would still be latent in the
Last year, I did a presentation on open vs. closed source security at
the Open Source Security Summit. In it, I reported on the 10 most
commonly reported vulnerability types. When comparing open source
versus closed source advisories, I found these semi-surprising
- format string bugs and symlink errors were reported more often in
- "malformed input" denial-of-service problems were reported more
often in closed source
My theory is that since format string bugs and symlinks were found
more often in open source because grep-strength auditing tools can be
effective in finding the usual suspect functions (yes, I know that
grep-strength has its problems with false positives). Does that mean
these bugs appear less frequently in closed source? Who knows? but
I'd think they'd be about the same. But think of format string bugs,
which often appear when the application reports errors. If you were
to perform a dynamic audit of an application, you'd have to reproduce
the environment that triggers the error, and "top-down" enumerate all
possible error conditions and then test them. A lot more difficult
than grepping through source code.
Same goes for symlink issues.
On the other hand, look at "malformed input" DoS. With closed source,
there's probably a lot more dynamic analysis going on. Dynamic
analysis frequently involves manipulating inputs using fuzzers, etc.
It's probably a lot easier to find bugs this way instead of using
grep-style analysis (what do you even grep for?). One way of testing
this notion is to look at PROTOS-style vulnerability testing suites
against both closed and open source products and see if there are any
So, it may well be that open source software could benefit from more
black box testing, and closed source software could benefit from more
audits by third parties who have access to the source code.
It's a theory anyway.
Full-Disclosure - We believe in it.