Re: [Full-Disclosure] why commcerical software *could* be better [WAS: Re: [Full-Disclosure] Microsoft prepares security assault on Linux]

From: Steven M. Christey (
Date: 11/14/03

    Date: Thu, 13 Nov 2003 20:16:38 -0500 (EST)

    > 3. No source (!!) available for people to examine, thus making it, to a
    > level, harder to locate security "holes" - for outsiders in any case.

    Possibly harder, but the vulnerabilities would still be latent in the

    Last year, I did a presentation on open vs. closed source security at
    the Open Source Security Summit. In it, I reported on the 10 most
    commonly reported vulnerability types. When comparing open source
    versus closed source advisories, I found these semi-surprising

      - format string bugs and symlink errors were reported more often in
        open source

      - "malformed input" denial-of-service problems were reported more
        often in closed source

    My theory is that format string bugs and symlinks were found more
    often in open source because grep-strength auditing tools can be
    effective in finding the usual suspect functions (yes, I know that
    grep-strength has its problems with false positives). Does that mean
    these bugs appear less frequently in closed source? Who knows? But
    I'd think they'd be about the same. But think of format string bugs,
    which often appear when the application reports errors. If you were
    to perform a dynamic audit of an application, you'd have to reproduce
    the environment that triggers the error, and "top-down" enumerate all
    possible error conditions and then test them. A lot more difficult
    than grepping through source code.

    Same goes for symlink issues.

    On the other hand, look at "malformed input" DoS. With closed source,
    there's probably a lot more dynamic analysis going on. Dynamic
    analysis frequently involves manipulating inputs using fuzzers, etc.
    It's probably a lot easier to find bugs this way instead of using
    grep-style analysis (what do you even grep for?). One way of testing
    this notion is to look at PROTOS-style vulnerability testing suites
    against both closed and open source products and see if there are any
    major distinctions.

    So, it may well be that open source software could benefit from more
    black box testing, and closed source software could benefit from more
    audits by third parties who have access to the source code.

    It's a theory anyway.

    - Steve

    Full-Disclosure - We believe in it.
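The "grep-strength auditing" Steve describes above, as an added example that is not part of the original post or of any tool he mentions. It scans C source for printf-family calls whose format argument is not a plain string literal, which is the pattern behind most format string bugs. The function table, the regex, and the sample C source are all constructed for this illustration; the last flagged call shows the false-positive problem he mentions, since a format built from a macro is flagged even though it may be perfectly safe.

```python
import re

# Constructed sample C source for the scanner to run over (not from the original post).
SAMPLE_C = r'''#include <stdio.h>
#include <syslog.h>

void report(const char *msg, int n) {
    char buf[64];
    printf(msg);                          /* user-controlled format */
    fprintf(stderr, msg);                 /* same problem */
    syslog(LOG_ERR, msg);                 /* syslog takes a format too */
    printf("%s", msg);                    /* literal format: fine */
    snprintf(buf, sizeof buf, "%s: %d", msg, n);
    fprintf(stderr, "%s\n", strerror(n)); /* nested call, literal format */
    printf(PREFIX "%s", msg);             /* macro-built format: flagged for review */
}
'''

# printf-family functions and the 0-based index of their format argument.
# This table is an assumption for the example; extend it for your code base.
FORMAT_FUNCS = {
    "printf": 0, "vprintf": 0, "warn": 0,
    "fprintf": 1, "sprintf": 1, "vfprintf": 1, "syslog": 1, "err": 1,
    "snprintf": 2, "vsnprintf": 2,
}

CALL_RE = re.compile(r"\b(" + "|".join(FORMAT_FUNCS) + r")\s*\(")
# A format argument is "safe" for this heuristic only if it is one string literal.
LITERAL_RE = re.compile(r'^"(?:\\.|[^"\\])*"$')


def split_args(src, start):
    """Split the argument list whose '(' is at src[start] at top-level commas,
    honouring nested parentheses and double-quoted string literals (character
    literals such as '(' are not handled). Returns (args, index_after_paren)."""
    depth, in_str, args, cur = 0, False, [], []
    i = start
    while i < len(src):
        c = src[i]
        if in_str:
            cur.append(c)
            if c == "\\":          # keep escaped char, e.g. \" or \n
                i += 1
                cur.append(src[i])
            elif c == '"':
                in_str = False
        elif c == '"':
            in_str = True
            cur.append(c)
        elif c == "(":
            depth += 1
            if depth > 1:          # the opening paren of the call itself is dropped
                cur.append(c)
        elif c == ")":
            depth -= 1
            if depth == 0:
                args.append("".join(cur).strip())
                return args, i + 1
            cur.append(c)
        elif c == "," and depth == 1:
            args.append("".join(cur).strip())
            cur = []
        else:
            cur.append(c)
        i += 1
    raise ValueError("unterminated call")


def find_non_literal_formats(src):
    """Return (line, function, format_expr) for every printf-family call whose
    format argument is not a single string literal. Grep-strength: it reports
    candidates for review, not confirmed bugs."""
    findings = []
    for m in CALL_RE.finditer(src):
        func = m.group(1)
        args, _ = split_args(src, m.end() - 1)
        idx = FORMAT_FUNCS[func]
        if idx >= len(args):
            continue
        fmt = args[idx]
        if LITERAL_RE.match(fmt):
            continue
        line = src.count("\n", 0, m.start()) + 1
        findings.append((line, func, fmt))
    return findings


if __name__ == "__main__":
    for line, func, fmt in find_non_literal_formats(SAMPLE_C):
        print(f"line {line}: {func}() with non-literal format: {fmt}")
```

Run against the sample it reports the three calls that pass `msg` straight through as the format, plus the `PREFIX "%s"` call that a human must then clear by hand; that last case is exactly the false-positive cost of grep-strength auditing, and the reason the same approach says nothing useful about "malformed input" DoS, where there is no suspect function to grep for.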
