Thread: Open Source and Security

  1. #1
    l'Anziano DavidP
    Join Date
    Aug 2001
    Location
    Plano, Texas, United States
    Posts
    2,743

    Open Source and Security

    I, like many of you, use many open source tools on my computer every single day. In fact, I am using one right now as I type this post: Firefox. I was thinking this morning about the open source movement and the security issues that come with it.

    Although there is some amazing open source software out there, is it not true that if the source code is available to a product, then it would make it easier for a hacker to exploit any security vulnerabilities? In other words: If I am a hacker, and I have the source code of a product available to me, it would make it easier to find the holes, slip ups, and mistakes of the programmers in order to exploit them for my own purposes....correct?

    Given that, how is that the open source community has continued to thrive so much? Is it that hackers see more opportunity in commercial software (i.e. a "stick-it-to-the-man" attitude)? Is it the fact that the average user uses very little open source software compared to someone like a computer programmer? I just wanted to bring out some discussion on this.
    My Website

    "Circular logic is good because it is."

  2. #2
    Kernel hacker
    Join Date
    Jul 2007
    Location
    Farncombe, Surrey, England
    Posts
    15,677
    It works both ways: In my view, the more eyes that see the source, the more likely it is that someone will spot bits of broken code and propose a fix.

    If you don't have source code available, it's much harder for us mere mortals to understand if the code is safe - not that it's trivial to see if Firefox is safe or not either - I admit that immediately.

    And it all comes down to how well you trust the commercial company with the closed source.

    --
    Mats
    Compilers can produce warnings - make the compiler programmers happy: Use them!
    Please don't PM me for help - and no, I don't do help over instant messengers.

  3. #3
    (?<!re)tired Mario F.
    Join Date
    May 2006
    Location
    Ireland
    Posts
    8,446
    I'm surprised you ask David.
    In my view it's exactly peer review that makes the Open Source software so - generally, of course - darn secure. The ability to detect bugs and exploits is increased considerably when the community has access to the code. To this we add the fact the same community can write, suggest and publish the corrected code.

    On your second point, I'm not confident in the idea hackers may find commercial software more appetizing only for the sake of some stick-it-to-the-man attitude. Certainly there may be something to it; given my current bias, were I a hacker, I'd be all against the big corporation. But I'd put my money on the fact a) having access to the code offers no challenge and b) in the case of Open Source, the race works the other way around and generally hackers come second, exactly because of the first paragraph.
    Originally Posted by brewbuck:
    Reimplementing a large system in another language to get a 25% performance boost is nonsense. It would be cheaper to just get a computer which is 25% faster.

  4. #4
    Ethernal Noob
    Join Date
    Nov 2001
    Posts
    1,901
    Notice how every update of Firefox fixes a "critical security" issue. I don't know if that's related to it, but you take risks.

  5. #5
    Kernel hacker
    Join Date
    Jul 2007
    Location
    Farncombe, Surrey, England
    Posts
    15,677
    Quote Originally Posted by indigo0086
    Notice how every update of Firefox fixes a "critical security" issue. I don't know if that's related to it, but you take risks.
    And how many (service packs and hotfixes) have MS submitted in respect of Internet Explorer? Given that there's no one that checks MS code (other than MS themselves, at least), it's likely that almost all of those holes were found by either crackers or by people working for "security companies".

    --
    Mats
    Compilers can produce warnings - make the compiler programmers happy: Use them!
    Please don't PM me for help - and no, I don't do help over instant messengers.

  6. #6
    &TH of undefined behavior Fordy
    Join Date
    Aug 2001
    Posts
    5,793
    If you are worried about this read Secrets & Lies by Bruce Schneier.

    If you want to obscure information from public view, you keep the key secret, not the algorithm. The algorithm should be public to get as many people trying to find holes and weaknesses as possible. That's why algorithms like AES were chosen in public with lots of fanfare - if the algorithm is closed source, the only person to find weaknesses is the person writing it. Chances are that if you create your own algorithm it will be easy to break when the code is decompiled.

    Mind you...excellent algorithms can still be used in a sloppy manner in code, and weaknesses are generated that aren't the fault of the algorithm - in that case having the code open source is an advantage.
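
    The two points Fordy makes above (keep the key secret, not the algorithm; and a good algorithm can still be used sloppily) in working code. This is an added example, not code from the thread, from Schneier's book or from any project discussed here; it uses only Python's standard library (hashlib, hmac, secrets), and the hidden constant, the message and the weak key are constructed sample values.

```python
"""Kerckhoffs' principle with the standard library only.

Design 1 keeps the *algorithm* secret: the only "secret" is a constant
compiled into the code, so whoever reads or disassembles the code can do
everything the legitimate party can.
Design 2 keeps only the *key* secret: HMAC-SHA256 (RFC 2104) is public, the
key is generated outside the code, and reading the source gives nothing
away. Its one failure mode shown here is sloppy use: a key drawn from a
tiny space, which falls to exhaustive search however good the algorithm is.
"""
import hashlib
import hmac
import secrets
from typing import Optional

# ---------------------------------------------------------------- design 1
# Constructed "hidden" constant: it ships inside the binary, so it is not a key.
_HIDDEN_CONSTANT = b"constructed-hidden-constant"


def homegrown_tag(message: bytes) -> bytes:
    """Unkeyed 'secret algorithm' MAC: SHA-256 over the constant and the message."""
    return hashlib.sha256(_HIDDEN_CONSTANT + message).digest()


def forge_with_source(message: bytes) -> bytes:
    """What anyone who has read the code can compute: a valid tag for any message.
    The body is identical to homegrown_tag on purpose; that is the whole problem."""
    return hashlib.sha256(_HIDDEN_CONSTANT + message).digest()


# ---------------------------------------------------------------- design 2
def generate_key(nbytes: int = 32) -> bytes:
    """A fresh random key made outside the code; 32 bytes is the usual size for HMAC-SHA256."""
    return secrets.token_bytes(nbytes)


def keyed_tag(key: bytes, message: bytes) -> bytes:
    """Public algorithm, secret key."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify(key: bytes, message: bytes, tag: bytes) -> bool:
    """Constant-time comparison. Writing `keyed_tag(...) == tag` instead is one of
    the 'sloppy use of a good algorithm' mistakes: it leaks timing, a weakness the
    algorithm itself never had."""
    return hmac.compare_digest(keyed_tag(key, message), tag)


def brute_force_key(message: bytes, tag: bytes, key_bits: int) -> Optional[bytes]:
    """Attacker model for design 2: knows the algorithm and one (message, tag) pair,
    does not know the key, tries every key of `key_bits` bits. Only a tiny key space
    lets this finish; the public algorithm is not what fails."""
    if key_bits > 24:
        return None  # 2**24 HMACs is already too slow for a demo; 2**256 is out of reach
    nbytes = (key_bits + 7) // 8
    for candidate in range(1 << key_bits):
        key = candidate.to_bytes(nbytes, "big")
        if hmac.compare_digest(keyed_tag(key, message), tag):
            return key
    return None


def demo() -> dict:
    """Run both designs on a constructed message and report what each attacker gets."""
    msg = b"transfer 100 to account 42"  # constructed message
    results = {}
    # Design 1: with the source in hand, forging is just running the same function.
    results["homegrown_forged"] = forge_with_source(msg) == homegrown_tag(msg)
    # Design 2, sloppy: a 16-bit key falls to at most 65 536 HMAC evaluations.
    weak_key = (0xBEEF).to_bytes(2, "big")  # constructed weak key
    results["weak_key_recovered"] = (
        brute_force_key(msg, keyed_tag(weak_key, msg), 16) == weak_key
    )
    # Design 2, done right: 256-bit key; knowing the algorithm does not help.
    strong_key = generate_key()
    tag = keyed_tag(strong_key, msg)
    results["strong_verifies"] = verify(strong_key, msg, tag)
    results["tampered_rejected"] = not verify(strong_key, msg + b"0", tag)
    results["strong_key_out_of_reach"] = brute_force_key(msg, tag, 256) is None
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

    Every entry of demo() comes out True: the home-grown scheme is forged by anyone holding the code, the 16-bit key is recovered in under a second, and the 256-bit key verifies, rejects a tampered message and is untouched by the same attacker with the same knowledge of the algorithm.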

  7. #7
    Ethernal Noob
    Join Date
    Nov 2001
    Posts
    1,901
    I was hearing my teacher talk about how, to keep programs secure, you expose the security to a certain degree to make it truly secure.

  8. #8
    & the hat of GPL slaying Thantos
    Join Date
    Sep 2001
    Posts
    5,681
    In my post(s) open source shall refer to programs in which the source can be seen and free shall refer to monetary cost, without regard to political ideology.
    Quote Originally Posted by DavidP
    Is it that hackers see more opportunity in commercial software (i.e. a "stick-it-to-the-man" attitude)?
    Having worked on open source software I can say that os software is no less of a target for malicious people.

    Is it the fact that the average user uses very little open source software compared to someone like a computer programmer?
    I think the use of free software is about equal on a personal (vs at work) level between programmers and others.


    Using closed source as a security measure isn't really security if that is all you have. A lot of attacks can be done without ever looking at the source.

  9. #9
    Kernel hacker
    Join Date
    Jul 2007
    Location
    Farncombe, Surrey, England
    Posts
    15,677
    Quote Originally Posted by Thantos
    Using closed source as a security measure isn't really security if that is all you have. A lot of attacks can be done without ever looking at the source.
    Not to mention that it doesn't take a lot of skill to understand some assembler code and from that derive a rough sketch of what the code looks like in the original source. If we combine that with some understanding of where the security hole may be located, it is likely that we can find the hole without an enormous amount of effort. Of course, traipsing through tons of disassembly is slightly more complex than doing the same with tons of source code, but it is not sufficient to make one secure and the other insecure in and of itself.

    --
    Mats
    Compilers can produce warnings - make the compiler programmers happy: Use them!
    Please don't PM me for help - and no, I don't do help over instant messengers.

  10. #10
    & the hat of GPL slaying Thantos
    Join Date
    Sep 2001
    Posts
    5,681
    Quote Originally Posted by matsp
    Not to mention that it doesn't take a lot of skill to understand some assembler code and from that derive a rough sketch of what the code looks like in the original source. If we combine that with some understanding of where the security hole may be located, it is likely that we can find the hole without an enormous amount of effort. Of course, traipsing through tons of disassembly is slightly more complex than doing the same with tons of source code, but it is not sufficient to make one secure and the other insecure in and of itself.

    --
    Mats
    Well, not all software can be broken down that way. For example, any type of interpreted code, or code run on a server that you can't get to (at least not without breaking the software in question).

    But yeah, a lot of the initial attempt is just trying known exploits to see what happens which can lead someone who knows what they are doing to break the software without ever looking at the code or assembly.

  11. #11
    Kernel hacker
    Join Date
    Jul 2007
    Location
    Farncombe, Surrey, England
    Posts
    15,677
    Quote Originally Posted by Thantos
    Well, not all software can be broken down that way. For example, any type of interpreted code, or code run on a server that you can't get to (at least not without breaking the software in question).

    But yeah, a lot of the initial attempt is just trying known exploits to see what happens which can lead someone who knows what they are doing to break the software without ever looking at the code or assembly.
    I was more referring to code that is published as binary only vs. published as (or with) source - someone determined enough will break either. But of course, if the system is running on a server where you do not have access to the code in either binary or source form, it doesn't PREVENT someone from trying to break it - it just makes it a bit harder.

    Apparently, Alan Cox is using "security by obscurity" by running a firewall on a simulated Z/390 running Linux, based on the assumption that if there's a security hole in the firewall+OS, it's unlikely to be found/exploited first on Z/390....

    --
    Mats
    Compilers can produce warnings - make the compiler programmers happy: Use them!
    Please don't PM me for help - and no, I don't do help over instant messengers.

  12. #12
    (?<!re)tired Mario F.
    Join Date
    May 2006
    Location
    Ireland
    Posts
    8,446
    Quote Originally Posted by Thantos
    Having worked on open source software I can say that os software is no less of a target for malicious people.
    I cannot agree with this bit, Thantos. Well, I don't agree if you mean they can be equally successful in finding and using an exploit.

    The problem with commercial software is that it reaches the public attention solely based on marketing forces. Open Source (with a few notable exceptions) instead reaches the mainstream through plain usage. Because of this, commercial software is usually subject to far fewer development cycles than open source, which limits its code quality (arguable, I know. But here I mean only from a security perspective).

    Taking a stroll through any security reporting (to name them nicely) website reveals not only more interest in commercial software, but also a higher density of reported security holes in commercial software. It seems it just loses on all fronts. This I attribute mostly to the fact any software worth being investigated for security holes by a cracker, security expert or power user must have reached some public attention already. In the case of open source this means a lot more code and a lot more brain matter contributed to the current software status. Whereas closed source software mostly reached the attention of these folks through marketing strategies and enjoyed much less time on the drawing board and with a much smaller development team.

    There's also, in my opinion, another factor I'm going to name the Quality Assurance Testing factor (or QAT because I'm feeling godly). And this is basically to do with the fact pay-to-use software follows the same rules as traditional commercial products where we constantly strive to test, compare, and judge what we are being sold. Open Source software, while not being entirely different in such a competitive market as that of software development, is yet less prone to this QAT. I think because it sells well a general feeling of security by virtue of its open source nature and open and (usually) wide community support.
    Originally Posted by brewbuck:
    Reimplementing a large system in another language to get a 25% performance boost is nonsense. It would be cheaper to just get a computer which is 25% faster.

  13. #13
    & the hat of GPL slaying Thantos
    Join Date
    Sep 2001
    Posts
    5,681
    First, commercial software is not the opposite of os software. There is plenty of commercial os software (hint: you are using one right now).

    As a whole I don't think os developers are any better than closed source developers. In fact, on an os project I worked with some developers that wouldn't be able to get an intro programming job at any software firm. They weren't bad programmers, but just not educated or experienced.

    Also, if you think that os developers don't suffer from market pressure, time constraints, etc. then you are sorely mistaken. In any market environment you have those issues.

    Depending on the exact nature of the project, os projects also suffer a reduction in user review/comments as more people start using it who are less knowledgeable. It is also misleading to think that the amount of people using the software is a reflection on the amount of people reviewing the code. For example: How many people are using Firefox and have never looked at the code?

  14. #14
    Banal internet user
    Join Date
    Aug 2002
    Posts
    1,380
    I don't think hackers target software glitches as much as user/administrator ignorance.

  15. #15
    (?<!re)tired Mario F.
    Join Date
    May 2006
    Location
    Ireland
    Posts
    8,446
    Quote Originally Posted by Thantos
    First, commercial software is not the opposite of os software.
    No. They are not opposites. Both development processes are however different as is the distribution and support models.

    I again feel forced to disagree with you: the amount of people using the software does indeed reflect on the amount of people supporting the software in an Open Source model. Not by some direct relation, but simply because that is the nature of Open Source software. I'm sure you can find me some exceptions (I can for you; gcc). However, because of the freely distributed code of this type of software, it is perfectly safe to assume that the more popular a software is, the more people maintaining it there will be. Some on a permanent basis, most just dropping by for a fix or two. Certainly.

    Finally, I don't think either that OS developers are, or need to be, especially bright. However I spoke of collective minds working for a single goal that open source has in the very least the potential to collect in higher numbers (some of them doing off-time work from their commercial applications, btw).

    My mantra is not diminishing commercial software in any way other than what is absolutely necessary. And "what is absolutely necessary" actually has nothing to do with the topic at hand. I however don't see that open source software is as liable to damage as commercial software. Everywhere you turn, with duly noted exceptions, it's the other way around.
    Originally Posted by brewbuck:
    Reimplementing a large system in another language to get a 25% performance boost is nonsense. It would be cheaper to just get a computer which is 25% faster.
