Open-source software security

Open-source software security is the measure of assurance or guarantee in the freedom from danger and risk inherent to an open-source software system.

Open Source software versus Open Algorithms

A software project is in general an implementation of an algorithm. Although implementations can only be tested, and testing can only prove the presence of errors (and not their absence), algorithms can be proven correct.

In secret key cryptography, one of the premisses is that the algorithm must be known and only a small piece of information must be kept secret: The secret key. That is, for a cypher to be considered secure, the algorithm must be proven to be correct and the proof must be available for whoever party that wants to use the cypher.

Therefore, in computer security, there is a consensus that algorithms must be open, however there is an ensuing debate whether implementations should be open-source (public) or proprietary software (secret).

The implementation debate

The effort of auditing an implementation is greatly reduced by focusing in verifying that it corresponds to a (provenly) correct algorithm. Given that the auditor has access to the source code, this can be done regardless if the software is open-source or proprietary.

It is vital to understand that the audit of software depends on the access to the source code. Because of that, a new audit of a proprietary software depends on the willingness of the owner of the software, while the audit of open-source software can be done at any time by any willing independent party.

This concern has become more and more severe as backdoors in well established software have been disclosed. If face of this, the ongoing debate on whether open-source software increases software security or is detrimental to its security has become pointless. Even though some of the arguments on either side are subjective and no relationship between number of vulnerabilities in an application and its open-source/proprietary status has been observed, both of them may contain backdoors. However, only open-source software can be freely audited and therefore, proprietary software must be considered inherently insecure.

Benefits of open-source security

More people can inspect the source code to find and fix a possible vulnerability. This can lead to both faster discovery of unintentional security vulnerabilites and prevention of intentional vulnerabilites (backdoors) in the code put there by the developers themselves.
Proprietary software forces the user to accept the level of security that the software vendor is willing to deliver and to accept the rate that patches and updates are released.^[1]
The end-user of open-source code has the ability to change and modify source to implement any extra "features" of security they may wish for a specific use, which can extend to the kernel level if they so wish.
It is assumed that any compiler that is used creates code that can be trusted, but it has been demonstrated by Ken Thompson that a compiler can be subverted using an eponymous Thompson hack to create faulty executables that are unwittingly produced by a well-intentioned developer.^[2] With access to the source code for the compiler, the developer has at least the ability to discover if there is any mal-intention.
- David A. Wheeler demonstrates that the existence of two different open-source self-compiling compilers (which should be able to compile each other) can be used to establish a binary for one of them that is known not to be subverted by the Thompson hack.^[3]
Kerckhoffs' principle is based on the idea that an enemy can steal a secure military system and not be able to compromise the information. His ideas were the basis for many modern security practices, and followed that security through obscurity is a bad practice.^[4]

Drawbacks of open-source security

All people have access to the source code, including potential attackers.^[2] Any unpatched vulnerability can be used by attackers.
Simply making source code available does not guarantee review. A good example of this occurring is when Marcus Ranum, an expert on security system design and implementation, released his first public firewall toolkit. At one point in time, there were over 2,000 sites using his toolkit, but only 10 people gave him any feedback or patches.^[5]
Having a large amount of eyes reviewing code can "lull a user into a false sense of security".^[6] Having many users look at source code does not guarantee that security flaws will be found and fixed.

Metrics and models

There are a variety of models and metrics to measure the security of a system. These are a few methods that can be used to measure the security of software systems.

Number of days between vulnerabilities

It is argued that a system is most vulnerable after a potential vulnerability is discovered, but before a patch is created. By measuring the number of days between the vulnerability and when the vulnerability is fixed, a basis can be determined on the security of the system. There are a few caveats to such an approach: not every vulnerability is equally bad, and fixing a lot of bugs quickly might not be better than only finding a few and taking a little bit longer to fix them, taking into account the operating system, or the effectiveness of the fix.^[2]

Poisson process

The Poisson process can be used to measure the rates at which different people find security flaws between open and closed source software. The process can be broken down by the number of volunteers N_v and paid reviewers N_p. The rates at which volunteers find a flaw is measured by λ_v and the rate that paid reviewers find a flaw is measured by λ_p. The expected time that a volunteer group is expected to find a flaw is 1/(N_v λ_v) and the expected time that a paid group is expected to find a flaw is 1/(N_p λ_p).^[2]

Morningstar model

By comparing a large variety of open source and closed source projects a star system could be used to analyze the security of the project similar to how Morningstar, Inc. rates mutual funds. With a large enough data set, statistics could be used to measure the overall effectiveness of one group over the other. An example of such as system is as follows:^[7]

1 Star: Many security vulnerabilities.
2 Stars: Reliability issues.
3 Stars: Follows best security practices.
4 Stars: Documented secure development process.
5 Stars: Passed independent security review.

Coverity scan

Coverity in collaboration with Stanford University has established a new baseline for open-source quality and security. The development is being completed through a contract with the Department of Homeland Security. They are utilizing innovations in automated defect detection to identify critical types of bugs found in software.^[8] The level of quality and security is measured in rungs. Rungs do not have a definitive meaning, and can change as Coverity releases new tools. Rungs are based on the progress of fixing issues found by the Coverity Analysis results and the degree of collaboration with Coverity.^[9] They start with Rung 0 and currently go up to Rung 2.

Rung 0

The project has been analyzed by Coverity’s Scan infrastructure, but no representatives from the open-source software have come forward for the results.^[9]

Rung 1

At rung 1, there is collaboration between Coverity and the development team. The software is analyzed with a subset of the scanning features to prevent the development team from being overwhelmed.^[9]

Rung 2

There are 11 projects that have been analyzed and upgraded to the status of Rung 2 by reaching zero defects in the first year of the scan. These projects include: AMANDA, ntp, OpenPAM, OpenVPN, Overdose, Perl, PHP, Postfix, Python, Samba, and tcl.^[9]

References

↑ Cowan, C. (January 2003). IEEE Security & Privacy. IEEE Security & Privacy, 38–45. Retrieved 5 May 2008, from IEEE Computer Society Digital Library.
↑ 2.0 2.1 2.2 2.3 Witten, B., Landwehr, C., & Caloyannides, M. (2001, September/October). Does Open Source Improve System Security? IEEE Software , 57–61. Retrieved 5 May 2008, from Computer Database.
↑ Wheeler, David A. Fully Countering Trusting Trust through Diverse Double-Compiling.
↑ Hoepman, J.-H., & Jacobs, B. (2007). Increased Security Through Open Source. Communications of the ACM , 50 (1), 79–83. Retrieved 5 May 2008, from ACM Digital Library.
↑ Lawton, G. (March 2002). Open Source Security: Opportunity or Oxymoron? Computer , 18–21. Retrieved 5 May 2008, from IEEE Computer Society Digital Library.
↑ Hansen, M., Köhntopp, K., & Pfitzmann, A. (2002). The Open Source approach – opportunities and limitations with respect to security and privacy. Computers & Security , 21 (5), 461–471. Retrieved 5 May 2008, from Computer Database.
↑ Peterson, G. (6 May 2008). Stalking the right software security metric. Retrieved 18 May 2008, from Raindrop: http://1raindrop.typepad.com/1_raindrop/security_metrics/index.html
↑ Coverity. (n.d.). Accelerating Open Source Quality. Retrieved 18 May 2008, from Scan.Coverity.com: http://scan.coverity.com/index.html
↑ 9.0 9.1 9.2 9.3 Coverity. (n.d.). Scan Ladder FAQ. Retrieved 18 May 2008, from Scan.Coverity.com: http://scan.coverity.com/ladder.html

External links

Bruce Schneier: Open Source and Security Crypto-Gram Newsletter, 15 September 1999

Free and open-source software

General	Alternative terms for free software Comparison of open source and closed source Comparison of open-source software hosting facilities Formerly proprietary software Free and open-source Android applications Free and open-source software packages Free software Free software events Free software movement Free software project directories Free software web applications Gratis versus libre Long-term support Open-source software Outline SPDX

Operating system families	AROS BSD Contiki Darwin eCos FreeDOS GNU Haiku Inferno Linux Mach MINIX OpenSolaris Plan 9 ReactOS TUD:OS

Development	Basic For Qt Eclipse Free Pascal FreeBASIC Gambas GCC Java Julia LLVM Lua NetBeans Open64 OpenSSH Perl PHP Python ROSE Ruby Smalltalk Tcl

History	GNU Haiku Linux Mozilla Application Suite Firefox Thunderbird

Organizations	Android Open Source Project Apache Software Foundation Blender Foundation The Document Foundation Eclipse Foundation Free Software Foundation Europe India Latin America FreeBSD Foundation freedesktop.org FSMI GNOME Foundation GNU Project Google Code KDE e.V. Linux Foundation Mozilla Foundation Open Knowledge Foundation Open Source Geospatial Foundation Open Source Initiative OpenBSD Foundation Software Freedom Conservancy SourceForge Symbian Foundation Ubuntu Foundation VideoLAN Organization Wikimedia Foundation X.Org Foundation Xiph.Org Foundation XMPP Standards Foundation

Licenses	Apache APSL Artistic Beerware Boost BSD CC0 CDDL EPL GNU GPL GNU LGPL ISC MIT MPL Ms-PL/RL WTFPL zlib

License types and standards	Comparison of free and open-source software licenses Contributor License Agreement Copyfree Copyleft Debian Free Software Guidelines Definition of Free Cultural Works Free license The Free Software Definition The Open Source Definition Open-source license Permissive free software licence Public domain Viral license

Challenges	Binary blob Digital rights management Free and open-source graphics device driver Comparison of open-source wireless drivers Hardware restrictions License proliferation Mozilla software rebranding Proprietary software SCO–Linux controversies Secure boot Software patents Software security Trusted Computing

Related topics	The Cathedral and the Bazaar Forking Linux distribution Microsoft Open Specification Promise Revolution OS

Book Category Commons Portal