The Mathematics of Obscurity: On the Trustworthiness of Open Source

It is more difficult to find errors when source code is secret. More people search for errors when source code is public. These counteracting effects are pivotal to the question of whether openness fosters security. Errors in software are found by people with either constructive contribution or exploitation in mind. Focusing exclusively on this discovery aspect, we present a probabilistic model that allows us to compare the open source and closed source situations. We start by explaining our assumptions using a simple introductory model. We then extend this to what we believe to be an adequate model of a bug-hunting process conducted by multiple competing parties. The model employs an asymmetric race paradigm. One of the surprising results is that even an arbitrarily large group with good intentions cannot safely dominate the evil attackers; instead, their chance of winning is limited by a significant upper bound.
