Does Open Source Improve System Security?

The current climate of functionality and performance-driven markets has created enormous code bases, which have helped drive growth in the US gross domestic product. However, these code bases have also created an information infrastructure whose vulnerabilities are so striking as to endanger national and economic security. Distributed denial of service attacks have demonstrated that such vulnerabilities can degrade the Internet's aggregate performance, and recurrent virus outbreaks have inflicted substantial repair and recovery costs on businesses worldwide. An attacker could examine public source code to find flaws in a system. So, is source code access a net gain or loss for security? The authors consider this question from several perspectives and tentatively conclude that having source code available should work in favor of system security.
