Free Republic
Study: Open, closed source equally secure
Cnet ^ | June 20, 2002, 6:00 PM PT | Robert Lemos

Posted on 06/20/2002 6:30:20 PM PDT by rit

By Robert Lemos Staff Writer, CNET News.com June 20, 2002, 6:00 PM PT
Proprietary programs should mathematically be as secure as those developed under the open-source model, a Cambridge University researcher argued in a paper presented Thursday at a technical conference in Toulouse, France.

In his paper, computer scientist Ross Anderson used an analysis equating finding software bugs to testing programs for the mean time before failure, a measure of quality frequently used by manufacturers. Under the analysis, Anderson found that his ideal "open-source" programs were as secure as the "closed-source" programs.

"Other things being equal, we expect that open and closed systems will exhibit similar growth in reliability and in security assurance," Anderson wrote in his paper.

The decision to adopt a closed-source policy is typically driven by other motivations, such as foiling competition or protecting the reputation of the developer by limiting information about flaws, he said.

The research is unlikely to quell the long-running debate between proponents of open-source software and corporations that believe closed-source software is better. While providing ammunition for each side's arguments, the paper also undermines each coalition. Supporters in the Linux community have maintained that open-source programs are more secure, while Microsoft's senior vice president for Windows, Jim Allchin, argued in court that opening up Windows code would undermine security.

"The more creators of viruses know about how anti-virus mechanisms in Windows operating systems work, the easier it will be to create viruses or disable or destroy those mechanisms," Allchin testified in May.

Anderson rebuts those types of arguments in his paper.

Idealizing the problem, the researcher defines open-source programs as software in which the bugs are easy to find and closed-source programs as software where the bugs are harder to find. By calculating the average time before a program will fail in each case, he asserts that in the abstract case, both types of programs have the same security.

However, the paper has yet to be peer-reviewed and errors in his assumptions could undermine his theory. Furthermore, he acknowledged that real-world considerations could easily skew his conclusions.

"Even though open and closed systems are equally secure in an ideal world, the world is not ideal, and is often adversarial," Anderson said.

For example, the same quality that makes it easier to find bugs in open-source code may also make it easier for attackers to find ways to exploit the code. On the other hand, software makers may be less quick to assign resources to fixing flawed software and may not want to admit that such flaws exist for economic reasons.

Oddly, Anderson used the latter third of the paper to launch into a criticism of the Trusted Computer Platform Alliance, a security consortium started by Microsoft, Intel, Hewlett-Packard, Compaq Computer and IBM in October 1999.

While they claim their focus is on security, it's really on creating a platform from which competitors can be excluded, he argued. Furthermore, the alliance's technology for assigning a computer a unique ID is really another arrow in the quiver of Hollywood and music companies to fence off their content.

"There are potentially serious issues for consumer choice and for the digital commons," he wrote.


TOPICS: Business/Economy; Technical
KEYWORDS: closedsource; computersecurityin; linux; microsoft; opensource
A little for the open source community, and a little for the closed source community. Ahh... the joy of computing.
1 posted on 06/20/2002 6:30:20 PM PDT by rit
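The article only sketches the reasoning: treat bug-finding as a reliability-growth process, call a program "open" when every bug is easier to find by some constant factor, and compare the mean time before failure in the two cases. The Python below is an added example written for this thread, not code from Anderson's paper or from CNET. Its assumptions are labelled: each bug surfaces at its own exponential rate, "openness" multiplies every rate by `ease_open` for testers and attackers alike, and the constructed sample of bug rates is spread evenly on a log scale (a broad prior where most bugs are rare). Under that prior the open and closed MTBF curves coincide and both grow linearly with testing time; the last function also shows that with a narrow prior (every bug equally easy to find) the two curves diverge, which is one way the "world is not ideal" caveat can bite.

```python
import math

def bug_rates(low_decade=-6, high_decade=6, per_decade=20):
    """Constructed sample: bug discovery rates spread evenly on a log scale
    from 10^low_decade to 10^high_decade per hour (assumption: a broad prior
    in which most bugs are rare)."""
    count = (high_decade - low_decade) * per_decade + 1
    return [10 ** (low_decade + j / per_decade) for j in range(count)]

def remaining_failure_rate(rates, t, ease=1.0):
    """Failure rate still present after t hours of testing.

    Bug i is found at rate ease * rate_i (assumption: exponential discovery).
    It survives t hours of testing with probability exp(-ease * rate_i * t).
    Whoever probes the shipped program next, user or attacker, sees the sum of
    the surviving bugs' rates, scaled by the same ease factor."""
    return sum(ease * r * math.exp(-ease * r * t) for r in rates)

def mtbf(rates, t, ease=1.0):
    """Mean time before failure after t hours of testing (1 / failure rate)."""
    return 1.0 / remaining_failure_rate(rates, t, ease)

def open_vs_closed(rates, t, ease_open=4.0):
    """Ratio of open-source MTBF to closed-source MTBF after equal testing
    effort t. Closed = ease 1, open = ease_open (both are assumptions)."""
    return mtbf(rates, t, ease_open) / mtbf(rates, t, 1.0)

def growth_factor(rates, t, ease=1.0):
    """How much MTBF grows when testing time is quadrupled; ~4 means linear."""
    return mtbf(rates, 4 * t, ease) / mtbf(rates, t, ease)

def narrow_prior_ratio(t, bugs=100, ease_open=4.0):
    """Same comparison with a narrow prior: every bug has discovery rate 1/hour.
    Here open and closed do NOT coincide: early on the open program fails more
    often (its bugs are all easier to trigger), later it fails less (testing
    removed them faster)."""
    rates = [1.0] * bugs
    return open_vs_closed(rates, t, ease_open)

if __name__ == "__main__":
    rates = bug_rates()
    for t in (1.0, 10.0, 100.0):
        print(f"t={t:6.1f}h  closed MTBF={mtbf(rates, t):8.3f}h  "
              f"open/closed={open_vs_closed(rates, t):.5f}")
    print("narrow prior, t=0.1h:", round(narrow_prior_ratio(0.1), 3))
    print("narrow prior, t=1.0h:", round(narrow_prior_ratio(1.0), 3))
```

The interesting quantity is the ratio, not the absolute MTBF: with the log-uniform sample the ratio stays at 1 for every testing time, because scaling every bug's rate by a constant maps the log-spaced sample onto itself. Replace `bug_rates()` with any distribution concentrated at one rate and the equality disappears, which is the kind of assumption a reviewer of the paper would want to probe.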

To: *Computer Security In
.
2 posted on 06/20/2002 6:44:37 PM PDT by Libertarianize the GOP

To: rit
However, the paper has yet to be peer-reviewed and errors in his assumptions could undermine his theory. Furthermore, he acknowledged that real-world considerations could easily skew his conclusions.

This is an important statement. Real-world considerations make a huge amount of difference. Consider the macro viruses that have been plaguing the Microsoft Windows community. This is not a new problem. Twenty years ago there were the same problems with the Emacs text editor (which had the feature of being able to execute macros embedded in a file). Because that feature could not be turned off, many sites banned its use by root because malicious damage could be done.

Also, I and others warned that the Good Times virus was potentially not a hoax and a misconfigured system was vulnerable long before they became a problem in fact. Most of the Microsoft problems come about from two horrible engineering design decisions they made. One is that there is literally no protection at the file level. An ordinary user can overwrite any file in the system. A macro virus running on behalf of an ordinary user can do anything it wants to the system. The second is that they made the decision to run untrusted code without the user's consent received over a network.

Details matter. While I find it interesting that Anderson could make this proof (he is a brilliant man), more analysis needs to be done. In my opinion.

3 posted on 06/21/2002 1:38:13 AM PDT by altair

To: altair
Details matter. While I find it interesting that Anderson could make this proof (he is a brilliant man), more analysis needs to be done. In my opinion.

One other factor missing in his analysis is that Windows attracts crackers like flies to scat, and not just because of its design flaws. Antipathy for Microsoft and the massive installed base may have as much to do with the far greater numbers of Windows security violations as the fact that Windows is closed-source.

4 posted on 06/21/2002 7:03:30 AM PDT by kezekiel