Open Source in Security: Visiting the Bizarre

Author

  • Fred B. Schneider
Abstract

Although open-source software development has virtues, there is reason to believe that the approach would not have a significant effect on the security of today’s systems. The lion’s share of vulnerabilities caused by software bugs is easily dealt with by means other than source code inspections. And the tenets of open-source development are inhospitable to business models whose success depends on promoting secure systems.

Feature Enhancement Dominates. A principal tenet of open-source development is that source code be available for review and modification. For systems having a large developer base (infrastructure software might, specialized applications won’t), this means that many are inspecting and improving the code. But one must be careful to distinguish between what is possible and what is probable. There is no reason to believe that the many eyes inspecting (open) source code would be successful in identifying bugs that allow system security to be compromised. In fact, one could argue that such bugs would likely elude open-source developers. Developer-perceived improvements are what drives code-base evolution for open-source systems. Open-source developers—as opposed to hackers—have no more incentive to invest time and energy in code audits to uncover security vulnerabilities than closed-source developers do.

Closed-source software development is driven by market-entry time and features, because the industry believes that’s what the market wants. Testing and other activities that increase quality but delay deployment are thus eschewed by closed-source software developers. And the quality of their systems suffers for it. But a change in the market could reverse that. Such a change might result from adverse publicity or from legislation that makes developers liable for flaws in their software. With open-source software, the same change in the market would affect only the value-added service providers, since customers, wanting to have someone to hold accountable for claims about assurance, would obtain such added value in this way. These service providers, however, could not justify significant investments aimed at raising assurance. First, any bugs they identify and repair would, as prescribed by the tenets of open-source development, be reflected in everyone’s code base—the return on investment in this activity is thus diluted. Second, today’s techniques for establishing assurance are not incremental. A constantly evolving code base, as is likely because of the large number of developers in open-source development, would thus require continuing, significant investments.

Grease the Squeaky Wheel. Systems today are compromised not only because hackers exploit bugs but for prosaic reasons: initial configurations are shipped with defenses disabled, administrators misconfigure their systems, and users find it inconvenient to set protections for their files or encrypt their data. Some of these vulnerabilities would be addressed with easier-to-use security functionality, while others require a new culture of caution and care amongst users. None has anything to do with whether a system is open-source or closed-source. Thus, if bugs in the code base are not today the dominant avenue of attack, then embracing open-source software is applying grease to the wrong wheel. Even if we restrict attention to vulnerabilities caused by software bugs, which open-source facilitated inspections

∗ Supported in part by ARPA/RADC grant F30602-96-1-0317, AFOSR grant F49620-94-1-0198, Defense Advanced Research Projects Agency (DARPA) and Air Force Research Laboratory, Air Force Material Command, USAF, under agreement number F30602-99-1-0533, National Science Foundation Grant 9703470, and a grant from Intel Corporation. The views and conclusions contained herein are those of the authors and should not be interpreted as necessarily representing the official policies or endorsements, either expressed or implied, of these organizations or the U.S. Government. The U.S. Government is authorized to reproduce and distribute reprints for Government purposes notwithstanding any copyright annotation thereon.

0-7695-0665-8/00 $10.0




Publication date: 2000