Professor von Clueless in the Blunder Dome
Hangout for experimental confirmation and demonstration of software, computing, and networking. The exercises don't always work out. The professor is a bumbler and the laboratory assistant is a skanky dufus.
Tuesday, September 21, 2004

Open-Source: How Trustworthy, How Secure?

The Myth of Open-Source Security

Here are more gleanings on security, this time with emphasis on open-source development processes and the opportunity, or not, for trustworthy, secure software. I'm still looking for a vaguely-remembered blurb where a group of experts identified lack of a disciplined process and measures for quality as an impediment to credible claims of inherent security in open source.

Slashdot | Open Source Security: Still A Myth. This blurb suggests that the many-eyeballs characteristic of open-source software is not an automatic assurance of security. It is uncertain that "those eyeballs are looking for security problems in a structured way." John Viega's 2004-09-16 ONLamp.com Security DevCenter article begins with this intriguing lead: "Open source may have many benefits over closed systems, but don't count security among them--yet." The article examines the concern of commercial and governmental users that open source developers are "too little 'engineer,' cobbling together solutions without going through a structured software engineering process (such as requirements, specification, and analysis)."

I have begun to argue that the open-source community has a unique opportunity to raise the security bar on software. Viega has evidence that the open-source culture may not be anxious to do the work required. One daunting example is the Sardonix project. Although funded by the Department of Defense to collect reports of security audits of open-source packages, this DARPA Composable High-Assurance Trusted Systems (CHATS) research project has not found wide acceptance. After an initial flurry in 2002, the discussion list of the site (still considered to be in beta) has dwindled to three postings in 2004. It is not clear what the impediment is, and I will not speculate here.

It seems that the serious tension around adoption decisions is that "people who want to sell software to organizations in [security-conscious] markets have to answer tough questions about the security properties of their software. Many times, potential customers must fill out extensive documentation about their products and the processes and technologies used to build them. Sometimes, potential customers must even submit their software to independent third-party source code auditing before purchase." The difficulty is that the customer is not expecting to pay for software security, while open-source developers have no way to fund software security and include it in the price of the product. There is more in the article, and in the many comments. Viega's summing-up is close enough for now: "I believe that in the long run, open source software does have the potential to be more secure than closed systems, since open source projects can do everything commercial projects can. ... Open source projects need to migrate to software engineering processes that resonate with the industry."

Yes, Still a Myth

Dana Epp's ramblings at the Sanctuary: Open Source Security: Still a Myth?. Dana Epp looks over John Viega's article and sees its resonance with Dana's own thinking. There are links to two earlier posts of Dana's that bear on this issue. April 15, 2004: Open Source vs. Closed Source Security, with rich comments too. February 14, 2004: Shattering the Crystal and Poking Holes in the Black Box was Dana's initial foray onto this territory, with more links to articles, an extended essay and an extensive accumulation of comments.

Security is Really a Low-Level Software Issue?

ACM News Service: OpenBSD's Theo de Raadt Talks Software Security. This blurb juxtaposes three remarkable items:

Rodney Gedda's 2004-09-10 ComputerWorld Australia article unravels the situation by revealing that in one case de Raadt is talking about "Almost all the security problems that happen in software" being the result of low-level programmer errors. Stepping back from that to what I'd call the engineering issues, de Raadt asserts that "[Vendors] are not doing the security audits that are required, they're not doing the education, and they are not integrating very simple technologies which effectively stump the attackers' attempts. The attacker still finds a bug and still knows what the side-effects are, but [in harsh environments] the side-effects are in such a strange environment that the attacker can't gain ground and gain the privileges he wants." I want to think about this a lot, especially in the case of distributed-object and dynamic-object systems. Dot-net might qualify as a harsh environment, and I think I might have an even stronger one in Miser. So I am repelled and attracted at the same time. Exciting.

And this is a good place to leave off, with the key issue and vision: "The way I look at security is that my security depends on your security because every single insecure machine on the Internet becomes a machine that can send me spam. These machines can be broken into to do a denial-of-service against me and take down my T1. And in a model like that we have to secure the entire Internet; that's the main target."

There is another observation with regard to platforms, and I think this may play into what I am looking into with regard to trustworthy open-source quality: "For the operating system, a proprietary Unix or open Unix, it comes down to craftsmanship and realities on the floor. And I don't think anybody is doing anything better than anybody else. Some of the projects are good in some ways and terrible in other ways. The source code doesn't make a difference. You can get the source code for anything today and an attacker can find vulnerabilities. The fact of the matter is, there is no more closed source; there is just limited open source."

Open-Source Opportunity for Europe

ACM News Service: EU Boost to Open Source Software. I notice high expectations of the open-source developments that are conducted in European Union research initiatives of the kind reported in IST Results. In extreme cases the open-source software is automatically assumed to be better, along with other magical qualities such as being automatically useful (although not installable and configurable by anyone who didn't actually write it, as far as I could tell after fumbling around and giving up in the case of one open-source software-engineering tool).

The Coordinated Action for Libre Software (CALIBRE) is an EU effort designed specifically "to improve the deployment of open-source software development projects." There is some thought of leap-frogging the U.S.-led software industry too. Matthew Broersma's 2004-09-03 TechWorld article identifies CALIBRE as starting in September 2004 and continuing for two years. There's other fascinating context here, including this observation by University of Limerick Professor Brian Fitzgerald: "Interestingly, the majority of open source contributions come from Europe, but strategic thinking and leadership of many open-source projects is probably very much US-dominated." The goal is to build the case for open-source development and also to identify best practices. There are links to two related initiatives for open source and open standards in government and public administration.

Related Gleanings
template created 2004-06-17-20:01 -0700 (pdt) by orcmid