
Security and Open Source: the 2-Edged Sword






Presentation Transcript


  1. Security and Open Source: the 2-Edged Sword
     Crispin Cowan, Ph.D
     WireX Communications, Inc
     wirex.com

  2. Reliability and Security
     • Reliable software does what it is supposed to do.
     • Secure software does what it is supposed to do … and nothing else.
       – Ivan Arce
     • Security is very simple: only run perfect software … Oh, so we need a ‘plan B’.
       – Crispin

  3. Open Source and Security: a 2-Edged Sword
     • Open source gives greater power to analyze software for security … for good or bad
       – Attackers get enhanced capability to find holes to exploit
       – Defenders get enhanced capability to find holes to close
     • So if you do nothing, then Open Source is dangerous
     • But if you leverage what Open Source gives you, then it is a defender’s advantage
       – … and there are tools to help you

  4. Security Enhancing Tools for Software
     • Code Auditing: static or dynamic analysis of programs to detect flaws, e.g. ITS4 and friends
     • Vulnerability Mitigation: compiled-in defenses that block vulnerability exploitation at run-time, e.g. StackGuard and friends
     • Behavior Management: OS features to control the behavior of programs
       – Classic: mandatory access controls
       – Behavior blockers: block known pathologies
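To make the "compiled-in defense" category concrete, here is an added example that models the idea behind a StackGuard-style canary. It is not StackGuard's code and not from the slides: the frame layout, the fixed canary constant, the stand-in return address and the all-'A' payloads are all assumptions of this demo. The unbounded copy is clamped to the model frame so that the program itself does not corrupt real memory; within that frame it behaves exactly like a sequential stack overflow, spilling out of the buffer onto the canary and then the saved return address.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed canary constant for the demo. StackGuard itself used terminator or
 * random canaries; a fixed, publicly known value is the weakest choice and is
 * used here only so the check is easy to follow. */
#define CANARY_VALUE 0xDEADBEEFu

/* Model of a StackGuard-protected stack frame: the canary sits between the
 * local buffer and the saved return address, so a sequential overflow has to
 * corrupt the canary before it can reach the return address. Layout assumed
 * for illustration; real frame layouts depend on compiler and ABI. */
struct guarded_frame {
    char      buf[16];
    uint32_t  canary;
    uintptr_t saved_return;
};

/* Simulates an unchecked copy of attacker input into buf (the classic
 * strcpy-style bug). The write is clamped to the frame so the demo does not
 * corrupt memory outside the model; inside it, bytes past buf land on the
 * canary and then on the saved return address, as in a real overflow.
 * Returns 1 if the canary survived (function may return normally), 0 if it
 * was smashed (StackGuard would abort here instead of returning). */
int copy_and_check(const unsigned char *input, size_t len)
{
    struct guarded_frame f;
    memset(&f, 0, sizeof f);
    f.canary = CANARY_VALUE;
    f.saved_return = 0x401000;            /* stand-in return address (assumed) */

    size_t n = len < sizeof f ? len : sizeof f;
    memcpy(&f, input, n);                 /* the vulnerable, unbounded copy */

    if (f.canary != CANARY_VALUE) {
        /* StackGuard's epilogue check: the canary changed, so the saved return
         * address can no longer be trusted. Report instead of returning. */
        fprintf(stderr, "canary smashed (0x%08x), saved return now 0x%lx\n",
                f.canary, (unsigned long)f.saved_return);
        return 0;
    }
    return 1;
}

/* Convenience wrapper: feeds len bytes of 'A' (constructed input) to the
 * vulnerable copy and reports whether the canary check passed. */
int demo_overflow(size_t len)
{
    unsigned char payload[64];
    if (len > sizeof payload)
        len = sizeof payload;
    memset(payload, 'A', len);
    return copy_and_check(payload, len);
}

int main(void)
{
    printf("5 bytes:  %s\n", demo_overflow(5)  ? "clean" : "SMASHED");
    printf("16 bytes: %s\n", demo_overflow(16) ? "clean" : "SMASHED");
    printf("17 bytes: %s\n", demo_overflow(17) ? "clean" : "SMASHED");
    printf("40 bytes: %s\n", demo_overflow(40) ? "clean" : "SMASHED");
    return 0;
}
```

Two caveats a practitioner should keep in mind: the check only catches overflows that run sequentially across the canary, not writes that skip over it or corrupt other locals, and a fixed canary like the one above can be written back by an attacker who knows it, which is why real implementations use random or terminator values.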

  5. Security Enhancing Tools and Open Source
     • Most of these tools operate on source code
     • Proprietary systems:
       – Only the vendor can apply the tools
       – Users must accept the vendor’s level of diligence
     • Open source systems:
       – Users can raise the level of diligence themselves
       – Motivated vendors can sell the same system (e.g. BSD, Linux) with higher levels of diligence (e.g. OpenBSD, Openwall Linux, Immunix)
     • Paper: to appear in the new IEEE Security and Privacy magazine

  6. Way Too Reasonable
     • … time to get outrageous :-)

  7. “Buffer Overflows: We’re Past That”
     • We’ll be “past that” when buffer overflows stop being a majority of all CERT advisories
     • We’ll be well past it when buffer overflows slip from the #1 position (plurality) of CERT advisories

  8. “Full Disclosure Zealots”
     • Perhaps the zealots have a point ...
     • “Timing the Application of Security Patches for Optimal Uptime”
       – Crispin + WireX staff + Adam Shostack
       – USENIX LISA 2002
         http://www.usenix.org/events/lisa02/tech/beattie.html

  9. Main Result: When To Patch
     [Chart: penetration risk rising over time against bad-patch risk falling over time]
     • Not never: you’ll get hacked
     • Not immediately: patch might be buggy
     • As time advances
       – Chance of getting hacked rises
       – Chance of patch being buggy drops
     • Optimize
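The trade-off on this slide, worked through as an added example. The two risk curves, the daily attack probability, the patch-defect decay rate and the cost weights below are assumptions of this example, not the model or the data from the LISA 2002 paper; what the code shows is the structure of the argument: expected loss is the cost-weighted sum of a rising penetration risk and a falling bad-patch risk, and the optimum delay is where that sum is smallest.

```c
#include <stdio.h>

/* Toy model (assumptions of this example, not the paper's model):
 *  - each day the hole stays unpatched carries a fixed probability
 *    p_attack_per_day of being exploited, so the chance of having been
 *    hacked by day d is 1 - (1 - p_attack_per_day)^d;
 *  - the probability that the patch is still defective starts at
 *    p_bad_initial and shrinks by a factor fix_rate per day as the vendor
 *    and early adopters shake out bugs, i.e. p_bad_initial * fix_rate^d.
 * Costs weight the two outcomes; the quantity to minimise is their sum. */

double penetration_risk(double p_attack_per_day, int day)
{
    double survive = 1.0;
    for (int i = 0; i < day; i++)
        survive *= (1.0 - p_attack_per_day);
    return 1.0 - survive;
}

double bad_patch_risk(double p_bad_initial, double fix_rate, int day)
{
    double p = p_bad_initial;
    for (int i = 0; i < day; i++)
        p *= fix_rate;
    return p;
}

double expected_loss(double p_attack_per_day, double p_bad_initial,
                     double fix_rate, double cost_hack, double cost_bad_patch,
                     int day)
{
    return cost_hack * penetration_risk(p_attack_per_day, day)
         + cost_bad_patch * bad_patch_risk(p_bad_initial, fix_rate, day);
}

/* Returns the delay in days (0..horizon) that minimises expected loss. */
int optimal_patch_day(double p_attack_per_day, double p_bad_initial,
                      double fix_rate, double cost_hack, double cost_bad_patch,
                      int horizon)
{
    int best_day = 0;
    double best = expected_loss(p_attack_per_day, p_bad_initial, fix_rate,
                                cost_hack, cost_bad_patch, 0);
    for (int d = 1; d <= horizon; d++) {
        double loss = expected_loss(p_attack_per_day, p_bad_initial, fix_rate,
                                    cost_hack, cost_bad_patch, d);
        if (loss < best) {
            best = loss;
            best_day = d;
        }
    }
    return best_day;
}

int main(void)
{
    /* Constructed parameters: about a 1-in-30 daily chance of attack, half of
     * patches start out broken, 10% of remaining defects fixed per day, and
     * a compromise costs the same as a bad patch. */
    double q = 1.0 / 30.0, b0 = 0.5, r = 0.9;
    for (int d = 0; d <= 10; d++)
        printf("day %2d  hacked %.3f  bad patch %.3f  loss %.4f\n", d,
               penetration_risk(q, d), bad_patch_risk(b0, r, d),
               expected_loss(q, b0, r, 1.0, 1.0, d));
    printf("optimal delay: %d days\n",
           optimal_patch_day(q, b0, r, 1.0, 1.0, 90));
    return 0;
}
```

The interior optimum appears only when both risks are real: set the bad-patch cost to zero and the best delay collapses to day 0 (patch immediately), set the attack probability to zero and it runs out to the horizon (never patch). The slide's "not never, not immediately" is exactly the case where neither shortcut applies.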

  10. Hidden Result: “Responsible Disclosure” Does Not Help
     • Some Microsoft security advisories politely acknowledge the “investigators” who reported the bug
       – Done only when the investigator cooperated with Microsoft
     • At the 93% confidence level, “acknowledged” security patches are more likely to be defective than unacknowledged patches
     • Conjecture: “responsible” disclosure does not help, and may in fact hurt
