March 20, 2002 4:00 AM PST
Building trust into open source
While Microsoft has concentrated on reviewing its flagship Windows source code as part of a new focus on security, Internet watchdogs have released the details of three widespread flaws in open-source applications usually shipped with the Linux operating system.
The flaws could compromise the security of computers on which the applications are installed, prompting some developers to urge the open-source community to take another look at popular code. But most fear the majority of members won't bother.
"No one is doing auditing," said Crispin Cowan, chief scientist at Linux maker WireX Communications, one of several companies selling a version of the OS with additional security options. Cowan is the founder of Sardonix, a Web site aimed at organizing groups of people who want to review major open-source software.
"Reviewing old code is tedious and boring and no one wants to do it," Cowan said.
With Microsoft launching a major security initiative in response to recent criticism, some fear that Linux and open-source developers have become complacent in the commonly held belief that open-source programs are more secure.
This year offered several reasons to question that belief.
In February, a flaw found in the popular scripting language PHP left as many as 9 million Web sites vulnerable to attack. Though the number of vulnerable sites could be as low as 100,000 and the flaw is hard to exploit, the software bug resembles the Web software slipup that left Microsoft servers vulnerable to the Code Red virus.
Gartner analysts Richard Stiennon and John Pescatore say that despite new attention given to software security, no software--whether proprietary or open source--will ever be 100 percent secure.
And in mid-March, a bug in the OpenSSH communications encryption program, commonly used to secure communications to and from Linux computers, left many of those machines open to attack.
The spate of flaws has not gone unnoticed by the open-source community's more vocal members.
"I see a lot of bad software being done," said Theo de Raadt, founder and project leader for the open-source Unix variant OpenBSD. "There is a lot of politics and inaction causing people not to make changes that makes their software better."
The "many eyes" theory
Open-source software's main claim to security is that because anyone can view the source code, developers can constantly look for bugs and fix them. And with a broad cross-section of expertise in the developer community, programmers with specific strengths can look for hard-to-understand, "deep," bugs and fix what others might miss.
In his essay on the open-source movement, "The Cathedral and the Bazaar," developer Eric Raymond wrote, "Given enough eyeballs, all bugs are shallow."
De Raadt led a team of OpenBSD developers on just such a review, cleaning up the source code for the Unix-like operating system and replacing functions that were known to be insecure with more robust substitutes.
Yet, the "many eyes" theory, as it is known in the open-source world, doesn't work so well in reality, said WireX's Cowan.
"It does not assure that many eyes are actually looking at the code," Cowan said. "In fact, it is likely that 'rock star' code that is hip to work on gets adequate attention, while the other 90 percent languishes, in many cases never even seen by anyone but the code's authors." And much of this unsexy code forms the foundation of Linux.
Cowan hopes his Sardonix site will become a central registration point for auditing efforts, but for now, Linux and open-source software must rely on developers feeling obligated enough to commit to the drudgery of vetting source code for software bugs.
After security researchers found the flaw in the Web scripting language PHP, a group of programmers decided to start auditing that popular project's code.
"It's difficult to introduce new features and review the existing code at the same time," said Frank Denis, a part-time systems administrator for a French Internet service provider and leader of the PHP code-auditing project. "It's why we are trying to give a hand on that point. We won't introduce any new features, but we will fix potentially dangerous code."
A central process to find bugs, such as Microsoft's Trustworthy Computing initiative, will never catch all flaws in open-source software, Denis added.
"To break into your server, script kiddies will try totally unconventional tricks that have no chance of being part of any initial validation procedure," Denis said, referring to the class of online vandals who are not as technically adept. "The result of (our) different approaches will give a more extensive audit than any strict guidelines. That is the strength of free software: Everyone can put his own brick in the wall."
Polishing the software
Despite the security problem with his own project's code, Jean-loup Gailly, chief software architect for Vision IQ and the co-creator of the Zlib compression library, stressed that Linux's development process still creates more secure code.
"Open-source programs are subject to much more scrutiny and, in case of problems, fixed much more quickly than closed-source programs," Gailly said. "Apache is not more popular than Microsoft IIS (Internet Information Server) by accident; one of the reasons is that it is more secure."
An additional layer of polish is put on the source code by companies and organizations such as Red Hat and Debian, which package their own Linux distributions, Gailly added.
Linus Torvalds, a senior engineer at chipmaker Transmeta and the creator of the Linux kernel, thinks the open-source development style works well.
"Most (code review) by far is simply people looking at code, often for some other reason that had nothing to do with formal auditing," Torvalds said. "I personally like it that way, and it's proven to work pretty well in practice."
Moreover, rather than seeing a threat from Microsoft's new focus on security, Torvalds believes the move shows how weak the company's security used to be. Microsoft wouldn't provide an executive for comment on the issue.
"Let's face it," Torvalds said. "Microsoft did their initiative because they've been so bad at security in general. They fix bugs when somebody drives a truck through them and they get embarrassed enough. Get embarrassed (often) enough, and you start creating 'initiatives'--whether in politics or in commercial software."
He continued: "In the open-source community, the community has so far been pretty good at policing itself without the embarrassment. Do bugs happen? Yes, of course. But do they get found and fixed without a new virus of the week that costs a few billion dollars of user time? You bet."