1. 1
Is There Inherent Security in Open
Source Operating Systems and Software?
William Chipman
Fall 2009
Dr. Schauble
2. 2
Introduction
The biggest idea in computing currently is open source software. Because most
open source software (OSS) is available for free or very reduced cost, many individuals
and companies would like to move the majority of their computing to the platform. While
many people are just now hearing about OSS, it is not a new concept. “Free and open
source software dates right back to the origins of the computing field, as far back in fact
as the 1950's, when all software was free, and most of it open” (Kadura & Schryen, 2009,
p. 2016).
In order for people to feel comfortable moving to the OSS culture and feel that
their assets are protected, the issue of security has to be addressed. This has been
polarizing to both the OSS camp and the closed source software (CSS) camp. Both sides
are adamant that their software is more secure than the other. This paper will present the
arguments from both sides and attempt to provide an unbiased conclusion as to whether
OSS, specifically open source operating systems are inherently more secure that the
equivalent closed source operating systems.
Definitions
Open Source Software
“Open source software, by definition, is any program or application that is freely
distributed, non-platform specific -- and in which the programming code is open and
visible” (Whitlock, 2001). Open source software, while offering access to the source
code, can fall under several different license arrangement. Discussions of the different
licensing agreements are beyond the scope of this paper. The delivery methods of OSS
are also important. While the source code is available to all, many consumers are not
3. 3
interested in compiling the code in order to build their systems; therefore, many open
source software packages and operating systems are available as pre-compiled binaries.
While Linux is the best known open source operating system (OSOS), it is not the only
one. OpenBSD, OpenSolaris and Minix are all open source, and any thorough discussion
of security issues and options will require a full picture of the entire open source market.
Closed Source Software
Closed source software (CSS) is software in which the source code is proprietary
and only binaries are delivered to the customer. Where as OSS customers take ownership
of the software, CSS customers only receive a license to use the software. The best
known closed source operating systems (CSOS), the Microsoft Windows and Apple
MacOS families of operating systems control the majority of the market and thus
experience the majority of the security issues and risks. “Risk is defined as a combination
of the likelihood of a successful attack on a system together with the damage to assets
resulting from it” (Hoepmann & Jacobs, 2007, p. 80). Because of the large market share
of the CSOS, they shoulder an uneven share of the risk on the operating system market.
Security Systems
Implementation in Open Source Software
OSS and CSS implement security in similar fashions. Most software is designed
and written in such a way as to minimize risk to the consumer. The goal of delivering a
quality product to the consumer that is both useful and secure is common to both OSS
and CSS. The big difference between the two is not in how the security is implemented
but in how problems and shortfalls in security are found and the speed with which they
4. 4
are fixed. “The tacit security of open source software comes from the concept of 'peer
review,' borrowed from the scientific community” (Whitlock, 2001).
Peer review is also known as 'many eyes'. OSS proponents claim that while OSS
may have no fewer security flaws as CSS, having many more people reviewing the code
ensures that security issues will be found faster and can thus be corrected more quickly.
In addition to having more eyes on the code, “open source even enables several different
and independent teams of people to evaluate the security of the system” (Hoepmann &
Jacobs, 2007, p. 82). Not only are 'many eyes' looking for issues, but those eyes are also
working independently and can have differing expertise. Through the use of these
security finding protocols, an open source operating system in 2000 was deemed the most
secure operating system available. OpenBSD had “a track record of three years without a
remote security vulnerability and two years without a local host
vulnerability”(Middleton, 2000). This is an incredible length of time in the computer
field.
Implementation in Closed Source Software
Proponents of CSS have a different view of the situation. They believe that by
distributing the source code for a piece of software, that software is more likely to be at
risk. The rationale is that while there are many eyes on the code, a large number of those
eyes may not be looking for the issues in order to alert the 'proper authorities'. These eyes
are looking for security risks in order to exploit them either in the software that is being
studied or in similar CSS applications. CSS proponents explain that “commercial
software development is usually under centralized control [which] makes it easier to
develop a roadmap for the product [and] control the architecture in a design phase”
5. 5
(Karels, 2003, p. 49). This control leads to better designed software that is then released
with fewer issues requiring attention in the future. CSS proponents argue that they also
have 'many eyes' on their software, and that those eyes belong to professionals paid to
find them. Their view is that, that while more eyes may have access to OSS code, the
eyes on CSS have greater expertise to scour the code and the incentive find and address
vulnerabilities.
Expert opinions
Pro Open Source Software
Experts in the computing field have been weighing in on this issue for many
years, and both sides have similar arguments about why their side is better. Most experts
that side with the OSS community argue that because the source code is available to the
masses, the code will not only be better written, but any risks will be identified in a
timely fashion and corrected. According to Ralston, “one of the biggest perceived
negatives cited by open source naysayers is the expanded security risks. As the number of
developers examining code increases, however, the quantity of improvements achieved
also rises - and these advancements are obtained more readily” (2009, p. 13). This is
essentially the 'more eyes' argument.
The second pro-OSS expert argument is that when the source code is available for
review, it is more likely to be clean, readable and without intentional risks. Whitlock tells
us that “when the source and changes to it are present in public for anyone to examine, it
becomes personally incumbent on the developer to ensure the code is right and that it
hasn't been tampered with by any unknown parties” (2001). Writing good code becomes
a pride issue. Coders know that every decision they make in their code will be endlessly
6. 6
reviewed and picked through. This leads to better design structures and less inherent risk
according to this argument. A person writing code wants to write the best software
product available because there is the potential for thousands of his peers to see every
shortfall. The consensus of OSS experts is that “closed source leads not to true security
but to a false sense of security” (Whitlock, 2001).
Pro Closed Source Software
“Lee Badger, principal computer scientist at Network Associates, … counter[s]
that the many-eyes theory 'assumes people are motivated to examine even the mundane
code'” (Whitlock, 2001). If the code is working well, then where is the motivation to
perform intense code reviews? In addition to this, there is a lack of reward for the
potential reviewers. In a CSS corporate setting, programmers are paid to review code and
find potential security risks. Additionally, “many potential reviewers do not inspect the
code because they believe that others have already done so” (Kadura & Schryen, 2009, p.
2018). Experts believe that there is an attitude of indifference in the OSS community
towards code reviews. If a potential reviewer thinks that the code has been reviewed and
corrected then they have no reason to waste their time looking through the code again.
The second main expert opinion in favor of CSS is that the people building OSS
lack the tools and skills to engineer truly secure software. McMillian explains that
software, especially operating systems software, “needs to be built by people who
understand security, using good tools and proper techniques, and then evaluated by
people who know something about security” (McMillian, 2002). Without the proper
background, it is unlikely that reviewers will find major security risks or address them in
7. 7
a timely fashion. Kershaw sums up the overall expert opinion against OSS as “it is an
open door and one would have to think it will be abused at some stage” (2009, p. 10).
Dealing with vulnerabilities
Open Source Software
Dealing with vulnerabilities in OSS is also a subject for discussion between many
experts in the industry. OSS's greatest asset for dealing with potential risk is in the fact
that by distributing the source code, not only does the number of eyes on the code
increase such that risks are found faster, but that those same people can immediately
“write additions to the code … removing bugs” (Kershaw, 2009, p. 10). According to
this principle, as the number of people that use the code increases, the number of
potential developers increases. There is also a communal spirit to the OSS movement.
Users that have the skills to be assets to the cause are motivated to aid in any way
possible in order to make the software better and thus bring in more potential users and
developers.
The second major advantage of freely distributing the source code is that in the
case of most major CSS packages, the source code is eventually leaked to the community.
The ubiquitousness of Internet access worldwide has helped increase the illicit flow of
closed source code, increasing the chance that the few people that have access to the code
may be looking for risks in order to exploit, not fix. Kadura and Schryen explain that “in
cases where a source code is only available to a few criminals, code hiding may be
counterproductive” (2009, p. 2018). Criminals are looking for ways to exploit
vulnerabilities, while few if any are looking at it in order to fix the risks.
Closed Source Software
8. 8
Vulnerabilities in CSS are looked at from a different perspective. The belief is that
first there are fewer risks in CSS because it was designed and coded by professionals that
better understand the potential for risk than the developers of open source code. Second,
the risks are limited because the security flaws are hidden from sight and therefore not
available to the general public. Criminals will have to work harder to find the
vulnerabilities and exploit them. The idea is that an unknown issue is not an issue until
someone discovers it.
The major CSOS vendor Microsoft took the idea of risk management to a new
level prior to the release of their flagship operating system: Windows Vista. “Microsoft,
… challenged some of the world's most acknowledged computer experts to hack into
Vista during its development period” (Ralston, 2009, p. 13). The idea was that while the
Microsoft developers and testers had the expertise to build and test the new operating
system, they lacked the volume of resources to truly test every aspect and potential risk.
Future potential
Many of the world's governments are getting on-board with the OSS movement.
This will help garner more support in the future and get OSS the tools needed to compete
on an equal playing field with CSS. “With President Obama's declared support for open
source technology, greater adoption is anticipated” (Ralston, 2009, p. 13). This expanded
adoption is already happening in the rest of the world. “It is interesting to note that the
Venezuelan government made the shift to OSS in 2004, The Peruvians in 2005 and large
national educational changes have been made in Spain, Germany, Brazil and Singapore”
(Kershaw, 2009, p. 10). The United States Department of Homeland Security in 2006 set
up a 3 year grant of over $1 million to Stanford University, Coverity and Symantec to
9. 9
look for bugs in open source software (Evers, 2006). CSS companies have long had
analysis tools that would look for potential security risks. These tools are an attempt by
the US Government to level the field between OSS and CSS so that OSS code can be
more secure prior to release and not have to rely solely on the OSS community to find
risks after release.
In the CSS world there is also a push back to slow the growth of OSS. “Microsoft
still has the market grip on accepted and standardized business applications and so has no
vested interest in seeing compatibility between OSS and its applications” (Kershaw,
2009, p. 46). Because of the stranglehold on the market that Microsoft and other CSS
vendors have currently, gaining a foothold will be difficult for the OSS community
without governmental support.
Conclusion
At this point in the OSS movement, it is difficult to draw complete conclusions as
to how much more or less secure open source is than closed source. The arguments are
there for both sides, but the empirical evidence is not there. Proponents of the open
source operating system, Linux, will point out that the majority of exploits are targeted
towards their competitor, Microsoft Windows. The reality of the argument is that with
such a large market share, MS Windows is a bigger target. “What the discussion on
software security specifically lacks is appropriate metrics, methodology and hard data”
(Kadura & Schryen, 2009, p. 2017). Until OSS becomes more competitive with CSS,
there is not enough data to determine conclusively which is fundamentally more secure.
OSS is finally getting the recognition needed by the world to help gain market
share and have the proper tools developed to make it a real competitor with its CSS
10. 10
equivalent. The next few years will be the telling time for OSS. If the market share can be
expanded to make it competitive with CSS, better conclusions will be able to be drawn as
to the true security benefits of OSS and OSOS. Until that time, all conclusions about
security will be speculative and subjective.
11. 11
References
Anonymous. (2009). Microsoft forms new open source foundation.
Networkworld.com. Retrieved October 30, 2009 from ACM Digital Library.
Evers, Joris. (2006). Homeland Security helps secure open-source code. CNET News.
Retrieved October 31, 2009 from http://news.cnet.com/Homeland-Security-helps-
secure-open-source-code/2100-1002_3-6025579.html
Hoepman, Jaap-Henk and Jacobs, Bart. (2007). Increased security through open
source. Communications of the ACM. 50(1). Retieved November 2, 2009 from
ACM Digital Library.
Karels, Michael. (2003). Commercializing open source software. ACM Queue.
Retrieved October 27, 2009 from ACM Digital Library.
Kadura, Rouven and Schryen, Guido. (2009). Open source vs. closed source software:
towards measuring security. SAC '09. Retrieved October 31, 2009 from ACM
Digital Library
Kershaw, Patrick. (2009). Open Source Software – is it the new solution?. NZ
Business. Retrieved November 1, 2009 from ProQuest database.
McMillian, Robert. (2002). Security Expert gives operating systems poor security
grade. Linux Planet. Retrieved October 30, 2009 from
http://www.linuxplanet.com/linuxplanet/interviews/4495/1/
Middleton, James. (2000). Most secure operating system update uses Digital Signature
Algorithm. Network IT Week. Retrieved October 30, 2009 from