Secure Coding mailing list archives
Re: Re: White paper: "Many Eyes" - No Assurance Against Many Spies
From: James Walden <jwalden () eecs utoledo edu>
Date: Fri, 30 Apr 2004 14:43:54 +0100
Jeremy Epstein wrote:

> I agree with much of what he says about the potential for infiltration of bad stuff into Linux, but he's comparing apples and oranges. He's comparing a large, complex open source product to a small, simple closed source product. I claim that if you ignore the open/closed part, the difference in trustworthiness comes from the difference between small and large. That is, if security is my concern, I'd choose a small open source product over a large closed source, or a small closed source over a large open source... in either case, there's some hope that there aren't bad things in there.

He makes three claims for greater security of his embedded OS:

(1) A carefully controlled process for modifying source code.
(2) Small size in terms of lines of code.
(3) Auditing of the object code.

Certainly, a small, well-audited system is more likely to be secure than a large, poorly audited one. Also, as there has been one discovered failed attempt to insert a backdoor into the Linux kernel, I agree that the potential for further such attacks exists.

However, his claim that Linux can never be made secure because it's too large to audit every time it changes is overstated. He's ignoring the fact that few people (and even fewer in defence) will or should upgrade every time the kernel changes. Widely used Linux distributions rarely include the latest kernel, even if your organization is using the latest distribution.

He's also confusing the difference between desktop and embedded Linux systems. Yes, his embedded OS is small, but an embedded Linux system is going to be much smaller than the desktop distributions. While kernel 2.6.5 may contain 5.46 million lines of code (counting blank lines and comments), much of that code is unlikely to be present in an embedded system. After all, 2.72 million lines of code (49.8%) are drivers, 414,243 (7.6%) lines of code are sound-related, and another 514,262 (9.4%) lines are filesystem-related.

You're going to build your embedded system with the hardware drivers and filesystems that you need, not every possible device and obscure filesystem available. The same is true for userspace setuid programs, which I'll not count as I'm not sure which ones would be necessary for the types of systems under discussion.

In summary, there are both fewer times and fewer lines of source code (and bytes of object code) that need to be audited than he claims. While auditing Linux is a more difficult task than auditing a smaller embedded OS, his claims are overblown since he ignores the fact that you only need to audit the parts and versions of the kernel (and OS) that you install and use when you install a new version.

--
James Walden, Ph.D.
Visiting Assistant Professor of EECS
The University of Toledo @ LCCC
http://www.eecs.utoledo.edu/~jwalden/
Current thread:
- White paper: "Many Eyes" - No Assurance Against Many Spies Kenneth R. van Wyk (Apr 29)
- Re: White paper: "Many Eyes" - No Assurance Against Many Spies dtalk-ml (Apr 29)
- RE: White paper: "Many Eyes" - No Assurance Against Many Spies Dave Paris (Apr 30)
- Re: White paper: "Many Eyes" - No Assurance Against Many Spies der Mouse (Apr 30)
- RE: Re: White paper: "Many Eyes" - No Assurance Against Many Spies Jeremy Epstein (Apr 29)
- Re: Re: White paper: "Many Eyes" - No Assurance Against Many Spies James Walden (Apr 30)
- Re: Re: White paper: "Many Eyes" - No Assurance Against Many Spies Tad Anhalt (Apr 30)
- Re: Re: White paper: "Many Eyes" - No Assurance Against Many Spies ljknews (Apr 30)
- Re: Re: White paper: "Many Eyes" - No Assurance Against Many Spies Glenn and Mary Everhart (May 03)
- Re: Re: White paper: "Many Eyes" - No Assurance Against Many Spies Crispin Cowan (May 03)
- Re: Re: White paper: "Many Eyes" - No Assurance Against Many Spies Tad Anhalt (May 04)