Slashdot Mirror
Can Open Source Be Trusted?
"I also menitoned OpenBSD to him as an example of a secure system that was open source. I argued that it was exactly because of the OpenBSD/FreeBSD development model (i.e. closely controlled with a top down hierarchy) that it was able to be more secure. Dr. Spafford still felt that OpenBSD did not fit the criteria of a well-trusted system: because it was not designed to a formal spec, and there are no formalized tests or standards being applied to it. Are there some ways in which we can get OpenBSD more trusted by testing it against some infosec standards?
For the rabid reader, I would just like to point out that Dr. Spafford NEVER disagreed with the 'more eyeballs means less bugs' tenet of faith that so many open source advocates preach. He just felt this was irrelevant to his point--how do you judge whether a system is more trusted than another system when there was no design spec or goals listed out to which to test the system against?
All in all, it was a challenging lecture. I felt myself start to get irritated, but by the end of his lecture, I was convinced he had a good point. How do you think we can address his criticisms?"
Honestly, I would say the same thing about a lot of commercial software as well. Just because you sell something doesn't mean that it's been designed properly, and likely just because something is free doesn't mean it's been slapped together with duct tape. Further more I'd trust a program with source more than one without and many open source developers are always willing to accept a better design. I'd also like to say that just because there aren't many pieces of Open Source that proceed with fully documented design goals, that this won't always be the case for future projects.
On an unrelated note, Spaf (Dr. Spafford to you, buddy) also runs the usually-funny Yucks mailing list. This list has long seemed among the cream of the crop of net-humor to me.
"His assertion is that Open Source systems such as Linux are developed in too chaotic a system to ever reach a trusted state. "
What does the way something is developed have to do with the final product (or a given release), and the tests performed on it? You are testing the product, not the developement environment, surely?
Basically, he's right. All he's saying is that with no formal design spec or test process, a system can't be considered secure. Yes, we have some design specs in the form of RFCs, POSIX and so on, but we certainly don't do rigorous compliance testing for them with each new release. For systems that aren't done that way, though (a category which applies to more than 99% of all available software, at a guess) I'd much rather take an open source one than a closed source one.
"The invisible and the non-existent look very much alike." -- Delos B. McKown
One of the reasons you might use open source software, is that you can read through the source of all the software you consider using for any security holes / excess features etc. With closed source software you have to trust the software developer, and if/when security holes are found you have to trust that they will: 1. Officially announce it. and if your lucky... 2. Release a patch for it.
--
Laptop006 (RHCE: That means I know what I'm talking about! When talking about linux at least...)
/* FUCK - The F-word is here so that you can grep for it */
Gorkman
Because of the way Open Source is developed it will have less bugs than some commercial software, but it will never be developed to a formal specification using tried and tested Software Engeering principles.
Commercial software (i.e. closed source) benefits from not being developed in a chaotic way and can be more secure. Techniques such as the Cleanroom approach, software inspection can lead to almost zero-defect software. Which is something I don't think Open Source can ever really achieve.
The use of formal methods for specification and verification does achieve secure systems, the only way Open Source can match commerical systems developed in this way is for them to be developed in a similar fashion. Sure, you can still give the source away, but developement does need to be centralized for these techniques IMHO.
Open source software can be trusted more than closed source software when it comes to security, for all the reasons that you all know (quicker bugfixes, code open to scrutiny, etc). Closed source software can have hidden APIs, bad implementations and bugs, and the release cycle is slow.
OpenBSD is interesting, as they do audits on software to get rid of the security holes. They can only do this because the source code is available.
Of course, software like Sendmail, various ftpds, POP3 daemons etc, all mess up the security aspect of an OS. The OS can be as secure as it can possible be whilst still being usable and useful, but if the software being run on it is vulnerable, then backdoors into the system will be found. Having the source code available allows the cracker to find better access methods than having to guess and feel their way into a system.
You just have to remember that there will never be perfect security, and plan accordingly.
I find this amazing - so open source doesn't submit itself well to a closed-doors 'expert review' where the experts are usually appointed through a political process rather than a skills one?
Open source's strength is that it's Darwinian. Yes, a program can start off full of holes, but the whole point is that these holes become evident through the development process, and get plugged.
Hell, even I get this, and I'm not even a developer/techie. (Read The Microsoft Matrix" to see what I've learned.
- Read fiction at www.espressostories.com
My assertion is that open source challenges the notion that you need a formal spec to develop trusted software. Much like the submitter of this story, I would hold up OpenBSD as an example of a system that I consider trusted, yet was not developed under any formal spec. Perhaps it's time to realize that formal specs help to get things done correctly, and they certainly help get things done quickly (by preventing, in theory at least, feature-creep), but they certainly are a requirement.
Werd.
Honestly, I would say the same thing about a lot of commercial software as well.
I suspect that Dr Spafford would agree with you. Whether or not a piece of software is open source is orthogonal to whether or not it can be trusted.
Just because you sell something doesn't mean that it's been designed properly, and likely just because something is free doesn't mean it's been slapped together with duct tape.
Just because you sell something doesn't mean that it's not open source.
If you can actually PROOF that you adhered to the specs that were outlined eveything is okay.. but as with alot of things people cannot be trusted enough to follow the specs. Just look at constructing. If a wiring scheme inside a building can be much cheaper because of cheaper wires they will put those in.. if a company can save money by NOT adhering to the specs they sure as hell will... if you create some specs and afterwards your product seems to adhere to them that does not mean that internally eveything is correct. At least with Open Source you can check that. Of course he is correct at the point of Linux and most other projects being chaos like. That's inherent to the bazaar model of things.. But strongly run Open Source projects with clearly outlined goals and specifications can be as secure as anything else...
Just my thoughts about the subject
...of it's developers.
you're either kidding (and it's not really funny) or you're a troll. Outstanding.
Werd.
Very simple solution, write a "formal spec" for Linux/OpenBSD/FreeBSD/NetBSD, and test. I'm quite sure it would take several people, if not a community, to try to define all the potential ways of testing. And, then, turn the table back around and say, "well does your formal spec test for problem X, no? we have, on a monthly basis, with a programming community in the thousands judgeing the outcome"
Then even if they do test to a "formal spec" you would be able to clearly point out that only from an open community can you really know the weeknesses, and you could never trust a commercial company to release information about where they failed, and where they have problems. Odds are, if they fail on one point frequently, they just rewrite their "formal spec" to not include that test.
If a company like RedHat or SUSE decided there was a sufficiently large market for a "trusted" distribution, wouldn't it be possible for them to go through "formal" procedures. Obviously, such a distro would never be cutting-edge, because of all the extra testing that needs to be performed. It's only if you try to look at all of "GNU/Linux" developement at the same time that you might say "anarchy rules". As soon as you get to the distros, you get far less chaos and far more control of what goes in. I think that such a thing would even be more "trustworthy" than closed source, because afterwards, you would be able to see all the source that went into the "trusted" distro.
I didn't know that open source code meant anything except that the code was released? Since when was a project not open source if it had a specification, and went through bugtesting?
I currently work at a company that spent 40% of the development cycle on documentation, and will spend 20% on testing when the development team completes. So if we release the source code, it's no good?
Point is, just because it is open source doesn't mean you cannot do these things.
Formal this, formal that. Software development is a black art inspite of attempts at trying to formalize it; From flow charts to design specs to UML.
Formal is nice but it almost never works in the real world.
So far, good design is a result of an ongoing process of trial and error and never the fruit of a first attempt.
Open source takes it to the extreme by creating a massively parallel trial and error machine with a decent "good design" selection process.
I was under the impression that open source was a way or release not nessesarily development.
.plan = NULL;
By this i mean that the ideoloy behind open source is that the source is available to add/fix/do whatever to a system. So theoretically a trusted system could be open source, the source need only be released.
Would ssh be considered a trusted system by this person, or is this a trusted service instead, and where does that leave OpenSSH in that particular schema of things.
.sig =
http://www.alladvantage.com/go.asp?refid=HVZ895
Do the following really mean anything? SCSA MCP CCSA CCNA
--I'm not actually after an answer!
In practice that basically just means that the formal softeare development process has been described and red-taped. There is a hope that such a process will make it well though of and controlled in such a way that a second project would have come to the same solutions, fully disregarding that design is mostly an art and not a science.
In no way does it in reality mean that the program os more or less bugfree than a bazaar type open source code project. It only conclusion one can draw is that it most certanly exist a lot of documents describing the sytsem - which might or might not describe the actual code.
It also has taken a muck longer period to develop becasue a lot of documents has been produced. But in practice the document are never read anyway since most people who wants to know anything mostly looks inteo the source code anyway - since thay know that the docs never tell the whole truth.
Just saying it like it are.
----------
Stupid sexy Flanders.
I don't see that there is any connection between where your code comes from and the specifications it is built to.
A benevolent dictator, acting much like Linus, could accept only code that brings the product closer to the design.
The test suite or testing procedure could be released along with the code. Sure, goals like "ISO 9000 security compliance" are less popular than "a working operating system", but that doesn't mean you have to keep your source closed. And it doesn't mean you can't accept patches that bring you closer to your goal.
Thank you for not thinking.
Trusted, Assured, Safety Critical, these are all areas where IMO Open Source won't work. They require a level of discipline and upfront analysis and design that doesn't merge well with release early and often. OSS creates great software for large user bases, however it tends to create products rather than enterprise applications.
The key to trusted, assured or Safety Critical is the specification. You must know in advance what you have to prevent. Its no good after you've lost all of your data fixing the bug that allowed it open.
An Eye for an Eye will make the whole world blind - Gandhi
The article didn't mention any bias against open vs. closed source. Actually (if you'd read instead of shouting out OPEN SOURCE ROOLZ just to be cool), he mentioned that more developers looking at the code usually tends to produce a better system. However, open or closed source, if a system is not designed to rigorous specs and tests, it cannot be trusted. I think he has a good point.
It doesn't matter whether the source is open or closed.
Eric Allman is the sendmail hacker, ESR wrote fetchmail
And yes, sendmail sucks. run qmail or postfix instead.
(I can't belive that I actually reply to such a blunt flamebait ... )
Don't know what exactly a system has to be to be considered 'trusted' but OMG tested MICO against their CORBA spec for free in recognition of their efforts. MICO passed and hence can be legally branded as a CORBA implementation. Could MICO be considered a 'trusted system' then? It was tested in a very formal way.
1. There is no greed for money.
2. No need to rush the process (Except KDE and Gnome)
3. Just geeks are working on it. There are not Non-geek asses trying to do what they think the "public wants or needs".
4. Opensource developers are just more cool.
atto
I didn't use the preview button, so get over it!!!!
Mike
Then what makes a trusted system? What systems would be considered trusted?
Just because something is closed source, that doesn't mean it's developed to a formal specification with formalized testing.
Furthermore, what constitutes a formal specification? Both OpenBSD and Linux derive their security models from the Unix security model. That model *is* a specification. But is it a *formal* specification, and if not exactly what constitutes a formal specification?
FInally, as for formalized testing, I don't know that much about what Linux kernel hackers do, but I'm to understand its a very chaotic environment. I agree with the professor here: I don't think Linux has had formalized testing for *anything*, let alone the area where it matters (security.) Yes, to a bazillion eyeballs all bugs are shallow, but formalized testing means creating a formal benchmark test that puts the program into virtually every conceivable situation. I'm not saying that closed source developers do that (isn't it obvious? look at the number of security holes in the Windows operating systems over the years.) but I do think that Linux, and software development community as a whole, needs serious improvement in the areas of testing.
From what I can see, the proessor's whole gist is this: software development needs develop an engineering culture. Software needs to follow a systems development life cycle (SDLC)where formal specifications (requirements documents) are written up in advance, the software is developed within an engineering culture, and there is formalized testing and user acceptance. These seemingly superfluous controls, especially in the area of infosec, are vital to controlling the inevitable bugs that crop up and to making sure that software meets the requirements.
I think Linux and *BSD at least need to take a hard look at requirements gathering and testing phases and see if there is any room for improvement.
My journal has hot
Open source can be more trusted than closed source
Formally designed and reviewed software can be more trusted than chaotically assembled software.
These seem orthogonal to me (and to each other! wakka wakka wakka!). Sure, most all of the software out there is NOT formally designed for security first. A lot of it is open source, a lot of it isn't. Open source obviously doesn't make a programme or suite instantly bulletproof, neither does formal design and review. Nothing is 100% secure, trustworthy, or bug free. Loads of things can help or hurt the process.
Trees can't go dancing
So do them a big favor
Pretend dancing stinks!
I'd agree that open or closed source has little to do with trusted or not trusted. Either open or closed source software can follow strict design guidelines or be flakey. With closed source we get what a company wants to sell us and no way to prove if it is or isn't what we want. With opened source it's exactly what we want it to be. If that means trusted then it'll be trusted because otherwise what would be the point of coding it? The bottomline is that we are in control of our destiny.
At what price learning? At what cost wisdom? The price is a man's peace of mind, and the cost is his life.
After all Linux is rather standards-friendly, but I fail to see how one-size-fits-all security design goal could ever be written, let alone implemented.
Think about it. There are somewhere around..what..20 Million Linux's running right now, doing all sorts of stuff, with all sorts of software and configurations, and they're exactly as secure as their weakest software and/or config file.
Bottom line: The OS only brings you a mechanism to implement _your_ security policy and nothing more!
-- Computers are not intelligent. They just think they are.
It looks to me like he wants "formal" and "formalized" testing and coding.
That's just about as irrelevant as saying that the coders must not drink coffee and must wear purple zoot suits. Code is code. If it works well it works well. The end user doesn't care at all about who wrote it wearing what or in what environment it was written. Open source is open. that means it's a TEAM of people working on it (the good ole, more minds makes better code idea)
More coders means more ideas, more coders also means more testing and more code review.
if Windows was open source, it would not be released with 65k bugs.
People can keep putting down open source and the excellent products that derive from open source, but open source will continue to thrive. these open source products that keep the web running will still be the best.
limiting your code to "formalized" yadda yadda blah blah blah will not make a better product in less time.
Fook
The price we pay for immortality... is death. Narnia The Great Fall
1. Open Source and Bazaar development is not the same. Indeed, Cathedral development might be better for systems with rigid specifications and well-defined goals and functionality. Just most products out there aren't like this - you can never know what you'll have to support until users try first version and say what are they lacking. /. misreporting?
And I'd expect from university doctor to have research on differences between Open Source and Bazaar development before giving lecture on the subject. Or is it
2. Most commercial companies are even more unfit for trusted development than the Bazaar. The reason is simple - they are driving by profits, and if release date and "doing things right" contradict - the latter will almost always lose, and marketing will push product out the door and say "we'll fix it later, it works good enough for 90% so 10% will be fixed afterweards". The only real way that I see trusted system can be developed is open academic environment - Open Source Cathedral style with lots of peer review. This puts chaotic component under control and allows to use it for moving into well-defined direction.
-- Si hoc legere scis nimium eruditionis habes.
There seem to be two distinct issues: (1) the lack of a formal spec against a formal test procedure; (2) the nature of open source software and protection of security by obscurity.
(1) Perhaps a formal test procedure could be created. It could even be a commercial opportunity. Even better, it could be an open source project itself, drawing from the best minds, and open to the scrutiny of all. This could be similar to encryption standards where algorithms are available to all.
(2) Perhaps there is a view that at least with the source code 'closed', then black hats cannot analyse the code. I would argue that black hats do have access to source code for many operating systems, perhaps even the trusted ones. I'm not sure I can weigh up the pros and cons quickly off the top of my head.
-- Matthew - matthew.gream@pobox.com, http://matthewgream.net
As long as trusted systems are evaluated in a many-month long process as defined in the Red Book (NCSC Trusted Systems Evaluation Criteria), most Open Source OS's will continue to fall, simply because they cannot afford to have the testing or certification performed.
What we really have to remember is that Open Source OS's simply don't have the features that the trusted system evaluation criteria dictate -- it has nothing to do with whether or not they're secure in practice, but has *everything* to do with if they're secure in theory, such that a poor implementation can't break the security model.
Memory that's segmented in hardware such that even increasing your process priveleges doesn't allow access to the memory space of another process? Filesystems that log every transaction (including read/stat operations)? Systems that log every system call reliably, in an untamperable state? These are the features of government critically evaluated trusted systems, and until Open Source OS's support them, we shouldn't gripe. =)
Ooo! Ooo! Someone criticising our beloved open source!
Must be a Microsoft drone!
Let's run him out of town on a rail!
What IS your problem here?
For example, I feel a lot happier knowing that computer software used for aircraft is designed in a strict formal method under close supervision. The kind of "trusted" system defined here.
I would feel a lot less happy had this software been designed by Joe Bloggs and Sid Snot in their spare time, with no formal checking done...
Open Source is no universal panacea - for some things you NEED a solid programming team under constant supervision, using formal methods.
"Information wants to be paid"
One of the big problems with the classic open source argument of "you can examine the source" in the "trusted" market is that it dosen't apply exclusively to open source projects. The bucks for this kind of thing are substantial enough that even M$ will open the source up to the auditors. On top of that the cost difference is not as substantial because the cost of having the suytem audited has to be figured into the TCO.
Also, like many people have pointed out development cycle time is less important because of the large time constant involved in testing. Basicly if closed source can get a release out in x amount of time and open source in x/4 time both will require c amount of time to test. While becomes negligble for sufficently large value of x, sufficently large value of x results in massively obsolete code.
The best way that open source can get a solid foothold on the trusted systems market is with the production of quality systems. If it does the job better then anything else on the market then people will use it. If it dosen't then they won't.
"You can't fight in here! This is the war room" --Dr. Stra
I think that it could be worthwhile to reconsider Ken Thompsons all time classic Reflections on Trusting Trust in this context.
Peer review (as one of the streanths in opensource) won't alone give you a secure system, there are far to many other factors to be considerd. Peer review is however one very important factor.
In the mathematical sense, he is right. If you start with a formal spec that can be tested (crypto-mathematically) to be safe and then implement that spec rigidly (testing each component) you can use some definition of the word "trusted" to describe the outcome.
This is probably the same method Bill Richardson advocates for keeping nuclear secrets safe.
You could also skip a little on the formality but add a buttload of real-world testing. Throw in a sense of honor that feels personally offended when a bug is found. Then mix in some "many eyes effect". Now you have something that you can't PROVE safe, but at least you FEEL safe.
Now before you respond, be aware that, Bill R ref aside, I'm not saying "those ivory tower fools don't know what it's like in the real world". What I AM saying is that formality, like scientific theory, is only as good as the real-world experiments that bear it out.
I also think that Linux could benefit from a little more...structure. There are some projects that are doing audits, but we all know it's better to design security in, not QA it in. However, I think Spafford is underappreciating the Open Source Way.
--
Linux MAPI Server!
http://www.openone.com/software/MailOne/
(Exchange Migration HOWTO coming soon)
>Honestly, I would say the same thing about a lot of commercial software as well.
Well, yes. But that's not the point. You're playing the ad hominem deflection game: "seeeeee, they're just as bad, toooo!!!"
Boiling this issue down to open versus commercial is completely orthogonal to the actual point: well-designed, specced-out systems are going to be more trustable than ad-hoc slapped together ones.
Where the code comes from should be irrelevant -- if the spec is good and the code actually matches, all is well, regardless of origin. Granted, open source makes bugs easier to find, but also adds an element of chaos into the implementation phase that could be detrimental; the bazaar doesn't necessarily follow specifications. It's a tradeoff....
Trying to cast this issue in the light of open versus closed is really just playing the 'when what you have is a hammer everything looks like a nail' card with the Slashdot open-good-closed-bad mentality.
Not every software development issue can be solved by a free license. Really. I promise.
--
"His assertion is that Open Source systems such as Linux are developed in too chaotic a system to ever reach a trusted state. "
Having worked on several projects at different companies I believe that almost every product is born in chaos, especially towards the end of the development cycle. I would think the measure of whether or not something should be trusted is if the coding follows a standard, and is tested rigorously by users till it breaks so it can be fixed.
There are 'formal specs' and there is 'implementation'. You can have a good 'math-proven' formal spec for authorisation / security / encryption etc. The way it's implemented can be the weakest point - like the Xing DVD player.t tel component.
There's another issue: a burgular designing a lock uses his own expertise to build a better lock than those made by other manufactors.
Third thing is that 'formal specs' are specs made by people with a lot of expertise, their expertise can be outdated, there expertise can be limited. My guess is that 500 burgulars implementing a lock can build locks more secure than 10 burgular veterans designing a lock far into their burgular-retirement days.
Ofcourse, with everybody with their eyes into the lock design prevents the assholes for building in a back-door, or an auto-connect-send-some-customer-information-to-Ma
The guy forgets one thing in my opinion: those formal specs are made by people!
Bizar technology?
Without hearing the seminar it sounds as if Dr Spafford is talking about Trusted Systems, not security in general.
Trusted systems are usually of the kind where every action is auditable and traceable; system administrators do not have access to delete logs or change audit trails, etc. The 'trustiness' and 'security' of these types of systems is rather designed through system architecture and specification of how, exactly, everything works, and very strict definitions of security access and permission. Bugs and exploits dont even figure into wether or not the system is 'trusted'. It's a measure of how it works; ie, your sysadmin cant add a $50000 bonus to his salary in the economy system (he probably cant even access that data) and wipe the logs of his doing it, bugs notwithstanding.
Of course, no commercial or free 'standard' unix lives up to that, simply because of design (some trusted unix-like systems do tho).
Which, I think, would be his point; no open source OS currently exists that implements something like that, and the usual design methods in opensource favour functionality and features above things like total fascistic control and auditing of every action taken in the system.
That is not to say an opensource model wouldnt work for a trusted system; it would probably even be better, but bugs are irrelevant to the very idea of wether a system is considered a Trusted System or not.
Hmmmm, let's think here. I'm sure Microsoft goes through a very thorough and controlled (in their mind) testing phase, and look where it gets them. I don't know about you, but if my car got recalled 6a times (soon to be seven), it would be deemed unsafe to drive. 99% of the time the most controlled and tested products still have all of the same bugs. You need to throw in a chaos factor for a product to eventually become stable.
Formal specs are a god-send IF you ever get them. Programming by trial and error has got to be the most anti-productive way of working. I've done both, and believe me, with formal specs it makes the writing, debugging process awhole lot simpler and cleaner.
To use an example, I typically write code for manufacturing systems. IF I'm lucky my spec consists of a Post-it note with some chicken scratch on it. It ususally takes a long time to hash out all the "actually specs" of what the user wanted. On the FEW occasions I did get a formal spec, it took half as long to write the code, and hardly any time to debug it. And to this day those are the only programs I don't have to keep going back and "adjusting".
So, yes, in the real world, typically you won't get specs, clean room tests.... But that doesn't mean they aren't important.
I wouldn't want a Structural Engineer building a bridge by trial and error.
Sean D.
"Hmm. I am to metaphor cheese as metaphor cheese is to transitive verb crackers!"
You guys might want to listen to this guy, its Purdue for Christ's sake. I went to Purdue and the more I work the more I realize that most other educational institutions can't come close to Purdue. This guy is on the right track. Mike BS IM/MIS 97
This isn't so much a problem with Open Source, it's a problem with the way some open source projects are developed.
It's perfectly possible to have an open source product which has rigorous development standards imposed by the central source maintainer. That just isn't the way Linux development operates.
With Linux, he's basically right - the development is very chaotic, and there is almost certain to be a problem with trusing it in the way he wants.
However, there are other projects which, though open source, still maintain a strongly structured development.
The things to consider here are the number of developers, the number of independant versions, the licencing restrictions, and the amount of control excerted by the central source maintainers over the development process.
(Spudley Strikes Again!)
To describe this you generally start off with what you don't want it to do. Examples include "kill someone" or "let someone write to a file without authorisation". Then you have to say exactly what you mean by that (e.g. how might the system kill someone, and what constitutes "authorisation"), and before you know where you are you have a document several hundred pages long, much of which should be Z or VDM. Then you need to check that for any holes.
Then you have to prove that the system fulfils these requirements. Now a full formal proof of this is going to be a larger project than the original software by an order of magnitude, even with today's automated support. So the only feasible solution is to write the software very carefully. You have to identify each piece of code that might cause a non-spec event to occur, and then explain how it prevents any execution which might be outside the spec. And since this is important, you have to leave an audit trail behind so that potential clients (who are going to be staking lives and fortunes on your software) can see that you have done this properly. Unless you do all this, your system cannot be trusted.
(Aside: you also have messy recursive problems with trusting your development tools and hardware)
Put it this way. We all know Linux is reliable, right? But would you stake your life, or even your house, on keeping your Linux box up continuously for the next 12 months? I sure wouldn't. I wouldn't even do that with BSD. There are a few bits of software I would do that with, but... they were all written to these kinds of standards.
No matter how you slice it, this stuff requires a lot of hard work and bureaucracy. The question of "who will watch the watchers" is particularly germaine to the creation of trusted software.
Paul.
You are lost in a twisty maze of little standards, all different.
I feel that open Source can be trusted, because we have the opportunity to check the code.
"His assertion is that Open Source systems such as Linux are developed in too chaotic a system to ever reach a trusted state"
Order and patterns are found in chaos all the time, fractals.
What makes him think that the "closed Source" software is developed in any less of a chaotic maner? Just because we do not know does not mean it is done in an organized manner
TKrabec Pahh
We think of Linux and Open Source projects as being "secure." They are safe from most attacks in general... Once a problem arises, it is quickly fixed by the community -- and it is very likely to be found quickly.
The problem is that "trusted" within the infosec community means that you can reliably assume in a beyond-mission-critical environment that the system is totally secure from attack.
This means a careful, meticulous design, and very rigid, formal implementation and testing. The aspects involved are far more comprehensive and cohesive than Open Source generally considers...
We look at Open Source software in terms of the safety of a package. Sendmail is not secure, or QMail is secure, and imapd is not secure or... You get the idea... Building a trusted system means looking at the big picture -- as low level as how kernel data structures are defined and manipulated, to as high level as individual file permissions and pretty much everything in between...
IIRC, "trusted" Solaris tends to lag a couple versions behind the general release of Solaris and takes a bit of a performance hit. Why? Because it takes a lot of time to evaluate, and fix an OS to make it "trusted."
A simpler way of looking at the difference is this: A "trusted" system goes to great lengths to meticulously ensure that no edge cases exist. A "secure" Open Source system takes the shotgun approach: With enough monkeys pounding on enough keyboards for a long enough time you'll get the works of Shakespeare... Translation: Open Source counts on enough talented, skilled developers working on a project to cover all the cases without anyone specifically telling them to do so.
In the end, Open Source may or may not come out with a product whose security matches that of a "trusted" system -- but you wouldn't be able to recognize it if it did come out. You couldn't *verify* it.
-JF
MrJoy.com -- Because coding is FUN!
Please, don't bring Chaos into the argument. Does he understand chaos? Does he know what chaos is? Life evolved out of chaos, creating everything we know. How does he profess to understand the complexity of Open Source development without inquiring further into it's nature? What hidden jems of intellectual development are manifesting within this post-modern matrix of meme exchange? Does he really know?
He could have called it "random", but he called it "chaos". He acknowledges it's all beyond him. He doesn't "trust" it because he doesn't understand it. QED
...completely adhering to specs, it probably would be trusted. However no one ever done that -- even systems that are supposed to be "trusted" contain parts that aren't. Probably some embedded stuff can be "trusted", however it's the place where security problems are the least important, and only proper behavior with certain hardware is necessary -- what is much less of a challenge compared to, say, HTTP server + operating system, desktop environment or even a router. If people had many decades for the development of each version of operating system, switch from "chaotic" development to formal specs and proofs that a piece of code adheres to them probably would improve things, however this is not the case, and even if it was, it's possible that specs would end up being developed even slower than anyone would be able to follow then, thus slowing the pace of development to a halt.
Contrary to the popular belief, there indeed is no God.
trust no one.
-- "Perceptions create reality. By changing your perceptions you change your reality."
The ~4 phases of software engineering:
First off, it's really up to the programmers whether or not formalize their organization and follow the two and even third rigorously. I think he has made an analysis that all Open Source development is done in an unorganized, non-traditional software engineering environment and all commercial development is.
But let's say for a moment his assumption is correct. This brings me to the last two phases.
In stage three, commercial interests can drastically cut short the testing phase. The "rush-to-market" attitude prevails as software quality takes a back seat to profit margins -- the great conflict-of-interest that greatly reduces consumer benefit of the product. Vendor's release early way to often. A common misconception is the fact that while the "release" of an OSS product is less definable, because the source code has always been available, if software bugs are inherit to programs, why not always always make it available then? I think he fails to realize the testing _and_ recoding are inherit in use of an OSS product. And OSS projects still have to have the traditional "feature freeze" milestone to move even close to production quality. Unfortunately, commercial software cannot be recoded by consumers once released which makes it actually less tested than OSS -- again, especially if it falls victim to the "rush-to-market" mentality of most commercial software firms.
Then there's the final stage, which is 85% of the traditional software engineering model. Unfortunately, in today's shrink wrapped software world, it has been reduced to 5%. Why? Because there is basically no revenue stream in fixing commercial, shrink-wrapped software. As such, it does largely go unfixed, only being bothered with if a large volume customer complains enough and is paying several millions or tens of millions of dollars in support costs. OSS support never ceases because there is no set "release" of code, it's always been released. As such, OSS is in a continual state of support.
And that final stage is the biggest point. Again, the traditional software engineering model has always been about 85% post-release support. Only those design teams, whether they are OSS or commercial, who are driven by post-release support (either ethically or even financially) can accomodate this most important phase best. That's why when RedHat and other vendor's say "service-focused software firms" are the key to good software products, they are hitting the mark!
The days of rushing the 3rd phase and ignoring the 4th phase of the traditional software engineering model are over. OSS is here and it's our best chance at releasing quality software because it's inherit design methodology accomodates all phases of the software engineering model, even if it lacks an "official source code release" and the code can be chaotic at various points.
But even the concept and problem of the "choatic code state" is debatable. I mean, do you trust software just because it has been "officially released"? Or do you at least hear some peer-review before using it? I think the later applies to the adoption of all software more than the former.
-- Bryan "TheBS" Smith
-- Bryan "TheBS" Smith
Independent Author, Consultant and Trainer
I have a question for the good Doctor. Exactly
why does open source equate to a chaotic development model.
This is a wholy unwelcomed generalization...
Simply distributing the source code to an
application and attaching a very friendly
license does not say a damn word about the
process used to develop that software.
Take for instance OpenBSD, Q-Mail, ProFTPd.
Maybe they have various licenses...bsd license,
funky q-mail license and the gpl. But they are
mere examples of a group of people or individual
developing with a strict model of security in
mind.
I do believe the good doctor needs a new pair
of glasses. Obviously he hasn't had an
easy time reading or he would not have much
such a horrid generalization. He would have
read about some of those wonderful teams out
there working towards our benefit.
Silly professor, generalizations are for kids.
"You should always go to other people's funerals; otherwise, they won't come to yours." -- Yogi Berra
Formally testing a system against a set of specs at most only proves that the system works ACCORDING to those specs
In my experience writing a set of specs that cover every single possible problem (bugs, features, security holes..) is next to impossible.
A closed source security system which perform according to a resonable set of specs could still have problems, and even nasty little back doors.
That said, it doesn't mean that formal testing doesn't have a place, even (or especially!) in open source projects.
Simple things like the OpenSSL test suite which can be run every time you compile up a new version can be very useful, just think - you have a set of tests you run every time you build that can spot straight away if you inadvertentently break something
And I bet that having the Java Compatability Kit to run against has helped the people porting Java to Linux and BSD.
Just ask youself - what exactly to the tests prove?, before starting to rely on then
I mean a lot of computers pass their "ITSEC"/"TCSEC"/"Critères Communs" test and appear to be vulnerable. Even those models seem flawed to me in a sense that they tend to make people think that once the test passed the system can be trusted !!! That's wrong for many reasons : 1) A computer secure at a time may be insecure later as a new vulnerability appear. (I know that periodic audit is part of the certification, but can we trust the audit process(Is it really up-to-date?) 2) Security isn't only the hardware/software, most people underestimate the human factor which is to my mind by far the weakest point of the security chain. (Even those (maybe certified) MI5 laptop where lost...) 3) those formal system models can't be 100% sure (think to godel theorem...) I've read in a book (orange book?) : This system must be proven without any kind of covert channel ! How can you proove that ? Were the boxes in 1980 tested against TCP/IP covert channel ?(Read G. ROWLAND excellent article !) So the real question to my mind isn't : Can open source be trusted ? but rather is there a real formal method to certify that a computer can be trusted ?
Experience has shown that being tested and certified against a spec. Any spec is no guarantee that your system actually meets the goals of that spec. I.e. Windows NT is posix compliant. That doesn't mean porting a posix app to NT is a trivial task.
There are systems that are certified with various security levels according to DOD standards that the military refuse to use at those levels. Reason is that while a formal test bed will by it's very nature be limited in scope and consistent in the number and type of attacks it seeks to evaluate a real world hacker / cracker has no such rules. His goal is simply "Break this system by any means necessary".
I don't think you need to worry too much about Linux being a trusted system. If it ever gets to the high security standards of OpenBSD it will become the system of choice for the paranoid. Until then Open BSD is that system. No amount of certification and trust heaped on other systems will change that.
You see admins who must deploy trusted systems are evaluated in a different manner from managers generally. Did our system get "owned", "Rooted", "cracked" or otherwise compromised under your watch ? Can you tell us how many people tried and who they are ?
If you can't look smug answering those questions but can say "we have deployed trusted systems" you are out the door. It really is that simple.
Another point is that the definition of Trusted System includes the development process. How can you fit into the category without following that development methodology ? So far it seams you don't. Instead you force others to redefine the category so that you fit in. I.e. Right now lots of vendors are redefining "Unix" with the goal of including Linux. Linux taking a larger market share than all other Unix systems combined was no small part of this.
PS: Changing the development process on Linux isn't relay an option.
--= Isn't it surprising how badly I spell ?
I totally agree with the body of the Slashdot article. To pair Open Source and "chaos" may be acceptable from a certain point of view, but to state that commercial products come from a "serious" production environment is disputable by anybody who works in the IT industry, where usually the lack of time and and any sort of quick-and-dirty practices live.
From the "artisan" of software, that made the history of IT by writing custom code for single machines, and who often became unreachable after a couple of years (like his source code from him, erased from the messy piles of diskettes), to the most modern firms, whose SW products often come with bugs so evident that just a fool would think may pass a serious, basic quality test -that's to say, it never underwent any quality test-, the IT commercial industry could not provide such controlled development of software.
I'm sorry for speaking such words like I'm saying something against my collegues, but there is really nothing like that: we all know that there are so many external factors that make usually impossible to test software at the desired level, the level developers really would like to come.
Think about the history of security algorithms, that displays how "close" means real threat, and of how companies and organizations have probably been aware of the limits of their code but went on confiding that such limits could not be discovered -or not in a certain of time-. Would this have ever been possible in an open source environment?
Not to mention the poor quality of support that's often met when asking companies to solve a problem with their products... Open source gives a chance to ask somebody else for help, real-time help, close products do not.
I think that the view expressed by the man who criticized open source in favour of commercial products has a point -yes- but much more "intellectual" than practical.
I will partially agree with him the day that 90% of the software companies will provide what he's talking about, presumably when the whole process of SW making, included test and support will be rewarded as much as really due...
Not that I no anything about the subject.
But doesn't the rejection of NetBSD as a "secure" system imply that *no* system is "secure"?
Bjarne
Excuse me, my coffee hasn't kicked in yet, but isn't this a matter of definitions? That is, levels of "trust"?
Oversimplifying a bit, a "TRUSTED" system might be "built according to a formal specification and are tested and confirmed against a formal testing and standards process", a "Trusted" system might be "tested" secure, and "trusted" might mean "no known vulnerabilities". Under those definitions, Linux might be "trusted", and OpenBSD might be "Trusted", but I know of any operating systems offhand that would be "TRUSTED".
So I think Dr. Spafford is right. Linux isn't a "TRUSTED" system under (what I interpret to be) his definition of "TRUSTED". I think your interpretation that since Linux can't be "TRUSTED', therefore it can't be "trusted" is mistaken.
Hmmm, I think I'll get another cup of coffee and reread that.
// TODO: fix sig
YMMV, but I cannot trust source code I can't see.
If I can't see the code, how am I to know it was coded as designed?
Ed Craig "Who cares what you think?" George W. Bush, 4th of July 2001
At least for the design: Eros is an OS which is GPL'd and its security model (based on capabilities) has been demonstrated secure with a formal proof.
Of course demonstrating something with a formal proof is different from using formal spec and formal testing. But that's a first step.
Now can open source use formal spec, formal testing, etc?
I don't know but given the current mindset (use C because it is the most well-known language, patch now and release soon to fix later), its seems quite unlikely.
I have to reluctantly agree. Even if the official release of a given OS project could be certified, the fact that anybody can download the current code and insert back doors before compiling makes it impossible to determine whether the version of XXX that *you have* is actually secure. In addition, somebody could introduce security holes in a new feature that they develop and, unless somebody else is able to discover them before updating the CVS tree, somebody could download it along with the "current development release."
The only advantage I see to commercial software is that the releases are controlled. The code is not released to the public outside of clearly defined production releases. This ensures that interim security problems are repaired before anybody encounters them. In addition, binaries can only be obtained from one set of source code and from one trusted source. With OSS, anybody can download the current source, insert malicious code, compile, and then distribute their version as if it were the official release.
Any company that would certify OSS risks damaging their reputation should a version of the code they certified surface with a back door. Of course, that was not the code they reviewed, but the bad press they risk receiving would inhibit any desire to certify the security of OSS.
ByteMyCode.com: A Web 2.0 code sharing community.
My complaint with Dr. Spafford's position is this:
- the-next-one-2-years-later. So under the circumstances, I trust open-source systems collecting contributions from standards developers rather than closed-source developers with unseen and possibly out-of-date code, lagging behind.
Most present work in the web world now, where the standards are often implemented & written simultaneously. Laying aside complaints of poor design for a moment, I have to point out the problem here; Dr. Spafford defines trusted (ie, secure) systems as ones that pass "a formal testing and standards process". But are the attacks against web systems laid out before the system is built? Often, NO! So we have a conflict between how we're writing systems, and how Dr. Spafford defines trust.
Addressing more specifically open source, I want to point out the overwhelming portion of the web that runs on open-source. A primary reason behind that is that closed-source, desktop developers are very good at cloning systems, but don't do so well writing innovative products. The best stuff we have for web services are open, primarily written or extended in order to fulfill a specific need.(yesterday an interview with Brian Behlendorf was posted - a fine example) Fanning the flames here, often the standards developers either contribute or write these systems -- which definitely garners my trust. These systems are going to continue to evolve rapidly. No one here can or will wait 2 years for: freeze the standards, theorize attacks, design the system, write the system, test the system, release-and-now-keep-that-system-until-we-release
Point 2:
Spafford has a faulty argument. He criticizes all open-source development on the grounds of how several well-known projects are managed. Let us remember that the sets are not equal. The definition of open-source is a hell of a lot larger than, eg "how Linus runs things". I hope he recognizes that; I for one never again care to work with, extend, or support a system I cannot see the source to. You may trust your vendor, but more options are never a bad thing.
Trusted Systems are built according to a formal specification and are tested and confirmed against a formal testing and standards process.
Trusted systems are tested and confirmed against formal processes. Formal specifications can go a long way in identifing flaws, but would hardly seem a requirement.
Until open source many of the specifications & design documents were considered propriatary or corporate secrets. Open source provides a method to ensure systems are being built exactly to specification. Otherwise, we are trusting the developing entity has actually coded what was defined in the specification.
How often has anyone coded complex systems EXACTLY to specification, the first time? With an open source system we not only know, but can correct those issues as quickly as anyone finds them.
*cough*cough*cough*cough*cough*cough*cough*
Sorry, I got a bad cold.
"`Ford, you're turning into a penguin. Stop it.'" -THHGTTG
This doesn't really seem to a question of whether trusted systems can have open source code - clearly they can. All that's needed is to develop a trusted in the traditional manner then releases the source code and this need not endanger the system's trusted state.
What I think would be a fairer reading of his claim is that a decentralised development model with different developers doing the bits that scratches their itch is not the best way to meet a set of centrally determined formal specifications. But then this is a question of how the system is developed, not whether the source is open. Paying a bunch of programmers to meet the formal specifications and opening the source so that others can spot bugs doesn't seem to be a problem.
Maybe, if all the design goals were centrally determined, outsiders would be less inclined to contribute, so the benefits of open source would be less. But this hardly seems to be an argument for not opening the source code at all.
Am I missing something?
I understand the principle of wanting formal specifications and then testing against those specifications. Where do formal specifications come from? Those with expertise and/or control debate and decide that (x1) needs to be laid out in this way, (x2) should withstand this, (x3) should be designed keeping this in mind, ... (xn) needs to incorporate this, where (x1) ... (xn) define the specification, call it (X). Those in control then say that (X) is "secure" given certain assumptions.
... (xn) are all laid out for us.
... (yn) as its security specifications, which may or may not intersect with (x1) ... (xn) ... (yn) are not stated explicitly, and/or a complete list of (y1) ... (yn) may not exist
Someone then designs a system to (X), and then we can test the system to see if it meets (X), which is easy because (x1)
The problem arises when comparing (X) to, say, Linux because of a number of reasons, including:
(1) Linux was debated over and designed by a different set of experts than those that wrote (X)
(2) Linux was designed using (y1)
(3) Some of (y1)
Thus the security of (Y) can't be "properly" verified. This means that (Y) may require more "faith" in trusting it than the faith required for (X), but it doesn't necessarily mean that (X) is more or less secure than (Y). That (X) is explicit and (Y) is implicit doesn't mean that (X) is more secure than (Y).
One could easily come up with a set of specifications (Q), (R), and (S) against which (X) and (Y) be tested and verified. If (X) is secure with repect to (Q) and (S) and (Y) is secure with respect to (R) and (S), then why is (X) trusted and (Y) not trusted?
The difference in trying to build a trusted system is the formalization. The team which tries to break a system (or certify it), is called upon to review the design, and try to find all weaknesses that might be used to break it. While this could be done with open source, you'd have to find someone to play the role of review team. This could be a serious problem.
I think that it's certainly possible for an open source project to build an operating system to match "C2" specifications, or better. The problem with meeting the Orange Book requirements is that they require trained people to review and test a system. This requires a large commitment of time, effort, and especially, money. Then when you are done, you have certified one version of the system, and nothing supsequent. The open source model is one of many releases, with bug fixes as we go, which has many strengths, but makes the rapid obsolencence of what would be the "blessed" version a big weakness. So, it's possible, but I don't think we should try for it.
I do think that there is a better way, if the testing procedures can be automated, so that the code can be covered from every angle, by the a set of computers pounding on a system, this could be MORE secure than a "Trusted System", at least at the C2 level. A set of workstations could be set up to pound a system, and try to find weaknesses, ala "SATAN", with emphasis on stack overflow weaknesses, etc. If a computer does all the functional tests that a human review team does during C2 certification, this is a good step in the right direction, if nothing else. Add to this a group dedicated to adding test conditions for new flaws, as they are found, or hypothosized, and I think you've got the winning combination for a truely secure platform.
What is really needed is a way to make all of the consequences of a line of source code visible. With C, C++, Delphi, Fortran, et al, there is no way to see all of the possible (side) effects of a line of code. That simple iteration, could have a bounding condition that causes a major hole in security, or it might be perfect, how can anyone know? I consider this to be the problem of brittle code
Object Oriented Programming is a good step in the direction, it does, if properly used, make code testable down to the object level. There need to be better tools for hammering on each object, and making sure they work as delivered, but at least you have something which CAN be tested on a unit level. OOP is good, but still not good enough. It does go in the right direction, because cracks in a system can be traced down to a single component, but those components can be brittle. Testing those components to a high degree brings us close to the goal (my goal, actually) of perfect code. Close, but no cigar.
A platform needs to be built which can make writing a computer program as simple as working with physical objects, such as hammer, nail, etc. When you pound a nail into a 2x4, you know right away if something goes wrong, and what all the effects are. It's easy to test, and visually verify the results. Coding needs to be the same way. This would take a lot of the "magic" out of the process of coding (and uncertainty). What ideas are out there for making this happen? Is a system of individually tested components good enough?
I have a few ideas, which I posted more than a year ago with my own manifesto at basicsoftware.com, ( and I need to review those ideas myself) but really haven't contributed anything myself. So I'm in the same boat... my contribution is a possible pointer in the right direction, and a keen eye on others, and their response.
The goal should be to make software better than any possible real world analogy. We need components that don't fail, and work predictably in a all conditions. If that's not possible, it would be good for the component to signal exactly what went wrong. Nails holding things together loosen over time, software doesn't have that weakness. Nails don't signal failure, but wouldn't it be nice if the nails in your roof signaled failure before the disaster struck?
--Mike--
First of all, based on this definition of "trusted", the open source issue is irrelevant. Software could be "trusted" whether you could know the source or not, so long as the thing was designed to a precise formal specification and underwent sufficiently rigorous testing. None of the software I use (directly) is "trusted" in this sense.
That doesn't mean I don't trust my software. I put a certain amount of trust in it -- some more than others. But this is "trust" in the more usual sense. The sense in which it is used in the article above is an unfortunate jargonisation of a word with a well-defined meaning in everyday use. Let us rather refer to these systems as formal systems. That's probably an overloading of the term "formal", but at least there's less chance of getting confused relative to "trusted". Of course, you would expect such a formal system to be highly trustworthy by merit of the rigorous design and testing, and critical systems should almost certainly be constructed in a formal manner.
In general, I think more systems should be handled in a more formal manner. Indeed, in my opinion, lack of formality is one of the major reasons we have crap software. Usually we have specifications written by marketroids or by hackers scratching whatever itch is pestering them most at the moment. This doesn't make for good formality. Even when formality is attempted, it's rarely done well.
What's surprising about open source is that it seems to have a generally higher reliability than many commercial offerings, despite the fact that the development process is unfunded and chaotic. In that sense, it is relatively trustworthy, despite being informal. This isn't an absolute statement: there's a huge spectrum of quality, and it's mostly the top end of the quality that's interesting.
It would be interesting if a formal open source system were to be developed. The code contribution process could still be informal, but the specification and testing would have to be more organised. Infrastructure systems like DNS and TCP/IP stacks would do well from this, I think. Would there be enough interested parties to write the test harnesses? Who knows.
proof, n. A demonstration that a conclusion is implied by certain premises and axioms.
What we're seeing here is a big, old, fat dichotomy between the software engineering community who consider themselves engineers and the open source community who thinks of themselves as programmers or coders. I've traditionally always fallen into the latter group, however there is no doubt in my mind that the SE tactic of actually coming up with a sensible plan in advance is better. *This concept does NOT threaten open source software.* What it threatens is the culture of open source community. There's a difference between hundreds of programmers simultaneously fixing bugs within a predesigned and well thought out architechture, and those same hundred programmers randomly going off on their own design tangents. Any successful open source project has some kind of centralized authority- even if it a guy who just does the builds. What I'd like to see is a vast expansion of the whole TODO file concept. Rather than have a handful of items listed such as: "Somebody needs to figure out a way to blah blah", the TODO list should be a detailed spec. The process of coming up with that spec could itself be an distributed process but a very detailed and heavily reviewed spec should be developed before everyone starts coding.
Things such as accidental back-doors and such that might not be tested in a formal test, would have the chance to be noticed by hackers the world over. closed source does not mean no bugs, or potential security breaches, just none that the group of developers have thought of.
------------------------------------------
If God Droppd Acid, Would he see People???
What are we going to do tonight Brain?
A big company or a large organization, say the Army or a Government Agency, can take open-source software, submit it to a full auditing process [not only tests but also reverse engineering] and put in place a strict configuration control policy. They get trusted software and they don't need to depend on anybody else for their security. And probably they save lots of bucks in the process [wrt developing the software from scratch].
Individuals and small companies have neither resources nor skills to do that. Yes, anybody can look to open-source code. But how much it will cost in terms of man-power ? Skilled software engineer time is not a cheap resource.
Therefore, they have to trust someone else. At this point is not a matter of how the software is developed, but of what you choose to trust. It could be the peer-to-peer inspection of Open Source. Or it could be a company that distributes 'Trusted Linux' or 'Trusted BSD'. Or a company distributing a closed source system that they say is trusted.
Ciao
----
FB
I think that an important part of what you have to understand on this issue is that he's refering to a very formal concept of a trusted system. If you read the government guidelines on building trusted computer systems (e.g. the Orange book), one of the specific factors that is involved in designing systems at level B3 (IIRC) and above is that they be formally specified and proven to meet that specification.
While it's easy to gloss over this kind of requirement, there's some reason to think that it's actually a good idea. By the time you get to a class B system, you have to think about things like mandatory access controls, covert channel analysis, and the like. A formal demonstration that A) your system specification succeeds in meeting those goals and B) the system as built successfully implements the specification seems like a reasonable basis for reaching a high state of trust.
It's not impossible that you could build a free software project that could achieve this kind of goal. It certainly seems to be the case that every time someone says that free software can't do this, that, or the other thing, they've been proven wrong. But it's going to be tough to attract people to a project where you have to do stuff like keeping records of what you've done to meet design specifications, which is actually a requirement of high level trusted systems.
There's no point in questioning authority if you aren't going to listen to the answers.
Hey, even Dr. Gene Spafford ought to consider the POSIX standard, which the Linux community prides itself on conforming to. I believe I'm not mistaken when I say that some organization (UNIFIX) has already certified Linux to be 100% conformant to the POSIX.1 standard. POSIX is definitely a formal spec even by Dr. Spafford's rigorous definition, I suppose...
Qu'on me donne six lignes écrites de la main du plus honnête homme, j'y trouverai de quoi le faire pendre.
Somebody moderate ka9dgx up.
I think this guy is talking about a Trusted System, like C2 certification, ala orange book. I don't think you can swarm-code past those tests.
Go check out the post from ka9dgx: "Trusted Systems - Building Paranoia into the code" It's long, but it's good.
...or maybe not.
Next, copy losetup, bash and your kernel to an unencrypted /boot partition. Encrypt everything else. Add an option to lilo specifying that /boot/myscript.sh is init. I disrecall if you need to specify boot as the root partition and remount it, so some experimentation may be necessary.
In the myscript.sh, there should be the set of commands to run losetup and prompt you for your passphrase(s) to mount your partitions. Enter them. Script should then remount root and exec the real init. System boots normally.
Dear sir, I humbly ask that you attempt to bypass the login: prompt and access my data on a system so configured. You may use any tool you like.
Open Source not secure my arse...
I once declared a system as 'trusted'... But then it's programmers got busted, So I installed OpenBSD, Guess what happened to me? All the malicious attackers were disgusted!
"If it has to secured, DON'T put it on a computer".
I used to believe he was joking but now, with a little more experience, I totally agree with this declaration. If it's sensitive, for goodness's sake, don't put it on a computer, and especially on a computer which is connected to ANY form of network.
With all due respect to a senior 'net citizen such as Dr Spafford (who is certainly more intelligent than I am or ever will be), it is true that Linux (or *BSD) evolve in a chaotic and ramshackle way. But we should always remember a few points:
Want to keep something a secret? Remember the advice of that engineer: write it down on a piece of paper, use a one-time-pad, lock the paper in a steel box and put the box in a military-grade safe. Burn all other traces and throw the ashes in a vat of acid. But, for goodness sake, DON'T leave it on a computer!
Of course, this is just my US$0.02...
The right to offend is far more important than the right not to be offended. (Rowan Atkinson)
If I correctly understood your story, it just seems that because of some rule, open-sources will never get the sticker with the Trusted System trademark.
I believe this is kind of a restrictive approach even though there might be some good points about it.
By definition, you trust wh[o|at]oever you know.
If you get experienced enough with your server you should not look for such distinction but for ways to make it even more performant.
After all, this sounds like some new kind of benchmark and we all now that satisfaction is not necessarly a matter of figures.
--
Trolling using another account since 2005.
Well, perhaps Open Source software shouldn't be "trusted," given his definition of trused. But the true test of a program should be how well does it compare to it's competitors. If a program works better, it shouldn't really matter if it's "trusted" by his definition. It's still the better program. So if you're arguing whether open source is better or worse than closed source, I would say just look at what's out there. Which program performs better?
... Security is not something that can be tested for.
Makes sense if you think about it. And it blows a truck right through the "you need a formal spec to test against" premise.
I think Schnier makes much more sense from a theoretical point of view.
From http://www.counterpane.com/crypto- gram-9911.html
The only reasonable way to "test" security is to perform security reviews. This is an expensive, time-consuming, manual process. It's not enough to look at the security protocols and the encryption algorithms. A review must cover specification, design, implementation, source code, operations, and so forth. And just as functional testing cannot prove the absence of bugs, a security review cannot show that the product is in fact secure.
No mention of a formal spec.
Go Bruce!
DWR is Ajax for Java
Open source can be more trusted than closed source. Formally designed and reviewed software can be more trusted than chaotically assembled software. These seem orthogonal to me...
In fact, the two are orthogonal to one another in most aspects, but they can be aligned. I don't see any dichotomy between open source and the kind of intense process that produces trusted systems, it's just that the open source movement hasn't matured to that level yet.
Spafford's observation is correct today, but he makes the erroneous assumption that open source community will continue its current practices of doing inadequate planning and testing to ensure real trusted systems. This is one of those areas where the arrival of the commercial backers of open source, like IBM, an offer substantial contributions.
The one thing that has marked the open source movement from the beginning is the ability to respond and change quickly to get the job done. We are in the adolescence of the open source movement, and since trusted systems do require more process than the standard open source method provides, and since people will want trusted open source systems, it's only reasonable to assume that the open source process will morph as required to "scratch the itch"
"The future's good and the present is nothing to sneeze at." - Roblimo's last
"How do you think we can address his criticisms?"
A few outdated man-pages, HOWTOs and pointers to Web-URLs just won't cut it in this context. In Trusted systems you will need formal proof of ownership, wholistic design, white-box testing/analysis and black-box testing, plus other things I can't come up with now. Documentation on the whole process of conceiving and creating the system would be a great benefit. This would have to be Applied To The Whole Shebang(tm), down through every library, including formalization of every function and good comments on most of their lines.
Now doing this properly _after_ the actual implementation has always been a bad idea, and would further require much harder work than if it had been done in the first place. However, this is an impossibility when regarding how the Open Source-process really works. It would never be as good as it could have been.
If more companies started supporting Open Source solutions, they could perhaps fund this kind of work and release it to the public (either for free or for a fee). It could benefit these companies, because now they can Trust and use free software. Actually, I saw a book that documented the whole Linux kernel once, so I know that has been done successfully.
Of course, "trust" is a word of many meanings. I for one trust many Open Source solutions simply because I know they have stood the test of time again and again. However, I'm always aware that new versions may break things considerably, and the documentation is not always updated. That is why Open Source is not currently a good process for building really Trusted systems. (This has nothing to do wether you release the source or not, which should always be a benefit to trust.)
So to me personally it is good enough, and currently the Open Source-process has quite a few benefits over closed source in this context (and many more regarding price and freedom):
1) Peer review (less bloat, great functionality and inter-operability, harder to put in trojan-functionality)
2) Large techsavvy userbase (quicker bugfind- and fix cycle, easy to get help and gain a community)
3) Ability to find and fix errors or improve the system yourself (Although this should never be necessary in a trusted system. Doing so may also contaminate the system with eg. bad binaries. However, it can be done safely if you use the right process of doing so.)
Note that these points are connected to the very fundamentals of how Open Source works, and should be seriously considered by companies that not merely want to ride the "Open Source Wave".
However, if I were to buy a Trusted system from a company, I would make sure there was a contract that held them accountable. That would be one point to proprietary software I guess. I think it would be hard to find a company that wants to be held accountable for Open Source code (written by others) that they have merely certified..
And lastly, always remember this: There's no such thing as 100% security. You cannot prove security, only prove insecurities or specific lacks thereof.
So don't put your trust arbitrarily.
- Steeltoe
http://www.debunkingskeptics.com/
The whole issue really comes down to one things: the code is the only thing that can be trust. No test or even real life proving provides what the code does: solid proff that the program is what it claims to be. Test after test could be run on some M$ server program and it could meet some very rigerous, formal standard, but that means nothing to me becuase they won't let me see the code, so I don't know if M$ is secretely observing my use of their program or violating the privacy of my users and myself.
Like I wrote; the only thing that can ever be trusted is the code.
---
-- Gordon Worley
... And you need to remember that his bread is (as I've said before) partially buttered by closed-source development, and that butter may be threatened by open-source code and economics. Also, beyond just his livelihood, open-source does not necessarily obey his notions of secure design and practices. Academics REALLY HATE when real-world practice doesn't fit into their theoretical structures.. So inconvenient!
We can definitely learn from this man, listen to his experience and knowledge, steal his ideas, and write more secure software, but leave the obsolete preconceptions behind. Then again, he should know that the only reliable crypto is open/peer-reviewed crypto, and security in general needs to be scrutinized by many people of different talent areas to be of quality.
Your Working Boy,
The following is dry, and opinionated, from the POV of an old-timer VV&T/QT/Tester.
I'm big on specifications, and will argue both sides of a contract when a spec is violated. I've even been in a couple shouting matches over them, fighting for the correct implementation, not supposed "flexibility" though they do need to be bent at times.
Fortunately, the shouting matches are rare and as a Contractor Scum(tm), I never take them personally...only as a barganing point and to help stiffen the backs of those who are easily swayed. It's a shame when good projects go bad, but that's other people's money!
Good specifications are invaluable in eliminating all sorts of conflicts and allow projects to actually end without different groups wanting to kill each other.
Unfortunately, specifications are by necessity limited in scope. If it's not in the spec, it can't easily be added. If it's in the spec, it can't be modified easily.
On a formal contract, adding in goals like "The system shall be fast" don't work well, so more detail is usually specified; "The system shall retrieve a query on the client stations within 4 seconds at all times".
There's always a few details that slip by, and if the people on the project aren't reasonable the details will cause quite a few social and technical problems.
Even relying on an outside specification is a problem...since APIs/protocols/... are usually vauge on some level.
The people who implement it and the environment have a much greater impact on the results; there will be good and bad free software / open source projects...as there are good and bad commercial projects.
From what I've seen, I'll trust open source as much or more in most cases...but I'll test it first.
A firewall can not protect you from yourself. Turn off what you do not need. Do not use the firewall to do your work.
He's right in the tradition sense of "trusted" i.e. "tried and true". These systems are trusted because they're a veritable Rock of Gibraltar - they're been around for a long time and have weathered all storms. Fair enough, as long as you can live within such a framework. (Change something, however trivial, and you may well ruin its trustworthiness.)
Open Source, OTOH, takes a different approach. Instead of standing still, it is constantly changing - any problems that are discovered are fixed quickly; it's very difficult to besiege a moving target. Exactly how fast it moves depends on what you are looking for - Linux is probably the fastest evolving Open Source OS; OpenBSD takes the slowly but surely approach. Exactly which approach is best depends on what the user wants - the way it should be.
Your testing is all very well-defined. If the pre-conditions are violated, then your input is in error. Your routine should determine this (how is unimportant) and exit safely. To test this, run the routine in a test harness and see what happens when you enter "normal", extreme and erronious data. (Ok, hands up! How many of you have heard exactly the same thing from Comp Sci lecturers, throughout school and University? Just cos they're lecturers doesn't make them wrong. At least, not all the time.)
The next round of testing is the post-conditions. If your routine exits and violates a post-condition, then the logic in the routine is faulty. The case being tested is not being handled correctly, according to the specification. So you fix the routine. Big deal.
Who defines the pre-conditions and post-conditions? That's simple. For IP-based networking, the IETF RFC's define those very nicely. For device drivers, the specs for the device do the same. Then, there are POSIX and UNIX98 standards docs. Since Linux is a mish-mash of BSD and SysV, the specs for both of these are usable.
All in all, the problem with Linux is NOT that there aren't enough formal specs (there are plenty!) but that Linux doesn't have any wide-spread test harnesses, or databases of pre/post-conditions.
If someone (anyone!) could come up with a way of plugging ANY Linux module into a test harness, and pound it with different cases, and then have the responses checked against the pre/post-condition DB to see if the module violated the specs, you'd have ALL the formal testing you'd ever need and auditing would become a breeze.
Dibs Linux for B1 before Windows!
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
Specifically, it wants all access to all objects on the system to be fully logged, leveled security, and blatant marking, plus whatever else is in there and too dry to read.
However, remote access to systems is a job not only for the operating system of the host, but also for the network it runs on. Being that networks in 1983 were a little different than they are now, I would hope that a system that was meant to provide access to possibly classified data would rely on more than simply the security of the selected operating system, regardless of the openness of the sourcecode. The system in that case would take into consideration the OS, the firewall, and the network connection from client to server. The possibility probably exists to buld a system based on Linux that could be trusted, but would need to be spec'd out with "system" referring to more than just the OS of a host computer.
When it comes down to it, would you really want the good name of Linux drug in the mud by some military stiffs who can't secure the Army web servers?
--m
First of all, I think your mention of the Linux community and how it prides itself on its haphazard development model is a bit misleading. Even the Linux kernel itself is not developed in the chaotic manner you described (parts of it, specially the in-the-works LVM, have formal specs and desing).
What you seem to miss though, is that not all free software projects are developed in quite the same way. The contrast between Linux and OpenBSD is just the tipof the iceberg. Many more projects have such a close knit assembly of core developers who add features following a formal design, and use formal tests to ensure that the builds are OK.
The argument you seem to have missed in that lecture is that there's no reason why an openly developed free software cannot have thourough, formal design and testing, and there's no guarantee that a closed development has it either.
Information wants to be beer, or something like that.
Gene Spafford's argument seems to proceed simply as a tautology from his definition of "trusted", if I've understood the summary correctly. By this definition, a system is "trusted" if and only if a formal specification and testing process exists, and the system satisfies the spec and passes the tests. Thus it's trivially true (if we accept the definition) that a system that doesn't satisfy these criteria isn't "trusted".
It is *not* true, however, that an Open Source system could never satisfy this definition. Set your formal specification and get your Open Source coders to work on fulfilling the spec. When they're done, then voila! A "trusted" Open Source system.
Alternatively, one could reject Spafford's definition of "trusted", as not matching the intuitive notion of trust. One could reasonably argue that "trust", in the common and intuitive sense, can only be realistically achieved by extensive peer review. I would furthermore argue that satisfying a formal spec is not enough for trust, because a spec might fail define a system that most of us would intuitively view as trustworthy.
If all he's saying is that all we need is a spec in order for a system to be "trusted", without saying what such a spec has to be like, then I say he's wrong; because a spec can specify any kind of untrustworthy foolhardiness you imagine.
To demonstrate this, I hereby give a formal specification of "trust": A system is "trusted" if and only if it crashes at least once for every six hours of operation. The formal test is: Run the system for sixty hours; if it crashes ten times or more, then it's "trusted". There you are, a formal spec and testing process. But hardly anyone could describe such a system as "trusted".
BTW, although I'm disagreeing with him, I remember Gene Spafford with great respect as a major driving force in the early days of Usenet, and the author of an O'Reilly book on security. I'm a bit dismayed that so many Slashdotters don't recognize him.
Always keep a sapphire in your mind
He certainly has a point in that the design of open source programs often leaves something to be desired.
Also, there are too many open source projects that were started by inexperienced designers and programmers, and get reworked over and over to meet quality and security standards.
Maybe, now that Linux is getting more and more attention, a next level should be started: some kind of "open specification and design" system.
One that allows new projects, or new versions of existing projects, to be specified, designed and documented before the coding starts. "open source" focusses a lot on the actual code, and we all know that this is only a small part of a successfully functioning software system.
"Government is a disease masquerading as its own cure." --Robert LeFevre
Once there was a young monk who saw another young monk from a rival temple on the road.
"Where are you going!" he said in a rude voice to the rival monk.
"I am going wherever my feet take me" said the rival in a mysterious voice.
This flustered the first monk. When the first monk went to his masters and related this, they beat him, and said "You fool! Ask him, 'What if you had no feet?'"
The next day, the monk saw the same rival walking down the same road.
"Where are you going!" he challenged.
"I am going whereever the wind blows," replied the rival solemnly.
This flummoxed the first monk, who was not expecting this. Again he related this to his masters, and they beat him, and said "Idiot! Ask him, 'What if there were no wind?'"
Thinking he had this figured out, he lay in wait for his rival, who in due course came down the road.
"Where are you going?", he challenged.
"I am going to the market to buy vegetables" said the rival.
---
The point of this is that when somebody is thinking on a deeper level and carefully factoring in your own methods of reasoning, he can defeat you. The Morris worm was a perfect example.
I agree that open source is not a panacaea, but neither is formal specification and testing. Paranoia suggests multiple and orthagonal methods for enhancing security, not relying exlusively on one strategy.
Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
The entire concept of trusted software is predicated on the notion that the user knows what he wants, that this desire will not change and that it can be captured in a specification. That is sheer folly.
-Eldurbarn
Open source is more likely to be free from intentional 'features' which compromise security, because the source has been stared at by hundreds of eyes without the same nefarious goal. Contrast with Microsoft, where "Netscape Engineers are Weenies!"...
However, if the source is open, your own developers can put in whatever 'features' they want.
Are you more worried about external intrusion by a monopolistic corporation, or internal moles and unhappy workers?
What policies would you place on open source code that would keep it 'secure'?
-- What you do today will cost you a day of your life.
it doesn't matter how the software is delivered, only who you can trust.
take Micro$oft, they deliver an os environment with undocumented features. how trustworthy is that!?
I commented earlier poking a few holes in Dr Spafford's argument, but now I'm posting again with a totally different point.
Let's say he's right: Open Source isn't a security panacea. So what?
This is only a big deal to the ESR's of the world because they try to make arguments about using "Open Source" software based on business needs (like security, cost, bugs, etc). But that's not why I (a non-business, after all) use Linux (and friends). I'm in it for the freedom. And no amount of specs and formalism will give you freedom.
--
Linux MAPI Server!
http://www.openone.com/software/MailOne/
(Exchange Migration HOWTO coming soon)
Anyway, I said "depressingly" in my subject line because there are a whole bunch of people commenting down below who don't see what is so obvious to you. To them, open source means baggy pants, cap on backwards, dissin' the man! You can see that view also in ESR's debate that was up here yesterday, too. Sheesh, folks! Open source is about getting your hands on the source, that's all. It's not about no plans, no deadlines, no testing, just like it's not about more plans, more deadlines and more testing.
That said, let me add one not terribly original point: a system that is tested and certified by lots of committees and agencies, and it is open and open source, and it still passes all the tests and certs, is a system that is probably pretty secure. The various public key encryption systems come to mind as examples.
If I understand this correctly, he's saying that becuase its open source it can't be secure?
My experience with software as programmer and system admin is that the user community drives security. As a sys admin, its my job to use products with the appropriate level of security available and in place. This being true of all similiar folks, natural selection of processes and software overall, IMHO, will drive towards higher levels of security and quality.
Along with this, I believe many of the programmers involved in open source are also consumers and also familiar with standards. Security standards are well documented and even specd out in some cases.
I'd also like to agree with the original poster about existing 'closed source' software and OS. Many holes have been and will continue to be found in existing OSs. Open source just speeds the recovery along vs closed system based on risk/income.
Rant done,
TJ
I'm sure he had his reasons to say what he did. But its incomplete unless you look at both the sides.
1. Open source is only as much chaotic as the maintainers want it to be. I've tried developing for open GNU products and belive me when I say it, it is a pain in the *** to get a patch built into the main code for some people, and for the others the maintainers don't even think twice. Still there are others where 10 different groups have 10 different tree of the same code and try to merge them every few months... this is chaotic. However the linux kernel is one of the best maintained opensource projects I've noticed... if you could just imagine how many people are contributing to it you would appretiate what "linux" actually means.
2."Trust" again is a weird word. Do you trust MS on Office2000 ? How do you know they don't have a code in there which will turn you into a borg ? Atleast I'm sure linux kernel doesn't have anything like that... and millions of people who have seen, studied, and written to the code can vouch for it.
3.Again, the word opensource need not mean that the development is also opensource. I think there are too many journalists out there who mixup words like "opensource", "open development" and "freeware". Whats common to all opensource is that it can be seen and studied by everyone. MSIE is free, but not open at all. And the problem of "trust" which you spoke about involves only in situations where development is also open. For example Plan 9, from lucent is a closed development... (I think this is a good example).
The way I look at it is that, if something is not chaotic then its probably invisible to you. Nothing in this world is perfect... chaos is a relative term... and I don't care if linux development is chaotic... 'cause it works for me.
rkt
Probably the biggest example of why Open Source systems can't be trusted from a contratual standpoint. This runs contrary to the open source ideologly that you can change something completely if it makes the software better.
- My password is slashdot
ISO certification is a great comfort to purchasing managers who prefer trusting a bureaucratic process to trusting individuals or their own judgment. This is similar to companies that require job candidates to have a certification, rather than independently assessing the candidate's skills and knowledge. It's not meant to be an equal opportunity process. It's meant to be a discriminating process that allows a decision to be made without anyone having to exercise their own judgment and thereby risk their reputation. It means you aren't risking your own reputation, and you don't trust anyone else's.
The fact is that making judgments of quality or security is difficult, and most people are lazy. Nothing prevents anyone from coming up with a way to measure security and putting OpenBSD to the test. This mentality, however, would make it an imperative that the software be retested with every change. Any what assurance is there that the test itself, or the person conducting it, can be trusted. ("We'll need to see some certification").
Certain types of people will always have greater confidence in the legal recourse to hold someone else accountable than they have in their own judgment. It's just too bad that those people are given so much credit.
Most companies that purchase custom written software require a strict process known as "Verification & Validation" (V&V) to be performed in order to certify a system as meeting their requirements. IEEE has standards (IEEE.1012, iirc) that cover what should occur during this process. These companies also usually have a clause to the effect "If your system isn't up to par on the documentation, a good history/track record may be sufficient to supplement available documentation". The idea is that even though your software may not have an independently reviewed test plan derived from requirements documents, etc. that you're software shouldn't be excluded from consideration as long it has a history of working well and accurately.
For the Linux kernel systems, this V&V process amounts to verifying that the screwdrivers used to build the house meet your living requirements. So long as Apache continues to serve web pages, and a server can fairly reliably server files, mail, news, mailing lists, etc. there is a general consensus that the Linux part is trustworthy.
I wonder what he thinks of Microsoft's OSs, where they are known to deliberately mess with OS internals in order to affect performance of competing applications. The email regarding how to adversely affect PalmOS users to the advantage of WinCE users springs to mind... Is this a system I should trust?
How's my programming? Call 1-800-DEV-NULL
What doesn't work is having the source code *be* the spec, because if you run with that far enough, you end up with Microsoft Word, where the specification of Word's
---
At least mafia-owned pizzarias make excellent pizza. Compare to Bill Gates.
I wouldn't just go around dismissing him. It's particularly bad to dismiss him on the grounds that his arguements are based on (his) financial well being. The man gets paid to be a professor. His status in the security community comes from his work in security (as a researcher).
:)\n"
One of his goals as a researcher is to develop security testing packages. Dan Farmer, under Spafford's direction, wrote SATAN to help people find the holes in their systems--and patch them.
I think this man is more concerned with developing a secure world than he is by profiteering off a particular economic model.
OK, it's possible to miss a point. We all remember Ken Thompson's remarks about Linux, and I remember being in a lecture hall where Owen Brown and Gordon Bell both trashed on Open Source. It's very possible that Spafford missed this as well. However, as an earlier post pointed out, Spafford's lecture seems to be aimed at a controlled, replicable, process (gee...that sounds like software engineering). As much as many of us hate to admit it, most open source software is designed by the code-and-fix method. I have the feeling that this was one of his main points. It's hard to set up a detailed testing model which handles all of the inputs and outputs (black-box) to see what a routine will do when the routine is evolving into existence.
Finally, I don't think we should "steal" from Dr. Spafford. Aside from the fact that he gives his information out for free (it's payed by research money but donated to the community at large), it's illegal, immoral, and, from a socio-economic point of view, inappropriate to steal.
I didn't have the opportunity to sit through his lecture, but I wish I could've. I'm sure it was quite interesting to those who didn't let certain biases cloud their thinking.
if ($user =~ m/shaldannon/i) {
print "\n-- $user
}
What is your Slash Rating?
Remember the NT C1 (now C2) compliance thing? Because NT's design happened to include some of the elements of the C2 definition, they were able to come up with a configuration that could be trusted. Not bugfree or secure, but trusted. (Note, NT's C2 security used to involve no NIC, but I think they fixed it).
OpenBSD is really fucked secure, but isn't designed to the spec, doesn't include the ACLs and other stuff needed for DoD compliance, etc.
Neither does FreeBSD, but remember the Trusted FreeBSD project? They are trying to make a B1 compliant (trusted) BSD based off FreeBSD.
Also, Operating Systems are not inherently trustable. It is the entire system that earns a security rating. It largely involves a fine tuned control of file access, but not a fine tuned fixing of bugs.
Alex
Yes, I picked NT as my "trusted OS" mostly because it will generate the stupid /. effect of "waah waah waah, NT is horrible, you must be a moron" the required "you are the stupidest ass in the world" and other stuff like that.
Get a grip kids! OSes are NOT the end all and be all of life. Further, drop the prejudices. I am an MCSE, that does not make me a moron, clueless, or a lemming. Indeed, just because all the MCSEs that you know are dumb does not mean that they are dumb BECAUSE they are MCSEs. Some of us happen to be very competant administrators, and happen to have a certification. Some of us actually learned are shit to get it, instead of just memorizing study guides.
Quit hurling insults to people that sometimes disagree.
Alex
First, the big fallacy in his argument: Open Source is not the Bazaar! Specifically, there is nothing to stop a person from getting a group of programmers together, writing up a formal spec, paying them to write code, paying a third party to do a formal audit and testing it against formal standards, and then releasing it under an Open Source license. It wouldn't cost any more than the analagous proprietary effort he's presumably advocating.
Secondly, you can use the Bazaar to reduce the cost of developing such software. Take a Bazaar-developed program that does pretty much what you want it to, draw up a formal spec, pay some programmers to audit the program and bring it up to spec, and then go through the formal testing. If you pick wisely, this could greatly reduce the cost of such development, and it should comfortably meet his definition of "Trusted".
Thirdly, I question whether formal specifications improves security; granted, that's no consolation if you're working for an organization that requires it. Formal specification merely means that some thought went into design before the program was written (or modified in the above example). It is very difficult to test a specification for security problems, for obvious reasons. Also, it is easy to write a program that matches a formal specification, yet introduces subtle security holes.
Fourth, there is no reason why you can't perform formal testing (for what it's worth) on any piece of Open Source software, Bazaar or not. Then you have a formally tested program. You must refrain from upgrading without running through the testing procedure again; just like proprietary security software.
The bottom line is, if you want formally trusted software, you've got to spend some money. Open Source will not prevent this, Free Software will not prevent this, neither the Cathedral nor the Bazaar will prevent this. That doesn't mean they should be excluded from consideration.
----
----
Open mind, insert foot.
THe problem with specifications, is exactly its benefits.
.. minutes?
When WYSYWYG interfaces, someone point out that not only is What You See Is What You Get, but also that What you see is ALL you get. This means that while you can see on the surface what document or page or whatever that your creating, and how its looking, but thats all your going to get, nothing else, no more, no less.
Take example a standard graphics program like the GIMP, and compare it to POVRay. The GIMP's WYSYWIG interface is really slick, but with POVRay, you can create ray traced images that would be next to impossible in a WYSYWYG environment, but you dont get to see the exact creation before its done.
With programming, a formalized, structured process ensures that the program will give you what you want, but it will never provide more than that.
True "Innovation" will never occur. No one may spot the flaw in the security model, no one may realize that 40-bit encryption is a bad way to protect DVD's from being copied, no one may predict that a Record-Industry defined "secure" file will only be effective for a couple of
But by setting Goals, but allowing for large amounts of flexibility of the Programmers allows for products to be delivered that are not only Programs that meet their requirements, to Products that truly meet their needs.
And trust me, clients requirements and their needs are almost always two completely separate things.
Use Gnumeric as an example - the author did what? Copied Excel. What did excel do? Copied Lotus? Lotus? They copied VisiCalc.
But the question remains, these products are meeting requirments, but are they really meeting the NEEDS of the people that use them. Couldnt someone have thought of a better way of setting up a spreadsheet? Making the formulas? Hell, why are there formulas at all?
But I'm sure you get the point.
Linux may not have the strict methodology that modern business management and Quality Testing require, and that, is exactly why it ends up with higher quality products in a shorter amount of time.
... hi bingo
There is nothing stopping OpenSource code from having formal specs and a well thought out design process.
Does Mr. Spafford think Kerberos insecure?
Last time I checked Kerberos has a formal design spec, peer review AND is opensource.
I do not see that Microsoft products qualify as secure. Where is the formal design spec? The peer review? It doesn't look better on the closed source side of things, but I guess Gene didn't want to grind that axe eh?
If it was said on slashdot, it MUST be true!
Every function, every procedure has a well-defined set of pre-conditions and post-conditions. What goes in the middle, and how many people are involved in the process, is all irrelevent.
All very well for purely sequential programs that start at A and run straight through to B...
Unfortunately, most real world programs have loops, and proving things about even moderately complex loops is Quite Hard (anyone who has done anything involving the proof of loop invariants and termination conditions will know what I mean), most especially if these proofs are attempted 'after the fact'.
Even then, if you can do that, you run into the problem that many systems are not purely sequential, but have some concurrency involved in their operation. Reasoning about concurrency is also Quite Hard, as anyone who has played with CSP, pi-calculus or any of the other process calculi out there.
Finally, you suddenly butt up against the problem that any formal axiomatic system that is sufficiently powerful to do anything useful (say, arithmetic) is also incomplete, so there will be true propositions in your code that you cannot prove. Blame Godel.
Cheers, Nick.
-- O improbe amor, quid non mortalia pectora cogis!
Simple. Real world usage. If somebody breaks security, the answer is staring you in the face. (Now, of only the network admins at a bank would be as gutsy as me. . .)
"If I were to ask you a hypothetical question, what would you like it to be about?"
You can have reckless or disciplined developers in both the open- and closed-source worlds. You can have and not have formal design and test specifications in both the open- and closed-source worlds. You can have rigorous reviews in both the open- and closed-source worlds. It just all depends on the mindset and discipline of the people actually doing the work. Let's not forget the space shuttle developers.
I, personally, don't think closed-source software, by definition, is more trustworthy than open-source software -- and vice-versa. But it's a lot easier to ascertain the trustworthiness, security, reliability, etc. of open-source software than it is of closed-source software because, in the open-source world, you've got the code, giving you the option and ability to do your own reviews, free of spin control from the developer(s) or prosecution via stupid laws like UCITA, and to fix any defects you find. That is what makes open-source code so powerful, in my opinion.
What is to keep someone from writing an open RFC style formal spec and then allow the open source community program to the spec? Open source is all about programming to standards.
The code can be tested by the writer of the RFC as part of the creation standard. In effect that RFC writer becomes the lead programmer on the project.
Maybe breaking up the patterns will make it harder to breach your systems.
"If I were to ask you a hypothetical question, what would you like it to be about?"
Has noone heard of the Department of Defense "Orange Book" (actually I think the latest standard may be a different color)? When commercial OS vendors say they are 'C2 out of the box, B1 when you buy blah-blah-blah)', that is what they refer to as the standard for setting security levels of trusted systems. Why wouldn't that be the place to start? My enthusiasm for Open Source is based on the fact that the finished products are at least as good, and often superior, to commercial implementations. For the corporate marketplace to accept open source software as a realistic, viable alternative, the OS vendors (Red Hat, BSDI, Corel) must be able to equal (if not better) the HP-UX and Solaris' of the world by any objective measure.
I think that adhering to formals specs don't make your software more or less trustable. Formal specs are a good thing, no doubt. But take a look at CERT advisory or BugTraq: most security problems don't stem from bad designs but from bad implementations (e. g. buffer overruns). It doesn't help if your spec says "don't allow buffer overruns". Now just let assume that you have a perfect formal design for a secure system. Vendor X implements his system according to this design... or so he claims. How do you know? You just have moved your trust from the specs to the Vendor X... which does not help, even if the Vendor X has never before been caught by bad implementations (and such a vendor does not exist). If the system is open, at least you don't have to trust, you can see for yourself. Formal specs will make it easier to discuss implementation details. You need a formal test to see if it is implemented right. And if these formal tests exist, you can apply them no matter if the system has been hacked together, is open source, closed source or any combination. And still, in practice, you will get caught occasionally, even if the test will support the illusion that everything is OK. Security is a process, not a state. Never be fooled into thinking a system is secure because you can't spot a flaw. Design is theory, implementation is practice. It doesn't matter a bit what a theory tells you... you can ONLY trust the practice.
You found a sword: +4 damage, +5 moderator points
Call me chaotic
Formal specs are safe but dull
While I live, I hack
------
------
You are in a twisty little maze of open source licenses, all different.
Hmmm, well - you can easily test if the networking components of open source software live up to the RFCs that they are designed to meet. Sounds like a bunch of specs to me. A description showing overall protocols and spefic situations, with specified function and response to stimulus sounds like a pretty good control document to me.
The HTTP RFCs are a good example.
This is what you MUST do:
This is what you SHOULD do:
This is what you CAN do (if you feel like it):
This is what you MUST NOT do:
Pretty cut and dry, and rather effective (the web works, don't it?).
I'd say that most JAVA implementations (from most companies) would fail full compliance to the Java spec (well, at least some of the Java specs... there's so many these days).
"It's tough to be bilingual when you get hit in the head."
It seems clear to me that if there was a market for a formally tested linux code base, a value-add company like RedHat or Caldera could do the work necessary to create a branch which was tested and certified, and sell that.
Right now I think most people fall for "open source" hype much more than "formally tested" hype, so that's probably why we don't see this (yet).
2) Almost nobody cares. I certainly don't. Nuclear power plants, NASA Mission Control, and the CIA care but I don't. Let them use something else.
3) Trusted doesn't mean Linux, OpenBSD, or xpilot suck, it just means that we have no idea if they meet the appropriate standards. Now, if some enterprising company would like to take the source code and go through the rigorous and expensive process of testing it and making it conform, I'd think that was pretty cool. The source code is out there, and they're welcome to it. This is Free Software, remember.
A trusted system does not necessarily mean that it is secure.
:-) (the transformation produces an awful lot of clauses so your complextity grows *very* fast).
I can specify a (software) system in a formal way using formal languages like Z or TROLL (TROLL really is a formal specification language, honestly). But this does not mean that it has to be more secure, it only means that I am able to define the systems behavior *exactly*, so that the resulting software system behaves in a predictable way.
This is working fine in theory but to my knowledge there are no working (as in usuable) tools to automate the derivation of the software system from the formal sepcification. So you are still left with several gaps in the design/implementation process.
Proofing of your specification is simple: Transform your spec into predicate logic clauses und do a resolution
Until this process is fully automated, formal specification and *verification* (!) is too difficult and cumbersome for widespread use.
So this talking about trusted/untrusted systems is completely unrelated to any Open/Closed Source security debate.
+++ after all, it's just my thoughts +++
bye,
blurred
Spaff (and I've met him once or twice. Brilliant, but kinda prickley) is saying that by definition a trusted system bneeds to be developed using very well defined goals and requirements. Lats time I checked, other than some rather broad sweeping statements (many eyes = fewer bugs) there were no hard-and-fast plans for the goals of the various free unicies.
Don't attack him for what you think he meant..it's well known in the security community. that trusted systems are built to very strict standards.
So get some standards and quit bitching.
-dave
This is not a sig. this is a duck. quack.
Academics loves formal methods and industry avoids it like a plague for the most part because there are no perceived benefit.
Grunt: I want to formally specify this program so we can do proof of correctness later".
Manager: "Does this mean the program will be bug free and, by the way, how long will take do do this formal specification and all that proof stuff?"
And the discussion degenerates from there...
Formal specification is very hard for any non-trivial sized programs (say 250KLOC+) and if anyone says otherwise, they are full of BS. OpenSource projects by their nature do not lend themselves to formal specification and testing. Does that means they are more secure than close source or vice versa? No, of course not. It all comes down to the quality of:
the requirement
the design
implementation
the testing
:-) but the requirements changes constantly as someone else enhance the S/W to do that other thing. Testing is uneven as normally there are no formal test plans.
:-)
For OpenSource projects, the middle 2 is usually done quite well (or someone else will redo it for you
6 years ago, in a different life, I started a project to close the gulf between specification and testing on real world sized programs. That work continues and may one day bear fruit. See http://www.ispras.ru/~RedVerst/ or the North American mirror at http://207.236.16.49/RedVerst/. The work is brutal both theoretically and practically and required far more brain cycles than what my poor little brain can generate. I am just glad I am not doing it.
What exactly do you trust OpenBSD to do correctly?
If you can't formally describe what it is supposed to do, then you can't trust it to do that. There is difference between the work trust as used by your mother to describe the safe predictability of the behavior of her family and the word trust used by computing scientists who make no assumptions.
I would agree that open-source systems have the greater opportunity to be more secure than their closed-source proprietary counterparts. However, security is not all or nothing. It's a matter of how much you need, and how much you can afford. A company needs to protect its trade secrets more than I need to protect my computer checkbook program. A government needs to protect its information more than a large company needs to protect any of its intellectual property. An Oracle Dbase on a pack of carefully administrated linux boxes is probably fine for a company to keep its important, sensitive information. However, a government and a military organization, in particular, need much more rigorous security. There are formal specifications for serious computer system security: http://www.radium.ncsc.mil/tpep/process/faq.html
For comparison, Microsoft NT, specially configured, was certified "Class C2: Controlled Access Protection". Sun's most secure OS, Trusted Solaris 1.2, made "Class B2: Structured Protection". Could an open-source project produce a B2 system? What about achieving "Class A1: Verified Design"?
They make it sound as though a system is either "trusted" or "non-trusted". However, how many formally-proven systems do you actually ever use? Probably not very many.
Of the remainder, I trust the open-source programs more than the closed-source ones as far as security goes.
--
Patrick Doyle
Patrick Doyle
I mod down every jackass who puts his moderation policy in his sig. Oh, wait a sec....
There seems to be some, confusion about2 22&threshold=0&commentsort=0&mode=thread &pid=198#206 for a better explanation than I can give.
what is meant by "Trust". Notice it's spelled with a capital "T"? It has a specific meaning. It's not "I trust my home firewall to protect me from most attacks", it's "This product has been built with XYZ design goals in mind, with strict auditing controls to ensure compliance". See Redfang's post http://slashdot.org/comments.pl?sid=00/06/21/1333
ObTagLine: The more you run over the 'possum, the flatter it gets.
A formal spec is a mathematical document (and a painful one at that; to define a stack takes several pages of symbolic gunk!). To learn how to write formal specs is at least an undergraduate course of its own-- to learn to do it well and fully is several courses of work.
There's a point to using a formal spec. Because of its mathematical nature, a formal spec can be verified for completeness. In addition, depending on the implementation language, a program can be mathematically verified to be compliant with the spec (this trick works best with ADA). That's the definition of trusted. Not only have we formally described what the software does, but there are rigorous mathematical/logical means of proving that the software does what it should.
This doesn't say that it's impossible to create trusted software with available source code. This does say that ad-hoc bugfixes are not verifiable mathematically. And I thought a college degree was a total waste of money :P
In summary, it's not that I don't use Linux. It's just that I wouldn't expect Open Source to produce a Hard Real Time OS for keeping the local nuclear power plant from exploding.
Open Source is good at ferreting out bugs, but for this purpose it is orthogonal to proper design.
The particular strength of Open Source is that it difficult to hide what the software is doing. This is improved by structuring the program well. Trapdoors become more difficult to conceal, etc.
If we claim that Open Source and Structured Design are orthogonal, then the optimal place of the matrix (optimax) is where they intersect. But please remember that degree of trust is a problem with more than two dimensions.
I think we've pushed this "anyone can grow up to be president" thing too far.
Just knowing that Windows NT has been successfully evaluated at C2 makes me doubt the validity and usefulness of the entire TPEP program. Might as well just design a new security spec(OSS-SEC) around the existing Linux kernel and submit the product for testing.
The point I wish to make is not something I think is happing but that it could happen and we all need to understand the problem and the solution. A close friend of mind told me of a story where Ken Thomson added back doors to UNIX by modifying the C compiler. The source code of the compiled programs where clean but the compiler added the back doors. He did this back in Bell Labs with the first C compiler. The whole in Free or Open Source software that is that you need to compile your program with a binary program not the source code. Even if you use GCC you still need to compile your fist GCC program with some other binary compiler you must get and trust form somewhere. You are stuck in this chicken egg problem in which you must trust some one else's compiler. In turn the person or company you got the compiler from must trust someone elses compiler. If the government or anyone else wanted to crack into the GNU/Linux world they would make a compiler that put in back doors in to GNU Login, Telnet, FTP, etc programs even the Kernel. They have the source code and often not changed. They know what to do. They will be able to make the compiler know how to recognize and these programs and how to modify them. Now for the scary part they also know how to put this ability into GCC. So when you compile GCC it becomes as corrupt as the first compiler. There is no way to know about the first binary program the compiler you must be able to trust. The solution to fix this is clear. The first compiler should be written in assembler. This allows the program to be dissembled and checked. It can be a very simple compiler for you can add the other features by compiling your GCC code with it. This way you have clean source code and clean first binary compiler and clean system that can be proven to be free of back doors. This problem is a threat to closed source software as well but the lack of open source code makes it harder to know what the compiler needs to recognize and how it needs to modify the programs. With the use of an assembled compiler you can take this weakness of Free, Open Source software and make it a very strong point. I do not know if a C compiler written is assembler is available. Maybe one needs to be written for every platform x86, PPC so on. I know that everyone I know and myself who has and does compile programs always use and trust their first binary compiler. Is this happening I do not know but as long as we don't have a provable clean first compiler we will never know.
Spaf is absolutely correct that 'Open Source' has no bearing on security. Free software is about freedom, and Open Source is a marketing ploy. Neither philosophy has anything to say about security.
I disagree that a trusted system must be designed from a specification. I assume Spaf is not foolish enough to think that a spec is any more magic than Free software in terms of assuring security. He seems to imply that a trusted system must be designed and built from scratch. This is most certainly not true. Reimplementing an OS from scratch is hardly necessary to ensure security. Certainly, it is necessary to have a formal specification that can guarantee the security of your system meets the proper criteria.
NSA uses COTS OS'es for classified work. What they have is a process which certifies that an OS meets some level of security. They also test the actual installation of the system, including covert channel analysis. While I am sure the NSA has 'purchased' a source license to all Microsoft products, there is hardly a need for them to build an OS from scratch.
Whether you use Windows, Unix, VMS, or Spaf's Trusted OS, the process for securing your system is the same.
Honestly, I would say the same thing about a lot of commercial software as well. Just because you sell something doesn't mean that it's been designed properly, and likely just because something is free doesn't mean it's been slapped together with duct tape. Further more I'd trust a program with source more than one without and many open source developers are always willing to accept a better design.
<rant>
I really wish people (especially slashdot editors) would get the terminology correct. It's commercial vs. non-profit and proprietary vs. free/open source. These are orthogonal concepts. There is nothing weird about a company that sells open source software. Lots of companies do it these days. RedHat (like all other software companies) sells nothing but commercial software (by definition).
</rant>
Regarding the topic of the article, I certainly wouldn't trust proprietary software. I can't even figure out how it works, let alone what it's supposed to do. I also wouldn't trust a car that didn't let me open the hood and see how it was constructed. I see nothing inherent in the open source model that prevents adherence to design goals, certifications or regulations.
I've said this before but I'll say it again:
It is not the responsibility of the Linux distribution or the OSS developers to make their software secure.
High security computing is a process, not an out-of-box solution you can buy or download from a website or FTP server.
GPL software is designed to be fixed and improved, and while Dr. Spafford may have a point with "infosec standards", I can give you an example where the GPL actually improved the security of the Linux kernel.
The following is available at www.rootshell.com:
[ http://www.rootshell.com/ ]
Date: Tue, 1 Jun 1999 17:43:17 +0200
From: Piotr Wilkin
Subject: Linux kernel 2.2.x vulnerability/exploit
I'm sorry if this has been noticed before, but since I did't find anything
in the archives, I post it here. There seems to be a bug in kernels 2.2.x
(tested on 2.2.7 and 2.2.9), that causes them to panic when they are sent a
large number of specific ICMP packages. I think the problem comes from the
combination of the mangled header length (shorter or longer ihl's don't
cause hangup) and the random ICMP packets (random type/subtype and source
address) this program sends. Windows 9x and FreeBSD 3.0 seem to be
unaffected.
When an ICMP denial-of-service attack threatened Linux kernels 2.2.9 and pre-2.2.9 (at that time, most distributions shipped with 2.2.9 or pre-2.2.9)
debian used 2.0.36 or something, the exploit was not only posted, but immediately fixed by none other than kernel hacker extraordinaire Alan Cox.
Besides the internet security alerts, CERT, rootshell, etc, i don't believe that this even made the evening news in most major markets. Unlike Outlook Express exploits, Linux bugs get fixed, and they get fixed quickly.
So if you want a secure system "solution", get a system and unplug it from the internet and build a brick wall around it, hire some armed guards, and only use one-time pad passwords. I'm not joking, and some of this is even suggested by Dr. Spafford and Simson Garfinkel in their seminal book, "Practical UNIX and Internet Security", which I read and enjoyed about 2 years ago.
Anyways, I think Bruce Schneier's article about OSS and security that appeared in Linux Magazine a while back was more informative and stressed the strengths of OSS for system security.
THANK YOU! The fact that this ridiculous, absurd and fallacious dichotomy between "macro-evolution" and "micro-evolution" has been so widely propagated (and, in fact, is accepted by pseudo-scientific creationists despite the huge amount of evidence against it, simply because it's a nice, cozy way to acknowledge the existence of the evolutionary process while still managing to shove a God of the Gaps into it) is a true tribute to the idiocy of today's "anything goes", "everything is true if you want it to be" postmodern society.
I, personally, have had enough of it. Nobody, I repeat nobody, gets to shove postmodern dogma down my throat.
To the editors: your English is as bad as your Perl. Please go back to grade school.
The real evaluation of a system should be in TESTING. So who cares if you didn't develop your software by a formal set of specifications? Draw up a comprehensive suite of tests that will "prove" the system to be reliable, and judge the trustworthiness of the system by its performance in these tests.
Unless, that is, you want to blow an inordinate amount of money on closed-source development. I imagine this argument for trustworthiness of software is used often in government agencies very big on documentation, process, etc...not that any of these are bad in moderation. But government agencies do have a budget to spend every year. If they operate efficiently in one period, they will be expected to do so in the future (i.e., their budget will be cut). "Oh, no! We've got to spend the taxpayers' money wisely!"
In the ABS example, simply run rigorous tests of the system to ensure that it behaves properly in all conditions. If it fails and the car smashes into a wall at 50 mph or the brakes lock up, no, of course you can't trust the system. If everything operates correctly, what the hell is the problem?
One of the reasons that I became a lawyer was to avoid ever having to hire one. -SPYvSPY
It would be nice to know what the requirements are of this spec. If the spec were or is an open spec it would then be possible to make Linux, OpenBSD, or any other OS abide by this spec.
I think that it is important to understand as some have pointed out that trusted does not mean secure. This is one of those english language semantic things. Trusted means that they have a set of requirements that this OS / program is supposed to do and it does them. Basically they can trust that if this happens the software will do what they wanted it to do. Secure means that if someone tries to hack in or exploit a buffer overrun then the system wont let them. OpenBSD is secure, NT is trusted. This does not mean that NT is not secure, it is in its own right, but I wont get into that. It also does not mean that OpenBSD cannot be made to be trusted either.
The advantage to them of Open Source would be that if the sytem is not trusted, they have the source and can make or have the system made into a trusted system.
Wouldn't it make more sense for them to take a secure system and make it trusted as well?
Just my .02 cents, but I think that the goverment needs to start rethinking some of its policies of doing things.
send flames > /dev/null
Only 'flamers' flame!
I also menitoned OpenBSD to him as an example of a secure system that was open source. I argued that it was exactly because of the OpenBSD/FreeBSD development model (i.e. closely controlled with a top down hierarchy) that it was able to be more secure. Dr. Spafford still felt that OpenBSD did not fit the criteria of a well-trusted system
What exactly does "Dr. Spafford" have a doctorate in? Whatever it is, it certainly hasn't got a thing to do with computer science. Maybe marketing. Maybe he has Ph.D in F.U.D.
That all programs have to be proven mathematically in order to work?
(Yes, I know that's not *exactly* what the guy was saying, but taking it a step further helps me prove my point.)
IIRC, just proving something correct or secure doesn't actually mean it will work. In the last book I read, an example was given of a program that would do word wrap for text. It went through the entire process of planning, documenting, and at each step they did proofs of correctness on their psuedo-code and their actual paper code before ever entering it into the computer. The actual program that they ended up typing up had countless errors (not working on one line pieces of text, really long words screwing it over). Working from those mistakes, they went back to the design process and tried to fix them, and re-proved the program "correct". As it turns out, even more bugs.
All that work for a 20 line program.
As I told my calculus professor once, "That's alot of work just to get it wrong."
Yes, proving something mathematically, or going through all the design processes to create a program can help make it stable, secure, and all those other great things, but the guy forget one of the most important things in finding holes and bugs. A test suite... and what better test suite then thousands of smart users using the program every day?
The long-winded AC
-gnp
www.arrogant.org - food for your brain
This notion, that a formal specification somehow implies good design and testing, has always been incomprehensible to me. I have read numerous specifications. In no case has one been sufficiently detailed that I would consider it a basis for trust of a system. I have literally never seen such a specification. Invariably, they are littered with inconsistencies, bugs, and ambiguities. Obtaining C2 trust, by following the "specification" tells me relatively little about how vulnerable the system actually is.
Reference implementations are another matter altogether. I can examine their specific semantics, find specific vulnerabilities and strengths, and in general evaluate them precisely.
Which points to the old adage - "There's no compiler for the specification" - which makes the point fairly well. Natural language is an awfully ambiguous instrument for specification, and even the most careful specifier makes errors which can go undetected in the specification for an indeterminate period.
I personally find open and available source a _far_ stronger basis for trust than any detailed specification and planning.
>Trusted systems are built according to a formal >specification and are tested and confirmed >against a formal testing and standards process. Most hacks are out exploited by two ways. 1) Poorly implemented standards, 2) creative uses of resources. When the standards are not open and completely available hackers will reverse engineer. The linux Creative Labs DXR-2 driver. Other Hack would involve creative, non-standard, or even informal uses of resources. Using programs or item for things they were not intended to do.
The posting above is just this
First, let me start off by saying that automation !(necessarily)= good testing. It can, but does not guarantee a trusted system. As for Dr. Spafford, I don't see why he thinks open source projects can't be put through rigorous (standardized) test to achieve "trustablility". Automation could take care of most of this, but it all goes back to design. If the code AND tests are not designed properly, then you don't have jack.
Are you talking about mixing testing and design with coding? That's a bad idea.
(please correct me if I'm misunderstanding) The quote above explains why Spoing has such a difficult time with automated scripts. My personal experience has shown me that the ONLY way to successfully automate a project is to have developers and testers working tightly together from the very start (including design phase). Without having QA review the initial design, and keep close contact/communication with the developers throughout the rest of the process, automation is useless.
When working this close, creating automated tests prior to handling the code no longer becomes theoretical. Scripts do not "break" as they are updated with the new changes before testing the next release. Yes, automation is a development project in itself, but can be worth it if done correctly. The idea that "Mixing coders and testers in the same group is just a bad idea on multiple levels" is what creates messy situations in regards to automation. However, if you're talking about coders testing their own project, then I agree. Otherwise, you're describing glorified beta testing (throwing code "over the wall" to testing).
What makes open source successful is the community. One strength of the community is a very large group of talented QA. If something does not work as it's suppose to, someone WILL catch it. (Who knows maybe even fix it). Now lets try this with life support systems, First you down load the latest code and put it on your life support system. You know there can be issues with it, but hey its free and lots of people worked on it, more so than any other life support system to date. But damn it doesn't work as its suppose to. Well just fix the code and check it back in.
What about missile guidance systems. I know of a software house in Ogden, Utah that writes such systems for the air force. From what I know, they have one hell of a development process that results in less than one bug in a million lines of code. I assume I don't have to explain why this is important to the air force. (Talk about mission critical software). From what I've heard about this development process is that it works, and works well.
The two examples I've given are of critical systems that have to be trusted by their nature. I'm not saying that trusted systems can't benefit from open source, they can. The way I see it, open source works best on high profile, very horizontal market (commodity) projects that don't expect the highest level of trust.
I think its arrogance to think that software development is only OS's, Web browsers and web servers; There's a lot more types of software written every day out there. Its also foolishness to think open source can solve all development problems. Yes tt's obvious that the two types of systems I named above would never be open source, all I'm doing is explaining some of the reasons why. Natak
However, this kind of formally verified system is extremely costly to develop, extremely difficult to adapt to changing circumstances (and retain the verified properties), and still doesn't guarantee that it does what you want it to do - mistakes in the specification or mistakes in the verification process are just as likely as mistakes in coding.
Frankly, for 99.9% of the software written in the world, this kind of thing is utterly impractical and will remain so. I don't mind consigning the remaining 0.1% to cathedral-style approaches (though open source can still help spot bugs that the verification doesn't catch).
Any sufficiently advanced technology is indistinguishable from a rigged demo
--Andy Finkel (J. Klass?)
A "spec" is just as complex, or more so, than the system it describes. Exactly how do mortal humans write a "spec" that does not itself have "bugs"?
In fact the source code is probably the most accurate "spec" around. At least we are guaranteed that the implementation matches...
This is all true, but there are bigger, closer dangers than invisible back doors. They're called buffer overflow exploits, and they're the #1 primo way of getting root on box. While a buffer overflows can be found on closed source systems (happens all the time), you can save a lot of hard work by looking at the code -- Plus it takes a lot less effort to turn a buffer overflow into a rootkit when you have the source. Instead of putting the effort into proving a good compiler, put the effort into the code that the compiler compiles. BTW, even things that people think are VERY secure have holes... I recently read about a buffer overflow exploit in Kerberos. Having your KDC rooted is a Bad Thing (tm)
-- Rich
Free your mind and your Ass will follow -- George Clinton
I believe that Open Source can be trusted, but not because it's Open Source. The software I have seen and downloaded have come from hard working ethical developers bent on providing the best software they are capable of. This compared to Windows shareware that tend to be crippled in ways that hide their bugs in the name of "not available in unregistered version".
/usr/local without being able to destroy other peoples files? If so, why doesn't anybody do it?
As of now, you can download any program from Freshmeat and use it without worring about it being malicious. Atleast right now.
But I am wondering about the future. Although a program running can only clobber files the user running it owns, installing programs generally require root. Any program that is installed by "make install" or "rpm -i" are going to require temporary root access during install.
What I am asking is, is there a way of installing shared applications on a system without root? Is it possible to log in as a user that is capable of installing applications into
Ozwald
Neither open source nor closed source by itself makes a system secure. There are way too many systems, both open ones and closed ones, that are swiss cheese, to even think that security can derive from either mechanism.
With regard to security, what open source would allow you to do is verify whether or not a given system truly is designed to a rigid trusted specification. None are now, and OpenBSD seems to have the greatest potential. But I'm absolutely NOT going to trust the security of a closed system just because the marketing folks, and their hired security consultant, says it's perfectly secure.
The question I think is this: If you do have a system you believe is truly secure, does making it open source compromise that security? I believe that if it did, it is flawed in design and can't possibly meet spec.
Where closed systems get an advantage with regard to security is when they are really not secure. That advantage gained is a delay between market introduction and discovery of its insecurity (perhaps by reverse engineering).
now we need to go OSS in diesel cars
Wah wah wah.
Would you want your pacemaker microcode to be writen by the people who created the burned-metal skins for XMMS? Me neither.
Trusted software is not worth the cost and is inappropriate for our 95% of what Linux users do. It helps to make my point if you substitute the words "Mathematically Proven Correct" for the word trusted.
It's a slight simplification, but it eliminates the notion that Linux isn't trustworthy, because of course it is. It is more than trustworthy enough for what we want it to do. It is vastly more trustworthy than any software developed in Redmond, WA.
Formal standards and procedures slow the evolution of a software product to a crawl. For a pacemaker this is fine. For a hype-versatile desktop OS this is silly.
My actual point, be careful what you wish for. Every version of RH software has more cool features added then the last 3 versions of HPUX. This is an excellent trade.
Read the decade of CERT advisories for Sendmail and BIND to convince yourself of this.
The notion of "root" is bad enough, but "set-UID to root" is worse. This results in far too much code being trusted. In particular, it should be impossible to run non-trusted code as root. This means no root log-ins, for example. In a secure system, as your privileges go up, the amount of software you're allowed to run goes down. In a sandbox, you can run anything. As administrator, you can only run a few tools that do very specific things with lots of checking. This is completely alien to UNIX.
A serious attacker will find their own holes, and will keep quiet about them until they break in and steal something. Fixing known holes protects against script kiddies.
DoD has a simple security model, which is reasonably enforceable. See the Orange Book. There's Linux support for it. You take a performance hit and can't run some popular software. But in that direction lies real security.
With discretionary security, users can turn off security. "chmod 777" is the usual way. With mandatory security, if you're processing SECRET information, nothing you or your programs can do makes it non-SECRET. The problem with discretionary security is that it's extremely difficult to tell if the system is in a secure state, and it's very easy to make a change that opens a security hole.
OK, you've got a secure system. Want to run Napster? No way; it's acting as a server and transmits your files. Want to download a game? If it will run in a sandbox, OK, but it can't talk to other players. Running a web browser may be OK, but the browser will be shot down if it tries to launch MS Word to read a
A secure open-source system is quite possible. But it won't be Linux as we know it.
Linux-privs
SGI's B1 code
So, the benefits of Open Source combined with the trusted security of specifications
For an example of a "Trusted System" you might want to look at something like MLS+ (which is the only trusted system I've ever had hands-on experience with). Once you see what a real trusted system is like you'd be very glad that Linux, et. al. aren't in the same catagory. It's not easy working with an OS that won't let you do things like cd or ls and such.
---
--
If I actually could spell I'd have spelled it right in the first place.
Trusted - Firm reliance on the integrity, ability, or character of a person or thing. Security - Freedom from doubt, anxiety, fear, risk or danger. Standard - An acknowledged measure of comparison for quantitative or qualitative value (dictionary.com) I have arrived at a place in my life where I can't and don't trust anyone or anything. The idea of trusting code is silly nonsense to me. So no, Open source cannot be trusted. Wen I explain the great divide between open source and commercial software, I say something like "Linux is a version of a virus that will eventually be responsible for bringing the current evil empire crumbling down. The barbarians from the north brought rome down, and a student from the north Linus Torvalds will be a God who returned to being a man after starting the fire. Linux was/is created/maintained for beauty sake never for the sake of profit or in adherence to a standard" I think Dr. Gene Spafford and the whole civilized would be crazy to rely on or trust the integrity of a work of art like code and should be damn scared of a world without their security and standards. I look forward to our species (human animals) abandoning technology and all other remnants of civilization when it comes time. Until then those of us who tell computers what to do, dont much care what their account balance reads, and really dislike being a user at the end of the day should throw our fuel/code/art into right fire. Chaotic = Beautiful Ordered = Enslaved Jeffro@iv20.com (Note to self, this is the first 2 cents you have contributed to that wonderful work of art know as slashdot, your interfacing with profitware to do it, you have been adding your art/code to the pile not the fire, and you are almost out of your cage/lease. We think it would be nice if you made to jump from Enslaved to Beautiful)
Fuck organized tests. Linux is developed in the real world to solve real problems. It doesn't really matter if it's been developed in a secure planed test lab--- Linux developers write code to work in the real world that protect against real world threats.
If you pay close attention to what that guy said, what he's done is *define* the words "Trusted System" to mean a system which has been verified as trustworthy by some well-defined producedure or test.
He can bake up any definition for "Trusted System" he wants - it doesnt mean he's right.
In the works is a trusted BSD, TrustedBSD. It is aiming for some of what that doctor wanted, if not all. Nice thing is you will be able to pull the changes (eventually) back into FreeBSD on which it is based.
this space for rent
As part of a paper that I put together a while back as a rebuttal to the "Linux Myths" thing by Microsoft (which, unfortunately, I never got around to releasing...), I seem to recall that one of the complaints was that Linux didn't comply to any formal security standards. The rebuttal that I used at the time was that is was solely through lack of money, and not through quality.
An approach that we could look at would be to have a free, (as in beer, as in speech), funded by donation, organization to test and issue security compliancy licenses in a well thought out, academically proven manner to open source software. While it would mean that the closed source world might not acknowledge it immediately as a standard, it would mean that we could then say "Hey, we're using academically developed processes, just under a different name, and ours might even be better than yours."
The real challenge would be figuring out if we can conduct an academic review under an open development model. That would be cool.
Nicholas
disclaimer: opinions contained therein are not neccessarily those of my employer.
If you cannot see the source code, then all the formal design or testing amounts to nothing. At best, you have someone's guarantee that the system is secure.
Also, empirical tests are insufficiently strong to prove anything. You can test the binaries ad nauseum and not find every security flaw.
So basically, this is just another bullshit attack on free software.
OTOH, if your design specs are broad, such as "Can survive many weeks on the Internet, while being subjected to review and/or attack by anybody, friendly or hostile without causing a loss of service or revealing sensitive data", I believe Linux and other free or open source software has the best chance of satisfying this requirement.
What I see here in the Author's question and Dr. Spafford's opinions is really a philocophical choice. In two dimensions, it's Darwinism vs. Creationism and Full Disclosure vs. Obscurity. I choose Darwinism + Full Disclosure.
cat
proprietary vs. free/open source
Nope. Proprietary vs. free. As Apple and Sun are trying to prove, open source != free. Open source is merely an attribute that can be attached to any program, and is often misleading because it _is_ attached to all free ones.
-- LoonXTall
~~~LXT~~~
Life is like a computer program: anything that can't happen, will.
OK. Can he demonstrate that he was constructed and tested to the same standards :-) If you know who did the work, you are trusting the person rather than the process. (Which still says you should be cautious ...)
It may be true that lot of free software starts its life chaotically. However, claiming that big, succesful projects are developed chaotically is complete nonsense. The proces of specifying the direction in which free software moves is different from what people working in traditional software developement may be used to. Maybe these new organisatory schemes are difficult for Dr. Spafford to understand, but claiming that developement of "Apache", "Gnome", "KDE"... are chaotic is complete nonsense.
As for the question wether Open-source project can become "thrusted" or not, this depends on only two factors:
If these two are in synch, chances are that Open source project will reach the state where you can trust it much faster than a project coded in traditional way.
I've crashed my NT desktop at work twice so far today. My Linux box at home never crashes. I think you definition of "TRUST" is too qualified and prefer my more emotional one.
I used to be a paranoid, now, I'm just a noid.
The way Linux and other open-source projects have been developed do not belong to any of the 'traditional,formal S/W development life cycles'(water-cycle model,etc). These are just evolving models. The metrics reliability & quality (if thats what they mean by trustedness)of a s/w are defenitely not judged just by "how many people are working and how many bugs have been debugged",but they are like how easily can we detect/fix a bug?how easily can we make modifications? etc. Thats what the CMM is also about.
All that he's trying to say is that if a s/w devpt. life cycle was rigorously followed, probably most of these bugs would not have arised.
But neverthless, this could be a new model of s/w development!!
Since, according to an article in Ars Technica, modern processors will effectively rewrite code at execution time, can any program or OS running on a recent processor be considered a "trusted system" by the definitions used by Dr. Spafford and others?
They are mixing up the development model with the final product.
Can "Linux" be trusted? What do you mean by "Linux"?
If you mean a particular kernel version, as released by Linus... there you have it. Can you trust it? depends on your criteria. Do you *need* to trust it, or can you simply take a certain version and stick with it?
Linux is more about a process than the technology.. open source is about lots of developers working together in a scientific (as opposed to market driven) way to produce better code and better software.
Software which has the source code released to the public is usually a lot easier to find security holes in than the commercial software. Lets think about it like this... If you were a l33t hax0r, would you try and disassemble/debug a commercial binary-only program looking for vulnerabilities, which you might have trouble even getting ahold of in the first place, or would you just open up the .c file of a free program and look for stupid places where things like sprintf are used unsafely? I know what I'd do! That doesn't mean there are more holes in free software, just that they're easier to find.
He also has a good point in that things like Linux aren't developed to any particular standards. If you look at something like OpenBSD, they have sacrificed progress in things like device drivers, hardware support, and new features. As much as someone may say this isn't a "standard", it sure is in my opinion. They have done this so they can spend time doing exhaustive security audits to make sure the system is safe. With Linux, it seems that getting new features, hardware support, applications, etc. is more important. You could call this a standard too. And, this is why Linux is more popular, but if I'm putting together a multi-user server, I know which OS I'll choose.
This Dude must get paid by Sun and HP to shoot his mouth off. Linux is as secure as you want it to be.
Plus it takes a lot less effort to turn a buffer overflow into a rootkit when you have the source.
Good point. However, for some mysterious reason I notice that the 'no such thing as security through obscurity' people have backed into the corner, put their fingers in their ears, and are chanting 'na na na na.'
Just because you open-source code and/or have a publicly defined set of criteria to match doesn't mean that it's good or secure. Unfortunately, most companies release software before doing rigorous testing and hire cheap Comp-Sci graduates with no experience to write their software. Just because it works doesn't mean it works well. If we want good and/or secure software, we have to convince software companies that it's what we actually want and we can wait. Trusted systems (Like Trusted Solaris or Sidewinder) just have to prove that they adhere to their development methodologies and the criteria set forth by the certifying party. Trusted doesn't necessarily mean secure.
dijit-at-half-truth.com
But I certainly build my own code to a very tight specification which I think out in painful detail ahead of time, even if I never actually write it down. Before my current project goes out the door, I'm making sure all comments are crystal-clear and sufficient to count as *documentation*; and I'm also putting in a separate file with suggestions on how to make modifications so as to be consistent with how I've implemented everything to date.
Zahlman Q. Namlhaz, esq. {:> "Zahl Incorporated - the Last Word in Everything(TM)"
..last post?
Mr. Last Post
Gee, one can't even trust Thomson these days ...
I (Basile S.) do agree with the poster. I do not claim that closed source is better. We all know it is worse (all things being equal). What is needed is more than OpenSource: it is reflexive systems. See www.tunes.org for more. Informally and in brief, a reflexive system knows about itself and can enhance, reason, prove, and check itself (or parts of it). I am convinced that reflexive system are the next step. They will supersede open source systems. (Actually, complete open source systems -such as a fully open, source form, Linux distributions- are already reflexive in an ill and poorly defined way, and perhaps some old Smalltalk or Lisp machines also where reflexive) (Proof-carrying code, a la Peter Lee, are also somehow partly reflexive). The difficult part is doing a full reflexive system. This mostly means start from scratch. Regards
Er, one thing. Z isn't a programming language, it's a specification system. I'm sure my Z lecturers would agree that I'm no expert on the subject, but from all I was ever taught about it there simply isn't enough information in there to produce code directly from the spec.
Don Knuth's comment is worth bearing in mind, but it's a distraction in many ways. He's saying - or at least appears to be saying - that he has proved that the fundamental design and architecture is correct, but isn't certain that, in the translation of specification to code, he hasn't made a typo or two. That's still possible, but a very different source of bugs.
The problem with the standard 'open source' development model is that it's too chaotic to tightly control adherence to specs, IMO. That's what our original source here seemed to be talking about when he doubted whether 'open source' development could ever produce trusted code.
Your last two paragraphs seem to miss the point somewhat, though. A trusted system needs to have the specification tightly drawn up before a single line of code is created, if we wish to have any serious prospect of trustworthiness. If you try and draw up a 'de facto' specification after the event, it's inevitably going to contain problems as you're merely documenting behaviour that isn't necessarily trustworthy in the first place. Trusted reimplementation may be possible, but I'd still want a new codebase.
BTW, before anyone gets annoyed, the only reason I've been referring to 'open source' development as opposed to open source development is that, in this context, it implies something about the structure of the development team and that's mostly what's relevant. I could produce a project with a tightly controlled, exclusively internal team which decided to publish its source as it was going along. We'd still have source which was open but it wouldn't be conforming to what's normally accepted as the open source development model.
Greg
(Inside a nuclear plant)
Aaaarrrggh! Run! The canary has mutated!
It's called OCL: Object Constraint Language, and it can be used to model formal limitations on methods accessing your objects. A usefull site might be: OCL Home
This language could be fit not only to specify your goals, but also to 'prove' in a mathematical way, that your implementation is following the specification. At the Univ of Karlsrühe, the Key project is specifically aimed at developing software while always checking the specs automatically.
Maybe that is the direction that secure software should take, whether it's Open Source or not: first specify a formal "Security Constraint" in OCL and then start programming.
--Grey
Aiee, kernel panic: unable to locate God. Universe is going down for reboot NOW!!!!
Isn't this really just an issue of semantics? What the Prof. is saying, is that a formal specification will define what security is. While this may work in the academic world, REAL security is only proven over time in application. -bk
For the rabid reader, I would just like to point out that Dr. Spafford NEVER disagreed with the 'more eyeballs means less bugs' tenet of faith that so many open source advocates preach. He just felt this was irrelevant to his point--how do you judge whether a system is more trusted than another system when there was no design spec or goals listed out to which to test the system against?
I don't see the problem.
The fact that the system is more trusted does in no way imply that it is actually more secure.
There is great number of people that trust win98 security model.