The ability to access the code of open-source applications may give attackers an edge in developing exploits for the software, according to a paper analyzing two years’ worth of attack data.
The paper, to be presented this week at the Workshop on the Economics of Information Security, correlated 400 million alerts from intrusion detection systems with known attributes of the targeted software and vulnerabilities. The data supports the assertion that flaws in open-source software tend to be attacked more quickly and more often than vulnerabilities in closed-source software, says Sam Ransbotham, assistant professor at Boston College’s Carroll School of Management and the author of the paper.
Using nonlinear regression and other models, Ransbotham found that attacks on vulnerabilities in open-source software occurred three days sooner and with nearly 50 percent greater frequency. Ransbotham argues that knowledge of how to exploit a particular vulnerability spreads in much the same way as a technological innovation diffuses through a population.
“If you think about this whole thing as a game between the good guys and the bad guys, by reducing the effort for the bad guys, there is much greater incentive for them to exploit targets earlier and hit more firms,” says Ransbotham.
The paper will likely rekindle a debate between advocates of open-source and closed-source development models, who argue whether the open-source operating system Linux is more secure than Windows or whether Mozilla’s open-source Firefox browser is more secure than Microsoft’s Internet Explorer. Supporters of open-source argue that the accessibility of the code allows the good guys to find bugs faster, while critics argue that more attackers than defenders are poking through the code, so the net effect is worse security.
The research used alert data culled from intrusion-detection systems managed on behalf of 960 companies by security service provider SecureWorks. Ransbotham correlated the alerts with specific vulnerabilities in the National Vulnerability Database (NVD), a large collection of information on software flaws managed by the National Institute of Standards and Technology. While the NVD lists vulnerabilities in more than 13,000 software products for 2006 and 2007, the two years from which alert data was used, only half of the products could be classified as either open- or closed-source, Ransbotham says.
By linking that data to the intrusion detection systems’ ability to recognize an attack on a vulnerable system, Ransbotham compiled a list of 883 vulnerabilities in confirmed open- or closed-source software on which attacks could be recognized. He also classified the vulnerabilities by other attributes, such as how complex it would be for attackers to exploit the flaw and whether there was a signature available for the intrusion detection systems at the time the vulnerability was reported.
In the end, only 97 of the 883 vulnerabilities were targeted by attackers during the two-year period. However, those 97 vulnerabilities account for 111 million alerts, about a quarter of the total. The remaining alerts could be attributed to attacks on software that could not be classified as open- or closed-source, attacks on vulnerabilities that did not have an identifying attribute, or false positives.
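The correlation described above, reduced to a small worked example added here (not the paper's code): constructed IDS alert lines are joined to a constructed NVD-style table, and the number of attacked vulnerabilities, alert counts and days from disclosure to first observed attack are summarised by source class, with unmatched or unclassifiable alerts counted separately. The CVE ids, dates and sensor names are made up.

```python
from datetime import date, datetime
from statistics import median

# Constructed NVD-style table: CVE id -> (publication date, open-source flag).
# The flag is None where the affected product could not be classified.
VULNS = {
    "CVE-EX-0001": (date(2006, 3, 1), True),
    "CVE-EX-0002": (date(2006, 3, 1), False),
    "CVE-EX-0003": (date(2006, 5, 10), True),
    "CVE-EX-0004": (date(2006, 5, 10), None),   # product unclassifiable
}

# Constructed IDS alert lines: timestamp, sensor, signature reference.
# A signature without a CVE reference carries no identifying attribute.
ALERT_LOG = """\
2006-03-03T10:15:00 sensor-07 CVE-EX-0001
2006-03-04T02:40:00 sensor-12 CVE-EX-0001
2006-03-09T11:00:00 sensor-03 CVE-EX-0002
2006-05-12T08:30:00 sensor-07 CVE-EX-0003
2006-05-13T23:59:00 sensor-07 CVE-EX-0003
2006-05-13T23:59:00 sensor-09 CVE-EX-0004
2006-06-01T00:00:00 sensor-01 GENERIC-SCAN
"""

def parse_alerts(text):
    """Yield (timestamp, signature reference) pairs from raw alert lines."""
    for line in text.splitlines():
        ts, _sensor, ref = line.split()
        yield datetime.fromisoformat(ts), ref

def correlate(alert_text, vulns):
    """Join alerts to the vulnerability table and summarise per source class."""
    first_seen, counts, unattributed = {}, {}, 0
    for ts, ref in parse_alerts(alert_text):
        if ref not in vulns or vulns[ref][1] is None:
            unattributed += 1          # no NVD match, or product not classifiable
            continue
        counts[ref] = counts.get(ref, 0) + 1
        first_seen[ref] = min(first_seen.get(ref, ts.date()), ts.date())
    summary = {"unattributed": unattributed}
    for label, is_open in (("open", True), ("closed", False)):
        hit = [c for c in first_seen if vulns[c][1] is is_open]
        lags = [(first_seen[c] - vulns[c][0]).days for c in hit]  # disclosure -> first attack
        summary[label] = {
            "vulns_attacked": len(hit),
            "alerts": sum(counts[c] for c in hit),
            "median_days_to_first_attack": median(lags) if lags else None,
        }
    return summary
```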