Free software is said to be more secure than the proprietary alternatives
for a number of reasons. Near the top of most peoples' lists is the
openness of the code: with all those eyeballs on the code, security
problems are found and fixed quickly. Over the years, however, we have
seen numerous signs that fewer people are actually looking at code than
many of us would like to believe. Too many vulnerabilities remain in our
programs for years for us to have any real confidence that comprehensive
auditing is going on.
There have been attempts to encourage developers to audit code.
Almost exactly two years ago, the announcement went out
for the Sardonix project. Sardonix was started after Crispin Cowan noted
that the Linux Security Audit Project
appeared to have stalled. Since auditing was not happening by itself,
Sardonix sought to provide some motivation in the form of infrastructure
and credit for auditors. With these incentives, it was hoped, some
large-scale code auditing would start to happen.
Thus, with a little help from a DARPA grant, the Sardonix portal was launched. The portal
would track the audit state of various free software programs and would
give credit to those who did the auditing work. Sufficiently skilled and
productive auditors would be able to accumulate a large "audit karma" to
show their friends - and help improve the security of free software at the
Two years later, the only auditing work which has been done on Sardonix was
a small set of projects assigned by a university professor to his
students. The last posting to the Sardonix mailing list was sent in
November, 2003. The DARPA money has run out. Sardonix, it seems, is a
project which has failed.
One can attribute this failure to a number of reasons. Certainly Sardonix
was never promoted very well; almost nothing was heard from the project
after the initial announcement. With an effort to jump-start the process
and a set of vulnerabilities found by Sardonix auditors posted on Bugtraq,
the project might just have achieved critical mass. As it is, Sardonix
vanished into obscurity shortly after its launch, and few people ever heard
of it again.
The sad fact remains, however, that, with or without Sardonix, very little
auditing is getting done. The continuing stream of vulnerability reports,
many for problems which have lurked undetected for years, make this clear.
Auditing code is difficult, tedious, and error-prone work. It also tends
to be thankless; strangely enough, many developers do not welcome news of
vulnerabilities in their work (though most do respond and fix the
problems). New vulnerability information requires careful handling; a
sustained effort may be required to get the developer to take the problem
seriously, but widespread disclosure of the problem must be avoided until
developers and distributors have had a chance to react. To top it off,
those who do seek out vulnerabilities in software are often seen as
promoting their own agendas and making the problem worse.
It is not
surprising that few people are stepping up and taking on this work.
The free software community has a lot of work to do if it wants to live up
to its promise of greater security. This battle must be fought on many
fronts: safer programming techniques, containment strategies, detection and
response, etc. But we also, somehow, have to find a way to get more
critical eyeballs looking at our code. As recent events have shown, the
black hats are already doing this work for their own purposes. If free
software wants to live up to its pretensions of being a more secure
alternative, it needs more developers reviewing the code.
to post comments)