How Open Should Open Source Be?

Details How Open Should Open Source Be? How Open Should Open Source Be?

2011-09-02

arxiv.org/abs/1109.0507v1

Computer Science

Cryptography and Security

19 pages, 27 figures

Scientific paper

Many open-source projects land security fixes in public repositories before shipping these patches to users. This paper presents attacks on such projects - taking Firefox as a case-study - that exploit patch metadata to efficiently search for security patches prior to shipping. Using access-restricted bug reports linked from patch descriptions, security patches can be immediately identified for 260 out of 300 days of Firefox 3 development. In response to Mozilla obfuscating descriptions, we show that machine learning can exploit metadata such as patch author to search for security patches, extending the total window of vulnerability by 5 months in an 8 month period when examining up to two patches daily. Finally we present strong evidence that further metadata obfuscation is unlikely to prevent information leaks, and we argue that open-source projects instead ought to keep security patches secret until they are ready to be released.

Affiliated with

Also associated with

No associations

Rating

How Open Should Open Source Be? does not yet have a rating. At this time, there are no reviews or comments for this scientific paper.

If you have personal experience with How Open Should Open Source Be?, we encourage you to share that experience with our LandOfFree.com community. Your opinion is very important and How Open Should Open Source Be? will most certainly appreciate the feedback.

Rate now

Comments { 0 }

Profile ID: LFWR-SCP-O-688616