How Open Should Open Source Be?

Computer Science – Cryptography and Security

Scientific paper


Details

19 pages, 27 figures

Many open-source projects land security fixes in public repositories before shipping these patches to users. This paper presents attacks on such projects, taking Firefox as a case study, that exploit patch metadata to efficiently search for security patches prior to shipping. Using access-restricted bug reports linked from patch descriptions, security patches can be immediately identified for 260 out of 300 days of Firefox 3 development. In response to Mozilla obfuscating descriptions, we show that machine learning can exploit metadata such as patch author to search for security patches, extending the total window of vulnerability by 5 months in an 8 month period when examining up to two patches daily. Finally, we present strong evidence that further metadata obfuscation is unlikely to prevent information leaks, and we argue that open-source projects instead ought to keep security patches secret until they are ready to be released.
