On Tuesday 09 April 2002 09:09 pm, Crispin Cowan wrote:
> Alan wrote:
> > On Tuesday 09 April 2002 02:06 pm, Jere Retzer wrote:
> > > Seems like everyone is going to philosophize so I might as well join:
> > >
> > > 1) Security holes are proportional to bugs is proportional to lines of
> > > code -- Win 2000 is what--30 million lines?
> >
> > Sometimes I think this "estimate" is used as an excuse for bad code. It
> > makes it seem as if security flaws are inevitable, so why bother. With
> > proper attention, this sort of problem should be a minor problem, not a
> > regular occurrence.
>
> I'm not sure I get your point. W2K was about 30 MLOC (Million Lines Of
> Code). XP is more like 45 MLOC. These numbers are "estimates" in that
> they may be off by a million lines, here or there :)

My point was that the bugs to lines of code is not a constant. Some code is worse than others. For everything below that, there is Microsoft...

Actually with event driven code, the number is probably not linear, but something closer to a near exponential function.

> It is indisputable that bugs happen. It's not an excuse for bad code,
> bugs always happen. Diligence can reduce the rate at which bugs
> happen, but a very, VERY low rate would be 1 per thousand lines of code.
> That means 45,000 bugs in XP.

I think it would depend on what the n lines of code was meant to do in the first place. Some code can hide more bugs than others.

I guess I have always found that "truism" a little less than believable. When you try to find out where the number comes from, it seems like only their proctologist knows for sure. It really depends on the code and what it is being used for and how it was debugged in the first place. (If you remove n number of bugs, but do not reduce the number of lines of code, does the number of bugs stay constant or does the number increase due to the laws of computer etymology?)

> And that, in turn, is why I'm ranting about bad design. The equivalent
> piece of code in Linux (the kernel) is about 1 MLOC. So if we just
> assume equivalent code quality (which is pretty generous considering
> Microsoft's record) then XP will have approximately 45 TIMES as many
> vulnerabilities as Linux.

Sounds about right at last count...

Also depends on whether the lines of code in XP counts all the driver code. (Which is included in the count for the Linux kernel.)

> Of course it's not that simple. In large part, comparing the size of the
> kernels is meaningless, because most security vulnerabilities are in the
> applications, not the kernel. So we would need some way to compare the
> MLOCs of code running as root or as children of inetd on Linux against
> the MLOCs of code that XP offers as services. That, in turn, is so
> subject to configuration vagaries that we inevitably end up with an
> apples/orange situation.

Especially with Windows where you can have parts running under multiple privilege levels. (I am thinking specifically of IIS here.)

IIS has (had?) a feature that allowed you to print from the web server. It was run with admin privileges. A number of questions come to mind here... Why did it need to have admin privs to print documents? Why was it turned on by default? How many people out there print documents from their web server? It is one of many weird security problems that have been found with IIS.

> > > 2) Microsoft philosophy of embrace,
> > > extend, 3rd party developers makes it inherently easy to hack
> >
> > Microsoft makes a number of rules for developers as to what they can and
> > cannot do. Unfortunately, they ignore those rules when it is to their own
> > advantage. For example, in order to get MS Office to work on NT Terminal
> > Server, you need to give everyone WRITE access to the system directory.
>
> That's another one of those failures to apply the Principle of Least
> Privilege: Office should not require write access to such a sensitive
> directory. Note also, that this is a security defect in Office, not
> Windows.

True. I wonder just how many security issues attributed to Linux are applications and not OS components as well. (With some parts, the distinction gets blurry. If it runs in userland, is it an application or a part of the OS?)

I guess my point is that along with the principles of least principles, there needs to be a willingness for an OS manufacturer to follow the rules they force on others. Kind of a "principle of least hypocrisy".
This archive was generated by hypermail 2b30 : Sun May 26 2002 - 11:39:53 PDT