## Popularity of Free Software generating bug exploitation?

Posted by isilanes on November 22, 2006

[Esta entrada está también disponible en castellano|English PDF|PDF en castellano]

It is often said (by FLOSS-skeptics), that Free Software has less exploited bugs than the Proprietary Software because it is less popular. They argue that, since less people uses FLOSS, the crackers are less inclined to waste their time exploiting the bugs it could have. The greater user base of the proprietary software would also, in their words, make bugs more prominent, and their exploits spread faster. The corollary of this theory would be that popularization of FLOSS applications (e.g. Firefox), would lead to an increase in the number of bugs discovered and exploited, eventually reaching a proprietary-like state (e.g. *“Firefox will have as many bugs as IE, when Firefox is as popular as IE”*).

In this blog entry I will try to outline a mathematical model, proposed to demonstrate the utter nonsense of this theory. Specifically, I will argue that an increase in community size benefits a FLOSS project in at least 3 ways:

- Faster development
- Shorter average life of open bugs
- Shorter average life of exploited bugs

A more thorough explanation is available in PDF format. Recall that the math display in HTML is generally poor (much more so when I don’t have the time nor skills to tune it). If you like pretty formulas, the PDF is for you.

Both this blog entry and the linked PDF are released under the following license:

This work is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 2.5 License.

What this basically means is that you are free to copy and/or modify this work, and redistribute it freely. The only limitations are that you can not make it for profit, and that you have to cite its original author (or at least link to this blog).

**1 – Propositions and derivations**

We have a FLOSS project *P*, new versions being released every T time, and each version incorporating G new bugs. Each new version will be released when all bugs from the previous release have been patched. At any point in time, there will be B open bugs (remaining from G).

The patching speed is assumed proportional to the size of the comunity of users (U):

dB/dt=-K_{p}U

**1.1 – Faster development**

From above, the time dependency of open bugs:

B = G – K_{p} U t

The inter-release period (T), from B = 0:

T = G/K_{p}U

So the inter-release time (T) is shortened for growing U.

**1.2 – Shorter average life of open bugs**

In a dt time period, (-dB/dt)dt bugs are patched, their age being t. If we call τ the average lifetime of bugs, we have the definition:

τ = (∫t(-dB/dt)dt)/(∫dB)

From that it follows:

τ = T/2

So, the average life of open bugs equals half the inter-release time, which (as stated above) has an inverse proportionality with U.

**1.3 – Fraction of bugs exploited before being patched**

We define the following bug exploitation speed, where B_{x} is the total amount of exploited bugs, K_{x} is the “exploiting efficiency” of the crackers (whose amount will be proportional to U), and B_{ou} is the amount of open and unexploited bugs:

dB_{x}/dt = K_{x} U B_{ou}

We also define α = B_{ox}/B, where B_{ox} is the amount of open and exploited bugs.

It can be derived the evolution of α with time:

α(t) = 1 – exp(-K_{x} U t)

We then define γ = K_{p}/K_{x}G, and derive the fraction of G bugs that end up exploited by time t:

B_{x}(t)/G = 1 – γ + (γ – 1 + t/T)exp(-K_{x} U t)

Solving for t=T, and taking into account that T=G/K_{p}U, we get the fraction of total bugs that gets exploited ever, during the inter-release period (F_{x}):

F_{x} = 1 – γ + γ exp(-1/γ)

Recall that F_{x} is **independent of U**, that is, increasing the size of the user community does not increase the fraction of total bugs that get exploited ever, even though the amount of crackers is increased along with the user base.

**1.4 – Shorter average life of exploited bugs**

We want to find out how long exploited bugs stay unpatched, calling this time τ_{x}. After some slightly complex algebra, but always deriving from the previously defined equations (see PDF version), we obtain a fairly simple expresion for τ_{x}:

τ_{x} = F_{x}τ

That is, the average exploitation time of exploited bugs is proportional to τ, which is to say it is proportional to T, or **inversely proportional to U**.

**2 – Conclusions**

The *“Increasing popularity = Increasing bugginess”* motto is a *non sequitur*. According to the simple model outlined here, the broader the user community of a FLOSS program, the faster bugs will be patched, even admitting that an increase in user base brings an equal increase in the number of crackers committed to doom it. Even for crackers that are more effective in their cracking work than the *bona fide* users in their patching work (K_{x} >>> K_{p}), increasing the community size **does** reduce how long the bugs stay unpatched and **also** how long the exploited bugs stay unpatched. No matter how clumsy the users, and how rapacious the crackers, the free model (whereby the users are granted access to the code, and thus empowered to contribute to the program), ensures that popularization **is** positive, for both the program and the community itself.

Compare that with a closed model, in which an increased user base may boost the number or crackers attacking a program, but certainly adds little, if anything, to the code patching and correcting speed. It is actually proprietary software that should **fear** popularization. It is easy to see that when a particular proprietary software piece grows over a certain “critical mass” of users, the crackers could potentially disrupt its evolution (say, τ_{x} = T, F_{x} = 1), because G, P and thus T, are kept constant (depend only on the sellers of the code).

This entry was posted on November 22, 2006 at 3:22 pm and is filed under Free software and related beasts. Tagged: en, floss/linux, logic, science, security, Software. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

## ¿Popularización de Software Libre acentúa explotación de bugs? « handyfloss said

[…] Comments Popularity of Free Software generating bug exploitation? « handyfloss on ¿Popularización de Software Libre acentúa explotación de bugs?My backups with rsync […]