Popularity of Free Software generating bug exploitation?
Posted by isilanes on November 22, 2006
It is often said (by FLOSS-skeptics), that Free Software has less exploited bugs than the Proprietary Software because it is less popular. They argue that, since less people uses FLOSS, the crackers are less inclined to waste their time exploiting the bugs it could have. The greater user base of the proprietary software would also, in their words, make bugs more prominent, and their exploits spread faster. The corollary of this theory would be that popularization of FLOSS applications (e.g. Firefox), would lead to an increase in the number of bugs discovered and exploited, eventually reaching a proprietary-like state (e.g. “Firefox will have as many bugs as IE, when Firefox is as popular as IE”).
In this blog entry I will try to outline a mathematical model, proposed to demonstrate the utter nonsense of this theory. Specifically, I will argue that an increase in community size benefits a FLOSS project in at least 3 ways:
- Faster development
- Shorter average life of open bugs
- Shorter average life of exploited bugs
A more thorough explanation is available in PDF format. Recall that the math display in HTML is generally poor (much more so when I don’t have the time nor skills to tune it). If you like pretty formulas, the PDF is for you.
Both this blog entry and the linked PDF are released under the following license:
This work is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 2.5 License.
What this basically means is that you are free to copy and/or modify this work, and redistribute it freely. The only limitations are that you can not make it for profit, and that you have to cite its original author (or at least link to this blog).
1 – Propositions and derivations
We have a FLOSS project P, new versions being released every T time, and each version incorporating G new bugs. Each new version will be released when all bugs from the previous release have been patched. At any point in time, there will be B open bugs (remaining from G).
The patching speed is assumed proportional to the size of the comunity of users (U):
1.1 – Faster development
From above, the time dependency of open bugs:
B = G – Kp U t
The inter-release period (T), from B = 0:
T = G/KpU
So the inter-release time (T) is shortened for growing U.
1.2 – Shorter average life of open bugs
In a dt time period, (-dB/dt)dt bugs are patched, their age being t. If we call τ the average lifetime of bugs, we have the definition:
τ = (∫t(-dB/dt)dt)/(∫dB)
From that it follows:
τ = T/2
So, the average life of open bugs equals half the inter-release time, which (as stated above) has an inverse proportionality with U.
1.3 – Fraction of bugs exploited before being patched
We define the following bug exploitation speed, where Bx is the total amount of exploited bugs, Kx is the “exploiting efficiency” of the crackers (whose amount will be proportional to U), and Bou is the amount of open and unexploited bugs:
dBx/dt = Kx U Bou
We also define α = Box/B, where Box is the amount of open and exploited bugs.
It can be derived the evolution of α with time:
α(t) = 1 – exp(-Kx U t)
We then define γ = Kp/KxG, and derive the fraction of G bugs that end up exploited by time t:
Bx(t)/G = 1 – γ + (γ – 1 + t/T)exp(-Kx U t)
Solving for t=T, and taking into account that T=G/KpU, we get the fraction of total bugs that gets exploited ever, during the inter-release period (Fx):
Fx = 1 – γ + γ exp(-1/γ)
Recall that Fx is independent of U, that is, increasing the size of the user community does not increase the fraction of total bugs that get exploited ever, even though the amount of crackers is increased along with the user base.
1.4 – Shorter average life of exploited bugs
We want to find out how long exploited bugs stay unpatched, calling this time τx. After some slightly complex algebra, but always deriving from the previously defined equations (see PDF version), we obtain a fairly simple expresion for τx:
τx = Fxτ
That is, the average exploitation time of exploited bugs is proportional to τ, which is to say it is proportional to T, or inversely proportional to U.
2 – Conclusions
The “Increasing popularity = Increasing bugginess” motto is a non sequitur. According to the simple model outlined here, the broader the user community of a FLOSS program, the faster bugs will be patched, even admitting that an increase in user base brings an equal increase in the number of crackers committed to doom it. Even for crackers that are more effective in their cracking work than the bona fide users in their patching work (Kx >>> Kp), increasing the community size does reduce how long the bugs stay unpatched and also how long the exploited bugs stay unpatched. No matter how clumsy the users, and how rapacious the crackers, the free model (whereby the users are granted access to the code, and thus empowered to contribute to the program), ensures that popularization is positive, for both the program and the community itself.
Compare that with a closed model, in which an increased user base may boost the number or crackers attacking a program, but certainly adds little, if anything, to the code patching and correcting speed. It is actually proprietary software that should fear popularization. It is easy to see that when a particular proprietary software piece grows over a certain “critical mass” of users, the crackers could potentially disrupt its evolution (say, τx = T, Fx = 1), because G, P and thus T, are kept constant (depend only on the sellers of the code).
This entry was posted on November 22, 2006 at 3:22 pm and is filed under Free software and related beasts. Tagged: en, floss/linux, logic, science, security, Software. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.