Abstract

It is more difficult to find errors when source code is secret. More people search for errors when source code is public. These counteracting effects are pivotal to the question of whether openness fosters security. Errors in software are found by people with either constructive contribution or exploitation in mind. Focusing exclusively on this discovery aspect, we present a probabilistic model which allows us to compare the open source and closed source situations. We first explain our assumptions using a simple introductory model. We then extend this to what we believe to be an adequate model of a bug-hunting process conducted by multiple competing parties. The model employs an asymmetric race paradigm. One of the surprising results is that even an arbitrarily large group with good intentions cannot safely dominate the evil attackers. Instead, they are limited by a significant upper bound in their winning chances.