What does Open Solaris mean for security vulnerabilities?

There are many ways "Open Solaris":http://opensolaris.org will change life around here. As they guy in charge of dealing with security vulnerabilities, people (both inside Sun and externally) keep asking me witty questions like “are you ready for this?” or “getting any sleep?”

There are a million predicitions of what opening Solaris will mean in a security sense. In a lot of ways it reminds me of the hype/hysteria around Y2K. The paranoid (Y2K will cause every computer on the planet to crash) types think once the bad guys can look at Solaris code they’ll find more security bugs than we can keep up with. The trusting (Y2K will be the biggest non event since Geraldo Rivera opened Al Capone’s vault) types figure Solaris source has been available for a fee or to universities for long enough that there aren’t any security bugs left.

Not surprisingly, I think the truth lies somewhere in the middle. Yes, I believe we’ve done a pretty good job over the years of fixing most of the obvious and even not-so-obvious security bugs. We’ve come a long way in inspecting our code with an eye towards how someone might try to break it. On the other hand, I certainly don’t believe our (or anyone’s for that matter) code is security bug free.

I believe there are 2 big unknowns with security and Open Solaris. The first is, what kind of people will find security bugs or ways to attack our product?

Will they be miscreants (either individuals or organized) who will quietly exploit what they find, or will they be friendly members of the community who will report things (to security-alert@sun.com if you’re wondering) so we can fix them.

The second big unknown I wonder about is the integrity of some of the unpublished and largely unused parts of our code. Occassionally our engineers have added or made use of unpublished interfaces (essentially undocumented features). No, these aren’t backdoors, or hidden video games behind the spreadsheets, they’re usually special code bits so some piece of hardware will work correctly or take advantage of something. I’m not as confident that over time these interfaces have been as rigorously inspected as they rest of the code base. And, while most of them are likely not even turned on by default, I wouldn’t be surprised if some enterprising bad guy out there comes up with some way of taking advantage of some of these.

The bottom line is, like many things with Open Solaris, I believe we’ll have to wait and see. The best we can do is make it easy to report potential security issues, and make sure we take them seriously, investigate them, and fix any bugs as quickly as we can.

Posted at 08:00AM Jun 14, 2005 by drscholl in General  |  Comments[0]