Monday, January 26, 2009

Closed Source Conspiracy

Many people in the industry have an innate fear of closed source (AKA proprietary software), which especially applies to everything crypto-related.

The usual arguments go this way: this (proprietary) crypto software is bad, because the vendor might have put some backdoors in there. And: only the open source crypto software, which can be reviewed by anyone, can be trusted! So, after my recent post, quite a few people wrote to me and asked how I could defend such an evil thing as BitLocker, which is proprietary, and, even worse, comes from Microsoft?

I personally think this way of reasoning sucks. In majority of cases, the fact something is distributed without the accompanying source code does not prevent others from analyzing the code. We do have advanced disassemblers and debuggers, and it is really not that difficult to make use of them as many people think.

Of course, some heavily obfuscated programs can be extremely difficult to analyze. Also, analyzing a chipset's firmware, when you do not even know the underlying CPU architecture and the I/O map might be hard. But these are special cases and do not apply to majority of software, that usually is not obfuscated at all.

It seems like the argument of Backdoored Proprietary Software usually comes from the open-source people, who are used to unlimited accesses to the source code, and consequently do not usually have much experience with advanced reverse engineer techniques, simply because they do not need them in their happy "Open Source Life". It's all Darwinism, after all ;)

On the other hand, some things are hard to analyze, regardless of whether the source code is available or not, think: crypto. Also, how many of you who actively use open source crypto software, e.g. TrueCrypt or GnuPG, have actually reviewed the source code? Anyone?

You might be thinking — maybe I haven't looked at the source code myself, but because it is open source, zillions of other users already have reviewed it. And if there was some backdoor in there, they would undoubtedly have found it already! Well, for all those open source fetishists, who blindly negate the value of anything that is not open source, I have only one word to say: Debian.

Keep in mind: I do not say closed source is more secure than open source — I only resist the open-source fundamentalism, that defines every proprietary software as inherently insecure, and everything open source as ultimately secure.

So, how should one (e.g. a government institution) verify security-level of a given crypto software, e.g. to ensure there are no built-in backdoors in there? I personally doubt it could be performed by one team, as it just usually happens that the same people who might be exceptionally skilled in code review, system-level security, etc, at the same time are average cryptographers and vice-versa.

Imagine e.g. that you need to find out if there are any weaknesses in your system drive encryption software, something like BitLocker. Even if you get access to the source code, you still would have to analyze a lot of system-level details — how is the trusted boot implemented (SRTM? DRTM? TPM interaction?), which system software is trusted, how the implementation withstands various not-crypto-related attacks (e.g. some of the attacks I described in my previous post), etc…

But this all is just system-level evaluation. What should come later is to analyze the actual crypto algorithms and protocols. Those later tasks fall into cryptography field and not into system-level security discipline, and consequently should be performed by some other team, the crypto experts.

So, no doubt, it is not an easy task, and the fact if there is or there is not C/C++ source code available, is usually one of the minor headaches (a good example is our attack on TXT, where we were able to discover bugs in Intel's specific system software, which, of course, is not open source).


Anonymous said...

I completely agree with you. The fallacy that all open source software has been so well vetted that it's safe is disproven every time another security flaw is discovered in open source software. Furthermore, the fact that SOMEONE may have vetted a certain program doesn't provide much comfort to someone like me who has no ability to determine the quality or extent of their work.

Even if I know the programmer personally, that's no guarantee that he or she hasn't unknowingly induced a serious flaw in the software, either through neglect, ignorance or human error. The role that you and others play in testing products is an invaluable part of the whole process.

Cd-MaN said...

I still prefer OSS over closed source any day. Yes, I can use a disassembler, but I'm just one of the select few. Being able to read the source code of the product has helped me out numerous times. What is the alternative? Script IDA with hex-rays to decompile every binary of the product? Good luck with that...

OSS might not be more secure, but the ease of development makes it still 100 times better than closed source.

PS. BitLocker uses standard crypto, so this argument doesn't apply to them, but just look at WEP to see what the "we can do crypto too" attitude can result in.

Anonymous said...

Very good post.
Perhaps because I have written something similar, but I totally agree with you.

Quality and security check made by the open source comunity are really more theorists that real.
And I fear they are destined to stay above all theoretical up to when there won't be a committee that will deal him with the matter.

But every control, every attempt of coordination with the aim to increase or check opensource software quality, is seen by the opensource community as an attack to the freedom.

Rasult? e.g. over 300 linux distributions....

Anonymous said...

But especially Microsoft has its dark history concerning backdoors and cryptography

Anonymous said...

What are you mumbling about?

It is uncomparable easier to conduct an source code inspection than any binary-blob-hex-dump-and-reverse-engineering-via-dissassembly masochism.

Good luck with yours (false) approach.

Joanna Rutkowska said...


Joanna Rutkowska said...

@Herbert: thanks for the link! After all, it just comes down to how subtle your backdoor should be. In case of the Debian Backdoor it apparently had to be more subtle;)

Anonymous said...

Ok, I usually agree with you, but I think that you got this one wrong.

Your argument that proprietary code can still be reviewed using disassemblers does not hold simply because you're not allowed to reverse-engineer proprietary code. And this is the whole point. In the specific case of Microsoft code, you may not "reverse engineer, decompile or disassemble the software, except and only to the extent that
applicable law expressly permits, despite this limitation;" (Vista Home Basic License found here:

If you consider that you have access to the code of proprietary software, there's no point in comparing it to open source.

Joanna Rutkowska said...

Roberto, that's a good point you raised. Unfortunately I'm not able to give any constructive feedback on this, as I'm not a lawyer myself... I can only consider technical feasibility of something, and not legal or ethical (at least here on this blog). Thanks for the comment anyway.

Roberto Scaccia said...


You are right. Under a law point of view the reverse engineering is a problem. But if you pay attention to law aspects you have to pay much more attention to the jungle of OSS licenses that exists.

You can easily READ the code, but modify it and use or pass to the community the update couldn't be so easy under the same law point of view.

I agree with Joanna. OSS modifiability is a myth. Few have the ability and the time to make this in a secure manner.

I mean: you can modify the code but are you sure this modify doesn't impact on the stability of the code?

I remember when the Windows kernel native APIs were decompiled with first pubblications 2000 year. After these Microsoft published in the MSDN more documentation on them.

Reverse engineering is not only for the ASM level. You can reverse engineer a Java compiled code and/or C# compiled code. Joanna is an hacker and she know it :-)

Anonymous said...

I agree, you go girl.

The risk of putting a backdoor into proprietary software is too big for the reason, if someone is able to reverse engineer -or I/O monitor the software for that matter- it will be quickly known. That exactly happened with the SONY rootkits, in case of Microsoft it would completely shatter their business-model and they will get sued for all they are worth.

So, you have my vote! it's more nuanced.


Gabriel said...

It is always good to reach some of sort of equibilirium on the discussion between propriarity and open source software. It seems the key-word in this discussion is: trust. Who do you trust more, corporate developers or the semi-professional OSS community? Who provides you the most assurance and why? How far are you willing to go to get this assurance?

I think it is better to trust no software at all; neither propriatity nor OSS....

Joanna Rutkowska said...

I think it is better to trust no software at all;

I would love to! Neither software nor hardware. Just the problem is... we sort of have no such choice, do we?

denis bider said...

Uh... the problem with open source is that the source code that others have reviewed is not necessarily the same source code that has been compiled into a running program on your machine.

For a consumer, the difference between proprietary software and open source is that, in the case of proprietary software, you can expect to get a code-signed executable that someone vouches for. In the case of open source, you get a glob of code from some half-anonymous intermediary who does not vouch for anything.

If one is a systems builder implementing their own product, then I can certainly see how one would prefer to build on components that are available in source code. In this case you have the resources and manpower to actually go through that source code and make sure that it is kosher.

As a consumer, though, one is not going to review all of the code one uses, and if we're not going to do that, then I think it is preferable to use closed-source software that someone at least vouches for, and has a clear financial motive to implement well, rather than floating-around open source software.

Who says CIA didn't insert backdoors into Linux? Doing that covertly would be about as easy for them as doing it with Microsoft.

Anonymous said...

Most of users do not recompile the Linux kernel. Do you investigate all the opened source you use? I do not. I don't have a time to do it. I don't know what there is.

Anonymous said...

I don't understand this whole thing here :) sec holes can be found in any systems, doesn't matter if they were made intentionally, by mistake or just because of evolution. I am using both systems MS and OSS and when you are not dumb teenager playing games all the time i don't see any reason why should i use MS.
I wonder what is behind this so like to be philosophical post, i would expect Joanna that you have this already sorted in your head, hm or maybe not.
One day this whole xware thing will fail anyway, because of increasing misusage (evil :) people getting profit from every hole, soft companies pushing people to their sick visions).

Anonymous said...

OSS systems give you more capabilities to manage your system and you are able better to watch your security levels. You can fix lots of bugs by yourself (changing source code, workarounds) thats different from waiting for patch from closed source :) nice that you are able to dig in, but what next? Getting money from MS that you find a hole? No thank you, this is not worthy way for me.
I would not blaim OSS developers, they are very often on much more higher level then people on the other side. Besides as you said on different post, when it comes to some fixes - more people needs to be involved because of all parts - programming, cryptology, design, etc.

Joanna Rutkowska said...

@anonymous (last one): I don't quite get your point (read your comment 3-times already).

Anonymous said...

hi there. i'm absolutely no oss fanatic (using osx to write this comment). i think you are crossing the line between logic and superstition. you say: public/legally available code != ease of inspection. c'mon... you don't really mean it, you are just trying to be "anticonformistic" your way

Joanna Rutkowska said...

@arrow: go back and re-read my post.

Anonymous said...

I would rather have a look at the source code in its entirety to determine whether it is to be trusted or not. Yes, it is all about trust when it comes to commercial proprietary software... I believe it is about who is doing the business here... I see Joanna softening her tone on Microsoft these days only because she fried this company to death over the past two good job..

Othman Esoul said...

I suggest reading Ken Thompson's article "Reflections on trusting trust ".

Anonymous said...

Nice essay, but it misses the main point: the question is not, whether it's easier to [i]break[/i] OSS security implementations or closed source security implementations; as far as i can see, this would only be a question of how smart you are. So from this point of view, preferring one over the other makes no difference.

But OSS has one advantage, not explicitely mentioned here: despite the fact, that breaking the code makes no difference whether it is OSS or not, it is a lot easier (anybody with appropriate skills can do it) to [i]fix[/i] the code. So if you found a sec-hole, you are invited to fix it, or at least proposing, how to fix it.

So, things could be done more easily and faster.

That's why i would [i]always[/i] prefer Open Source Software over closed source. I do not distrust closed source software per se, but to get things done, it is inefficient.

Kind regards.

Anonymous said...

Maybe you would like to read this - An expert’s guide to open source software security -

Anonymous said...

@denis bider

Very late response, sorry. But I can't let your comments about code signing go unchallenged.

You said:
For a consumer, the difference between proprietary software and open source is that, in the case of proprietary software, you can expect to get a code-signed executable that someone vouches for. In the case of open source, you get a glob of code from some half-anonymous intermediary who does not vouch for anything.

C'mon, really? Many (and most of the top-used) opensource distros *do* sign their software releases.

I'm not saying that every single line of code is reviewed by each distro in question, but your statements about OSS code signing (or lack thereof) are completely false.