English

How Open Should Open Source Be?

Cryptography and Security 2011-09-05 v1 Machine Learning

Abstract

Many open-source projects land security fixes in public repositories before shipping these patches to users. This paper presents attacks on such projects - taking Firefox as a case-study - that exploit patch metadata to efficiently search for security patches prior to shipping. Using access-restricted bug reports linked from patch descriptions, security patches can be immediately identified for 260 out of 300 days of Firefox 3 development. In response to Mozilla obfuscating descriptions, we show that machine learning can exploit metadata such as patch author to search for security patches, extending the total window of vulnerability by 5 months in an 8 month period when examining up to two patches daily. Finally we present strong evidence that further metadata obfuscation is unlikely to prevent information leaks, and we argue that open-source projects instead ought to keep security patches secret until they are ready to be released.

Cite

@article{arxiv.1109.0507,
  title  = {How Open Should Open Source Be?},
  author = {Adam Barth and Saung Li and Benjamin I. P. Rubinstein and Dawn Song},
  journal= {arXiv preprint arXiv:1109.0507},
  year   = {2011}
}

Comments

19 pages, 27 figures

R2 v1 2026-06-21T18:59:02.419Z