Software Complexity: Open Source vs Microsoft
In a readable and interesting paper titled CyberInsecurity: the cost of a monopoly seven notable security experts argue that the Microsoft's near monopoly in the desktop operating system and office productivity markets is creating a dangerous monoculture that exacerbates the effect of security vulnerabilities.
Furthermore, the authors argue that because the central enemy of reliability is complexity prevention of insecure operating modes in complex systems is difficult to do well and impossible to do cheaply: the defender has to counter all possible attacks; the attacker only has to find one unblocked means of attack. As complexity grows, it becomes ever more natural to simply assert that a system or a product is secure as it becomes less and less possible to actually provide security in the face of complexity. In the case of Microsoft's products Microsoft's corporate drive to maximize an automated, convenient user-level experience is hard to do – some would say un-doable except at the cost of serious internal complexity.
I decided to examine the alleged complexity of Microsoft's offerings by looking at the library dependencies of the Mozilla web browser and Microsoft's Internet Explorer.
I derived Mozilla's dependencies by calculating the transitive
closure of all library dependencies identified
in the FreeBSD ports collection starting from the Mozilla (1.3) port.
I also added by hand the missing Java 1.3 dependency, which is
reported through a warning message.
The resultant dependency graph is the following:
Next, I derived IE's dependencies by calculating the transitive
closure of all DLL imports found in the executables and DLLs starting
from iexplore.exe
.
From the list I removed by hand dependencies on
kernel32.dll
,
ntdll.dll
,
msvcrt.dll
, and
advapi32.dll
reasoning that these DLLs provide facilities similar to those found
in the the POSIX libraries that are linked by default in Unix-style
systems.
The resultant graph looked deceptively simple, and was missing
a number of obvious dependencies.
So, I searched for strings in the iexplore.exe
file to
locate libraries that were bound at run time.
By adding the respective DLLs the picture became more realistic, but still some
dependencies were missing.
Finally, by means of the following Outwit based shell script, I added some dependencies that are apparently created through in-process servers by means of registry lookup operations.
winreg HKEY_CLASSES_ROOT\\PROTOCOLS |
awk '/CLSID/{print $3}' |
while read i
do
winreg HKEY_CLASSES_ROOT\\CLSID\\$i\\InprocServer32
done |
awk '!/ThreadingModel/{print $3}' |
sort -u
msieftp.dll
is supposed to enter the picture.
The above picture demonstrates that there is indeed a significant complexity difference between the Internet Explorer and Mozilla. I was also expecting to see significant violations of the layering principle, but no obvious ones are apparent in the picture.
Read and post comments