blog dds

2003.10.03

Software Complexity: Open Source vs Microsoft

In a readable and interesting paper titled CyberInsecurity: the cost of a monopoly seven notable security experts argue that the Microsoft's near monopoly in the desktop operating system and office productivity markets is creating a dangerous monoculture that exacerbates the effect of security vulnerabilities.

Furthermore, the authors argue that because the central enemy of reliability is complexity prevention of insecure operating modes in complex systems is difficult to do well and impossible to do cheaply: the defender has to counter all possible attacks; the attacker only has to find one unblocked means of attack. As complexity grows, it becomes ever more natural to simply assert that a system or a product is secure as it becomes less and less possible to actually provide security in the face of complexity. In the case of Microsoft's products Microsoft's corporate drive to maximize an automated, convenient user-level experience is hard to do some would say un-doable except at the cost of serious internal complexity.

I decided to examine the alleged complexity of Microsoft's offerings by looking at the library dependencies of the Mozilla web browser and Microsoft's Internet Explorer.

I derived Mozilla's dependencies by calculating the transitive closure of all library dependencies identified in the FreeBSD ports collection starting from the Mozilla (1.3) port. I also added by hand the missing Java 1.3 dependency, which is reported through a warning message. The resultant dependency graph is the following:

Next, I derived IE's dependencies by calculating the transitive closure of all DLL imports found in the executables and DLLs starting from iexplore.exe. From the list I removed by hand dependencies on kernel32.dll, ntdll.dll, msvcrt.dll, and advapi32.dll reasoning that these DLLs provide facilities similar to those found in the the POSIX libraries that are linked by default in Unix-style systems. The resultant graph looked deceptively simple, and was missing a number of obvious dependencies.

So, I searched for strings in the iexplore.exe file to locate libraries that were bound at run time. By adding the respective DLLs the picture became more realistic, but still some dependencies were missing.

Finally, by means of the following Outwit based shell script, I added some dependencies that are apparently created through in-process servers by means of registry lookup operations.

winreg HKEY_CLASSES_ROOT\\PROTOCOLS | 
awk '/CLSID/{print $3}' |
while read i
do
	winreg HKEY_CLASSES_ROOT\\CLSID\\$i\\InprocServer32
done |
awk '!/ThreadingModel/{print $3}' |
sort -u
The following is the final Internet Explorer dependency graph. I still have not been able to determine how msieftp.dll is supposed to enter the picture.

The above picture demonstrates that there is indeed a significant complexity difference between the Internet Explorer and Mozilla. I was also expecting to see significant violations of the layering principle, but no obvious ones are apparent in the picture.

Read and post comments, or share through   


Creative Commons License Last modified: Friday, October 3, 2003 7:33 pm
Unless otherwise expressly stated, all original material on this page created by Diomidis Spinellis is licensed under a Creative Commons Attribution-Share Alike 3.0 Greece License.