Estimate for the total number of exploitable bugs in large linux distro?
What is an estimate for the total number of exploitable bugs in a large Linux distro? Also, does the total number decrease, increase or change in some other way over time?
On Fri, Jul 14, 2017 at 12:30:56PM +0300, Georgi Guninski wrote:
> What is an estimate for the total number of exploitable bugs in a large Linux distro?

Bugs that already have some PoC or other code to exploit the issue? Or the sum total of all exploitable bugs, discovered and undiscovered? The first case should be relatively small with a very current release... the second case obviously could be different.

> Also, does the total number decrease, increase or change in some other way over time?
Without patching, discovered bugs will increase over time. The actual number of bugs stays the same of course (again, without patching). Obviously you're a fool if you don't maintain your software...
On Fri, Jul 14, 2017 at 10:22:32AM -0400, John Newman wrote:
> Bugs that already have some PoC or other code to exploit the issue? Or the sum total of all exploitable bugs, discovered and undiscovered?
> The first case should be relatively small with a very current release... the second case obviously could be different.
I meant all bugs, including the unknown.
>> Also, does the total number decrease, increase or change in some other way over time?
> Without patching, discovered bugs will increase over time. The actual number of bugs stays the same of course (again, without patching).
> Obviously you're a fool if you don't maintain your software...
Even with patching, adding new code introduces new bugs and versions change relatively often in general. There is some discussion on the oss-security mailing list, especially a short paper of @Dan Geer.
On 07/15/2017 04:54 AM, Georgi Guninski wrote:
> On Fri, Jul 14, 2017 at 10:22:32AM -0400, John Newman wrote:
>> Bugs that already have some PoC or other code to exploit the issue? Or the sum total of all exploitable bugs, discovered and undiscovered?
>> The first case should be relatively small with a very current release... the second case obviously could be different.
> I meant all bugs, including the unknown.
The question reminds me of Donald Rumsfeld, with his "known knowns" threats (exploits in the wild, patches available or high-priority works in progress), "known unknowns" (theoretically exploitable code but no exploits reported, patching or redesign proceeds at routine priority), and "unknown unknowns" (phantom fears and FUD). By definition, you can't count them all, and estimates will vary with the interests and motivations of whoever does the estimating. If I had to work up an estimate, I would want to look at all available historical data for both raw counts of discovered exploitable coding errors and malfeatures, and trends in the prevalence of same. I would also want to publish data developed by using the same protocol to produce figures for other widely deployed families of kernels, to make the information useful in practical contexts. :o)
participants (3):
- Georgi Guninski
- John Newman
- Steve Kinney