Why COTS Software Increases Security Risks

Understanding the risks inherent in using COTS software is important because information systems to day are being built from ever greater amounts of reused and pre packaged code Security analysis of complex software systems has always been a serious challenge with many open research issues Unfortunately COTS software serves only to complicate matters Often code that is acquired from a vendor is delivered in exe cutable form with no source code making some tradi tional analyses impossible The upshot is that relying on today s COTS systems to ensure security is a risky proposition especially when such systems are meant to work over the Internet This short paper touches on the risks inherent some of today s more popular COTS systems including Operating Systems and Java Vir tual Machines COTS in Action or COTS Inaction Like the rest of the Department of Defense the United States Navy is mandated to use Commercial O The Shelf COTS technology in order to stan dardize and to save money The Navy s Smart Ship initiative which is currently being tested as a pilot study on the Aegis missile cruiser USS Yorktown is a prime example of the move to COTS A major part of the initiative is to migrate systems to the Microsoft Windows NT Operating System What recently hap pened to the Yorktown serves to underscore the nature of security risks inherent in COTS based systems In September the Yorktown was underway in maneuvers o the Virginia coast During the maneu vers the Yorktown su ered a serious systems failure caused by a divide by zero error in an NT application According to the RISKS digest Volume Issue the zero seems to have been an erroneous data item entered by a system user As a result of the error the ship was dead in the water for over two and a half hours This somewhat amusing anecdote would turn out to be a very serious and potentially deadly problem dur ing wartime Windows NT is known to have a number of failure modes any one of which could be leveraged into an Information Warfare weapon Nevertheless since NT is quickly becoming a de facto standard in industry the DoD is unlikely to abandon its e ort to adopt it Instead of becoming less likely problems such as those experienced on the Yorktown are a hint of things to come COTS Problems Percolate Up Despite the proliferation of NT Workstations in business critical and mission critical environments lit tle analysis of the software that comprises the NT plat form has been performed This implies that the ex tent to which NT has inherent security and robustness risks systems built with a COTS architecture that in clude NT inherit the same risks Operating Systems are not alone in this problem Any third party software included in a system has the same risk percolation property whether the soft ware is packaged at the component level or higher That means that COTS parts of electronic commerce systems now on the drawing board including Web browsers and Java Virtual Machines introduce sim ilar concerns Unfortunately if a vendor embeds COTS software in a product end users will not ab solve the vendor of blame for any system failures The real problem is this COTS often su er from dependability secu rity and safety problems What can we do to analyze COTS and measure them according to these properties This problem is exacerbated by the fact that COTS are usually delivered with no guarantees about their behavior in black box form It is hard enough to try to determine what a program will do given its source code Without the source code the problem becomes much harder