Hunting for vulnerabilities in large software : the OpenOffice suite

How much effort does it cost to find zero-day vulnerabilities in widely-deployed software? As an exercise, we searched for vulnerabilities in OpenOffice, a productivity suite used by about a hundred million people. Within a 4-month period, we found a total of 15 vulnerabilities, including buffer overflow errors, out-of-bound array index errors and null pointer dereferences, using publicly available analysis and debugging tools. About half of the total effort was invested upfront in learning the software and tools; thereafter we found exploitable bugs at a steady rate. This is worrying; if two first-year research students working for 4 months can increase by about 10% the total number of vulnerabilities ever discovered in a large program that has been available for a decade, this suggests that no more than a few years’ worth of security testing effort have been invested in total in this product – calling into question the ‘many eyes’ theory of open-source software security. It also suggests that, at equilibrium, the ‘market price’ for a zero-day exploit might be very reasonable. We discuss the challenges in analysing large software systems and suggest possible ways in which finding bugs might be made even cheaper.