
Heartbleed: Critical infrastructure open source needs government funding

Like most vulnerabilities, the colorfully named Heartbleed vulnerability in OpenSSL is caused by an ‘obvious’ coding problem of the kind that has been occurring in practically all programs since Homo sapiens first started writing software; the only thing remarkable about this vulnerability is its potential to generate huge amounts of financial damage. Some people might say that it is also remarkable that such a serious problem has not occurred in OpenSSL before; I don’t think anybody would describe OpenSSL as the most beautiful of code.

As always happens when a coding problem generates some publicity, there have been calls for:

  • More/better training: Most faults are simple mistakes that developers already know all about; training does not stop people making mistakes.
  • Switch to a better language: Several lifetimes could be spent discussing this one and a short coffee break would be enough to cover the inconclusive empirical evidence on ‘betterness’. Switching languages also implies rewriting lots of code and there is that annoying issue of newly written code being more likely to contain faults than code that has been heavily used for a long time.

The fact is that all software contains faults and the way to improve reliability is to actively search for and fix these faults. This will cost money and commercial companies have an incentive to spend money doing this; in whose interest is it to fix faults in open source tools such as OpenSSL? There are lots of organizations who would like these faults fixed, but getting money from these organizations to the people who could do the work is going to be complicated. The simple solution would be for some open source programs to be classified as critical infrastructure and have governments fund the active finding and fixing of the faults they contain.

Some people would claim that the solution is to rewrite the software to be more reliable. However, I suspect the economics will kill this proposal; apart from pathological cases it is invariably cheaper to fix what exists than to start from scratch.

On behalf of the open source community can I ask that unless you have money to spend please go away and stop bothering us about these faults, we write this code for free because it is fun and fixing faults is boring.

  1. Kit Adams
    April 12, 2014 06:06 | #1

    Why is so much open source code written in C when C++ has been around for over 30 years?

    The simple, cheap, safe solution is re-compile it with a modern C++ compiler and incrementally update the code to use modern C++(11) idioms and libraries, which make it very difficult to write code with out-of-range vulnerabilities. For instance, security sensitive code should be compiled with a checked C++ Standard Library. This will throw run time exceptions if the programmer manages to somehow work around the safety features built into the language at compile time (if you use the modern idioms).
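An added illustration of the runtime safety net this comment describes (example code written for this page, not the commenter's own and not OpenSSL code). It parses a constructed, hypothetical length-prefixed message (a 2-byte big-endian declared length followed by payload bytes) in two ways: once with an explicit bounds check, and once relying only on the checked accessor `std::vector::at()`, which throws `std::out_of_range` instead of reading past the end of the buffer when the declared length exceeds the bytes actually received. The message format and the sample inputs are assumptions made for the example.

```cpp
#include <cstdint>
#include <cstdio>
#include <optional>
#include <stdexcept>
#include <vector>

// Hypothetical record format used for this example: two-byte big-endian declared
// payload length, followed by the payload. A sender can lie about the length.

// Variant 1: validate the declared length against what was actually received
// before touching any byte. Returns nullopt for a malformed record.
std::optional<std::vector<uint8_t>> extract_payload_checked(const std::vector<uint8_t>& msg) {
    if (msg.size() < 2) return std::nullopt;
    const size_t declared = (static_cast<size_t>(msg[0]) << 8) | msg[1];
    if (declared > msg.size() - 2) return std::nullopt;   // explicit bounds check
    return std::vector<uint8_t>(msg.begin() + 2, msg.begin() + 2 + declared);
}

// Variant 2: same parse, but every access goes through vector::at(), the checked
// accessor. If the declared length overruns the buffer, at() throws
// std::out_of_range rather than reading adjacent memory; we translate that
// into a nullopt so callers see a clean failure.
std::optional<std::vector<uint8_t>> extract_payload_at(const std::vector<uint8_t>& msg) {
    try {
        const size_t declared = (static_cast<size_t>(msg.at(0)) << 8) | msg.at(1);
        std::vector<uint8_t> out;
        out.reserve(declared);
        for (size_t i = 0; i < declared; ++i) {
            out.push_back(msg.at(2 + i));   // throws on the first out-of-range index
        }
        return out;
    } catch (const std::out_of_range&) {
        return std::nullopt;
    }
}

// Constructed sample input: declared length 3, payload "abc" (well formed).
std::vector<uint8_t> sample_good() {
    return {0x00, 0x03, 'a', 'b', 'c'};
}

// Constructed sample input: declared length 0x4000 (16384) but only 3 payload
// bytes present; a naive copy would read far past the buffer.
std::vector<uint8_t> sample_bad() {
    return {0x40, 0x00, 'a', 'b', 'c'};
}

int main() {
    for (const auto& m : {sample_good(), sample_bad()}) {
        const auto a = extract_payload_checked(m);
        const auto b = extract_payload_at(m);
        std::printf("explicit check: %s, at(): %s\n",
                    a ? "ok" : "rejected", b ? "ok" : "rejected");
    }
    return 0;
}
```

The explicit check is the cheaper and clearer of the two; the point of the second variant is that even when a programmer forgets it, a checked accessor turns a silent over-read into a catchable exception, which is exactly the behaviour a checked Standard Library build gives you for `operator[]` as well.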

  2. April 15, 2014 12:39 | #2

    Derek, I have to disagree with you on one point – fixing faults is fun too.

    Trying to avoid them by brute force (copious documentation, reviews, “processes” etc.) *is* boring though.

    🙂
