Hunting for vulnerabilities in large software: the OpenOffice suite
How much effort does it cost to find zero-day vulnerabilities in widely deployed software? As an exercise, we searched for vulnerabilities in OpenOffice, a productivity suite used by about a hundred million people. Within a 4-month period, we found a total of 15 vulnerabilities, including buffer overflow errors, out-of-bounds array index errors and null pointer dereferences, using publicly available analysis and debugging tools. About half of the total effort was invested up front in learning the software and tools; thereafter we found exploitable bugs at a steady rate. This is worrying: if two first-year research students working for 4 months can increase by about 10% the total number of vulnerabilities ever discovered in a large program that has been available for a decade, this suggests that no more than a few years' worth of security testing effort have been invested in total in this product, calling into question the 'many eyes' theory of open-source software security. It also suggests that, at equilibrium, the 'market price' for a zero-day exploit might be very reasonable. We discuss the challenges in analysing large software systems and suggest possible ways in which finding bugs might be made even cheaper.
Tools to get started
A simple fuzzer for the OpenOffice suite.
File formats supported: .doc, .xls, .ppt, .png, .gif, .tif, .jpg, .wmf, .odt, .ods, .odp, .docx, .xlsx, .pptx
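A mutation fuzzer of the kind offered above, as an added example rather than the authors' tool: it keeps each case's extension so OpenOffice selects the matching import filter, derives reproducible cases from a fixed random seed, and classifies each run as a crash (signal death) or hang. The seed bytes are constructed, and `run_case` assumes a LibreOffice-style `soffice --headless --convert-to` command line.

```python
import random
import subprocess
import sys
from pathlib import Path

# Extensions listed on the page. OpenOffice chooses its import filter by suffix,
# so every mutated case must keep the seed file's extension.
SUPPORTED = {".doc", ".xls", ".ppt", ".png", ".gif", ".tif", ".jpg", ".wmf",
             ".odt", ".ods", ".odp", ".docx", ".xlsx", ".pptx"}

# Constructed sample seed: the OLE2 compound-file signature plus padding,
# standing in for a real .doc seed the fuzzer would normally read from disk.
SAMPLE_SEED = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + bytes(56)

def is_supported(name: str) -> bool:
    return Path(name).suffix.lower() in SUPPORTED

def mutate(data: bytes, rng: random.Random, max_edits: int = 8) -> bytes:
    """Corrupt a copy of `data` with bit flips, boundary integers and byte runs:
    the damage that exposes bad length/index arithmetic in file-format parsers."""
    buf = bytearray(data)
    if not buf:
        return data
    for _ in range(rng.randint(1, max_edits)):
        pos = rng.randrange(len(buf))
        op = rng.choice(("flip", "magic", "run"))
        if op == "flip":                      # single bit flip
            buf[pos] ^= 1 << rng.randrange(8)
        elif op == "magic":                   # boundary values for length/offset fields
            val = rng.choice((0x00, 0xFF, 0x7F, 0x80, 0xFFFF, 0x7FFFFFFF, 0xFFFFFFFF))
            width = 1 if val <= 0xFF else 2 if val <= 0xFFFF else 4
            buf[pos:pos + width] = val.to_bytes(width, "little")
        else:                                 # overwrite a run with one repeated byte
            n = rng.randint(1, 64)
            buf[pos:pos + n] = bytes([rng.randrange(256)]) * n
    return bytes(buf)

def generate_cases(seed_name: str, seed_data: bytes, count: int, rng_seed: int):
    """Return `count` (filename, bytes) pairs derived from one seed document."""
    if not is_supported(seed_name):
        raise ValueError(f"unsupported seed type: {seed_name}")
    rng = random.Random(rng_seed)             # fixed seed makes every case reproducible
    suffix = Path(seed_name).suffix.lower()
    return [(f"case_{i:04d}{suffix}", mutate(seed_data, rng)) for i in range(count)]

def run_case(path: Path, timeout: float = 30.0) -> str:
    """Open one case headlessly (assumed LibreOffice-style CLI) and classify the outcome."""
    cmd = ["soffice", "--headless", "--convert-to", "pdf", "--outdir", str(path.parent), str(path)]
    try:
        rc = subprocess.run(cmd, capture_output=True, timeout=timeout).returncode
    except subprocess.TimeoutExpired:
        return "hang"
    except FileNotFoundError:
        return "no-target"                    # soffice not installed on this machine
    return "crash" if rc < 0 else "ok"        # negative rc: killed by a signal such as SIGSEGV

if __name__ == "__main__":
    out = Path(sys.argv[1] if len(sys.argv) > 1 else "cases"); out.mkdir(exist_ok=True)
    for name, data in generate_cases("seed.doc", SAMPLE_SEED, 20, 1):
        (out / name).write_bytes(data)
        print(name, run_case(out / name))
```

Cases that report `crash` or `hang` should be kept with their seed and RNG value so the failing input can be regenerated and minimised under a debugger.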