Which database is more secure?
Oracle vs. Microsoft
David Litchfield [davidl@ngssoftware.com]
Summary:
The paper examined the differences between the security postures of Microsoft’s SQL Server and Oracle’s RDBMS based upon flaws reported by external security researchers. Only flaws affecting the database server software itself have been considered in compiling this data. A general comparison is made covering Oracle 8, 9 and 10 against SQL Server 7, 2000 and 2005.
The paper charts the number of security flaws in the Oracle and Microsoft database servers that were discovered and fixed from December 2000 until November 2006. Graphs indicate flaws that have been discovered by external security researchers in both vendors’ flagship database products, namely Oracle 10g Release 2 and SQL Server 2005. No security flaws have been announced for SQL Server 2005. It is immediately apparent from the resulting graphs that Microsoft SQL Server has a stronger security posture than the Oracle RDBMS. The conclusion is clear: if security robustness and a high degree of assurance are concerns when looking to purchase database server software, then given the results one should not be looking at Oracle as a serious contender.
Evaluation:
From my standpoint, I believe that conducting such research is of assistance to database users in choosing which database is more functional in terms of security. A comparison of two particular databases’ security stances could provide acquaintance with and information on how these databases perform security. Assessing the paper’s format and flow of study, I could say that it was more of a statistical study. I am not certain how the results and data were acquired. The fact is, the paper did not provide a proper definition of its methodology or its abstract. However, regardless of that issue, the study is competent research. The study is definitely of great significance and contribution to the concerned database users, but I would like to suggest that further enhancement of the construction of the paper should be practiced.
Analysis of an Electronic Voting System
Tadayoshi Kohno, Adam Stubblefield, Aviel D. Rubin, Dan S. Wallach
February 2004
Summary:
The study is concerned with the U.S. federal adoption of paperless electronic voting systems. Analysis showed that this voting system is far below even the most minimal security standards applicable in other contexts. The researchers identified several problems, including unauthorized privilege escalation, incorrect use of cryptography, vulnerabilities to network threats, and poor software development processes. The most fundamental problem with such a voting system is that the entire election hinges on the correctness, robustness, and security of the software within the voting terminal. They concluded that the voting system is unsuitable for use in a general election. Any paperless electronic voting system might suffer similar flaws, despite any “certification” it could have otherwise received.
Using publicly available source code, an analysis was performed of the April 2002 snapshot of Diebold’s AccuVote-TS 4.3.1 electronic voting system. Significant security flaws were found. Based on analysis of the development environment, including change logs and comments, an appropriate level of programming discipline for a project was not maintained. There appears to have been little quality control in the process. The model where individual vendors write proprietary code to run elections appears to be unreliable, and if the process of designing the voting systems is not changed, there will be no confidence that the election results will reflect the will of the electorate.
On the other hand, an open process would result in more careful development, as more scientists, software engineers, political activists, and others who value their democracy would be paying attention to the quality of the software that is used for their elections. Alternatively, security models such as the voter-verified audit trail allow for electronic voting systems that produce a paper trail that can be seen and verified by a voter. In such a system, the correctness burden on the voting terminal’s code is significantly less as voters can see and verify a physical object that describes their vote. They suggested that the best solutions are voting systems having a “voter-verifiable audit trail,” where a computerized voting system might print a paper ballot that can be read and verified by the voter.
Evaluation:
In order to perform a steadfast election, concerns about what voting system is implemented and how are always being considered. With regard to the study, I deem that conducting this kind of research is significant to the public and to the assurance of the trustworthiness of an election. In conformity with evolving technology, an electronic voting system is being manipulated to try out the reliability of the security of adopting a paperless electronic voting system. Testing and simulation of the said system are done to be able to examine its security assurance. I actually find this research complicated to perform. Findings showed that such a system may be unreliable, and exploiting an open process and other particular systems is advised. The study is commendable, and I would like to propose that, to further elaborate the function of the study, a number of systems should be taken into consideration to become subjects of the study.
Open Standards, Open Formats, and Open Source
Davide Cerri and Alfonso Fuggetta
CEFRIEL - Politecnico di Milano
January 2007
Summary:
The paper proposed some comments and reflections on the notion of “openness” and on how it relates to three important topics which are open standards, open formats, and open source. Often, these terms are considered equivalent and/or mutually implicated: “open source is the only way to enforce and exploit open standards”. This position is misleading, as it increases the confusion about this complex and extremely critical topic. The paper clarified the basic terms and concepts. This is instrumental to suggest a number of actions and practices aiming at promoting and defending openness in modern ICT products and services.
This paper concentrated on some of the issues and claims associated with open source. In particular, it discussed the relationship among open source, open standards, open formats, and, in general, the protection of customers’ rights. Indeed, many consider open source the most appropriate way to define and enforce open standards and open formats. In particular, the promotion of open standards and open formats is confused with the open source movement. Certainly, these issues are interrelated, but it is wrong to overlap them. For these reasons, the ultimate goal of the paper is to provide a coherent, even if preliminary, framework of concepts and proposals to promote the development of the market and to address customers’ needs and requests.
Evaluation:
Openness, open source and their relevant concerns have always been an arguable issue. We too have discussed and tackled these issues. I believe the impact of this kind of study is favorable. It has identified a number of definitions for the term “open standard”, based on the different practices in the market. Moreover, the paper contains some proposals to deal with the different issues and challenges related to the notions of openness, customers’ rights, and market development. The study used some historical data in compiling various definitions of open standard. It is an evaluation or overview of subjects related to open standards. This study is somewhat descriptive research.
http://boysamad.blogspot.com/