Linux Kernel Software Quality and Security Better than Most Proprietary Enterprise Software, 4-Year Coverity Analysis Finds
Stanford computer science researchers analyze 5.7 million lines of software, identify 985 software bugs - most already fixed by open source community
SAN FRANCISCO, December 14, 2004 –
Coverity, a software engineering company focused on
developing a better way to build software, today announced
results on Linux security compiled over four years of
source code analysis of the Linux kernel. Coverity discovered
985 bugs in 5.7 million lines of code in the recent
2.6 Linux production kernel now shipping in operating
system products from Novell and other major Linux software
companies.
The former director of cybersecurity for the U.S. Department
of Homeland Security, Amit Yoran, this month told a
Washington, D.C. conference on Homeland Security and
Information Assurance that automatic code debuggers
are required to make software secure.
As commercial software is developed, it typically contains
20 to 30 bugs for every thousand lines of code, according
to Carnegie Mellon University's CyLab Sustainable Computing
Consortium.
The Linux source code analysis project started in 2000
at the Stanford University Computer Science Research
Center as part of a massive research initiative to improve
core software engineering processes in the software
industry. The initiative continues on at Coverity, a
commercial software company started by five of the lead
Stanford researchers. Coverity customers include the
top vendors in networking, electronic design automation
and storage, among others.
As a public service, Coverity will start providing bug
analysis reports on a regular basis and make a summary
of the results freely available to the Linux development
community.
“This is a benefit to the Linux development community
and we appreciate Coverity's efforts to help us improve
the security and stability of Linux,” said Andrew Morton,
lead Linux kernel maintainer. “We've already addressed
the top priority bugs that Coverity has uncovered. It's
a very useful system for high quality code.”
“Key Linux developers can now use the same tools that
many of the world's largest commercial IT vendors have
integrated into their software development process,”
said Seth Hallem, CEO of Coverity. “Our findings show
that Linux contains 0.17 bugs per thousand lines of
code, which is an extremely low defect rate and is evidence
of the strong security of Linux. Many security holes
in software are the result of software bugs that can
be eliminated with good programming processes.”
Coverity found Linux bugs in five areas:
- crash-causing defects,
- incorrect program behavior,
- performance degradation,
- improper use of APIs,
- security flaws.
Of the 985 bugs, 627 are in critical parts of the kernel
and are broken down as follows:
- Crash causing: 569
- Buffer overruns: 25
- Performance degradation (resource leaks): 33
- Security: 100
A summary of the bugs is available at http://linuxbugs.coverity.com
Active members of the Linux kernel development community
can obtain detailed bug reports by contacting Coverity.
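Two of the defect classes in that breakdown, a resource leak on an error path and a buffer overrun, as an added userspace C example that is not Coverity's code and not taken from the kernel. The `struct record` type, its `NAME_MAX_LEN` field size and the counting allocator are assumptions made for illustration; each buggy function is kept deliberately, beside its corrected form, to show the shape of bug the analysis reports.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>

#define NAME_MAX_LEN 16  /* assumed fixed-size field, as in many kernel structs */

struct record {
    char name[NAME_MAX_LEN];
    int value;
};

/* Counting allocator (assumed, for the example): a non-zero balance after a
 * call returns means that call leaked, which is what the "resource leak"
 * class above reports on kernel error paths. */
int live_allocs = 0;

void *track_alloc(size_t n)
{
    void *p = malloc(n);
    if (p)
        live_allocs++;
    return p;
}

void track_free(void *p)
{
    if (p) {
        live_allocs--;
        free(p);
    }
}

/* BUGGY (kept on purpose): the length check is right, but the early return
 * on the error path skips the free, so every rejected name leaks one
 * struct record. The leak exists on one branch only, so finding it means
 * following each path to its return rather than scanning for a missing free. */
int record_create_leaky(const char *name, int value, struct record **out)
{
    struct record *r = track_alloc(sizeof(*r));
    if (!r)
        return -ENOMEM;
    if (strlen(name) >= NAME_MAX_LEN)
        return -EINVAL;          /* leak: r is never freed */
    memcpy(r->name, name, strlen(name) + 1);
    r->value = value;
    *out = r;
    return 0;
}

/* FIXED: validate before allocating, so no error path owns memory. */
int record_create(const char *name, int value, struct record **out)
{
    struct record *r;
    size_t len = strlen(name);
    if (len >= NAME_MAX_LEN)
        return -EINVAL;
    r = track_alloc(sizeof(*r));
    if (!r)
        return -ENOMEM;
    memcpy(r->name, name, len + 1);
    r->value = value;
    *out = r;
    return 0;
}

void record_destroy(struct record *r)
{
    track_free(r);
}

/* BUGGY (kept on purpose): buffer overrun. strcpy copies up to the NUL, so
 * a name of NAME_MAX_LEN bytes or more writes past r->name into r->value
 * and whatever follows the struct. Never call this on untrusted input. */
void record_set_name_unchecked(struct record *r, const char *name)
{
    strcpy(r->name, name);
}

/* FIXED: bounded copy that rejects oversize input instead of overflowing
 * (or silently truncating, which strncpy would do). */
int record_set_name(struct record *r, const char *name)
{
    size_t len = strlen(name);
    if (len >= NAME_MAX_LEN)
        return -EINVAL;
    memcpy(r->name, name, len + 1);
    return 0;
}

/* Allocation balance left behind by a rejected create: 1 for the leaky
 * version, 0 for the fixed one. */
int leaked_by(int (*create)(const char *, int, struct record **))
{
    struct record *r = NULL;
    int before = live_allocs;
    (void)create("this-name-is-far-too-long", 1, &r);
    return live_allocs - before;
}
```

Calling `leaked_by(record_create_leaky)` returns 1 and `leaked_by(record_create)` returns 0, which is the observable difference a leak checker reports. Note that a density such as 0.17 bugs per thousand lines is the rate of defects a particular checker set reports; it says nothing about defect kinds that checker set does not model.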
About Coverity's Products
SWAT's core technology runs on a wide variety of hardware
and software platforms used by C and C++ developers.
It is unique amongst source code analysis solutions
in both its precision and scalability. Unlike many competing
technologies, SWAT simulates the effects that the operations
in the source code might have in the runtime environment,
rather than searching the source code for known, dangerous
coding patterns or potentially sloppy coding constructs.
The result is that the defects detected by SWAT's analysis
platform are potentially disastrous runtime errors that
must be fixed in the source code. In addition, SWAT
is designed to integrate easily into existing software
development practices without any changes to existing
build systems or existing development tools.
About Coverity
Coverity, Inc. (www.coverity.com) is a software engineering
company focused on developing a better way to build
software. While hardware design has always been considered
a difficult task that merits significant investments
in automation and verification, the notion that building
software is just as difficult has only recently gained
credibility in the marketplace. Coverity was founded
to meet that insight with a solution: analyze source
code with sophisticated, automatic tools that allow
software developers to identify defects that could cause
catastrophic failures or security breaches without imposing
any additional burden on the development cycle.
Media Contacts
Craig Oda
Page One PR for Coverity
Tel: 650-565-9800 x102
coda@pageonepr.com
David Park
dave@coverity.com
(415) 321-5204