Linux Kernel Security and Quality Improved Dramatically in Last Six Months, New Coverity Study Finds
SAN FRANCISCO, August 3, 2005 –
Coverity, Inc., makers of the world's most advanced
and scalable source code analysis solution today announced
results from a new study on the security and quality
of the Linux kernel. Six months ago Coverity analyzed
Linux kernel 2.6.9, the same version used in Red Hat
Enterprise Linux 4.0, and found six potentially critical
defects in the core filesystem and networking code.
Today's findings on the newest Linux kernel 2.6.12 show
that all critical defects have been fixed.
"Coverity has worked with the kernel community
to help identify a number of longstanding correctness
and security issues with the kernel", said Andrew
Morton, lead kernel maintainer of the 2.6 Linux kernel.
"Version 2.6.12 of the Linux kernel incorporates
numerous fixes relative to version 2.6.9 which have
resulted from Coverity's analysis. I appreciate the
fact that Coverity is able to determine that the kernel
is free from several classes of error and that we have
the means to avoid such errors creeping into the kernel
in the future".
"Although the size of the Linux kernel increased
over the six month study, we noticed a significant decrease
in the number of potentially serious defects in the
core Linux kernel," said Seth Hallem, CEO of Coverity.
"Although contributors introduced new defects,
these were primarily in non-critical device drivers."
Coverity's study focused on the main Linux kernel. Vendors
such as Red Hat and Novell take the base Linux kernel,
often making modifications to the software before distribution.
In the past, many IT system administrators have been
reluctant to apply the latest software patches because
of concerns that the patches would introduce new defects.
Coverity's study shows that although new defects were
introduced into the kernel, all the known potentially
serious defects were fixed.
Approximately 6 million lines of software were analyzed
in the study. Defect density decreased slightly, by 2.2
percent, from 0.17 defects per thousand lines of code in
December of 2004 to 0.16 defects per thousand lines of code in July of 2005.
A summary of the findings is shown below:
| | Linux in December 2004 | Linux in July 2005 | Comment |
|---|---|---|---|
| Filesystem buffer overrun | 5 | 0 | Serious defect |
| Network buffer overrun | 1 | 0 | Serious defect |
| Lines of code | 5.76 million | 6.03 million | 4.7 percent increase |
| Total defects | 985 | 1,008 | Slight increase in non-critical defects |
| Defect density (defects per thousand lines of code) | 0.17 | 0.16 | Smaller number is better |
More Information at LinuxWorld in San Francisco
Seth Hallem, CEO of Coverity, will be giving a talk at LinuxWorld on his four-year analysis of the security and quality of the Linux kernel. The talk will be given on August 9, 2005 at 10:15am in Moscone Center. Demonstrations of Coverity's analysis technology and explanations of the results of the Linux study are available in Coverity's booth, #859.
Study Availability
Summary findings of the number of defects by type are immediately available to the press and general public from Coverity. Technical details on specific defects are available to active Linux kernel developers. A report with a more detailed description of the analysis will be available at the end of August 2005.
About Coverity
Coverity (www.coverity.com), makers of the world's most advanced and scalable source code analysis solution for pinpointing software defects and security vulnerabilities, is a privately-held company headquartered in San Francisco. Coverity was founded in 2002 by leading Stanford University scientists whose four-year research project resulted in a breakthrough approach for addressing the costliest problem in the software industry. That research breakthrough allows developers to quickly and precisely eliminate software defects and security vulnerabilities in tens of millions of lines of new or legacy code. Today, Coverity's solution is used by more than 75 leading companies to significantly improve the quality of their software, including Juniper Networks, VERITAS, McAfee, Synopsys, NASA, PalmOne, Sun Microsystems and Wind River.
Coverity is a registered
trademark, and Coverity Extend
and Coverity Prevent are trademarks
of Coverity, Inc. All other company and product names
are the property of their respective owners.
Media Contacts
Bret Clement
Page One PR for Coverity
bret@pageonepr.com
(303) 462-3057
David Park
dave@coverity.com
(415) 321-5204