Linux Kernel Security and Quality Improved Dramatically in Last Six Months, New Coverity Study Finds
SAN FRANCISCO, August 3, 2005 – Coverity, Inc., makers of the world's most advanced and scalable source code analysis solution today announced results from a new study on the security and quality of the Linux kernel. Six months ago Coverity analyzed Linux kernel 2.6.9, the same version used in Red Hat Enterprise Linux 4.0, and found six potentially critical defects in the core filesystem and networking code. Today's findings on the newest Linux kernel 2.6.12 show that all critical defects have been fixed.
"Coverity has worked with the kernel community to help identify a number of longstanding correctness and security issues with the kernel," said Andrew Morton, lead kernel maintainer of the 2.6 Linux kernel. "Version 2.6.12 of the Linux kernel incorporates numerous fixes relative to version 2.6.9 which have resulted from Coverity's analysis. I appreciate the fact that Coverity is able to determine that the kernel is free from several classes of error and that we have the means to avoid such errors creeping into the kernel in the future."
"Although the size of the Linux kernel increased over the six month study, we noticed a significant decrease in the number of potentially serious defects in the core Linux kernel," said Seth Hallem, CEO of Coverity. "Although contributors introduced new defects, these were primarily in non-critical device drivers."
Coverity's study focused on the mainline Linux kernel. Vendors such as Red Hat and Novell take that base kernel and often modify it before distribution, so the figures below describe the upstream code rather than any vendor's shipped kernel. In the past, many IT system administrators have been reluctant to apply the latest software patches out of concern that the patches would introduce new defects. Coverity's study shows that although new defects were introduced into the kernel between the two versions, all the known potentially serious defects were fixed.
Approximately 6 million lines of software were analyzed in the study. Defect density decreased slightly, by 2.2 percent, from 0.17 defects per thousand lines of code in December 2004 to 0.16 defects per thousand lines of code in July 2005. (The 2.2 percent figure is computed from the unrounded ratios, 985 defects in 5.76 million lines versus 1,008 defects in 6.03 million lines; the rounded densities in the table below overstate the change.)
A summary of the findings is shown below:
| | Linux in December 2004 | Linux in July 2005 | Comment |
|---|---|---|---|
| Filesystem buffer overruns | 5 | 0 | Serious defects |
| Network buffer overruns | 1 | 0 | Serious defect |
| Lines of code | 5.76 million | 6.03 million | 4.7 percent increase |
| Total defects | 985 | 1,008 | Slight increase, in non-critical defects |
| Defect density (defects per thousand lines of code) | 0.17 | 0.16 | Smaller number is better |
More Information at LinuxWorld in San Francisco
Seth Hallem, CEO of Coverity, will give a talk at LinuxWorld on his four-year analysis of the security and quality of the Linux kernel. The talk will be given on August 9, 2005 at 10:15am in Moscone Center. Demonstrations of Coverity's analysis technology and explanations of the results of the Linux study are available at Coverity's booth, #859.
Study Availability
Summary findings on the number of defects by type are immediately available to the press and general public from Coverity. Technical details on specific defects are available to active Linux kernel developers. A report with a more detailed description of the analysis will be available at the end of August 2005.
About Coverity
Coverity (www.coverity.com), makers of the world's most advanced and scalable source code analysis solution for pinpointing software defects and security vulnerabilities, is a privately-held company headquartered in San Francisco. Coverity was founded in 2002 by leading Stanford University scientists whose four-year research project resulted in a breakthrough approach for addressing the costliest problem in the software industry. That research breakthrough allows developers to quickly and precisely eliminate software defects and security vulnerabilities in tens of millions of lines of new or legacy code. Today, Coverity's solution is used by more than 75 leading companies to significantly improve the quality of their software, including Juniper Networks, VERITAS, McAfee, Synopsys, NASA, PalmOne, Sun Microsystems and Wind River.
Coverity is a registered trademark, and Coverity Extend and Coverity Prevent are trademarks of Coverity, Inc. All other company and product names are the property of their respective owners.
Media Contacts
Bret Clement
Page One PR for Coverity
bret@pageonepr.com
(303) 462-3057
David Park
dave@coverity.com
(415) 321-5204