Coverity's kernel code quality study
[Posted December 14, 2004 by cook]
Linux Kernel Software Quality and Security Better than Most Proprietary Enterprise Software, 4-Year Coverity Analysis Finds
Stanford computer science researchers analyze 5.7 million lines of software, identify 985 software bugs, most already fixed by the open source community
SAN FRANCISCO, December 14, 2004 - Coverity, a software engineering company
focused on developing a better way to build software, today announced results
on Linux security compiled over four years of source code analysis of the
Linux kernel. The recent 2.6 Linux production kernel, now shipping in
operating system products from Novell and other major Linux software
companies, contains 985 bugs in 5.7 million lines of code, well below the
industry average for commercial enterprise software.
Commercial software typically has 20 to 30 bugs for every thousand lines of
code, according to Carnegie Mellon University's CyLab Sustainable Computing
Consortium. This is equivalent to 114,000 to 171,000 bugs in 5.7 million
lines of code.
The former director of cybersecurity for the U.S. Department of Homeland
Security, Amit Yoran, this month told a Washington, D.C. conference on
Homeland Security and Information Assurance that automatic code debuggers are
required to make software secure.
The Linux source code analysis project started in 2000 at the Stanford
University Computer Science Research Center as part of a massive research
initiative to improve core software engineering processes in the software
industry. The initiative continues on at Coverity, a commercial software
company started by five of the lead Stanford researchers. Coverity customers
include the top vendors in networking, electronic design automation and
storage, among others.
As a public service, Coverity will start providing bug analysis reports on a
regular basis and make a summary of the results freely available to the Linux
development community.
"This is a benefit to the Linux development community and we appreciate
Coverity's efforts to help us improve the security and stability of Linux,"
said Andrew Morton, lead Linux kernel maintainer. "We've already addressed
the top priority bugs that Coverity has uncovered. It's a very useful system
for high quality code."
"Key Linux developers can now use the same tools that many of the world's
largest commercial IT vendors have integrated into their software development
process," said Seth Hallem, CEO of Coverity. "Our findings show that Linux
contains 0.17 bugs per thousand lines of code, which is an extremely low
defect rate and is evidence of the strong security of Linux. Many security
holes in software are the result of software bugs that can be eliminated with
good programming processes."
Coverity found Linux bugs in five areas:
crash-causing defects,
incorrect program behavior,
performance degradation,
improper use of APIs,
security flaws.
Of the 985 bugs, 627 are in critical parts of the kernel and are broken down
as follows:
Crash-causing: 569
Buffer overruns: 25
Performance degradation (resource leaks): 33
Security: 100
A summary of the bugs is available at http://linuxbugs.coverity.com.
Active members of the Linux kernel development community can obtain detailed
bug reports by contacting Coverity.
About Coverity's Products
SWAT's core technology is unique amongst source code analysis solutions in
both its precision and scalability. Unlike many competing technologies, SWAT
simulates the effects that the operations in the source code might have in
the runtime environment, rather than searching the source code for known,
dangerous coding patterns or potentially sloppy coding constructs. The result
is that the defects detected by SWAT's analysis platform are potentially
disastrous runtime errors that must be fixed in the source code. In addition,
SWAT is designed to integrate easily into existing software development
practices without any changes to existing build systems or existing
development tools.
About Coverity
Coverity, Inc. (www.coverity.com) is a software engineering company focused
on developing a better way to build software. While hardware design has
always been considered a difficult task that merits significant investments
in automation and verification, the notion that building software is just as
difficult has only recently gained credibility in the marketplace. Coverity
was founded to meet that insight with a solution: analyze source code with
sophisticated, automatic tools that allow software developers to identify
defects that could cause catastrophic failures or security breaches without
imposing any additional burden on the development cycle.