Coverity, a software
engineering company focused on developing a better way to build
software, today announced results on Linux security compiled over four
years of source code analysis of the Linux kernel. Coverity discovered
985 bugs in 5.7 million lines of code in the recent 2.6 Linux
production kernel now shipping in operating system products from
Novell and other major Linux software companies.

The former director of cybersecurity for the U.S. Department of
Homeland Security, Amit Yoran, this month told a Washington, D.C.
conference on Homeland Security and Information Assurance that
automatic code debuggers are required to make software secure.

As commercial software is developed, it typically contains 20 to 30
bugs for every thousand lines of code, according to Carnegie Mellon
University's CyLab Sustainable Computing Consortium.

The Linux source code analysis project started in 2000 at the Stanford
University Computer Science Research Center as part of a massive
research initiative to improve core software engineering processes in
the software industry. The initiative continues on at Coverity, a
commercial software company started by five of the lead Stanford
researchers. Coverity customers include the top vendors in networking,
electronic design automation and storage, among others.

As a public service, Coverity will start providing bug analysis
reports on a regular basis and make a summary of the results freely
available to the Linux development community.

"This is a benefit to the Linux development community and we
appreciate Coverity's efforts to help us improve the security and
stability of Linux," said Andrew Morton, lead Linux kernel maintainer.
"We've already addressed the top priority bugs that Coverity has
uncovered. It's a very useful system for high quality code."

"Key Linux developers can now use the same tools that many of the
world's largest commercial IT vendors have integrated into their
software development process," said Seth Hallem, CEO of Coverity. "Our
findings show that Linux contains 0.17 bugs per thousand lines of
code, which is an extremely low defect rate and is evidence of the
strong security of Linux. Many security holes in software are the
result of software bugs that can be eliminated with good programming
processes."

Coverity found Linux bugs in five areas:

  -- crash-causing defects
  -- incorrect program behavior
  -- performance degradation
  -- improper use of APIs
  -- security flaws

Of the 985 bugs, 627 are in critical parts of the kernel and are
broken down as follows:

  -- Crash-causing: 569
  -- Buffer overruns: 25
  -- Performance degradation (resource leaks): 33
  -- Security: 100

The details can be found here: http://linuxbugs.coverity.com/linuxbugs.htm
Pune GNU/Linux Users Group Mailing List:      ([EMAIL PROTECTED])
List Information:  http://plug.org.in/mailing-list/listinfo/plug-mail