Just in time to counter security taints from last weeks MySpooler worm, which spread via weak MySQL passwords on Windows installations, MySQL on Friday got a clean bill of health from code analysis firm Coverity Inc.
The five Stanford University researchers at Coverity, who analyzed the security of the Linux kernel over a period of four years, this month are planning to release an analysis of the security and quality of MySQL code that found the database to have an “excellent” bug density.
Coverity did the analysis at the request of MySQL AB, the company that markets and develops the code for the open-source database under a dual-licensing structure.
Coverity researchers analyzed MySQL Version 4.1.8 in January. The types of defects discovered were crash-causing defects, performance degradation and security vulnerabilities.
Out of 425,000 lines of code analyzed, Coverity identified 97 bugs, which included Deadcode, or unused code due to logic flaws, which can lead to improper system function; forward null, which can cause system crash; negative returns, static overrun and overrun dynamic, all of which can cause data corruption, possible crash or possible malicious attack; resource leak; reverse null; uninitialized variable; and unused value.
The company has used the same code-checking technology on source code from customers including Oracle Corp. and Veritas Software Corp., among others.
For comparisons sake, Coverity found more than 1,000 defects in the Linux kernel Version 2.4.1 in 2001, at a time when the source code contained 1.6 million lines of code.
Coverity CEO Seth Hallem said the relative cleanliness of MySQL code is likely attributable to a few things: First, it is shepherded by MySQL AB, the Uppsala, Sweden-based company that markets and develops the database under a dual-licensing structure. “Theyre putting their necks on the line,” he said. “Theyre certainly more interested than a project with less industry penetration or less of a profit motive.”
Next Page: MySQL gets high marks for alacrity in security response time.
Response Time
Second, the core of Linux is “as good as MySQL,” Hallem said, but the Linux project is “just a lot larger.”
“Linux has a lot of drivers out there that not many people use,” Hallem said. “Does that really impact the kernel as a whole? No, not at all.” In comparison, MySQL AB has managed to keep its code base small, he said.
Hallem said that, according to one developer, one of the MySQL flaws could be exploited by a sequence of SQL statements.
The problem, however, is moot, since all defects have been addressed by MySQL AB—in short order. “We gave them the results about two weeks ago,” Hallem said. “They had them all addressed in two days. It was a very fast turnaround.”
Zack Urlocker, vice president of marketing at MySQL, said the company was happy to find out about the flaws, and that fixes for all affected platforms and versions are now in place—even if the so-called problems are actually impossible to exploit.
“Some [defects] are theoretical and some are platform-specific,” he said. “They look for things that [could potentially happen, such as] calling functions not checking return value—[such things] where it may be theoretically impossible for it to cause problems, but well fix it anyway.”
