An extensive review of the Linux kernel using a source-code analysis tool found that the core components of the operating system contain far fewer security vulnerabilities than a typical commercial software package.
The review, begun in 2000, was done by Coverity Inc., a company that sells a source-code auditing tool and has been working with members of the open-source community to identify vulnerabilities before applications are released.
Researchers at the San Francisco-based company looked only at the Linux kernel, the common set of instructions that runs in every Linux implementation.
The team found that the Linux 2.6 kernel has 985 bugs in its 5.7 million lines of code. By way of comparison, most commercial software is generally thought to contain between 10 and 20 bugs for every 1,000 lines of code; the Linux kernel has 0.17 per 1,000 lines of code.
Coverity researchers began running audits of the Linux kernel four years ago, before the company even officially existed and while many of its founders still were graduate students at Stanford.
In that time, the number of bugs in the OS has dropped by nearly a factor of 10, officials said.
“In the critical parts of the kernel that have to run across every deployment, it has really improved. The bug densities used to be more than eight times what they are now,” said Seth Hallem, CEO of Coverity.
“I think the education level of the kernel maintainers has really improved. They benefit greatly from working in the open-source system. They have very intelligent people looking at the kernel, and they know what to look for.”
The relative security of Linux and Microsoft Corp.s Windows OS has been a topic of intense debate in the security and open-source communities for years, and this study will likely give more ammunition to the anti-Microsoft contingent. Critics of Microsoft contend that the company could quickly improve the security and quality of Windows by opening the source code to analysis by third parties.
The company has in fact hired outside security firms to review its code for security flaws and also runs its own analysis tool against the code, but has shown no interest in letting the rest of the world have a look at its most prized asset.
Of the nearly 1,000 bugs that Coverity found in the Linux kernel, little more than 10 percent were actually security flaws. More than half were bugs that caused the kernel to crash, 25 were buffer overruns—which are often considered security flaws—and 33 were problems that caused performance degradation.
The company said it will update the code analysis on a regular basis and also is planning to work with open-source teams such as the Mozilla Foundation to give them access to the companys SWAT analysis tool for free.