A new study has found that Linux is more secure than most commercial software — results that echo what its proponents have long said.
A four-year study released today by Coverity reports that Linux has a low bug count,
making the code more stable and secure. The 2.6 Linux production kernel, now being
shipped with software from Novell and other Linux vendors, contains 985 bugs in 5.7 million lines of code, far below the industry average, said Seth Hallem, Coverity's CEO.
“Our findings show that Linux contains an extremely low defect rate and is
evidence of the strong security of Linux,” Hallem said. “Many security holes
in software are the result of software bugs that can be eliminated with good
programming processes.”
Commercial software contains 20 to 30 bugs for every thousand lines of code,
according to Carnegie Mellon University’s CyLab Sustainable Computing Consortium.
That is the equivalent to 114,000 to 171,000 bugs in 5.7 million lines of code.
“Linux has continually improved over the period since we first began analyzing
it,” Hallem said, adding that open source has a big advantage, because so many
eyes had the opportunity to search it for flaws.
Of the bugs found in the Linux production kernel, 627 are in critical parts
of the kernel; 569 could result in a system crash; 100 were security
holes and 33 were buffer overruns, Coverity said.
Hallem said most of the bugs found during the study would be cleared by
members of the open source community.
Andrew Morton, lead Linux kernel maintainer, said developers had already
addressed the top-priority bugs discovered in the study.
“This is a benefit to the Linux development community, and we appreciate
Coverity’s efforts to help us improve the security and stability of Linux,”
he said in a statement.
Hallem says Coverity will begin providing bug analysis reports on a regular
basis and make a summary of the results freely available to the Linux
development community.
“Key Linux developers can now use the same tools that many of the world’s
largest commercial IT vendors have integrated into their software development
process,” Hallem said.
The Linux source code analysis project started in 2000 at the Stanford
University Computer Science Research Center as part of a research initiative
to improve software engineering processes in the software industry, said
Hallem.