[ISN] Linux: Fewer Bugs Than Rivals

InfoSec News isn at c4i.org
Wed Dec 15 03:26:20 EST 2004


http://www.wired.com/news/linux/0,1411,66022,00.html

By Michelle Delio
Dec. 14, 2004 

Linux advocates have long insisted that open-source development
results in better and more secure software. Now they have statistics
to back up their claims.

According to a four-year analysis of the 5.7 million lines of Linux
source code conducted by five Stanford University computer science
researchers, the Linux kernel programming code is better and more
secure than the programming code of most proprietary software.

The report, set to be released on Tuesday, states that the 2.6 Linux
production kernel, shipped with software from Red Hat, Novell and
other major Linux software vendors, contains 985 bugs in 5.7 million
lines of code, well below the industry average for commercial
enterprise software. Windows XP, by comparison, contains about 40
million lines of code, with new bugs found on a frequent basis.

Commercial software typically has 20 to 30 bugs for every 1,000 lines
of code, according to Carnegie Mellon University's CyLab Sustainable
Computing Consortium. This would be equivalent to 114,000 to 171,000
bugs in 5.7 million lines of code.

The study identified 0.17 bugs per 1,000 lines of code in the Linux
kernel. Of the 985 bugs identified, 627 were in critical parts of the
kernel; 569 could cause a system crash, 100 were security holes, and
33 could result in less-than-optimal system performance (the
categories overlap, since these counts add up to more than 985).

Seth Hallem, CEO of Coverity, a provider of source-code analysis,
noted that the majority of the bugs documented in the study have
already been fixed by members of the open-source development
community.

"Our findings show that Linux contains an extremely low defect rate
and is evidence of the strong security of Linux," said Hallem. "Many
security holes in software are the result of software bugs that can be
eliminated with good programming processes."

The Linux source-code analysis project started in 2000 at the Stanford
University Computer Science Research Center as part of a large
research initiative to improve core software engineering processes in
the software industry.

The initiative now continues at Coverity, a software engineering
startup that employs the five researchers who conducted the study.
Coverity said it intends to start providing Linux bug analysis reports
on a regular basis and will make a summary of the results freely
available to the Linux development community.

"This is a benefit to the Linux development community, and we
appreciate Coverity's efforts to help us improve the security and
stability of Linux," said Andrew Morton, lead Linux kernel maintainer.
Morton said developers have already addressed the top-priority bugs
uncovered in the study.
