Serious security bugs in key parts of the latest Linux code have been fixed, but some small glitches have been introduced, according to a recent scan.
In December, Coverity looked at version 2.6.9 of the Linux kernel, the heart of the open source operating system, and found six critical defects in the core file system and networking code. In July, the code analysis company scanned the latest version of the Linux kernel, version 2.6.12, and found no such programming errors, Coverity chief executive Seth Hallem said.
However, 1,008 defects were discovered in other parts of version 2.6.12. These coding problems, which could indicate security flaws, rest mainly in drivers, Hallem said. That's a slight increase compared with the earlier analysis, when 985 total defects were found, according to San Francisco-based Coverity.
"The bugs that we reported that were in critical pieces of the kernel were fixed," Hallem said. "At the same time, people still write buggy code. As new code gets introduced, there are new bugs."
As a result, the overall bug density — the number of bugs per thousand lines of code — only decreased from 0.17 defects to 0.16 defects, according to Coverity's scan.
The results of the analysis are a sign that Linux is maturing as an operating system and in the security of its core code. That could make it a more attractive option for users, corporate ones especially, as rival OS maker Microsoft works to bolster the security in its own software.
Coverity's code analysis tools look for common mistakes in writing C and C++ programming code. The company did not give details on the scope of the flaws it found. It rated faults in the file system and networking code as more serious because those pieces will be used by all Linux users, Hallem said. The other coding mistakes are considered less critical because bugs in drivers, for example, will only put users at risk if they use those drivers.
The analysis can't be used to measure the security of Linux next to that of Microsoft's Windows operating system. The Windows kernel source code is not available for scanning by Coverity, making an equal comparison impossible.
Microsoft does use analysis tools similar to those in Coverity's study to vet its Windows code. One tool, known as Prefast, runs on each developer's workstation to check code for simple problems. The other tool, Prefix, is run every night on the Windows source code to catch more complex issues.
Like last time, Coverity plans to make the results of its analysis available to Linux developers so the bugs it found can be fixed, Hallem said.
