Security research suggests Linux has fewer flaws
Four years of research by a code-analysis firm finds that the latest open-source OS beats commercial software for quality.
The conclusion is the result of a four-year research project conducted by code-analysis company Coverity, which plans to release its report on Tuesday. The project found 985 bugs in the 5.7 million lines of code that make up the latest version of the Linux core operating system, or kernel. A typical commercial program of similar size usually has more than 5,000 flaws or defects, according to data from Carnegie Mellon University.
"Linux is a very good system in terms of bug density," said Seth Hallem, CEO of Coverity, a San Francisco company that makes flaw-detection tools for software written in C and C++ programming languages.
Code-analysis tools typically use software-design principles to analyze a program's source code and flag any possible problems. Microsoft already uses such tools widely in its internal development, and many compilers are starting to include rudimentary versions of the programs as well. The tools are also being used to tame the wild coding prevalent around the Web.
Though Coverity does not have any data about the relative frequency of flaws in Microsoft's Windows operating system, the latest data will likely feed the debate between the various proponents of Linux, Mac OS X and Windows over which operating system is more secure.
A recent report, for example, found that Red Hat Linux had fewer critical flaws than Microsoft Windows. Another research paper, prepared by Forrester Research and hosted on Microsoft's Web site, favored Windows. Yet another code analysis firm, however, last year analyzed the core networking code used in Linux and found few flaws.
Coverity has not analyzed the source code to Microsoft Windows because the company does not have access to the source code, Hallem said. Apple Computer's Mac OS X has a great deal of proprietary programming, but the core of the operating system is based on BSD, an open-source operating system similar to Linux.
Hallem stressed that the research on Linux--specifically, version 2.6 of the kernel--indicated that the open-source development process produced a secure operating system.
"There are other public reports that describe the bug density of Windows, and I would say that Linux is comparable or better than Windows," he said.
A representative of Microsoft could not immediately comment on the Coverity study.
The research suggests that the Linux kernel scored better than run-of-the-mill commercial code. Proprietary software, in general, has 1 to 7 flaws per thousand lines of code, according to an April report from the National Cybersecurity Partnership's Working Group on the Software Lifecycle, which cited an analysis of development methods by the Software Engineering Institute at Carnegie Mellon University.
For a 5.7 million-line program, such as version 2.6 of the Linux kernel, that roughly adds up to between 5,700 and 40,000 flaws.
Microsoft uses analysis tools similar to those in Coverity's study to vet its Windows code. One tool, known as PREfast, runs on each developer's workstation to check code for simple problems. The other tool, PREfix, is run every night on the Windows source code to catch more complex issues.
Coverity's Hallem acknowledged that by running similar tools to its own, Microsoft likely had reduced the number of defects in Windows.
Coverity plans to provide regular bug analysis reports on Linux and make a summary of the results available to the Linux developer community.