Coverity Scan 2010 Open Source Integrity Report Reveals High Risk Software Flaws in Android
November 2010 by Marc Jacob
Coverity announced the results of the Coverity Scan 2010 Open Source Integrity Report. This report is the result of the largest public-private sector research project focused on open source software integrity, originally initiated between Coverity and the U.S. Department of Homeland Security in 2006. The results from the 2010 edition of the Coverity Scan Open Source Integrity Report detail the findings of analyzing more than 61 million lines of open source code from 291 popular and widely-used open source projects such as Android, Linux, Apache, Samba and PHP, among others.
The Coverity Scan service uses Coverity® Static Analysis to automatically test open source code submitted by the open source community, and the report is the summary of findings from this analysis.
Highlights from the Coverity Scan 2010 Open Source Integrity Report include:
• The Android kernel tested by Coverity revealed 359 software defects, which is a sample of what might be shipping in popular mobile and other Android-based devices.
• 25 percent of the Android defects found are high risk with the potential to cause security breaches and crashes.
• Nearly half of the defects discovered in open source projects by Coverity Scan are classified as high risk.
• The high risk defects discovered in Android and other open source projects are the types typically eliminated by Coverity customers before shipping products.
• Common defects found in open source code continue to be flaws such as memory corruptions, NULL pointer dereferences, and resource leaks, which can cause system crashes and security vulnerabilities in products.
For the first time, Coverity will be releasing details on specific open source projects, starting with the Android kernel 2.6.32 ("Froyo") in the Coverity Scan 2010 Open Source Integrity Report. According to Google, more than 65,000 Android devices ship each day. Android is also expected to become the second-largest smartphone operating system by 2012, capturing 18% of global smartphone sales .
“Open source software, like Android, is cemented into the software supply chain of fast-moving OEMs in the mobile device industry. This creates heavy demand for visibility into the integrity of open source code shipping in modern mobile devices,” said Andy Chou, Chief Scientist and co-founder of Coverity. “Coverity’s goal is to help open source developers find and fix flaws in their software and to help our customers know what they are shipping in their products and services.”
“The Coverity Scan results for the Android kernel we tested show a better than average defect density, meaning this specific kernel is shipping with fewer defects than the industry average for software of this size,” continued Chou. “However, a significant number of these defects are the high risk types that our customers typically fix before shipping their products to market. We believe that highlighting these risks proactively provides developers and OEMs with an opportunity to fix these defects before they become a problem.”
Android Kernel Code Testing Details
The Coverity Software Integrity Report for the Android kernel is based upon analysis of the Android kernel 2.6.32 ("Froyo"). The analyzed kernel is used in smartphones, specifically the HTC Droid Incredible. In addition to the standard kernel, the version tested included support for wireless, touchscreen, and camera drivers. The kernel source was obtained from the HTC Developer Center . Coverity plans to retest the Android kernel and report on any changes in the defect density and state of high risk defects.