Reviewing -- and fixing -- Open Source code security holes

Published 11 January 2008

Popular open source projects such as Samba, the PHP, Perl, and Tcl dynamic languages, and Amanda were found to have dozens or hundreds of security exposures; some projects are quicker than others in fixing the problems

Open source code, as is the case with its commercial counterpart, contains one security exposure for every 1,000 lines of code, according to a program launched by DHS to review and tighten up open source code’s security. Popular open source projects such as Samba, the PHP, Perl, and Tcl dynamic languages used to bind together elements of Web sites, and Amanda, the popular open source backup and recovery software running on half a million servers, were all found to have dozens or even hundreds of security exposures and quality defects. InformationWeek’s Charles Babcock writes that a total of 7,826 open source project defects have been fixed through DHS review — or one every two hours since the review was launched in 2006, according to David Maxwell, open source strategist for San Francisco, California-based Coverity, maker of the source code checking system, the Prevent Software Quality System, which is being used in the review. At the same time, projects like Samba have been adept at correcting the vulnerabilities once they were identified. Samba was found to have a total of 236 defects, a far lower rate than average for 450,000 lines of code. Of the 236 defects, 228 have been corrected, said Maxwell in an interview.

DHS granted a $300,000 contract to Coverity in March 2006 to review the code produced by 180 open source projects, many of which were frequently adopted by developers of government Web sites and application projects. Linux came in with far fewer defects than average as did a number of other open source projects. The version 2.6 of the Linux kernel had a security bug rate of .127 per thousand lines of code. The kernel scan covered 3,639,322 lines of code. As exposures were identified by repeated scans, 452 defects have been fixed by kernel developers; 48 have been verified but not yet fixed; another 413 remain to be verified and fixed, according to code scanning results posted on the Coverity Web site.

FreeBSD, sometimes posed as an alternative to Linux, has been slower to respond to the Coverity scans. In 1,582,166 lines of code, it has fixed zero defects, verified six and has another 605 to go. The Apache Web server includes 135,916 lines of code, which yielded a security defect rate of .14 bugs per thousand lines of code. Three have been fixed; seven have been verified but not fixed; 12 remain to be verified and fixed. The PostgreSQL database system contains 909,148 lines of code, with a .041 defect rate. Fifty-three bugs have been fixed; zero have been verified but not fixed; 37 remain to be verified and fixed.

Some open source projects have been quicker to respond to the Coverity scan results than others, noted Maxwell. About 116 of 180 projects being reviewed are making use of the Prevent SQS scans and eliminating the bugs. The near moribund Firebird project, for example, is listed with 195 identified defects, of which it has verified zero and fixed zero. The active Firefox browser project, on the other hand, has fixed 370 bugs, verified 56 and faces another 246 to verify and fix. The Free Software Foundation’s glibc or Gnu C Library has fixed 83 bugs and left zero unfixed. The Gnu C Library is used by many open source programmers working with Linux. It is one of the few open source projects to clock in at a zero existing rate of defects for its 588,931 lines of code. Likewise, the Amanda project now registers zero defects in 99,073 lines of code as did courier-maildir in 82,229 lines. Linux user interfaces also came in for a thorough review. The KDE interface contains 4,712,273 lines of code, has fixed 1,554 defects, has verified another 25 and has only 65 to go. Gnome contains 430,809 lines of code, has fixed 357 defects, verified 5 and has 214 to go. The popular MySQL open source database was not included in the scans for reasons that were not immediately evident. OpenVPN, a secure way to link to your central office, has verified the one defect found in its 69,223 lines of code, but hasn’t fixed it yet. OpenSSL, the open source form of Secure Sockets Layer, has fixed 24 bugs, verified one and has 24 remaining in its 221,194 lines of code.

To know the number of security exposures found within a popular piece of software is unusual, said Maxwell. Open source projects are different from commercial products in that commercial companies rarely acknowledge security defects in their code or whether they have been dealt with. “Our commercial customers wouldn’t like it too much if we aired the number of defects found in their code,” said Maxwell, when asked about the results from scans on 400 product lines of the firm’s private customers.