Death, taxes and open source software certainties

Open source software gets a lot of positive press. Along with death and taxes we can say that this is a fair certainty. But are there hidden, and sometimes very blatant, flaws that we should be looking out for and be aware of?

The Coverity Scan 2010 Open Source Integrity Report was launched at the end of last year to examine open source software integrity and was originally initiated between the company itself and the U.S. Department of Homeland Security.

The process for this report involved analysing more than 61 million lines of open source community-submitted code (using the Coverity Static Analysis tool) from 291 widely-used open source projects such as Android, Linux, Apache, Samba and PHP among others.

Android: 359 software defects found

The Android kernel, when tested by Coverity, revealed 359 software defects, says the company. A total of 25 percent of the Android defects found (in Android kernel 2.6.32 “Froyo”) were listed as ‘high risk’, with the potential to cause security breaches and crashes. Further, nearly half of the defects discovered across all of the open source projects scanned were also classified as high risk.

It sounds worrying yes — but how do these defects manifest themselves?

Coverity points to common flaws such as memory corruptions (or segmentation faults), null-pointer dereferences (or exceptions) and resource (or memory) leaks, which can cause system crashes and security vulnerabilities in products.

NB: That all sounds pretty technical, so for an easy-to-grasp explanation — the Open Web Application Security Project (OWASP) defines a null-pointer dereference as the moment when a pointer (a reference to a location in memory) with a value of NULL is used as though it pointed to a valid memory area.
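To make the two most common defect classes Coverity names concrete, here is an added example in C (not code from the report, from Coverity, or from the Android kernel). It shows a null-pointer dereference of exactly the kind OWASP describes, side by side with the checked form, and a resource leak on an early-return path next to the version that releases memory on every path. The settings table, the function names and the sample strings are all constructed for this illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample: a tiny table of device settings, standing in for any
 * lookup that can fail. find_setting() returns NULL when the key is absent,
 * which is exactly the value the OWASP definition above warns about. */
struct setting { const char *key; const char *value; };

static const struct setting settings[] = {
    { "radio",  "enabled" },
    { "screen", "on" },
};

static const char *find_setting(const char *key)
{
    for (size_t i = 0; i < sizeof settings / sizeof settings[0]; i++)
        if (strcmp(settings[i].key, key) == 0)
            return settings[i].value;
    return NULL;               /* absent key: caller must not dereference this */
}

/* Defect pattern: the NULL return is used as if it pointed at valid memory.
 * strlen(NULL) reads through address 0 and the process crashes with a
 * segmentation fault; a static analyser reports this as a null-pointer
 * dereference. Never called below, it is here only to show the shape. */
size_t setting_length_unchecked(const char *key)
{
    const char *v = find_setting(key);
    return strlen(v);          /* dereferences NULL when key is unknown */
}

/* Hardened form: test the pointer before use and report failure with a
 * sentinel value instead of crashing. */
long setting_length_checked(const char *key)
{
    const char *v = find_setting(key);
    if (v == NULL)
        return -1;             /* "not found", no dereference */
    return (long)strlen(v);
}

/* Resource leak pattern: memory obtained on one path is not released on an
 * early-return path, so every call that hits that path leaks 'copy'. */
int count_words_leaky(const char *text)
{
    char *copy = malloc(strlen(text) + 1);
    if (copy == NULL) return -1;
    strcpy(copy, text);
    if (strchr(copy, '\t') != NULL)
        return -2;             /* early return: 'copy' is leaked here */
    int n = 0;
    for (char *tok = strtok(copy, " "); tok; tok = strtok(NULL, " "))
        n++;
    free(copy);
    return n;
}

/* Fixed form: one exit point, so the buffer is freed on every path. */
int count_words_fixed(const char *text)
{
    char *copy = malloc(strlen(text) + 1);
    if (copy == NULL) return -1;
    strcpy(copy, text);
    int n;
    if (strchr(copy, '\t') != NULL) {
        n = -2;                /* same rejection, but no leak */
    } else {
        n = 0;
        for (char *tok = strtok(copy, " "); tok; tok = strtok(NULL, " "))
            n++;
    }
    free(copy);                /* released on every path */
    return n;
}

int main(void)
{
    printf("radio: %ld\n", setting_length_checked("radio"));    /* 7 */
    printf("bogus: %ld\n", setting_length_checked("bogus"));    /* -1 */
    printf("words: %d\n", count_words_fixed("one two three"));  /* 3 */
    /* setting_length_unchecked("bogus") would crash the process. */
    return 0;
}
```

The unchecked lookup and the leaky word counter are the patterns a static analysis tool such as the one used for the report flags without running the code: it follows every path and notices a pointer that can be NULL reaching a dereference, or an allocation that some path never frees. The checked versions are the typical fixes, and neither changes the program's normal behaviour.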

… and this is the kind of thing actually happening in Android devices that have shipped and are shipping.

According to Google, more than 65,000 Android devices ship each day. Android is also expected to become the second-largest smartphone operating system by 2012, capturing 18% of global smartphone sales1.

“Open source software, like Android, is cemented into the software supply chain of OEMs in the mobile device industry. This creates heavy demand for visibility into the integrity of open source code shipping in modern mobile devices,” said Andy Chou, Coverity chief scientist and co-founder. “The Coverity Scan results for the Android kernel we tested show a better than average defect density, meaning this specific kernel is shipping with fewer defects than the industry average for software of this size. However, a significant number of these defects are the high risk types that our customers typically fix before shipping their products to market. We believe that highlighting these risks proactively provides developers and OEMs with an opportunity to fix these defects before they become a problem.”