Android kernel leaks like a colander
359 defects, 88 high risk
Security analysts at Coverity reckon the Android kernel is riddled with security holes, though they still rate it as twice as good as most open-source projects.
Taking the source code from the HTC Incredible, Coverity found .47 defects per 1,000 lines of code, compared with an industry average of 1 per 1,000. That totalled 359 defects, with 88 of those being high-risk items such as memory corruption, memory leaks and uninitialised variables. Buut Coverity won't be providing any details until the end of the year.
The company discovered the flaws though automated analysis of the source code, and will, in the name of responsible disclosure, provide early access to "the Android security team, OEMs, and security researchers" so they can apply fixes, or create proof-of-concept attacks, before the details go public in 60 days.
Until then, we're left to speculate what proportion of those bugs exist across Android kernel implementations – and how many could be usefully exploited for fun and profit. Manufacturers tweak the Android kernel to suit their hardware. The team only picked the HTC Incredible because they happened to have one handy, but the commonality of chip sets in Android handsets makes it likely the majority of flaws are common too.
Exploiting those flaws is another matter entirely. One can imagine a stack overflow allowing an application to break out of the sandbox security, but such an application would likely be quickly identified and (if distributed via the Marketplace) subsequently removed. It's possible that more-easily-exploited flaws exist too, but hopefully they'll be fixed before Coverity goes public.
Being open to scrutiny is one of the advantages of being open source, so this is no reason to trust your Android handset any less, and if you fancy yourself as a security researcher then drop Coverity a line to get more details. ®
"Coverity found .47 defects per 1,000 lines of code, compared with an industry average of 1 per 1,000. "
So it's less than half the industry average?
The thing is....
...that just because there are bugs in the Linux kernel does not mean that they are exploitable because *nix OSs generally have greater privilege separation between the kernel and user processes. Windows is getting better in this regard, but is still more likely to allow high level privileges to be granted to users on request, after all that's what UAC does whereas in a *nix OS if you don't know the root password then you're not doing it.
The very fact that this analysis has been done and that the Android devs are getting the results means that much of this will be cleaned up soon, which has to be good right?
Open Source is no guarantee that code is of high quality, but the key point is that the code can be reviewed and it can be fixed by anyone. Who knows what bugs are lurking in some commercial operating systems because they don't disclose the source code so that it can be reviewed. Making code proprietary certainly doesn't appear to increase security as can be seen merely by reviewing all the critical flaws that have affected in closed source projects over the years.