A purveyor of static code analysis wished to pitch his product to Samsung. What better way, he thought, than to run his product against the Samsung Tizen operating system, and demonstrate the results. The demonstration fell through, and the purveyor decided instead to publish his findings.
The purveyor is Andrey Karpov, CTO at “Program Verification Systems” Co Ltd and one of the developers of PVS-Studio. In a report published Wednesday, he estimates that PVS-Studio would flag about 27,000 coding errors across Tizen. He actually checked only 3.3% of the code; having found about 900 errors in that sample, he extrapolates to roughly 27,000 for the whole code base.
If his figures are correct, the real number could be far higher. He suggests that a single run of PVS-Studio detects “more than 10% of errors that are present in the code,” and that regular use pushes that up to about 20%. Taken at the lower rate, the implication is that Tizen potentially houses more than 250,000 bugs.
Tizen is a Linux-based open-source operating system designed for wide use in Samsung products: smartphones, tablets, smart TVs, smart watches, cameras and PCs. The project started in 2013, and by 2015 it had reached smartphones. Today it runs on millions of devices, especially smart TVs.
Tizen is not new to controversy. Earlier this year security researcher Amihai Neiderman, then at Israeli firm Equus Technologies, reported the presence of 40 zero-day vulnerabilities in Tizen. “Right now, Tizen isn’t mature enough, isn’t ready enough to be sent to the public like this,” he commented. “If those vulnerabilities I found in a few hours of research, then somebody who’s really going to dedicate himself to be a Tizen researcher will find way more vulnerabilities.”
27,000 bugs do not translate to 27,000 vulnerabilities, but some of them could. For example, Karpov claims to have found 52 errors in which private data is not cleared. Only one is in Samsung's own code; the rest are in third-party libraries bundled with Tizen. “I think this is a serious omission,” he writes, “since it does not matter which part of the program will be erroneous, when private data will remain somewhere in memory and then someone will use it.”
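The “private data not cleared” class of defect usually arises in C when a buffer holding a secret is wiped with memset() just before it goes out of scope: because nothing reads the buffer afterwards, the store is dead and an optimizing compiler may legitimately remove it, leaving the secret in memory. The following is an added, generic illustration written for this article; it is not code from Tizen, PVS-Studio or Samsung, and the toy key derivation plus the names secure_clear, derive_key_leaky and derive_key_fixed are assumptions made for the sake of the example.

```c
/* Added illustrative example, not Tizen code. Shows the defective pattern
 * (a memset that may be optimized away) beside a form that cannot be. */
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical helper: write zeros through a volatile pointer so the stores
 * are observable side effects and survive optimization. Where available,
 * C11 memset_s() or glibc's explicit_bzero() serve the same purpose. */
void secure_clear(void *p, size_t n) {
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--) {
        *vp++ = 0;
    }
}

/* Returns 1 if every byte of the region is zero, else 0. */
int all_zero(const unsigned char *p, size_t n) {
    for (size_t i = 0; i < n; i++) {
        if (p[i] != 0) return 0;
    }
    return 1;
}

/* Copy at most cap bytes of src into dst; returns the number copied. */
static size_t bounded_copy(unsigned char *dst, size_t cap, const char *src) {
    size_t n = strlen(src);
    if (n > cap) n = cap;
    memcpy(dst, src, n);
    return n;
}

/* Toy "key derivation" (constructed stand-in, NOT a real KDF): XOR-fold the
 * password into 16 output bytes. Only its memory handling matters here. */
static void toy_derive(const unsigned char *buf, size_t len, unsigned char out[16]) {
    for (size_t i = 0; i < 16; i++) {
        out[i] = (unsigned char)(buf[i % len] ^ 0x5A);
    }
}

/* DEFECTIVE pattern: buf is never read after the memset, so the memset is a
 * dead store that the compiler is allowed to delete (the as-if rule).
 * The password copy can therefore remain on the stack after return. */
void derive_key_leaky(const char *password, unsigned char out[16]) {
    unsigned char buf[64];
    size_t len = bounded_copy(buf, sizeof buf, password);
    if (len == 0) { buf[0] = 0; len = 1; }
    toy_derive(buf, len, out);
    memset(buf, 0, sizeof buf);   /* may be optimized away */
}

/* FIXED pattern: the volatile stores in secure_clear are not removable. */
void derive_key_fixed(const char *password, unsigned char out[16]) {
    unsigned char buf[64];
    size_t len = bounded_copy(buf, sizeof buf, password);
    if (len == 0) { buf[0] = 0; len = 1; }
    toy_derive(buf, len, out);
    secure_clear(buf, sizeof buf); /* guaranteed to execute */
}

int main(void) {
    unsigned char k1[16], k2[16];
    derive_key_leaky("hunter2", k1);   /* constructed sample input */
    derive_key_fixed("hunter2", k2);
    printf("same key: %s\n", memcmp(k1, k2, 16) == 0 ? "yes" : "no");
    return 0;
}
```

Both functions compute the same key; they differ only in whether the scratch buffer is reliably scrubbed. Whether the memset in derive_key_leaky actually disappears depends on the compiler and optimization level, which is exactly why a static analyzer that flags the pattern is more dependable than testing a single build.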
Karpov wrote an open letter to Samsung in May 2017. He described a number of the errors he had found, and said “Our team is willing to work on improving the quality of Tizen project. The text contains remarks to the code fragments, but this is not criticism. All projects have bugs. The aim was to show by real examples that we aren’t talking about abstract recommendations concerning the code improvement, but about real defects that we can find and fix.”
Samsung’s Youil Kim rejected the approach. “We currently have our own static analysis tool and run it regularly for Tizen,” Kim wrote, adding, “However, we don’t agree that Tizen has 27,000 defects that should be fixed.”
Karpov begs to differ.
SecurityWeek has reached out to Samsung for a statement on this issue, but has had no response at the time of writing. If one is received, it will be appended to the post.