TY - GEN
T1 - On the evolution of mobile computing software systems and C/C++ vulnerable code
T2 - 7th IEEE Annual Ubiquitous Computing, Electronics and Mobile Communication Conference, UEMCON 2016
AU - Alnaeli, Saleh M.
AU - Sarnowski, Melissa
AU - Aman, Md Sayedul
AU - Yelamarthi, Kumar
AU - Abdelgawad, Ahmed
AU - Jiang, Haowen
N1 - Publisher Copyright:
© 2016 IEEE.
PY - 2016/12/7
Y1 - 2016/12/7
N2 - A study is presented that examines the distribution and the usage of some unsafe functions that are known to cause security vulnerabilities in 15 software systems, written in C/C++. The systems are commonly used for mobile computing, and they comprise almost six million lines of code. A tool that uses a static analysis approach is applied to each system, and the number of calls to unsafe functions is determined and tabulated. The results show that vulnerable functions such as strcmp, strlen, and memcpy represent the vast majority of the unsafe functions used in the studied systems, functions that are banned by many companies (e.g., Microsoft). This fact can help software trainers better design and plan training courses and materials on secure coding practices for software developers. Additionally, the findings can help software engineers conduct more effective refactoring processes that clean software systems of vulnerable code, focusing primarily on the removal of the most heavily used vulnerable code for better outcomes. Historical data for a subset of the systems is presented over a five-year period. The data shows that few of the systems examined are increasing the number of unsafe function calls over time. This is somewhat contradictory to the literature, which claims that the use of vulnerable functions is decreasing in software systems. This fact demands that more attention and effort from the software engineering and mobile computing communities be put towards addressing this phenomenon.
AB - A study is presented that examines the distribution and the usage of some unsafe functions that are known to cause security vulnerabilities in 15 software systems, written in C/C++. The systems are commonly used for mobile computing, and they comprise almost six million lines of code. A tool that uses a static analysis approach is applied to each system, and the number of calls to unsafe functions is determined and tabulated. The results show that vulnerable functions such as strcmp, strlen, and memcpy represent the vast majority of the unsafe functions used in the studied systems, functions that are banned by many companies (e.g., Microsoft). This fact can help software trainers better design and plan training courses and materials on secure coding practices for software developers. Additionally, the findings can help software engineers conduct more effective refactoring processes that clean software systems of vulnerable code, focusing primarily on the removal of the most heavily used vulnerable code for better outcomes. Historical data for a subset of the systems is presented over a five-year period. The data shows that few of the systems examined are increasing the number of unsafe function calls over time. This is somewhat contradictory to the literature, which claims that the use of vulnerable functions is decreasing in software systems. This fact demands that more attention and effort from the software engineering and mobile computing communities be put towards addressing this phenomenon.
KW - Unsafe functions
KW - alternatives
KW - programming-style
KW - security
KW - vulnerability
UR - http://www.scopus.com/inward/record.url?scp=85010333047&partnerID=8YFLogxK
U2 - 10.1109/UEMCON.2016.7777883
DO - 10.1109/UEMCON.2016.7777883
M3 - Conference contribution
AN - SCOPUS:85010333047
T3 - 2016 IEEE 7th Annual Ubiquitous Computing, Electronics and Mobile Communication Conference, UEMCON 2016
BT - 2016 IEEE 7th Annual Ubiquitous Computing, Electronics and Mobile Communication Conference, UEMCON 2016
A2 - Saha, Himadri Nath
A2 - Chakrabarti, Satyajit
PB - Institute of Electrical and Electronics Engineers Inc.
Y2 - 20 October 2016 through 22 October 2016
ER -