Source code vulnerabilities in IoT software systems

Saleh Mohamed Alnaeli, Melissa Sarnowski, Md Sayedul Aman, Ahmed Abdelgawad, Kumar Yelamarthi

Research output: Contribution to journal › Article › peer-review

8 Scopus citations


An empirical study that examines the usage of known vulnerable statements in software systems developed in C/C++ and used for IoT is presented. The study is conducted on 18 open source systems comprised of millions of lines of code and containing thousands of files. Static analysis methods are applied to each system to determine the number of unsafe commands (e.g., strcpy, strcmp, and strlen) that are well-known among research communities to cause potential risks and security concerns, thereby decreasing a system's robustness and quality. These unsafe statements are banned by many companies (e.g., Microsoft). The use of these commands should be avoided from the start when writing code and should be removed from legacy code over time as recommended by new C/C++ language standards. Each system is analyzed and the distribution of the known unsafe commands is presented. Historical trends in the usage of the unsafe commands of 7 of the systems are presented to show how the studied systems evolved over time with respect to the vulnerable code. The results show that the most prevalent unsafe command used for most systems is memcpy, followed by strlen. These results can be used to help train software developers on secure coding practices so that they can write higher quality software systems.
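The study counts occurrences of known-unsafe library calls across each system's sources. The scanner below is an added illustration of that kind of static count, written for this page rather than taken from the paper (whose tooling and exact function list are not given here): it blanks out comments and string literals first so that a mention of `strcpy` in a comment or in a format string is not counted, then matches whole identifiers followed by `(`. The banned-function list and the sample C fragment are this example's own constructions.

```python
"""Count calls to known-unsafe C/C++ library functions in source text.

Added example in the spirit of the study; not the paper's own tool.
"""
import re
from collections import Counter

# Functions named in the abstract plus a few other commonly banned ones.
# This list is the example's choice, not the paper's exact set.
UNSAFE_FUNCTIONS = ("strcpy", "strcat", "sprintf", "gets",
                    "strcmp", "strlen", "memcpy")

# Comments and literals are removed before counting so that text inside
# them (e.g. "strcpy" in a comment or a printf format) is never matched.
_NOISE = re.compile(
    r'/\*.*?\*/'              # block comments
    r'|//[^\n]*'              # line comments
    r'|"(?:\\.|[^"\\\n])*"'   # string literals, escapes allowed
    r"|'(?:\\.|[^'\\\n])*'",  # character literals
    re.S,
)


def strip_comments_and_strings(src: str) -> str:
    """Replace every comment and literal with a single space."""
    return _NOISE.sub(" ", src)


def count_unsafe_calls(src: str, functions=UNSAFE_FUNCTIONS) -> Counter:
    """Return a Counter of call sites per unsafe function in one file's text."""
    cleaned = strip_comments_and_strings(src)
    counts = Counter()
    for fn in functions:
        # The name must be a whole identifier followed by '('. A preceding
        # identifier character or '.' means a different name or a member.
        pat = re.compile(r"(?<![A-Za-z0-9_.])" + re.escape(fn) + r"\s*\(")
        n = len(pat.findall(cleaned))
        if n:
            counts[fn] = n
    return counts


def scan_files(paths, functions=UNSAFE_FUNCTIONS) -> Counter:
    """Aggregate counts over a list of source files (e.g. one whole system)."""
    total = Counter()
    for p in paths:
        with open(p, encoding="utf-8", errors="replace") as fh:
            total += count_unsafe_calls(fh.read(), functions)
    return total


def most_prevalent(counts: Counter):
    """Name of the most frequently used unsafe function, or None."""
    return counts.most_common(1)[0][0] if counts else None


# Constructed sample input: a small C fragment with the traps a naive
# grep would fall into (comment, string literal, similarly named helper).
SAMPLE_C = r'''
#include <string.h>
#include <stdio.h>
/* strcpy(dst, src) mentioned in a comment must not be counted */
static void copy_name(char *dst, const char *src, size_t cap) {
    strcpy(dst, src);                   // unsafe: no bound check
    printf("called strcpy(%s)\n", src); // inside a string literal
    size_t n = strlen(src);
    if (n < cap) memcpy(dst, src, n + 1);
    my_strcpy(dst, src);                // different identifier
    if (strcmp(dst, src) == 0) { }
}
'''

if __name__ == "__main__":
    result = count_unsafe_calls(SAMPLE_C)
    for name, n in result.most_common():
        print(f"{name:8} {n}")
    print("most prevalent:", most_prevalent(result))
```

Note that this counts *statements* using a name, as the study does; a project's own definition of a function called `strlen` (a libc port, for instance) would also be counted, so per-system results should be read alongside knowledge of what the system ships.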

Original language: English
Pages (from-to): 1502-1507
Number of pages: 6
Journal: Advances in Science, Technology and Engineering Systems
Issue number: 3
State: Published - 2017


  • Historical trends
  • Security
  • Static analysis
  • Unsafe commands
  • Vulnerable software scientific
