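@comment{Alnaeli et al., WF-IoT 2016 (published in IEEE Xplore Feb 2017).
  The hash-style key and the non-standard "day" field suggest an automated export;
  the key is kept unchanged so existing cite commands still resolve.
  Acronyms in title/booktitle are braced so sentence-casing styles do not
  downcase "C/C++", "IoT", "IEEE" and "WF-IoT". The former "series" field was
  identical to "booktitle" and made styles that print both (e.g. IEEEtran)
  render the venue twice, so it is omitted.}
@inproceedings{fddd8dbe9c6a477887f2186a6302eae1,
  author    = {Alnaeli, Saleh M. and Sarnowski, Melissa and Aman, Md Sayedul and Abdelgawad, Ahmed and Yelamarthi, Kumar},
  title     = {Vulnerable {C/C++} Code Usage in {IoT} Software Systems},
  booktitle = {2016 {IEEE} 3rd World Forum on Internet of Things, {WF-IoT} 2016},
  publisher = {Institute of Electrical and Electronics Engineers Inc.},
  pages     = {348--352},
  year      = {2017},
  month     = feb,
  day       = {6},
  doi       = {10.1109/WF-IoT.2016.7845497},
  language  = {English},
  keywords  = {scientific, security, static analysis, unsafe commands, vulnerable software},
  abstract  = {An empirical study that examines the usage of known vulnerable statements in software systems developed in C/C++ and used for IoT is presented. The study is conducted on 3 open source systems comprising more than one million lines of code and containing almost 5K files. Static analysis methods are applied to each system to determine the number of unsafe commands known among research communities to cause potential risks and security concerns, thereby decreasing a system's robustness and quality (i.e., strcpy, strcmp, and strlen). Some of those statements are banned by some companies (e.g., Microsoft). These commands are not supposed to be used in new code and should be removed from legacy code over time as recommended by new C/C++ language standards. Additionally, each system is analyzed and the distribution of the known unsafe commands is presented. Historical trends in the usage of the unsafe commands are presented to show how the studied systems evolved over time with respect to the vulnerable code. The results show that the most prevalent unsafe command used across all systems is memcpy, followed by strlen.},
  note      = {Publisher Copyright: {\textcopyright} 2016 IEEE.; 3rd IEEE World Forum on Internet of Things, WF-IoT 2016 ; Conference date: 12-12-2016 Through 14-12-2016},
}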