Vulnerable C/C++ code usage in IoT software systems

Saleh M. Alnaeli, Melissa Sarnowski, Md Sayedul Aman, Ahmed Abdelgawad, Kumar Yelamarthi

Research output: Chapter in Book/Report/Conference proceedingConference contributionpeer-review

12 Scopus citations


An empirical study that examines the usage of known vulnerable statements in software systems developed in C/C++ and used for IoT is presented. The study is conducted on 3 open source systems comprising more than one million lines of code and containing almost 5K files. Static analysis methods are applied to each system to determine the number of unsafe commands known among research communities to cause potential risks and security concerns, thereby decreasing a system's robustness and quality (i.e., strcpy, strcmp, and strlen). Some of those statements are banned by some companies (e.g., Microsoft). These commands are not supposed to be used in new code and should be removed from legacy code over time as recommended by new C/C++ language standards. Additionally, each system is analyzed and the distribution of the known unsafe commands is presented. Historical trends in the usage of the unsafe commands are presented to show how the studied systems evolved over time with respect to the vulnerable code. The results show that the most prevalent unsafe command used across all systems is memcpy, followed by strlen.

Original languageEnglish
Title of host publication2016 IEEE 3rd World Forum on Internet of Things, WF-IoT 2016
PublisherInstitute of Electrical and Electronics Engineers Inc.
Number of pages5
ISBN (Electronic)9781509041305
StatePublished - Feb 6 2017
Event3rd IEEE World Forum on Internet of Things, WF-IoT 2016 - Reston, United States
Duration: Dec 12 2016Dec 14 2016

Publication series

Name2016 IEEE 3rd World Forum on Internet of Things, WF-IoT 2016


Conference3rd IEEE World Forum on Internet of Things, WF-IoT 2016
Country/TerritoryUnited States


  • scientific
  • security
  • static analysis
  • unsafe commands
  • vulnerable software


Dive into the research topics of 'Vulnerable C/C++ code usage in IoT software systems'. Together they form a unique fingerprint.

Cite this