Vulnerable C/C++ code usage in IoT software systems

An empirical study that examines the usage of known vulnerable statements in software systems developed in C/C++ and used for IoT is presented. The study is conducted on 3 open source systems comprising more than one million lines of code and containing almost 5K files. Static analysis methods are applied to each system to determine the number of unsafe commands known among research communities to cause potential risks and security concerns, thereby decreasing a system's robustness and quality (i.e., strcpy, strcmp, and strlen). Some of those statements are banned by some companies (e.g., Microsoft). These commands are not supposed to be used in new code and should be removed from legacy code over time as recommended by new C/C++ language standards. Additionally, each system is analyzed and the distribution of the known unsafe commands is presented. Historical trends in the usage of the unsafe commands are presented to show how the studied systems evolved over time with respect to the vulnerable code. The results show that the most prevalent unsafe command used across all systems is memcpy, followed by strlen.