www.astesj.com 1502 Source Code Vulnerabilities in IoT Software Systems Saleh Mohamed Alnaeli *,1 , Melissa Sarnowski 2 , Md Sayedul Aman 3 , Ahmed Abdelgawad 3 , Kumar Yelamarthi 3 1 CSEPA, University of Wisconsin-Colleges, 53715, USA 2 Computer Science, University of Wisconsin-Fox Valley, 54952, USA 3 College of Science and Engineering, Central Michigan University, 48859, USA A R T I C L E I N F O A B S T R A C T Article history: Received: 02 June, 2017 Accepted: 21 July, 2017 Online: 15 August, 2017 An empirical study that examines the usage of known vulnerable statements in software systems developed in C/C++ and used for IoT is presented. The study is conducted on 18 open source systems comprised of millions of lines of code and containing thousands of files. Static analysis methods are applied to each system to determine the number of unsafe commands (e.g., strcpy, strcmp, and strlen) that are well-known among research communities to cause potential risks and security concerns, thereby decreasing a system’s robustness and quality. These unsafe statements are banned by many companies (e.g., Microsoft). The use of these commands should be avoided from the start when writing code and should be removed from legacy code over time as recommended by new C/C++ language standards. Each system is analyzed and the distribution of the known unsafe commands is presented. Historical trends in the usage of the unsafe commands of 7 of the systems are presented to show how the studied systems evolved over time with respect to the vulnerable code. The results show that the most prevalent unsafe command used for most systems is memcpy, followed by strlen. These results can be used to help train software developers on secure coding practices so that they can write higher quality software systems. Keywords: unsafe commands vulnerable software scientific security static analysis historical trends 1. Introduction This paper was originally presented in 2016 IEEE 3rd World Forum on Internet of Things (WF-IoT) [1]. Additional research has been done to extend the research to examine the security of a much larger group of IoT software systems. While the IoT continues to grow to billions of devices running a huge variety of software systems, both open source and proprietary, security becomes a major concern for individuals and organizations who use the IoT in both academia and industry. The security of every software system becomes vital as each software system and device could be a target or an access point to hackers, or lawbreakers [2- 4]. Most of the software and embedded systems used for IoT applications are currently available as open source systems and are therefore developed by programmers from varying disciplines and with different backgrounds. Many of those programmers have little to no background on security challenges imposed by the usage of vulnerable source code in some programming languages (e.g., C/C++) caused by commands that are well known to the research community as being unsafe and are banned by companies such as Microsoft. According to [5, 6], most of the detected security threats are due to vulnerabilities in the code. Thus, minimizing usage of insecure commands can play an important role in protecting the software systems from any potential attacks. In order to minimize the use of unsafe commands at the source code level, developers need to be made aware of those unsafe commands and the security issues their usage can cause. Educating developers and ensuring that they follow good programming practices can minimize the time and effort spent on finding and fixing them in later stages, as well as lessen the expense of fixing a security issue if it’s exploited ASTESJ ISSN: 2415-6698 * Corresponding Author: Saleh Mohamed Alnaeli, 1478 Midway Rd, Menasha Wisconsin 54952, (920) 832-2615, USA | Email: saleh.alnaeli@uwc.edu Advances in Science, Technology and Engineering Systems Journal Vol. 2, No. 3, 1502-1507 (2017) www.astesj.com Special Issue on Recent Advances in Engineering Systems