The Presence, Trends, and Causes of Security Vulnerabilities in Operating Systems of IoT’s Low-End Devices

Internet of Things Operating Systems (IoT OSs) run, manage and control IoT devices. Therefore, it is important to secure the source code for IoT OSs, especially if they are deployed on devices used for human care and safety. In this paper, we report the results of our investigations of the security...

Bibliographic Details
Main Authors: Abdullah Al-Boghdady, Khaled Wassif, Mohammad El-Ramly
Format: Article
Language: English
Published: MDPI AG 2021-03-01
Series: Sensors
Online Access: https://www.mdpi.com/1424-8220/21/7/2329
ISSN: 1424-8220
DOI: 10.3390/s21072329
Author affiliations: Department of Computer Sciences, Faculty of Computers and Artificial Intelligence, Cairo University, 5, Ahmed Zewail Street, Dokki, Giza 12613, Egypt (all three authors)
Description: Internet of Things Operating Systems (IoT OSs) run, manage and control IoT devices. Therefore, it is important to secure the source code for IoT OSs, especially if they are deployed on devices used for human care and safety. In this paper, we report the results of our investigations of the security status and the presence of security vulnerabilities in the source code of the most popular open source IoT OSs. Through this research, three Static Analysis Tools (Cppcheck, Flawfinder and RATS) were used to examine the code of sixteen different releases of four different C/C++ IoT OSs, with 48 examinations, regarding the presence of vulnerabilities from the Common Weakness Enumeration (CWE). The examination reveals that IoT OS code still suffers from errors that lead to security vulnerabilities and increase the opportunity of security breaches. The total number of errors in IoT OSs is increasing from version to the next, while error density, i.e., errors per 1K of physical Source Lines of Code (SLOC) is decreasing chronologically for all IoT OSs, with few exceptions. The most prevalent vulnerabilities in IoT OS source code were CWE-561, CWE-398 and CWE-563 according to Cppcheck, (CWE-119!/CWE-120), CWE-120 and CWE-126 according to Flawfinder, and CWE-119, CWE-120 and CWE-134 according to RATS. Additionally, the CodeScene tool was used to investigate the development of the evolutionary properties of IoT OSs and the relationship between them and the presence of IoT OS vulnerabilities. CodeScene reveals strong positive correlation between the total number of security errors within IoT OSs and SLOC, as well as strong negative correlation between the total number of security errors and Code Health. CodeScene also indicates strong positive correlation between security error density (errors per 1K SLOC) and the presence of hotspots (frequency of code changes and code complexity), as well as strong negative correlation between security error density and the Qualitative Team Experience, which is a measure of the experience of the IoT OS developers.
Subjects: internet of things security; internet of things operating systems; C/C++ static analysis; common weakness enumeration; security vulnerability