The Presence, Trends, and Causes of Security Vulnerabilities in Operating Systems of IoT’s Low-End Devices

Internet of Things Operating Systems (IoT OSs) run, manage and control IoT devices. Therefore, it is important to secure the source code for IoT OSs, especially if they are deployed on devices used for human care and safety. In this paper, we report the results of our investigations of the security...

Bibliographic Details
Main Authors: Al-Boghdady, Abdullah; Wassif, Khaled; El-Ramly, Mohammad
Format: Online Article Text
Language: English
Published: MDPI 2021
Subjects:
Online Access: https://www.ncbi.nlm.nih.gov/pmc/articles/PMC8037610/
https://www.ncbi.nlm.nih.gov/pubmed/33810605
http://dx.doi.org/10.3390/s21072329
collection PubMed
description Internet of Things Operating Systems (IoT OSs) run, manage and control IoT devices. Therefore, it is important to secure the source code for IoT OSs, especially if they are deployed on devices used for human care and safety. In this paper, we report the results of our investigations of the security status and the presence of security vulnerabilities in the source code of the most popular open source IoT OSs. Through this research, three Static Analysis Tools (Cppcheck, Flawfinder and RATS) were used to examine the code of sixteen different releases of four different C/C++ IoT OSs, with 48 examinations, regarding the presence of vulnerabilities from the Common Weakness Enumeration (CWE). The examination reveals that IoT OS code still suffers from errors that lead to security vulnerabilities and increase the opportunity of security breaches. The total number of errors in IoT OSs is increasing from one version to the next, while error density, i.e., errors per 1K of physical Source Lines of Code (SLOC), is decreasing chronologically for all IoT OSs, with few exceptions. The most prevalent vulnerabilities in IoT OS source code were CWE-561, CWE-398 and CWE-563 according to Cppcheck, (CWE-119!/CWE-120), CWE-120 and CWE-126 according to Flawfinder, and CWE-119, CWE-120 and CWE-134 according to RATS. Additionally, the CodeScene tool was used to investigate the development of the evolutionary properties of IoT OSs and the relationship between them and the presence of IoT OS vulnerabilities. CodeScene reveals strong positive correlation between the total number of security errors within IoT OSs and SLOC, as well as strong negative correlation between the total number of security errors and Code Health.
CodeScene also indicates strong positive correlation between security error density (errors per 1K SLOC) and the presence of hotspots (frequency of code changes and code complexity), as well as strong negative correlation between security error density and the Qualitative Team Experience, which is a measure of the experience of the IoT OS developers.
format Online
Article
Text
id pubmed-8037610
institution National Center for Biotechnology Information
language English
publishDate 2021
publisher MDPI
record_format MEDLINE/PubMed
spelling pubmed-8037610 2021-04-12 The Presence, Trends, and Causes of Security Vulnerabilities in Operating Systems of IoT’s Low-End Devices Al-Boghdady, Abdullah Wassif, Khaled El-Ramly, Mohammad Sensors (Basel) Article MDPI 2021-03-26 /pmc/articles/PMC8037610/ /pubmed/33810605 http://dx.doi.org/10.3390/s21072329 Text en © 2021 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).