On the evolution of mobile computing software systems and C/C++ vulnerable code: Empirical investigation

Abstract

A study is presented that examines the distribution and the usage of some unsafe functions that are known to cause security vulnerabilities in 15 software systems, written in C/C++. The systems are commonly used for mobile computing, and they comprise almost six million lines of code. A tool that uses a static analysis approach is applied to each system, and the number of calls to unsafe functions is determined and tabulated. The results show that vulnerable functions such as strcmp, strlen, and memcpy represent the vast majority of used unsafe functions that are banned by many companies (e.g., Microsoft) in the studied systems. This fact can help software trainers better design and plan training courses and materials on secure coding practices for software developers. Additionally, findings can help software engineers to conduct more effective refactoring processes that help to clean software systems from vulnerable code, and focus primarily on the removal of vulnerable code with higher usage for better outcomes. The historical data for a number of systems, subset, is presented over a five-year period. The data shows that few of the systems examined are increasing the number of unsafe function calls over time. This is somewhat contradictory to the literature, which claims that the use of vulnerable functions is decreasing in software systems. This fact demands that more attention and effort from software engineering and mobile computing communities be put towards addressing this phenomenon.