Abstract

Internet of Things Operating Systems (IoT OSs) run, manage and control IoT devices. It is therefore important to secure the source code of IoT OSs, especially when they are deployed on devices used for human care and safety. In this paper, we report the results of our investigation of the security status and the presence of security vulnerabilities in the source code of the most popular open source IoT OSs. Three Static Analysis Tools (Cppcheck, Flawfinder and RATS) were used to examine the code of sixteen releases of four C/C++ IoT OSs, 48 examinations in total, for the presence of weaknesses from the Common Weakness Enumeration (CWE). The examination reveals that IoT OS code still suffers from errors that lead to security vulnerabilities and increase the likelihood of security breaches. The total number of errors in each IoT OS increases from one version to the next, while the error density, i.e., errors per 1K physical Source Lines of Code (SLOC), decreases chronologically for all IoT OSs, with few exceptions. The most prevalent vulnerabilities in IoT OS source code were CWE-561, CWE-398 and CWE-563 according to Cppcheck; CWE-119!/CWE-120, CWE-120 and CWE-126 according to Flawfinder; and CWE-119, CWE-120 and CWE-134 according to RATS. Additionally, the CodeScene tool was used to investigate the evolution of the code properties of the IoT OSs and their relationship to the presence of IoT OS vulnerabilities. CodeScene reveals a strong positive correlation between the total number of security errors in an IoT OS and its SLOC, as well as a strong negative correlation between the total number of security errors and Code Health. CodeScene also indicates a strong positive correlation between security error density (errors per 1K SLOC) and the presence of hotspots (frequently changed, complex code), as well as a strong negative correlation between security error density and the Qualitative Team Experience, a measure of the experience of the IoT OS developers.
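The two metrics the abstract relies on, findings per CWE from each static analyser and error density per 1K SLOC across releases, are easy to compute from the tools' machine-readable output. The script below is an added example and not code from the paper or from any of the IoT OS projects. It assumes the column layout of `flawfinder --csv` (a `CWEs` column holding labels such as `CWE-120` or Flawfinder's compound `CWE-119!/CWE-120`) and the `cwe` attribute on `<error>` elements in `cppcheck --xml` output; both sample inputs are constructed, and the release table (`RELEASES`) holds invented SLOC and error counts chosen only to illustrate rising totals with falling density, not figures from the study.

```python
"""Tally SAST findings by CWE and normalise to errors per 1K SLOC (added example)."""
import csv
import io
import math
import re
import xml.etree.ElementTree as ET
from collections import Counter

# One CWE label per match; Flawfinder's "CWE-119!/CWE-120" is kept as a single label,
# which is how the abstract reports it.
CWE_TOKEN = re.compile(r"CWE-\d+(?:!/CWE-\d+)?")

# Constructed sample in the shape of `flawfinder --csv` output (rows are invented).
FLAWFINDER_CSV = """File,Line,Column,DefaultLevel,Level,Category,Name,Warning,Suggestion,Note,CWEs,Context,Fingerprint
sys/net/a.c,42,5,4,4,buffer,strcpy,Does not check for buffer overflows,Consider strlcpy,,CWE-120,strcpy(dst; src);,f1
sys/net/a.c,80,9,2,2,buffer,char,Statically-sized arrays can be improperly restricted,Perform bounds checking,,CWE-119!/CWE-120,char buf[64];,f2
sys/shell/b.c,17,3,4,4,format,printf,Format string may be attacker-controlled,Use a constant format string,,CWE-134,printf(fmt);,f3
sys/net/c.c,5,1,1,1,buffer,read,Check buffer boundaries,,,"CWE-120, CWE-20",read(fd; buf; n);,f4
"""

# Constructed sample in the shape of `cppcheck --xml` (version 2) output (invented findings).
CPPCHECK_XML = """<results version="2">
  <cppcheck version="2.7"/>
  <errors>
    <error id="unreachableCode" severity="style" msg="Statements following return will never be executed." cwe="561">
      <location file="core/sched.c" line="33" column="9"/>
    </error>
    <error id="duplicateBreak" severity="style" msg="Consecutive return or break statements are unnecessary." cwe="561">
      <location file="core/sched.c" line="90" column="5"/>
    </error>
    <error id="variableScope" severity="style" msg="The scope of the variable 'i' can be reduced." cwe="398">
      <location file="core/mutex.c" line="12" column="7"/>
    </error>
    <error id="unreadVariable" severity="style" msg="Variable 'rc' is assigned a value that is never used." cwe="563">
      <location file="core/mutex.c" line="48" column="11"/>
    </error>
  </errors>
</results>
"""

# Constructed release table: (release, physical SLOC, total SAST errors). Values are invented.
RELEASES = [("v1", 100_000, 300), ("v2", 120_000, 330), ("v3", 150_000, 390), ("v4", 180_000, 440)]


def flawfinder_cwe_counts(csv_text: str) -> Counter:
    """Count Flawfinder findings per CWE label; a row listing several CWEs counts once per label."""
    counts: Counter = Counter()
    for row in csv.DictReader(io.StringIO(csv_text)):
        for label in CWE_TOKEN.findall(row["CWEs"]):
            counts[label] += 1
    return counts


def cppcheck_cwe_counts(xml_text: str) -> Counter:
    """Count Cppcheck findings per CWE; findings without a cwe attribute are skipped."""
    counts: Counter = Counter()
    for err in ET.fromstring(xml_text).iter("error"):
        cwe = err.get("cwe")
        if cwe:
            counts["CWE-" + cwe] += 1
    return counts


def density_per_ksloc(errors: int, sloc: int) -> float:
    """Error density as defined in the abstract: errors per 1K physical SLOC."""
    return errors / (sloc / 1000.0)


def pearson(xs, ys) -> float:
    """Pearson correlation coefficient, computed by hand so no third-party package is needed."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    return sxy / math.sqrt(sxx * syy)


def release_trend(releases):
    """Per-release densities (rounded) and the correlation between SLOC and total errors."""
    densities = [round(density_per_ksloc(errors, sloc), 3) for _, sloc, errors in releases]
    r = pearson([sloc for _, sloc, _ in releases], [errors for _, _, errors in releases])
    return densities, r


if __name__ == "__main__":
    print("Flawfinder:", flawfinder_cwe_counts(FLAWFINDER_CSV).most_common(3))
    print("Cppcheck:  ", cppcheck_cwe_counts(CPPCHECK_XML).most_common(3))
    densities, r = release_trend(RELEASES)
    for (name, sloc, errors), d in zip(RELEASES, densities):
        print(f"{name}: {errors} errors / {sloc} SLOC = {d} per KSLOC")
    print(f"Pearson r(SLOC, errors) = {r:.3f}")
```

On real repositories the physical SLOC denominator comes from a counter such as `cloc` or `sloccount` run on the same release tag the analysers scanned; mixing a fresh checkout with an older scan silently skews the density, which is the metric the trend claims rest on.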

Highlights

  • The Internet of Things (IoT) is a dynamic global network of sensors, actuators, controllers and smart devices that act together to capture, filter and exchange data about their environment, taking advantage of Internet connection and integration capabilities

  • We briefly introduce each of the Internet of Things Operating Systems (IoT OSs) chosen for our study: RIOT [18], Contiki [19], FreeRTOS [20] and Amazon FreeRTOS [21]

  • This IoT OS had the fewest vulnerabilities per 1K Source Lines of Code (SLOC)


Summary

Introduction

The Internet of Things (IoT) is a dynamic global network of sensors, actuators, controllers and smart devices that act together to capture, filter and exchange data about their environment, taking advantage of Internet connection and integration capabilities. The scope of this study is low-end IoT OSs, which play a vital role in operating and running low-end devices while taking into account the resource limitations of these devices. A targeted IoT OS should be: (1) among the most commonly used low-end IoT OSs in the last four years, (2) well documented, (3) open source, and (4) developed primarily in C/C++. We briefly introduce each of the IoT OSs chosen for our study: RIOT [18], Contiki [19], FreeRTOS [20] and Amazon FreeRTOS [21].

Published in Sensors 2021, 21, 2329.

