The Presence, Trends, and Causes of Security Vulnerabilities in Operating Systems of IoT’s Low-End Devices

Al-Boghdady, Abdullah; Wassif, Khaled; El-Ramly, Mohammad

doi:10.3390/s21072329

Cited by 24 publications

(14 citation statements)

References 21 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In our study, we expect to identify that supporting evidence for finally establishing a link between TD and cycle times (i.e., Time-in-Development rather than lead times); since a prior student project reports that CodeScene's metric gives more significant results than the lower level issues reported by Sonar-Qube [14], our hypothesis is that our choice of code quality measure will have a significant effect on the lead times. The Code Health metric itself has been found to predict security vulnerabilities [1], but, to the best of our knowledge, no prior research has evaluated the relationship between code quality on a file level and the cycle Time-in-Development. With our study, we aim to provide numbers that present the wasted time in general terms, allowing development organizations to put a value on TD reducing activities and code quality in general.…”

Section: Related Workmentioning

confidence: 99%

“…To mitigate the threat to the construct validity of Code Health, we performed a Pearson correlation study to ensure that Code Health adds predictive value beyond LoC (see Section 2.1). As mentioned in Section 3, the Code Health metric has also been shown to find more significant issues than SonarQube -a widely adopted tool used by 200K development teams 8 -as well as predicting security vulnerabilities [1].…”

Section: Threats To Validitymentioning

confidence: 99%

“…In this paper, we report how code quality impacts development time in 39 proprietary production codebases. We do that by considering CodeScene's Code Health metric 1 as a proxy for code quality. Moreover, we explore an algorithm to capture the development time at the file level, we refer to this fine-granular metric as Timein-Development.…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Code Red: The Business Impact of Code Quality -- A Quantitative Study of 39 Proprietary Production Codebases

Tornhill¹,

Borg²

2022

Preprint

View full text Add to dashboard Cite

Code quality remains an abstract concept that fails to get traction at the business level. Consequently, software companies keep trading code quality for time-to-market and new features. The resulting technical debt is estimated to waste up to 42% of developers' time. At the same time, there is a global shortage of software developers, meaning that developer productivity is key to software businesses. Our overall mission is to make code quality a business concern, not just a technical aspect. Our first goal is to understand how code quality impacts 1) the number of reported defects, 2) the time to resolve issues, and 3) the predictability of resolving issues on time. We analyze 39 proprietary production codebases from a variety of domains using the CodeScene tool based on a combination of source code analysis, version-control mining, and issue information from Jira. By analyzing activity in 30,737 files, we find that low quality code contains 15 times more defects than high quality code. Furthermore, resolving issues in low quality code takes on average 124% more time in development. Finally, we report that issue resolutions in low quality code involve higher uncertainty manifested as 9 times longer maximum cycle times. This study provides evidence that code quality cannot be dismissed as a technical concern. With 15 times fewer defects, twice the development speed, and substantially more predictable issue resolution times, the business advantage of high quality code should be unmistakably clear.

show abstract

Section: Related Workmentioning

confidence: 99%

Section: Threats To Validitymentioning

confidence: 99%

See 1 more Smart Citation

Code Red: The Business Impact of Code Quality -- A Quantitative Study of 39 Proprietary Production Codebases

Tornhill¹,

Borg²

2022

Preprint

View full text Add to dashboard Cite

show abstract

“…The main contribution of this research is developing iDetect, and to the best of our knowledge, it is the first tool that uses ML to detect vulnerabilities in IoT OSs. The second contribution of the research is creating a labeled dataset of IoT OS vulnerabilities based on our previous paper's results and findings 9 . Another contribution of this research is comparing three different ML models' ability to detect vulnerabilities.…”

Section: Introductionmentioning

confidence: 99%

“…The relevant background knowledge about low-end IoT OSs, CWE, and Static Analysis Tools (SATs) was discussed in detail in our previous work 9 . Therefore, this section aims to provide an overview of the remaining relevant background knowledge directly related to this research, mainly machine learning techniques used for vulnerability detection.…”

Section: Introductionmentioning

confidence: 99%

iDetect for vulnerability detection in internet of things operating systems using machine learning

Al-Boghdady

El-Ramly

Wassif

2022

Sci Rep

Self Cite

View full text Add to dashboard Cite

Internet of Things (IoT) 's devices are ubiquitous and operate in a heterogonous environment with potential security breaches. IoT Operating Systems (IoT OSs) are the backbone software for running such devices. If IoT OSs are vulnerable to security breaches, higher-level security measures may not help. This paper aims to use Machine Learning (ML) to create a tool called iDetect for detecting vulnerabilities in C/C++ source code of IoT OSs. The source code for 16 releases of IoT OSs (RIOT, Contiki, FreeRTOS, Amazon FreeRTOS) and the Software Assurance Reference Dataset (SARD) were used to create a labeled dataset of vulnerable and benign code with the reference being the Common Weakness Enumeration (CWE) vulnerabilities present in IoT OSs. Studies showed that only a subset of CWEs is present in the C/C++ source code of low-end IoT OSs.The labeled dataset was used to train three ML models for vulnerability detection: Random Forest (RF), Convolutional Neural Network (CNN), and Recurrent Neural Network (RNN). The three models were used independently and RF; compared to CNN and RNN, gave the highest accuracy during the testing phase for binary and multiclass classification. RF was chosen as iDetect's ML classifier. Further evaluation was done on an unseen dataset of 322 code snippets taken from TinyOS. iDetect achieved a macro-averaged F1 score (mF1) of 98.5% and weighted-average F1 score (wF1) of 98% for multiclass classification, F1 score (F1) of 97.8% for binary classification, and superior results compared to all three Static Analysis Tools (SATs) used to collect the training dataset.

show abstract

Future Threats and Conclusion

2023

Cyber Threat Intelligence

View full text Add to dashboard Cite

The Presence, Trends, and Causes of Security Vulnerabilities in Operating Systems of IoT’s Low-End Devices

Cited by 24 publications

References 21 publications

Code Red: The Business Impact of Code Quality -- A Quantitative Study of 39 Proprietary Production Codebases

Code Red: The Business Impact of Code Quality -- A Quantitative Study of 39 Proprietary Production Codebases

iDetect for vulnerability detection in internet of things operating systems using machine learning

Future Threats and Conclusion

Contact Info

Product

Resources

About