{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,1]],"date-time":"2026-04-01T18:30:33Z","timestamp":1775068233985,"version":"3.50.1"},"reference-count":133,"publisher":"Association for Computing Machinery (ACM)","issue":"3","funder":[{"name":"FCT","award":["2024.06022.BD, 2024.06014.BD, and I.P.\/MCTES"],"award-info":[{"award-number":["2024.06022.BD, 2024.06014.BD, and I.P.\/MCTES"]}]},{"name":"Portuguese Recovery and Resilience Plan","award":["C645112083-00000059 (investment project no. 53)"],"award-info":[{"award-number":["C645112083-00000059 (investment project no. 53)"]}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["ACM Comput. Surv."],"published-print":{"date-parts":[[2026,2,28]]},"abstract":"<jats:p>The growth of the Internet of Things (IoT) has provided significant advances in several areas of the industry, but security concerns have also increased due to this expansion. Many IoT devices are the target of cyber attacks due to various firmware, source code, and software vulnerabilities. In this context, static code analysis, leveraging various techniques, has emerged as an effective approach to examine and identify security vulnerabilities, including insecure functions, buffer overflows, and code injection. However, recent research has shown several challenges associated with this approach, such as limited understanding of vulnerabilities, inadequate threat detection, and insufficient semantic analysis of IoT device source code. Consequently, several IoT security research studies integrate static analysis with other methods, such as dynamic analysis, machine learning, and natural language processing, to enhance vulnerability analysis and detection. To provide a comprehensive understanding of the current state of static analysis in IoT security, this systematic literature review explores existing vulnerabilities, techniques, and methods while highlighting the challenges that hinder the extraction of meaningful insights from such analyses.<\/jats:p>","DOI":"10.1145\/3745019","type":"journal-article","created":{"date-parts":[[2025,6,19]],"date-time":"2025-06-19T06:07:43Z","timestamp":1750313263000},"page":"1-47","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":3,"title":["Static Code Analysis for IoT Security: A Systematic Literature Review"],"prefix":"10.1145","volume":"58","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-3944-0068","authenticated-orcid":false,"given":"Diego","family":"Gomes","sequence":"first","affiliation":[{"name":"Centre for Informatics and Systems of the University of Coimbra \/ Department of Informatics Engineering, University of Coimbra","place":["Coimbra, Portugal"]}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-9916-1837","authenticated-orcid":false,"given":"Eduardo","family":"Felix","sequence":"additional","affiliation":[{"name":"Centre for Informatics and Systems of the University of Coimbra \/ Department of Informatics Engineering, University of Coimbra","place":["Coimbra, Portugal"]}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-4007-3891","authenticated-orcid":false,"given":"Fernando","family":"Aires","sequence":"additional","affiliation":[{"name":"Department of Applied Computing, Federal Rural University of Pernambuco","place":["Recife, Brazil"]}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-5103-8541","authenticated-orcid":false,"given":"Marco","family":"Vieira","sequence":"additional","affiliation":[{"name":"Department of Computer Science, The University of North Carolina at Charlotte","place":["Charlotte, United States"]}]}],"member":"320","published-online":{"date-parts":[[2025,9,10]]},"reference":[{"key":"e_1_3_3_2_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.infsof.2014.02.001"},{"key":"e_1_3_3_3_2","volume-title":"Compilers: Principles, Techniques, and Tools","author":"Aho Alfred V.","year":"2006","unstructured":"Alfred V. Aho, Monica S. Lam, Ravi Sethi, and Jeffrey D. Ullman. 2006. Compilers: Principles, Techniques, and Tools (2nd ed.). Addison-Wesley Longman Publishing Co., Inc., USA."},{"key":"e_1_3_3_4_2","doi-asserted-by":"publisher","DOI":"10.3390\/iot5030026"},{"key":"e_1_3_3_5_2","doi-asserted-by":"publisher","DOI":"10.1038\/s41598-022-21325-x"},{"key":"e_1_3_3_6_2","doi-asserted-by":"publisher","DOI":"10.3390\/s21072329"},{"key":"e_1_3_3_7_2","doi-asserted-by":"publisher","DOI":"10.5381\/jot.2023.22.1.a1"},{"key":"e_1_3_3_8_2","doi-asserted-by":"publisher","DOI":"10.1109\/tse.2022.3179294"},{"key":"e_1_3_3_9_2","doi-asserted-by":"publisher","DOI":"10.1155\/2021\/2897565"},{"key":"e_1_3_3_10_2","first-page":"637","volume-title":"Proceedings of the 2016 IEEE 3rd World Forum on Internet of Things (WF-IoT)","author":"Alnaeli Saleh M.","year":"2016","unstructured":"Saleh M. Alnaeli, Melissa Sarnowski, Md Sayedul Aman, Ahmed Abdelgawad, and Kumar Yelamarthi. 2016. Vulnerable C\/C++ code usage in IoT software systems. In Proceedings of the 2016 IEEE 3rd World Forum on Internet of Things (WF-IoT). IEEE, 637\u2013642. DOI:10.1109\/WF-IoT.2016.7845497"},{"key":"e_1_3_3_11_2","doi-asserted-by":"publisher","DOI":"10.25046\/aj0203188"},{"key":"e_1_3_3_12_2","volume-title":"Modern Compiler Implementation in Java (2nd ed.)","author":"Appel Andrew W.","year":"2003","unstructured":"Andrew W. Appel and Jens Palsberg. 2003. Modern Compiler Implementation in Java (2nd ed.). Cambridge University Press, USA."},{"key":"e_1_3_3_13_2","doi-asserted-by":"publisher","DOI":"10.1145\/3444963"},{"key":"e_1_3_3_14_2","first-page":"1","volume-title":"Proceedings of the 19th International Conference on Availability, Reliability and Security (ARES 2024)","author":"Bianco Giuseppe Marco","year":"2024","unstructured":"Giuseppe Marco Bianco, Luca Ardito, and Michele Valsesia. 2024. A tool for IoT firmware certification. In Proceedings of the 19th International Conference on Availability, Reliability and Security (ARES 2024). ACM, New York, NY, USA, 1\u20137. DOI:10.1145\/3664476.3670469"},{"key":"e_1_3_3_15_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-49443-8_17"},{"key":"e_1_3_3_16_2","doi-asserted-by":"publisher","unstructured":"Luciano Gon\u00e7alves Carvalho and Marcelo Medeiros Eler. 2018. Security requirements and tests for smart toys. In Enterprise Information Systems ICEIS 2017 S. Hammoudi M. \u015amia\u0142ek O. Camp and J. Filipe (Eds.). Lecture Notes in Business Information Processing Vol 321. Springer International Publishing Cham Switzerland 291\u2013312. DOI:10.1007\/978-3-319-93375-7_14","DOI":"10.1007\/978-3-319-93375-7_14"},{"key":"e_1_3_3_17_2","first-page":"1687","volume-title":"Proceedings of the 27th USENIX Conference on Security Symposium (SEC\u201918)","author":"Celik Z. Berkay","year":"2018","unstructured":"Z. Berkay Celik, Leonardo Babun, Amit K. Sikder, Hidayet Aksu, Gang Tan, Patrick McDaniel, and A. Selcuk Uluagac. 2018. Sensitive information tracking in commodity IoT. In Proceedings of the 27th USENIX Conference on Security Symposium (SEC\u201918). USENIX Association, USA, 1687\u20131704."},{"key":"e_1_3_3_18_2","first-page":"147","volume-title":"Proceedings of the 2018 USENIX Conference on Usenix Annual Technical Conference (USENIX ATC \u201918)","author":"Celik Z. Berkay","year":"2018","unstructured":"Z. Berkay Celik, Patrick McDaniel, and Gang Tan. 2018. SOTERIA: Automated IoT safety and security analysis. In Proceedings of the 2018 USENIX Conference on Usenix Annual Technical Conference (USENIX ATC \u201918). USENIX Association, USA, 147\u2013158."},{"key":"e_1_3_3_19_2","doi-asserted-by":"publisher","DOI":"10.3837\/tiis.2020.06.003"},{"key":"e_1_3_3_20_2","first-page":"1","volume-title":"Proceedings of the 2023 IEEE 19th International Conference on Factory Communication Systems (WFCS)","author":"Cheminod Manuel","year":"2023","unstructured":"Manuel Cheminod and Lucia Seno. 2023. Static analysis of packet forwarding and filtering configurations in industrial networks. In Proceedings of the 2023 IEEE 19th International Conference on Factory Communication Systems (WFCS). IEEE, Brussels, Belgium, 1\u20138. DOI:10.1109\/WFCS57264.2023.10144115"},{"key":"e_1_3_3_21_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-50399-4_29"},{"key":"e_1_3_3_22_2","doi-asserted-by":"publisher","DOI":"10.1109\/tii.2024.3477563"},{"key":"e_1_3_3_23_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2022.103068"},{"key":"e_1_3_3_24_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-981-10-7605-3_121"},{"key":"e_1_3_3_25_2","doi-asserted-by":"publisher","DOI":"10.1002\/smr.2712"},{"key":"e_1_3_3_26_2","doi-asserted-by":"publisher","DOI":"10.1145\/3191737"},{"key":"e_1_3_3_27_2","volume-title":"Open Networking & the Security of Open Source Software Deployment","author":"Community Open Networking","year":"2021","unstructured":"Open Networking Community. 2021. Open Networking & the Security of Open Source Software Deployment. Technical Report. GSMA. Retrieved March 11, 2025 from https:\/\/www.gsma.com\/security"},{"key":"e_1_3_3_28_2","first-page":"31","volume-title":"Proceedings of the 2017 IEEE Security and Privacy Workshops (SPW)","author":"Costin Andrei","year":"2017","unstructured":"Andrei Costin. 2017. Lua code: Security overview and practical approaches to static analysis. In Proceedings of the 2017 IEEE Security and Privacy Workshops (SPW). IEEE, 31\u201336. DOI:10.1109\/spw.2017.38"},{"key":"e_1_3_3_29_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.comcom.2020.02.078"},{"key":"e_1_3_3_30_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-41702-4_14"},{"key":"e_1_3_3_31_2","first-page":"1","volume-title":"Proceedings of the 19th International Conference on Availability, Reliability and Security (ARES 2024)","author":"Delaitre Sabine","year":"2024","unstructured":"Sabine Delaitre and Jos\u00e9 Maria Pulgar Guti\u00e9rrez. 2024. Vulnerability detection tool in source code by building and leveraging semantic code graph. In Proceedings of the 19th International Conference on Availability, Reliability and Security (ARES 2024). ACM, New York, NY, USA, 1\u20139. DOI:10.1145\/3664476.3670942"},{"key":"e_1_3_3_32_2","unstructured":"Ryan Dewhurst. 2024. Static Code Analysis. Retrieved February 16 2024 from https:\/\/owasp.org\/www-community\/controls\/Static_Code_Analysis"},{"key":"e_1_3_3_33_2","volume-title":"Proceedings of the 2021 Network and Distributed System Security Symposium (NDSS 2021)","author":"Ding Wenbo","year":"2021","unstructured":"Wenbo Ding, Hongxin Hu, and Long Cheng. 2021. IoTSafe: Enforcing safety and security policy with real IoT physical interaction discovery. In Proceedings of the 2021 Network and Distributed System Security Symposium (NDSS 2021). Internet Society, Virtual. DOI:10.14722\/ndss.2021.24368"},{"key":"e_1_3_3_34_2","doi-asserted-by":"publisher","DOI":"10.1109\/access.2019.2951168"},{"key":"e_1_3_3_35_2","volume-title":"Good Practices for Security of IoT: Secure Software Development Lifecycle","year":"2019","unstructured":"ENISA. 2019. Good Practices for Security of IoT: Secure Software Development Lifecycle. Technical Report. European Union Agency for Cybersecurity (ENISA). Retrieved March 11, 2025 from https:\/\/www.enisa.europa.eu\/publications\/good-practices-for-security-of-iot"},{"key":"e_1_3_3_36_2","doi-asserted-by":"publisher","DOI":"10.1007\/s10009-020-00592-x"},{"key":"e_1_3_3_37_2","volume-title":"Proceedings of the 2nd Italian Conference on Cybersecurity","author":"Ferrara Pietro","year":"2018","unstructured":"Pietro Ferrara and Fausto Spoto. 2018. Static analysis for GDPR compliance. In Proceedings of the 2nd Italian Conference on Cybersecurity . ITASEC, IT."},{"key":"e_1_3_3_38_2","first-page":"99","volume-title":"Proceedings of the 19th ACM-IEEE International Conference on Formal Methods and Models for System Design (MEMOCODE \u201921)","author":"Fowze Farhaan","year":"2021","unstructured":"Farhaan Fowze and Tuba Yavuz. 2021. SEESAW: A tool for detecting memory vulnerabilities in protocol stack implementations. In Proceedings of the 19th ACM-IEEE International Conference on Formal Methods and Models for System Design (MEMOCODE \u201921). ACM, Virtual Event, 99\u2013108. DOI:10.1145\/3487212.3487345"},{"key":"e_1_3_3_39_2","volume-title":"CIS Controls v8 Internet of Things Companion Guide","author":"Franklin Joshua M.","year":"2021","unstructured":"Joshua M. Franklin, Tony Krzyzewski, Maurice Turner, Kathleen Moriarty, and Robin Regnier. 2021. CIS Controls v8 Internet of Things Companion Guide. Technical Report. Center for Internet Security (CIS). Retrieved March 10, 2025 from https:\/\/www.cisecurity.org\/insights\/white-papers\/cis-controls-v8-internet-of-things-companion-guide"},{"key":"e_1_3_3_40_2","doi-asserted-by":"publisher","DOI":"10.3390\/app12136429"},{"key":"e_1_3_3_41_2","first-page":"15","volume-title":"Proceedings of the 2016 4th International Conference on Electrical & Electronics Engineering and Computer Science (ICEEECS 2016) (ICEEECS-16)","author":"Ge Guojian","year":"2016","unstructured":"Guojian Ge and Qingshu Xue. 2016. Security detection and research of intelligent hardware system. In Proceedings of the 2016 4th International Conference on Electrical & Electronics Engineering and Computer Science (ICEEECS 2016) (ICEEECS-16). Atlantis Press, Beijing, China, 15\u201320. DOI:10.2991\/iceeecs-16.2016.3"},{"key":"e_1_3_3_42_2","doi-asserted-by":"publisher","unstructured":"Diego R. Gomes Fernando A. Aires Lins and Marco Vieira. 2024. Static Analysis for IoT Security: A Systematic Literature Review - Dataset. DOI:10.17605\/OSF.IO\/H9JRV","DOI":"10.17605\/OSF.IO\/H9JRV"},{"key":"e_1_3_3_43_2","volume-title":"Open Source Software Security: A Research Summary","year":"2020","unstructured":"GSMA. 2020. Open Source Software Security: A Research Summary. Technical Report. GSMA. Retrieved March 11, 2025 from https:\/\/www.gsma.com\/solutions-and-impact\/technologies\/security\/wp-content\/uploads\/2020\/12\/Open-Source-Software-Security-Research-Summary-v1.1.pdf"},{"key":"e_1_3_3_44_2","volume-title":"IoT Security Guidelines Overview - Version 1.0","year":"2024","unstructured":"GSMA. 2024. IoT Security Guidelines Overview - Version 1.0. Technical Report. GSM Association. Retrieved March 11, 2025 from https:\/\/www.gsma.com\/solutions-and-impact\/technologies\/internet-of-things\/wp-content\/uploads\/2024\/07\/FS.60.pdf"},{"key":"e_1_3_3_45_2","volume-title":"Network Equipment Security Assurance Scheme - Audit Guidelines - Version 3.0","year":"2025","unstructured":"GSMA. 2025. Network Equipment Security Assurance Scheme - Audit Guidelines - Version 3.0. Technical Report. GSM Association. Retrieved March 11, 2025 from https:\/\/www.gsma.com\/solutions-and-impact\/technologies\/security\/wp-content\/uploads\/2025\/04\/FS.46-v3.0.pdf"},{"key":"e_1_3_3_46_2","first-page":"1","volume-title":"Proceedings of the 2021 IEEE Wireless Communications and Networking Conference (WCNC)","author":"Guo Chen","year":"2021","unstructured":"Chen Guo, Yang Yang, Yanglin Zhou, Kuan Zhang, and Song Ci. 2021. A quantitative study of energy consumption for embedded security. In Proceedings of the 2021 IEEE Wireless Communications and Networking Conference (WCNC). IEEE, 1\u20136. DOI:10.1109\/WCNC49053.2021.9417382"},{"key":"e_1_3_3_47_2","doi-asserted-by":"publisher","DOI":"10.14569\/ijacsa.2022.0130781"},{"key":"e_1_3_3_48_2","doi-asserted-by":"publisher","DOI":"10.1109\/access.2024.3503493"},{"key":"e_1_3_3_49_2","doi-asserted-by":"publisher","DOI":"10.1109\/mnet.011.2000450"},{"key":"e_1_3_3_50_2","volume-title":"Proceedings of the 2019 4th International Conference on Intelligent Information Technology","author":"Hur Ara","year":"2019","unstructured":"Ara Hur, Jooeun Kim, and Yeonseung Ryu. 2019. Hiding vulnerabilities of internet of things software using anti-tamper technique. In Proceedings of the 2019 4th International Conference on Intelligent Information Technology. ACM. DOI:10.1145\/3321454.3321466"},{"key":"e_1_3_3_51_2","doi-asserted-by":"crossref","first-page":"71","DOI":"10.1109\/ICST57152.2023.00016","volume-title":"Proceedings of the 2023 IEEE Conference on Software Testing, Verification and Validation (ICST)","author":"In\u00e1cio Jo\u00e3o","year":"2023","unstructured":"Jo\u00e3o In\u00e1cio and Ib\u00e9ria Medeiros. 2023. CorCA: An automatic program repair tool for checking and removing effectively C flaws. In Proceedings of the 2023 IEEE Conference on Software Testing, Verification and Validation (ICST). IEEE, 71\u201382. DOI:10.1109\/icst57152.2023.00016"},{"key":"e_1_3_3_52_2","unstructured":"IoT Security Foundation. 2019. IoT Security Foundation - Secure Design Best Practice Guides - Release v2. Retrieved March 10 2025 from https:\/\/www.iotsecurityfoundation.org\/wp-content\/uploads\/2019\/12\/Best-Practice-Guides-Release-2_Digitalv3.pdf"},{"key":"e_1_3_3_53_2","unstructured":"IoT Security Foundation. 2021. IoT Security Foundation - IoT Security Assurance Framework - Release v3. Retrieved March 10 2025 from https:\/\/www.iotsecurityfoundation.org\/wp-content\/uploads\/2021\/11\/IoTSF-IoT-Security-Assurance-Framework-Release-3.0-Nov-2021-1.pdf"},{"key":"e_1_3_3_54_2","unstructured":"IoT Security Foundation. 2023. The State of Vulnerability Disclosure (VDP) Usage in Global Consumer IoT in 2023. Retrieved April 12 2024 from https:\/\/iotsecurityfoundation.org\/best-practice-guidelines\/"},{"key":"e_1_3_3_55_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-031-25538-0_35"},{"key":"e_1_3_3_56_2","doi-asserted-by":"publisher","DOI":"10.1109\/access.2022.3209355"},{"key":"e_1_3_3_57_2","volume-title":"Guidelines for Performing Systematic Literature Reviews in Software Engineering","author":"Kitchenham Barbara","year":"2007","unstructured":"Barbara Kitchenham and Stuart Charters. 2007. Guidelines for Performing Systematic Literature Reviews in Software Engineering. Technical Report. EBSE Technical Report, Keele University and University of Durham. Version 2.3."},{"key":"e_1_3_3_58_2","doi-asserted-by":"publisher","DOI":"10.1109\/access.2022.3170475"},{"key":"e_1_3_3_59_2","doi-asserted-by":"publisher","DOI":"10.1145\/3448977"},{"key":"e_1_3_3_60_2","doi-asserted-by":"publisher","DOI":"10.1109\/te.2013.2292570"},{"key":"e_1_3_3_61_2","volume-title":"Proceedings of the 2023 2nd International Conference on Networks, Communications and Information Technology (CNCIT 2023)","author":"Li Xixing","year":"2023","unstructured":"Xixing Li, Qiang Wei, Zehui Wu, and Wei Guo. 2023. A comprehensive survey of vulnerability detection method towards Linux-based IoT devices. In Proceedings of the 2023 2nd International Conference on Networks, Communications and Information Technology (CNCIT 2023). ACM, New York, NY, United States. DOI:10.1145\/3605801.3605808"},{"key":"e_1_3_3_62_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2023.103618"},{"key":"e_1_3_3_63_2","doi-asserted-by":"publisher","DOI":"10.1109\/access.2020.3006358"},{"key":"e_1_3_3_64_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-99277-8_17"},{"key":"e_1_3_3_65_2","doi-asserted-by":"publisher","DOI":"10.1109\/jiot.2020.3036232"},{"key":"e_1_3_3_66_2","first-page":"2029","volume-title":"IEEE INFOCOM 2024 - Proceedings of the IEEE Conference on Computer Communications","author":"Liu Kaizheng","year":"2024","unstructured":"Kaizheng Liu, Ming Yang, Zhen Ling, Yuan Zhang, Chongqing Lei, Lan Luo, and Xinwen Fu. 2024. Samba: Detecting SSL\/TLS API misuses in IoT binary applications. In IEEE INFOCOM 2024 - Proceedings of the IEEE Conference on Computer Communications. IEEE, 2029\u20132038. DOI:10.1109\/infocom52122.2024.10621138"},{"key":"e_1_3_3_67_2","volume-title":"Proceedings of the 54th Hawaii International Conference on System Sciences (HICSS)","author":"Long Stephanie","year":"2021","unstructured":"Stephanie Long, Richard Dill, and Barry Mullins. 2021. Security analysis of a medical IoT device: Data leakage to an eavesdropper. In Proceedings of the 54th Hawaii International Conference on System Sciences (HICSS). Hawaii International Conference on System Sciences, Kauai, Hawaii, USA. DOI:10.24251\/hicss.2021.827"},{"key":"e_1_3_3_68_2","doi-asserted-by":"publisher","DOI":"10.1109\/jiot.2020.3019812"},{"key":"e_1_3_3_69_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-88323-2_7"},{"key":"e_1_3_3_70_2","doi-asserted-by":"publisher","DOI":"10.3390\/app14062373"},{"key":"e_1_3_3_71_2","volume-title":"Proceedings of the 35th Annual ACM Symposium on Applied Computing (SAC\u201920)","author":"Mandal Amit","year":"2020","unstructured":"Amit Mandal, Pietro Ferrara, Yuliy Khlyebnikov, Agostino Cortesi, and Fausto Spoto. 2020. Cross-program taint analysis for IoT systems. In Proceedings of the 35th Annual ACM Symposium on Applied Computing (SAC\u201920). ACM, New York, NY, United States. DOI:10.1145\/3341105.3373924"},{"key":"e_1_3_3_72_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-54876-0_9"},{"key":"e_1_3_3_73_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-031-77571-0_50"},{"key":"e_1_3_3_74_2","first-page":"246","volume-title":"Proceedings of the 2024 IEEE International Conference on Information Reuse and Integration for Data Science (IRI)","author":"Maruf Md Al","year":"2024","unstructured":"Md Al Maruf, Akramul Azim, Nitin Auluck, and Mansi Sahi. 2024. FeaMod: Enhancing modularity, adaptability and code reuse in embedded software development. In Proceedings of the 2024 IEEE International Conference on Information Reuse and Integration for Data Science (IRI). IEEE, San Jose, CA, USA, 246\u2013251. DOI:10.1109\/iri62200.2024.00058"},{"key":"e_1_3_3_75_2","first-page":"278","volume-title":"Proceedings of the 2018 International Conference on Embedded Wireless Systems and Networks (EWSN \u201918)","author":"McBride Jack","year":"2018","unstructured":"Jack McBride, Budi Arief, and Julio Hernandez-Castro. 2018. Security analysis of Contiki IoT operating system. In Proceedings of the 2018 International Conference on Embedded Wireless Systems and Networks (EWSN \u201918). Junction Publishing, USA, 278\u2013283."},{"key":"e_1_3_3_76_2","first-page":"1","volume-title":"Proceedings of the 2024 7th Conference on Cloud and Internet of Things (CIoT)","author":"Minani Jean Baptiste","year":"2024","unstructured":"Jean Baptiste Minani, Yahia El Fellah, Sanam Ahmed, Fatima Sabir, Naouel Moha, and Yann-Ga\u00ebl Gu\u00e9h\u00e9neuc. 2024. An exploratory study on code quality, testing, data accuracy, and practical use cases of IoT wearables. In Proceedings of the 2024 7th Conference on Cloud and Internet of Things (CIoT). IEEE, 1\u20135. DOI:10.1109\/ciot63799.2024.10756966"},{"key":"e_1_3_3_77_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-981-15-8297-4_54"},{"key":"e_1_3_3_78_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.ijcip.2022.100552"},{"key":"e_1_3_3_79_2","unstructured":"National Institute of Standards and Technology (NIST). 2022. Source Code Security Analyzers. Retrieved March 11 2025 from https:\/\/www.nist.gov\/itl\/ssd\/software-quality-group\/source-code-security-analyzers"},{"key":"e_1_3_3_80_2","doi-asserted-by":"publisher","DOI":"10.1109\/access.2022.3192562"},{"key":"e_1_3_3_81_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-45572-3_4"},{"key":"e_1_3_3_82_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.icte.2020.04.005"},{"key":"e_1_3_3_83_2","first-page":"5609","volume-title":"Proceedings of the 33rd USENIX Security Symposium (USENIX Security 24)","author":"Nino Nicolas","year":"2024","unstructured":"Nicolas Nino, Ruibo Lu, Wei Zhou, Kyu Hyung Lee, Ziming Zhao, and Le Guan. 2024. Unveiling IoT security in reality: A firmware-centric journey. In Proceedings of the 33rd USENIX Security Symposium (USENIX Security 24). USENIX Association, Philadelphia, PA, 5609\u20135626. Retrieved from https:\/\/www.usenix.org\/conference\/usenixsecurity24\/presentation\/nino"},{"key":"e_1_3_3_84_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.measurement.2019.107139"},{"key":"e_1_3_3_85_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.jnca.2019.102509"},{"key":"e_1_3_3_86_2","series-title":"CEUR Workshop Proceedings","first-page":"32","volume-title":"Proceedings of the 2024 Cyber Security and Data Protection (CSDP 2024)","volume":"3800","author":"Nyzhnyk Andrii","year":"2024","unstructured":"Andrii Nyzhnyk, Andrii Partyka, and Michal Podpora. 2024. Increase the cybersecurity of SCADA and IIoT devices with secure memory management. In Proceedings of the 2024 Cyber Security and Data Protection (CSDP 2024)(CEUR Workshop Proceedings, Vol. 3800). CEUR-WS, Lviv, 32\u201341. Code 203583."},{"key":"e_1_3_3_87_2","volume-title":"Proceedings of the 2017 26th International Conference on Computer Communication and Networks (ICCCN)","author":"Okano Kozo","year":"2017","unstructured":"Kozo Okano, Satoshi Harauchi, Toshifusa Sekizawa, Shinpei Ogata, and Shin Nakashima. 2017. Equivalence checking of Java methods: Toward ensuring IoT dependability. In Proceedings of the 2017 26th International Conference on Computer Communication and Networks (ICCCN). IEEE, Beijing, China. DOI:10.1109\/icccn.2017.8038505"},{"key":"e_1_3_3_88_2","volume-title":"Proceedings of the 2022 Symposium on Internet of Things (SIoT)","author":"Oliveira Fernando L.","year":"2022","unstructured":"Fernando L. Oliveira and J\u00falio C. B. Mattos. 2022. JSGuide: A tool to improve JavaScript algorithms focusing on IoT devices. In Proceedings of the 2022 Symposium on Internet of Things (SIoT). IEEE, Lima, Peru. DOI:10.1109\/siot56383.2022.10070155"},{"key":"e_1_3_3_89_2","unstructured":"OWASP Foundation. 2018. OWASP Internet of Things (IoT) Project. Retrieved February 16 2024 from https:\/\/wiki.owasp.org\/index.php\/OWASP_Internet_of_Things_Project"},{"key":"e_1_3_3_90_2","unstructured":"OWASP Foundation. 2022. Source Code Analysis Tools. Retrieved March 11 2025 from https:\/\/owasp.org\/www-community\/Source_Code_Analysis_Tools\/"},{"key":"e_1_3_3_91_2","unstructured":"OWASP Foundation. 2022. Vulnerability Scanning Tools. Retrieved March 11 2025 from https:\/\/owasp.org\/www-community\/Vulnerability_Scanning_Tools\/"},{"key":"e_1_3_3_92_2","unstructured":"OWASP Foundation. 2024. OWASP Community Pages: Vulnerability. Retrieved February 20 2024 from https:\/\/owasp.org\/www-community\/vulnerabilities\/"},{"key":"e_1_3_3_93_2","unstructured":"OWASP Foundation. 2024. OWASP Secure Coding Practices - Quick Reference Guide. Retrieved February 16 2024 from https:\/\/owasp.org\/www-project-secure-coding-practices-quick-reference-guide\/"},{"key":"e_1_3_3_94_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-99619-2_24"},{"key":"e_1_3_3_95_2","first-page":"103","volume-title":"Proceedings of the 28th Annual International Conference on Computer Science and Software Engineering (CASCON \u201918)","author":"Parizi Reza M.","year":"2018","unstructured":"Reza M. Parizi, Ali Dehghantanha, Kim-Kwang Raymond Choo, and Amritraj Singh. 2018. Empirical vulnerability analysis of automated smart contracts security testing on blockchains. In Proceedings of the 28th Annual International Conference on Computer Science and Software Engineering (CASCON \u201918). IBM Corp., USA, 103\u2013113. DOI:10.5555\/3291291.3291303"},{"key":"e_1_3_3_96_2","volume-title":"Proceedings of the European Conference\/Workshop on Wireless Sensor Networks","author":"Peyrard Alexandre","year":"2018","unstructured":"Alexandre Peyrard, Nikolai Kosmatov, Simon Duquennoy, and Shahid Raza. 2018. Towards formal verification of Contiki: Analysis of the AES-CCM* modules with frama-C. In Proceedings of the European Conference\/Workshop on Wireless Sensor Networks. Junction Publishing, United States. Retrieved from https:\/\/api.semanticscholar.org\/CorpusID:51614156"},{"key":"e_1_3_3_97_2","first-page":"1","volume-title":"Proceedings of the 2018 International Conference on Embedded Software (EMSOFT)","author":"Poroor Jayaraj","year":"2018","unstructured":"Jayaraj Poroor. 2018. Work-in-Progress: VerticalThings - a language-based microkernel for constrained IoT devices. In Proceedings of the 2018 International Conference on Embedded Software (EMSOFT). IEEE, 1\u20134. DOI:10.1109\/EMSOFT.2018.8537193"},{"key":"e_1_3_3_98_2","doi-asserted-by":"publisher","DOI":"10.1145\/3432893"},{"key":"e_1_3_3_99_2","unstructured":"Qatar Computing Research Institute. 2023. Rayyan. Retrieved January 15 2024 from https:\/\/www.rayyan.ai\/"},{"key":"e_1_3_3_100_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2023.103157"},{"key":"e_1_3_3_101_2","doi-asserted-by":"publisher","DOI":"10.1007\/s11227-024-06171-0"},{"key":"e_1_3_3_102_2","volume-title":"Proceedings of the 2021 IEEE Symposium on Security and Privacy (SP)","author":"Redini Nilo","year":"2021","unstructured":"Nilo Redini, Andrea Continella, Dipanjan Das, Giulio De Pasquale, Noah Spahn, Aravind Machiry, Antonio Bianchi, Christopher Kruegel, and Giovanni Vigna. 2021. Diane: Identifying fuzzing triggers in apps to generate under-constrained inputs for IoT devices. In Proceedings of the 2021 IEEE Symposium on Security and Privacy (SP). IEEE. DOI:10.1109\/sp40001.2021.00066"},{"key":"e_1_3_3_103_2","volume-title":"Proceedings of the 2020 IEEE Symposium on Security and Privacy (SP)","author":"Redini Nilo","year":"2020","unstructured":"Nilo Redini, Aravind Machiry, Ruoyu Wang, Chad Spensky, Andrea Continella, Yan Shoshitaishvili, Christopher Kruegel, and Giovanni Vigna. 2020. Karonte: Detecting insecure multi-binary interactions in embedded firmware. In Proceedings of the 2020 IEEE Symposium on Security and Privacy (SP). IEEE. DOI:10.1109\/sp40000.2020.00036"},{"key":"e_1_3_3_104_2","unstructured":"Research Rabbit Technologies. 2023. ResearchRabbitApp. Retrieved February 16 2024 from https:\/\/www.researchrabbit.ai\/"},{"key":"e_1_3_3_105_2","volume-title":"Automation in Cybersecurity Appel \u00e0 communications","author":"Robin David","year":"2021","unstructured":"David Robin, Jonathan Salwan, and Justin Bourroux. 2021. From source code to crash test-case through software testing automation. In Automation in Cybersecurity Appel \u00e0 communications (Rennes, FR). C&ESAR, FR."},{"key":"e_1_3_3_106_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-49622-1_8"},{"key":"e_1_3_3_107_2","doi-asserted-by":"crossref","first-page":"729","DOI":"10.1145\/3341105.3373930","volume-title":"Proceedings of the 35th Annual ACM Symposium on Applied Computing (SAC\u201920)","author":"Sachidananda Vinay","year":"2020","unstructured":"Vinay Sachidananda, Suhas Bhairav, and Yuval Elovici. 2020. OVER: Overhauling vulnerability detection for IoT through an adaptable and automated static analysis framework. In Proceedings of the 35th Annual ACM Symposium on Applied Computing (SAC\u201920). ACM, New York, NY, United States, 729\u2013738. DOI:10.1145\/3341105.3373930"},{"key":"e_1_3_3_108_2","volume-title":"Proceedings of the 2019 18th IEEE International Conference on Trust, Security and Privacy in Computing and Communications\/13th IEEE International Conference on Big Data Science and Engineering (TrustCom\/BigDataSE)","author":"Sachidananda Vinay","year":"2019","unstructured":"Vinay Sachidananda, Suhas Bhairav, Nirnay Ghosh, and Yuval Elovici. 2019. PIT: A probe into internet of things by comprehensive security analysis. In Proceedings of the 2019 18th IEEE International Conference on Trust, Security and Privacy in Computing and Communications\/13th IEEE International Conference on Big Data Science and Engineering (TrustCom\/BigDataSE). IEEE, New York, USA. DOI:10.1109\/trustcom\/bigdatase.2019.00076"},{"key":"e_1_3_3_109_2","volume-title":"Proceedings of the 2019 IEEE\/ACM 6th International Conference on Mobile Software Engineering and Systems (MOBILESoft)","author":"Schmeidl Florian","year":"2019","unstructured":"Florian Schmeidl, Bara Nazzal, and Manar H. Alalfi. 2019. Security analysis for SmartThings IoT applications. In Proceedings of the 2019 IEEE\/ACM 6th International Conference on Mobile Software Engineering and Systems (MOBILESoft). IEEE. DOI:10.1109\/mobilesoft.2019.00013"},{"key":"e_1_3_3_110_2","volume-title":"Proceedings of the Annual Computer Security Applications Conference","author":"Sivakumaran Pallavi","year":"2021","unstructured":"Pallavi Sivakumaran and Jorge Blasco. 2021. argXtract: Deriving IoT security configurations via automated static analysis of stripped ARM Cortex-M binaries. In Proceedings of the Annual Computer Security Applications Conference. ACM, New Orleans, LA, USA. DOI:10.1145\/3485832.3488007"},{"key":"e_1_3_3_111_2","first-page":"237","volume-title":"Proceedings of the 2021 IEEE International Conference on Smart Internet of Things (SmartIoT)","author":"Son Ha Xuan","year":"2021","unstructured":"Ha Xuan Son, Barbara Carminati, and Elena Ferrari. 2021. A risk assessment mechanism for android apps. In Proceedings of the 2021 IEEE International Conference on Smart Internet of Things (SmartIoT). IEEE, 237\u2013244. DOI:10.1109\/smartiot52359.2021.00044"},{"key":"e_1_3_3_112_2","doi-asserted-by":"publisher","DOI":"10.6028\/NIST.SP.800-218"},{"key":"e_1_3_3_113_2","first-page":"15","volume-title":"Proceedings of the 2nd International ACM Workshop on Security and Privacy for the Internet-of-Things (CCS\u201919)","author":"Srivastava Prashast","year":"2019","unstructured":"Prashast Srivastava, Hui Peng, Jiahao Li, Hamed Okhravi, Howard Shrobe, and Mathias Payer. 2019. FirmFuzz: Automated IoT firmware introspection and analysis. In Proceedings of the 2nd International ACM Workshop on Security and Privacy for the Internet-of-Things (CCS\u201919). ACM, New York, NY, USA, 15\u201321. DOI:10.1145\/3338507.3358616"},{"key":"e_1_3_3_114_2","unstructured":"Statista. 2023. Internet of Things - Worldwide. Retrieved March 10 2024 from https:\/\/www.statista.com\/outlook\/tmo\/internet-of-things\/worldwide"},{"key":"e_1_3_3_115_2","volume-title":"Proceedings of the 2020 IEEE 20th International Working Conference on Source Code Analysis and Manipulation (SCAM)","author":"Stievenart Quentin","year":"2020","unstructured":"Quentin Stievenart and Coen De Roover. 2020. Compositional information flow analysis for webassembly programs. In Proceedings of the 2020 IEEE 20th International Working Conference on Source Code Analysis and Manipulation (SCAM). IEEE, Amsterdam, Netherlands. DOI:10.1109\/scam51674.2020.00007"},{"key":"e_1_3_3_116_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2024.104097"},{"key":"e_1_3_3_117_2","volume-title":"Proceedings of the 2023 IEEE\/ACM 10th International Conference on Mobile Software Engineering and Systems (MOBILESoft)","author":"Sutter Thomas","year":"2023","unstructured":"Thomas Sutter and Bernhard Tellenbach. 2023. FirmwareDroid: Towards automated static analysis of pre-installed android apps. In Proceedings of the 2023 IEEE\/ACM 10th International Conference on Mobile Software Engineering and Systems (MOBILESoft). IEEE, Seoul, South Korea. DOI:10.1109\/mobilsoft59058.2023.00009"},{"key":"e_1_3_3_118_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-78621-2"},{"key":"e_1_3_3_119_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.infsof.2021.106589"},{"key":"e_1_3_3_120_2","first-page":"1","volume-title":"Proceedings of the 2018 15th International Joint Conference on Computer Science and Software Engineering (JCSSE)","author":"Visoottiviseth Vasaka","year":"2018","unstructured":"Vasaka Visoottiviseth, Pongnapat Jutadhammakorn, Natthamon Pongchanchai, and Pongjarun Kosolyudhthasarn. 2018. Firmaster: Analysis tool for home router firmware. In Proceedings of the 2018 15th International Joint Conference on Computer Science and Software Engineering (JCSSE). IEEE, 1\u20136. DOI:10.1109\/jcsse.2018.8457340"},{"key":"e_1_3_3_121_2","first-page":"1","volume-title":"Proceedings of the 18th International Conference on Evaluation and Assessment in Software Engineering","author":"Wohlin Claes","year":"2014","unstructured":"Claes Wohlin. 2014. Guidelines for snowballing in systematic literature studies and a replication in software engineering. In Proceedings of the 18th International Conference on Evaluation and Assessment in Software Engineering. ACM, 1\u201310. DOI:10.1145\/2601248.2601268"},{"key":"e_1_3_3_122_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.infsof.2022.106908"},{"key":"e_1_3_3_123_2","doi-asserted-by":"publisher","DOI":"10.1109\/jiot.2024.3490661"},{"key":"e_1_3_3_124_2","first-page":"769","volume-title":"Proceedings of the 2017 IEEE 23rd International Conference on Parallel and Distributed Systems (ICPADS)","volume":"51","author":"Xie Wei","year":"2017","unstructured":"Wei Xie, Yikun Jiang, Yong Tang, Ning Ding, and Yuanming Gao. 2017. Vulnerability detection in IoT firmware: A survey. In Proceedings of the 2017 IEEE 23rd International Conference on Parallel and Distributed Systems (ICPADS), Vol. 51 9. IEEE, 769\u2013772. DOI:10.1109\/icpads.2017.00104"},{"key":"e_1_3_3_125_2","volume-title":"Proceedings of the 2022 International Conference on Cyber-Enabled Distributed Computing and Knowledge Discovery (CyberC)","author":"Xie Xinguang","year":"2022","unstructured":"Xinguang Xie, Junjian Ye, Lifa Wu, and Rong Li. 2022. RTOSExtracter: Extracting user-defined functions in stripped RTOS-based firmware. In Proceedings of the 2022 International Conference on Cyber-Enabled Distributed Computing and Knowledge Discovery (CyberC). IEEE, New York, USA. DOI:10.1109\/cyberc55534.2022.00024"},{"key":"e_1_3_3_126_2","doi-asserted-by":"publisher","DOI":"10.6633\/IJNS.202305_25(3).07"},{"key":"e_1_3_3_127_2","doi-asserted-by":"publisher","DOI":"10.1109\/access.2023.3298672"},{"key":"e_1_3_3_128_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-50399-4_25"},{"key":"e_1_3_3_129_2","first-page":"1","volume-title":"Proceedings of the 2024 16th IIAI International Congress on Advanced Applied Informatics (IIAI-AAI)","volume":"117","author":"Yoda Minami","year":"2024","unstructured":"Minami Yoda, Shigeo Nakamura, Yutaka Matsuno, Yuichi Sei, Yasuyuki Tahara, and Akihiko Ohsuga. 2024. YODA: Middleware for improving setup and preprocessing in static analysis of IoT firmware. In Proceedings of the 2024 16th IIAI International Congress on Advanced Applied Informatics (IIAI-AAI), Vol. 117. IEEE, 1\u20138. DOI:10.1109\/iiai-aai63651.2024.00010"},{"key":"e_1_3_3_130_2","first-page":"33","volume-title":"Proceedings of the 2020 International Conference on Computing, Electronics & Communications Engineering (iCCECE)","author":"Yoda Minami","year":"2020","unstructured":"Minami Yoda, Shuji Sakuraba, Yuichi Sei, Yasuyuki Tahara, and Akihiko Ohsuga. 2020. Detection of the hardcoded login information from socket symbols. In Proceedings of the 2020 International Conference on Computing, Electronics & Communications Engineering (iCCECE). IEEE, 33\u201338. DOI:10.1109\/iccece49321.2020.9231177"},{"key":"e_1_3_3_131_2","doi-asserted-by":"crossref","first-page":"2385","DOI":"10.1109\/SP54263.2024.00013","volume-title":"Proceedings of the 2024 IEEE Symposium on Security and Privacy (SP)","author":"Yuan Bin","year":"2024","unstructured":"Bin Yuan, Zhanxiang Song, Yan Jia, Zhenyu Lu, Deqing Zou, Hai Jin, and Luyi Xing. 2024. MQTTactic: Security analysis and verification for logic flaws in MQTT implementations. In Proceedings of the 2024 IEEE Symposium on Security and Privacy (SP). IEEE, 2385\u20132403. DOI:10.1109\/sp54263.2024.00013"},{"key":"e_1_3_3_132_2","doi-asserted-by":"publisher","DOI":"10.1109\/tdsc.2024.3481433"},{"key":"e_1_3_3_133_2","first-page":"1","volume-title":"Proceedings of the 2019 IEEE 38th International Performance Computing and Communications Conference (IPCCC)","author":"Zheng Yaowen","year":"2019","unstructured":"Yaowen Zheng, Zhanwei Song, Yuyan Sun, Kai Cheng, Hongsong Zhu, and Limin Sun. 2019. An efficient greybox fuzzing scheme for linux-based IoT programs through binary static analysis. In Proceedings of the 2019 IEEE 38th International Performance Computing and Communications Conference (IPCCC). IEEE, San Diego, CA, USA, 1\u20136. DOI:10.1109\/IPCCC47392.2019.8958740"},{"key":"e_1_3_3_134_2","first-page":"243","volume-title":"Proceedings of the 2024 IEEE 17th International Conference on Signal Processing (ICSP)","author":"Zhou Yun","year":"2024","unstructured":"Yun Zhou, Junpeng Qi, and Jin Zhu. 2024. Improving smart contract analysis with large language models: The SLLM system. In Proceedings of the 2024 IEEE 17th International Conference on Signal Processing (ICSP). IEEE, 243\u2013246. DOI:10.1109\/icsp62129.2024.10846030"}],"container-title":["ACM Computing Surveys"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3745019","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,9,10]],"date-time":"2025-09-10T12:54:41Z","timestamp":1757508881000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3745019"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025,9,10]]},"references-count":133,"journal-issue":{"issue":"3","published-print":{"date-parts":[[2026,2,28]]}},"alternative-id":["10.1145\/3745019"],"URL":"https:\/\/doi.org\/10.1145\/3745019","relation":{},"ISSN":["0360-0300","1557-7341"],"issn-type":[{"value":"0360-0300","type":"print"},{"value":"1557-7341","type":"electronic"}],"subject":[],"published":{"date-parts":[[2025,9,10]]},"assertion":[{"value":"2024-12-24","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2025-06-12","order":2,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}},{"value":"2025-09-10","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}