{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,6,10]],"date-time":"2026-06-10T06:40:33Z","timestamp":1781073633590,"version":"3.54.1"},"reference-count":49,"publisher":"MDPI AG","issue":"7","license":[{"start":{"date-parts":[[2021,3,26]],"date-time":"2021-03-26T00:00:00Z","timestamp":1616716800000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["Sensors"],"abstract":"<jats:p>Internet of Things Operating Systems (IoT OSs) run, manage and control IoT devices. Therefore, it is important to secure the source code for IoT OSs, especially if they are deployed on devices used for human care and safety. In this paper, we report the results of our investigations of the security status and the presence of security vulnerabilities in the source code of the most popular open source IoT OSs. Through this research, three Static Analysis Tools (Cppcheck, Flawfinder and RATS) were used to examine the code of sixteen different releases of four different C\/C++ IoT OSs, with 48 examinations, regarding the presence of vulnerabilities from the Common Weakness Enumeration (CWE). The examination reveals that IoT OS code still suffers from errors that lead to security vulnerabilities and increase the opportunity of security breaches. The total number of errors in IoT OSs is increasing from one version to the next, while error density, i.e., errors per 1K of physical Source Lines of Code (SLOC), is decreasing chronologically for all IoT OSs, with few exceptions. The most prevalent vulnerabilities in IoT OS source code were CWE-561, CWE-398 and CWE-563 according to Cppcheck, (CWE-119!\/CWE-120), CWE-120 and CWE-126 according to Flawfinder, and CWE-119, CWE-120 and CWE-134 according to RATS. 
Additionally, the CodeScene tool was used to investigate the development of the evolutionary properties of IoT OSs and the relationship between them and the presence of IoT OS vulnerabilities. CodeScene reveals strong positive correlation between the total number of security errors within IoT OSs and SLOC, as well as strong negative correlation between the total number of security errors and Code Health. CodeScene also indicates strong positive correlation between security error density (errors per 1K SLOC) and the presence of hotspots (frequency of code changes and code complexity), as well as strong negative correlation between security error density and the Qualitative Team Experience, which is a measure of the experience of the IoT OS developers.<\/jats:p>","DOI":"10.3390\/s21072329","type":"journal-article","created":{"date-parts":[[2021,3,26]],"date-time":"2021-03-26T13:17:53Z","timestamp":1616764673000},"page":"2329","update-policy":"https:\/\/doi.org\/10.3390\/mdpi_crossmark_policy","source":"Crossref","is-referenced-by-count":35,"title":["The Presence, Trends, and Causes of Security Vulnerabilities in Operating Systems of IoT\u2019s Low-End Devices"],"prefix":"10.3390","volume":"21","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-6378-8363","authenticated-orcid":false,"given":"Abdullah","family":"Al-Boghdady","sequence":"first","affiliation":[{"name":"Department of Computer Sciences, Faculty of Computers and Artificial Intelligence, Cairo University, 5 Ahmed Zewail Street, Dokki, Giza 12613, Egypt"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-7401-5219","authenticated-orcid":false,"given":"Khaled","family":"Wassif","sequence":"additional","affiliation":[{"name":"Department of Computer Sciences, Faculty of Computers and Artificial Intelligence, Cairo University, 5 Ahmed Zewail Street, Dokki, Giza 12613, 
Egypt"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-5076-3829","authenticated-orcid":false,"given":"Mohammad","family":"El-Ramly","sequence":"additional","affiliation":[{"name":"Department of Computer Sciences, Faculty of Computers and Artificial Intelligence, Cairo University, 5 Ahmed Zewail Street, Dokki, Giza 12613, Egypt"}],"role":[{"vocabulary":"crossref","role":"author"}]}],"member":"1968","published-online":{"date-parts":[[2021,3,26]]},"reference":[{"key":"ref_1","doi-asserted-by":"crossref","first-page":"1646","DOI":"10.1109\/COMST.2020.2988293","article-title":"A Survey of Machine and Deep Learning Methods for Internet of Things (IoT) Security","volume":"22","author":"Mohamed","year":"2020","journal-title":"IEEE Commun. Surv. Tutor."},{"key":"ref_2","unstructured":"Columbus, L. (2020, June 28). \u201cIoT Market,\u201d Forbes Media LLC. Available online: https:\/\/www.forbes.com\/sites\/louiscolumbus\/2018\/08\/16\/iot-market-predicted-to-double-by-2021-reaching-520b\/#3ecc8fc11f94."},{"key":"ref_3","unstructured":"Microsoft Azure (2021, February 15). Microsoft Azure IoT. Available online: https:\/\/azure.microsoft.com."},{"key":"ref_4","unstructured":"Amazon Web Services (2021, February 15). Amazon IoT. Available online: https:\/\/aws.amazon.com\/iot\/."},{"key":"ref_5","unstructured":"Cisco (2021, February 15). Cisco Jasper Control. Available online: www.jasper.com."},{"key":"ref_6","unstructured":"Google (2021, February 15). Build Smart Devices with Google. Available online: https:\/\/developers.google.com\/iot."},{"key":"ref_7","unstructured":"Apple (2021, February 15). Apple IOS. Available online: https:\/\/www.apple.com\/lae\/ios."},{"key":"ref_8","unstructured":"IBM Watson (2021, February 15). IBM Watson is AI for business. Available online: www.ibm.com\/watson."},{"key":"ref_9","unstructured":"AllJoyn Qualcomm (2021, February 15). About AllJoyn. 
Available online: https:\/\/www.qualcomm.com\/news\/onq\/2014\/06\/26\/about-alljoyn."},{"key":"ref_10","doi-asserted-by":"crossref","first-page":"796","DOI":"10.1007\/s11036-018-1089-9","article-title":"Interoperability in Internet of Things: Taxonomies and Open Challenges","volume":"24","author":"Noura","year":"2019","journal-title":"Mob. Netw. Appl."},{"key":"ref_11","doi-asserted-by":"crossref","first-page":"76","DOI":"10.1109\/MC.2017.62","article-title":"Botnets and internet of things security","volume":"50","author":"Bertino","year":"2017","journal-title":"Computer"},{"key":"ref_12","doi-asserted-by":"crossref","first-page":"80","DOI":"10.1109\/MC.2017.201","article-title":"DDoS in the IoT: Mirai and other botnets","volume":"50","author":"Kolias","year":"2017","journal-title":"Computer"},{"key":"ref_13","doi-asserted-by":"crossref","unstructured":"Gopal, T.S., Meerolla, M., Jyostna, G., Eswari, P.R.L., and Magesh, E. (2018, January 19\u201322). Mitigating Mirai Malware Spreading in IoT Environment. Proceedings of the International Conference on Advances in Computing, Communications and Informatics (ICACCI), Bangalore, India.","DOI":"10.1109\/ICACCI.2018.8554643"},{"key":"ref_14","doi-asserted-by":"crossref","first-page":"50","DOI":"10.1109\/MSPEC.2015.7049440","article-title":"Can you trust your fridge?","volume":"52","author":"Grau","year":"2015","journal-title":"IEEE Spectr."},{"key":"ref_15","unstructured":"CVE (2019, July 25). Cybersecurity Products and Services from around the World. Available online: http:\/\/cve.mitre.org\/."},{"key":"ref_16","doi-asserted-by":"crossref","unstructured":"Pr\u00e4hofer, H., Ramler, R., Lacheiner, H., and Grillenberger, F. (2012, January 17\u201321). Opportunities and challenges of static code analysis of IEC 61131-3 programs. 
Proceedings of the 2012 IEEE 17th International Conference on Emerging Technologies & Factory Automation (ETFA 2012), Krakow, Poland.","DOI":"10.1109\/ETFA.2012.6489535"},{"key":"ref_17","doi-asserted-by":"crossref","first-page":"720","DOI":"10.1109\/JIOT.2015.2505901","article-title":"Operating Systems for Low-End Devices in the Internet of Things: A Survey","volume":"3","author":"Hahm","year":"2016","journal-title":"IEEE Internet Things J."},{"key":"ref_18","doi-asserted-by":"crossref","first-page":"4428","DOI":"10.1109\/JIOT.2018.2815038","article-title":"RIOT: An Open Source Operating System for Low-End Embedded Devices in the IoT","volume":"5","author":"Baccelli","year":"2018","journal-title":"IEEE Internet Things J."},{"key":"ref_19","unstructured":"Contiki (2020, July 01). The Contiki Operating System. Available online: http:\/\/www.contiki-os.org\/."},{"key":"ref_20","unstructured":"AWS (2020, June 13). FreeRTOS IoT OS. Available online: https:\/\/www.freertos.org\/."},{"key":"ref_21","unstructured":"AWS (2020, July 01). Real-Time Operating System for Microcontrollers. Available online: https:\/\/aws.amazon.com\/freertos\/."},{"key":"ref_22","unstructured":"Eclipse.org (2020, July 01). IoT Developer Survey 2019 Report. Available online: https:\/\/www.slideshare.net\/Eclipse-IoT\/iot-developer-survey-2019-report."},{"key":"ref_23","unstructured":"Skerrett, I. (2020, July 01). IoT Developer Survey 2016, Marketing Consultant\u2014LinkedIn SlideShare. Available online: https:\/\/www.slideshare.net\/IanSkerrett\/iot-developer-survey-2016."},{"key":"ref_24","unstructured":"Skerrett, I. (2020, July 01). IoT Developer Survey 2017, Marketing Consultant\u2014LinkedIn SlideShare. Available online: https:\/\/www.slideshare.net\/IanSkerrett\/iot-developer-survey-2017."},{"key":"ref_25","unstructured":"Cab\u00e9, B. (2019, July 01). IoT Developer Survey 2018, IoT Program Manager at Eclipse Foundation. 
Available online: https:\/\/www.slideshare.net\/kartben\/iot-developer-survey-2018."},{"key":"ref_26","doi-asserted-by":"crossref","unstructured":"Zikria, Y.B., Kim, S.W., Hahm, O., Afzal, M.K., and Aalsalem, M.Y. (2019). Internet of Things (IoT) Operating Systems Management: Opportunities, Challenges, and Solution. Sensors, 19.","DOI":"10.3390\/s19081793"},{"key":"ref_27","unstructured":"Imprint (2020, July 01). RIOT IoT Operating System. Available online: https:\/\/www.riot-os.org\/."},{"key":"ref_28","doi-asserted-by":"crossref","first-page":"8459","DOI":"10.1109\/ACCESS.2018.2808324","article-title":"Survey on Resource Management in IoT Operating Systems","volume":"6","author":"Musaddiq","year":"2018","journal-title":"IEEE Access"},{"key":"ref_29","unstructured":"Dunkels, A., Gronvall, B., and Voigt, T. (2004, January 16\u201318). Contiki-a lightweight and flexible operating system for tiny networked sensors. Proceedings of the 29th Annual IEEE International Conference on Local Computers Networks, Tampa, FL, USA."},{"key":"ref_30","unstructured":"(2020, August 03). WolfSSL, wolfSSL Contiki OS Port. Available online: https:\/\/www.wolfssl.com\/wolfssl-contiki-os-port\/."},{"key":"ref_31","doi-asserted-by":"crossref","unstructured":"Ibrahim, A., El-Ramly, M., and Badr, A. (2019, January 3\u20137). Beware of the Vulnerability! How Vulnerable are GitHub\u2019s Most Popular PHP Applications?. Proceedings of the IEEE\/ACS 16th International Conference on Computer Systems and Applications (AICCSA), Abu Dhabi, United Arab Emirates.","DOI":"10.1109\/AICCSA47632.2019.9035265"},{"key":"ref_32","unstructured":"WhiteSource (2021, January 18). What Are the Most Secure Programming Languages. Available online: https:\/\/resources.whitesourcesoftware.com\/research-reports\/what-are-the-most-secure-programming-languages."},{"key":"ref_33","doi-asserted-by":"crossref","unstructured":"Wu, Y., Gandhi, R.A., and Siy, H. (2010). 
Using Semantic Templates to Study Vulnerabilities Recorded in Large Software Repositories. Proceedings of the ICSE Workshop on Software Engineering for Secure Systems, SESS \u201910, ACM.","DOI":"10.1145\/1809100.1809104"},{"key":"ref_34","unstructured":"(2020, August 15). Cppcheck 2.1, a Tool for Static C\/C++ Code Analysis, SourceForge. Available online: http:\/\/cppcheck.sourceforge.net\/."},{"key":"ref_35","unstructured":"Wheeler, D. (2020, February 29). Flawfinder v. 2.0.11. Available online: https:\/\/dwheeler.com\/flawfinder\/."},{"key":"ref_36","unstructured":"(2020, November 01). RATS, Rough Auditing Tool for Security. Available online: https:\/\/security.web.cern.ch\/security\/recommendations\/en\/codetools\/rats.shtml."},{"key":"ref_37","unstructured":"Pereira, J.D.A., and Vieira, M. (2020, January 7\u201310). On the Use of Open-Source C\/C++ Static Analysis Tools in Large Projects. Proceedings of the 16th European Dependable Computing Conference (EDCC), Munich, Germany."},{"key":"ref_38","doi-asserted-by":"crossref","first-page":"2023","DOI":"10.1016\/j.procs.2020.04.217","article-title":"A Comparative Study of Static Code Analysis tools for Vulnerability Detection in C\/C++ and JAVA Source Code","volume":"171","author":"Kaur","year":"2020","journal-title":"Procedia Comput. Sci."},{"key":"ref_39","doi-asserted-by":"crossref","unstructured":"Wang, Y., Chen, G., Zhou, M., Gu, M., and Sun, J. (2019, January 11\u201315). smartGP: A Tool for Finding Memory Defects with Pointer Analysis. Proceedings of the 34th IEEE\/ACM International Conference on Automated Software Engineering (ASE), San Diego, CA, USA.","DOI":"10.1109\/ASE.2019.00129"},{"key":"ref_40","unstructured":"(2020, December 01). CodeScene, Guide for Code Health by CodeScene, Empear AB. Available online: https:\/\/codescene.io\/docs\/guides\/technical\/biomarkers.html."},{"key":"ref_41","doi-asserted-by":"crossref","unstructured":"Tornhill, A. (2018, January 9\u201313). 
Assessing Technical Debt in Automated Tests with CodeScene. Proceedings of the IEEE International Conference on Software Testing, Verification and Validation Workshops, V\u00e4ster\u00e5s, Sweden.","DOI":"10.1109\/ICSTW.2018.00039"},{"key":"ref_42","first-page":"348","article-title":"Vulnerable C\/C++ code usage in IoT software systems","volume":"3","author":"Alnaeli","year":"2016","journal-title":"IEEE 3rd World Forum on Internet of Things (WF-IoT)"},{"key":"ref_43","first-page":"1502","article-title":"Source Code Vulnerabilities in IoT Software Systems","volume":"2","author":"Alnaeli","year":"2017","journal-title":"Technol. Eng. Syst. J."},{"key":"ref_44","unstructured":"McBride, J., Arief, B., and Hernandez-Castro, J.C. (2018, January 14\u201316). Security Analysis of Contiki IoT Operating System. Proceedings of the International Conference on Embedded Wireless Systems and Networks (EWSN), Madrid, Spain."},{"key":"ref_45","doi-asserted-by":"crossref","unstructured":"Mullen, G., and Meany, L. (2019, January 17\u201321). Assessment of Buffer Overflow Based Attacks On an IoT Operating System. Proceedings of the Global IoT Summit (GIoTS), Aarhus, Denmark.","DOI":"10.1109\/GIOTS.2019.8766434"},{"key":"ref_46","unstructured":"Mahmood, R., and Mahmoud, Q. (2018). Evaluation of Static Analysis Tools for Finding Vulnerabilities in Java and C\/C++ Source. arXiv Prepr."},{"key":"ref_47","unstructured":"(2020, December 01). Contiki OS Security Policy, Security Policy of Contiki. Available online: https:\/\/github.com\/contiki-os\/contiki\/security\/policy."},{"key":"ref_48","unstructured":"(2020, December 01). RIOT OS Security Policy, Security Policy of RIOT. Available online: https:\/\/github.com\/RIOT-OS\/RIOT\/security\/policy."},{"key":"ref_49","doi-asserted-by":"crossref","unstructured":"Barner, L. (2019, January 8\u201311). Application Software Cybersecurity Scanning. 
Proceedings of the 52nd Hawaii International Conference on System Sciences, Maui, HI, USA.","DOI":"10.24251\/HICSS.2019.884"}],"container-title":["Sensors"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.mdpi.com\/1424-8220\/21\/7\/2329\/pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,10,13]],"date-time":"2025-10-13T13:53:07Z","timestamp":1760363587000},"score":1,"resource":{"primary":{"URL":"https:\/\/www.mdpi.com\/1424-8220\/21\/7\/2329"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2021,3,26]]},"references-count":49,"journal-issue":{"issue":"7","published-online":{"date-parts":[[2021,4]]}},"alternative-id":["s21072329"],"URL":"https:\/\/doi.org\/10.3390\/s21072329","relation":{},"ISSN":["1424-8220"],"issn-type":[{"value":"1424-8220","type":"electronic"}],"subject":[],"published":{"date-parts":[[2021,3,26]]}}}