TY - GEN
T1 - A study on the usage of unsafe functions in gcc compared to mobile software systems
AU - Sarnowski, Melissa M.
AU - Larson, Derrek
AU - Alnaeli, Saleh M.
AU - Sarrab, Mohamed K.
N1 - Funding Information:
ACKNOWLEDGMENT This work was partially supported by University of Wisconsin Colleges and University of Wisconsin-Fox Valley Professional Development Programs.
Publisher Copyright:
© 2017 IEEE.
PY - 2017/9/27
Y1 - 2017/9/27
N2 - A case study is presented that empirically analyzes the use of known unsafe functions in gcc, a well-known general purpose software system, along with their distribution over a 5-year period from, 2012 through 2016. The 5-year history of gcc studied is comprised of a total of over 26 million lines of code. gcc was statically analyzed with the use of srcML and a tool created by one of the authors. A count of each unsafe function type present in each year of the system was recorded, along with a count of safe replacement functions, and their distributions analyzed. The results were compared to findings from a previous study on networking and mobile systems. The results show free, strcmp, strlen, and memcpy to be the most prevalent unsafe functions used among the years of gcc studied. This information can help developers by showing where they should direct their attention when refactoring their system to improve security, and thereby improve the system's robustness, reliability, and overall quality. By focusing on the most prevalent unsafe functions, developers can plan their refactoring process to be more effective. The fact that unsafe functions are still being used despite there being safer alternatives shows a need for new security standards, better education about security and security issues, and supervision of programmers to ensure they follow those standards.
AB - A case study is presented that empirically analyzes the use of known unsafe functions in gcc, a well-known general purpose software system, along with their distribution over a 5-year period from, 2012 through 2016. The 5-year history of gcc studied is comprised of a total of over 26 million lines of code. gcc was statically analyzed with the use of srcML and a tool created by one of the authors. A count of each unsafe function type present in each year of the system was recorded, along with a count of safe replacement functions, and their distributions analyzed. The results were compared to findings from a previous study on networking and mobile systems. The results show free, strcmp, strlen, and memcpy to be the most prevalent unsafe functions used among the years of gcc studied. This information can help developers by showing where they should direct their attention when refactoring their system to improve security, and thereby improve the system's robustness, reliability, and overall quality. By focusing on the most prevalent unsafe functions, developers can plan their refactoring process to be more effective. The fact that unsafe functions are still being used despite there being safer alternatives shows a need for new security standards, better education about security and security issues, and supervision of programmers to ensure they follow those standards.
KW - evolution
KW - history
KW - safe replacements
KW - static analysis
KW - unsafe functions
KW - vulnerable code
UR - http://www.scopus.com/inward/record.url?scp=85033666021&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85033666021&partnerID=8YFLogxK
U2 - 10.1109/EIT.2017.8053345
DO - 10.1109/EIT.2017.8053345
M3 - Conference contribution
AN - SCOPUS:85033666021
T3 - IEEE International Conference on Electro Information Technology
SP - 138
EP - 142
BT - 2017 IEEE International Conference on Electro Information Technology, EIT 2017
PB - IEEE Computer Society
T2 - 2017 IEEE International Conference on Electro Information Technology, EIT 2017
Y2 - 14 May 2017 through 17 May 2017
ER -