Analysis report on source code security defects of open source software

Posted by millikan at 2020-03-11


Recently, CNCERT released the "Analysis Report on Source Code Security Defects of Open Source Software: Internet of Things Software Topic". The report selects 20 well-known Internet of Things (IoT) open source projects from around the world for source code security defect analysis and evaluates the security of each project based on the results of a defect analysis tool combined with manual audit. The 360 Code Guard team provided technical support for the report.

The following is the full report:

Analysis report on source code security defects of open source software

Internet of Things software topic

1. Overview

With the rapid development of software technology, open source software is used throughout the world. Data shows that 99% of organizations use open source software in their IT systems. Once the code of open source software has a security problem, the impact is broad and serious. To understand the security situation of open source software, CNCERT continuously analyzes the source code security defects of widely used, well-known open source software and publishes a quarterly security defect analysis report.

Since the International Telecommunication Union (ITU) formally proposed the concept of the "Internet of Things" (IoT) in 2005, IoT has been adopted rapidly all over the world. With the development of IoT technology, large numbers of smart home and wearable devices have entered people's lives, and "everything connected" has become an important direction for the future of the global network. According to a Gartner report, the number of IoT devices in the world will reach 26 billion in 2020. However, because security standards lag behind and smart device manufacturers lack security awareness and investment, IoT carries great hidden dangers and poses serious security threats to personal privacy, enterprise information security and even national critical infrastructure.

This report selects 20 well-known IoT open source projects for source code security defect analysis and evaluates the security of each project based on the results of a defect analysis tool combined with manual audit. The evaluation shows that, compared with the other open source software examined in earlier reports, IoT software has more security defects, and its potential security problems cannot be ignored. The technical staff also randomly selected detected defects for manual exploitation and found verifiable security vulnerabilities through which the IoT cloud server could be taken over. If such a vulnerability were exploited by attackers, IoT devices could be remotely manipulated.

2. Tested open source software

Taking into account the number of users, the level of attention and the update frequency, 20 representative open source IoT projects were selected. Table 1 gives an overview of the tested projects, arranged in descending order by number of GitHub stars. The tested software covers C, C++, Java, JavaScript (JS) and other programming languages. These projects are internationally known and have a wide user base, and some were developed by well-known software companies. Because most of them have very large user groups, security defects in them are likely to have serious consequences.

Table 1: Overview of the tested open source software projects (project names that the report's text identifies are filled in; version and language entries that did not survive are left blank)

| Project name | Version number | Main programming language | Function description | Lines of code | GitHub stars |
| --- | --- | --- | --- | --- | --- |
| Serverless | | | Framework for building web, mobile and IoT applications on a serverless architecture | 20,150 | 26,124 |
| | | | Visual tool for wiring together the Internet of Things | 100,840 | 6,447 |
| JerryScript | | | Ultra-lightweight JavaScript engine for the Internet of Things | 97,559 | 3,223 |
| | | | JSON library for the Internet of Things | 27,583 | 3,078 |
| POCO | | | Cross-platform C++ libraries supporting network application development on desktop, server, mobile, IoT and embedded systems | 526,721 | 2,929 |
| | | | Distributed SQL database for storing and analyzing large volumes of machine data in real time | 314,984 | 2,131 |
| | | | IoT platform for data collection, processing, visualization and device management | 112,704 | 1,987 |
| RIOT | 2018.10 | | Real-time, multithreaded operating system supporting common IoT devices | 1,341,539 | 1,979 |
| Blynk Library | | | Blynk library for embedded hardware. Blynk is an IoT application platform that aims to simplify building mobile or web IoT applications | 17,206 | 1,831 |
| iot.js | | | IoT platform using JavaScript | 42,910 | 1,826 |
| OpenThread | | | Open source implementation of the Thread network protocol | 661,696 | 1,713 |
| Blynk Server | | | Netty-based Java server mainly used to relay messages between Blynk mobile applications and embedded devices | 75,555 | 1,097 |
| | | | Open source middleware platform for building, managing and integrating connected products and devices | 461,511 | 984 |
| MySensors | | | Focused on DIY smart home and Internet of Things | 17,788 | 871 |
| | | | Flexible smart home framework | 801,053 | 745 |
| OpenIoT | | | IoT middleware infrastructure supporting flexible configuration and deployment of data collection, data stream cleaning and event processing algorithms for connected devices | 269,387 | 369 |
| | | | Open IoT framework | 259,708 | 258 |
| Link Kit SDK | | | Alibaba Cloud IoT suite | 56,384 | 257 |
| | | | Industrial open source application support platform for the Internet of Things | 216,796 | 235 |
| | | | XMPP-based Android client for interacting with IoT nodes | 130,607 | 118 |

3. Test content

3.1 Types of security defects

This test covers the common types of security defects. Taking into account the cause of each defect, the likelihood of it being exploited, the harm it can cause and the difficulty of fixing it, common security defects are divided into eight categories:

1. Input validation

Input validation and representation problems arise from trusting input; they typically involve special characters, encodings and number representations. This category includes buffer overflow, cross-site scripting, SQL injection, command injection and so on.

2. API usage

An API is a contract between the caller and the callee. Most API misuse comes from the caller failing to understand the terms of that contract. Failing to use an API where it is required also causes security problems.

3. Security features

This category mainly covers authentication, access control, confidentiality, cryptography use and privilege management.

4. Concurrency

The interaction between threads and processes, and the order in which tasks execute, are often governed by shared state such as semaphores, variables and file systems. Defects in this category include race conditions and the misuse of blocking calls.

5. Error and exception handling

These defects concern how errors and exceptions are handled. The most common one is an error that is handled improperly (or not at all), causing the program to terminate unexpectedly. Another is an error message that reveals too much information to a potential attacker.

6. Code quality

Poor code quality leads to unpredictable behavior and gives attackers unexpected ways to compromise the system. Common defects in this category include dead code, null pointer dereference and resource leaks.

7. Encapsulation and hiding

Proper encapsulation means keeping validated data separate from unvalidated data, one user's data from another's, and data users may see from data they may not. Common defects include hidden fields, information leakage and cross-site request forgery.

8. Code running environment

These defects lie outside the source code itself, for example runtime environment configuration and sensitive information management, but they remain critical to product security.

The first seven categories are security defects in the source code itself. They can be the target of malicious attacks and, once exploited, lead to serious consequences such as information disclosure, privilege escalation and command execution. The last category describes security problems outside the actual code, which easily lead to serious problems such as abnormal operation of the software and data loss.

3.2 Security defect level

We divide source code security defects into three levels: high, medium and low. Two dimensions determine the level: confidence and severity. Confidence is the likelihood that a reported finding is accurate; for example, flagging every strcpy() call as a buffer overflow defect has very low confidence. Severity is how serious the detected problem is, assuming the detection technique is accurate; for example, a buffer overflow is usually a more serious security problem than a null pointer dereference. Combining these two factors classifies security issues accurately, as shown in Figure 1.

Figure 1 Relationship between defect level, severity and confidence level

4. Security defects of the open source IoT software projects

4.1 Overview of security defects

Figure 2: Defects found in the tested open source software projects

Figure 2 shows that all of the selected IoT open source projects have security problems to varying degrees. A total of 667 high-risk defects and 3,702 medium-risk defects were found in these projects. The projects with the most defects are in a state that attackers can easily exploit, and their users need to install patches or update to fixed versions.

Among all the tested software, Blynk Library, the device-side library of the Blynk IoT application platform, has the best security (no high-risk defects and 3 medium-risk defects). The IoT application framework Serverless, the JavaScript IoT development platform iot.js and the IoT real-time operating system RIOT also have few defects and good overall security.

OpenIoT, the IoT middleware infrastructure platform, has the most high-risk defects of the 20 projects tested: 370 high-risk and 669 medium-risk defects. Among them are 556 input validation defects, of which 283 are cross-site scripting problems (high risk), and 344 resource-not-released problems (medium risk). This suggests that the project should strengthen its management of security defects, in particular the filtering and validation of user input arriving from outside the trust boundary, and further improve its code quality so that attackers cannot use resource leaks to mount denial-of-service attacks.

POCO has the largest combined number of medium- and high-risk defects: one high-risk and 1,380 medium-risk defects. These include 748 cases of bit operations on operands of different widths, 300 uses of unsafe memory copy functions and 234 character type comparisons with undefined signedness. Such problems reduce the stability and portability of the program, can lead to unexpected behavior, and also increase security risk. The project's developers are advised to improve their security awareness and to use a code defect scanning tool during development to improve code quality and security.

Because the absolute number of defects in a project may depend on its size, this report also calculates the number of defects per thousand lines of code to reflect the defect density. By this measure the IoT real-time operating system RIOT has only 0.002 defects per thousand lines, that is, fewer than one medium- or high-risk defect per 100,000 lines of code on average, the lowest defect density among the tested projects. Other projects with low defect density include the IoT application framework Serverless and the JavaScript IoT development platform iot.js, which average fewer than one medium- or high-risk defect per 10,000 lines of code. The projects with relatively high defect density are MySensors (6.97), OpenIoT (3.79) and the IoT JavaScript engine JerryScript (3.53), which average several medium- or high-risk defects per thousand lines of code.

4.2 Distribution of high-risk security defects

This part analyzes the distribution of high-risk defects. Figure 3 shows their distribution across the tested projects. Most are input validation defects, caused mainly by insufficient validation of user input; they readily give rise to buffer overflow, path traversal, cross-site scripting and various injection defects. Once an attacker constructs malicious input, the result can be serious security problems such as arbitrary command execution and arbitrary file read.

Figure 3: Distribution of high-risk security defects in the tested projects (by category)

Figure 4 breaks the high-risk defects down by specific type. For ease of display, defect types that occur no more than 10 times are grouped as "others"; these mainly include out-of-bounds access (9) and hard-coded passwords (6). The most frequent specific defects across the 20 tested projects are cross-site scripting (488), path traversal (76) and SQL injection (53). Because the software tested in this phase consists mainly of IoT application development frameworks that provide IoT server-side services, these defects greatly increase the risk of the server being taken over by an attacker, which in turn risks IoT devices being maliciously manipulated and users' personal privacy being disclosed.

Figure 4: Distribution of high-risk security defects in the tested projects (by specific defect type)

4.3 Overall distribution of security defects

The security status of the tested projects was analyzed above in terms of high-risk defects. In general, medium-risk defects are less harmful than high-risk defects in the actual operating environment, but they still cannot be ignored, and to some extent they reflect the project's code quality and how much attention its developers pay to code security. To give a more complete picture of the security status of the tested projects, this section shows the overall distribution of security defects, including medium-risk defects.

Figure 5 shows the distribution of security defects in the tested projects. Compared with the high-risk distribution, the share of code quality and API usage defects rises sharply. The projects contain many problems such as "improper bit operation", "improper character comparison", "resource not released" and "use of unsafe functions", which reflect poor programming habits. Compared with input validation problems, the bar for an attacker to exploit this kind of problem is relatively high, but once exploited they still lead to serious risks such as denial of service and arbitrary command execution.

Figure 5: Distribution of medium- and high-risk security defects in the tested projects (by category)

Table 2 further shows the distribution of specific medium- and high-risk defect types across the tested projects. Because of the large number of defects detected this time, there are 85 medium- and high-risk defect types in total; for readability, only 50 of them are listed in the table.

Table 2: Distribution of medium- and high-risk security defects in the tested projects (classified by specific defect type; counts that did not survive are left blank)

| Type of medium- or high-risk defect | Frequency of occurrence |
| --- | --- |
| Bit operation on operands of different widths | 1,076 |
| Cross-site scripting | 571 |
| Resource not released | 562 |
| Unsafe memory copy function | 352 |
| Improper character type comparison | 256 |
| Null pointer dereference | 157 |
| Unsafe string handling function | 132 |
| Path traversal | |
| SQL injection | |
| Servlet thread safety | |
| XML external entity injection | |
| Privacy leak | |
| Improper format string | |
| Hard-coded password | |
| Unchecked loop condition | |

5. Horizontal comparison of project security in this year

This part compares the IoT software projects tested in this period with the artificial intelligence software and the development framework software tested in earlier periods of this year, using the average number of defects per thousand lines of code.

Figure 6: Comparison of defects per thousand lines of code for software tested in different fields in 2018

As Figure 6 shows, the security defect density of IoT software is high, which to some extent reflects the relatively weak security awareness of smart device manufacturers. Developers of IoT software should pay more attention to code security and take effective measures to improve it.

6. Defect verification

From the security defects detected this time, the report team randomly selected defects for manual exploitation and found security vulnerabilities that could be verified. This part uses the Blynk Server path traversal vulnerability as an example. Blynk Server is the server-side component of the Blynk IoT platform, mainly used to relay messages between the Blynk mobile application and embedded devices.

Figure 7: Screenshot of the path traversal vulnerability in Blynk Server (version 0.39.6)

Figure 7 shows the code fragment in question. The code reads the URI supplied by the user (line 188) and reads the corresponding file (line 210) without any validation or filtering, so a user can traverse the server's file system with "../" and obtain the contents of any file. For example, as Figure 8 shows, sensitive content such as the system account file can be obtained through the URL "/static/js/../etc/passwd". Because Blynk Server is mainly used to relay messages between the mobile application and the microcontroller boards of IoT devices, an attacker who gains control of the server can intercept all messages from the IoT devices, leading to disclosure of the device owners' personal privacy, and can also tamper with and manipulate the instructions sent to the devices to control them remotely.

The vulnerability was confirmed by the Blynk Server developers and assigned CVE-2018-17785; it is fixed in version 0.39.13 and later. Users of the software are advised to update to the latest version as soon as possible to avoid unnecessary security risk.

Figure 8: Screenshot of the path traversal vulnerability in Blynk Server (version 0.39.6)
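The defect class described above (a URI tail joined onto a static directory and opened without validation) beside the canonicalize-then-contain fix, as an added Python example written for this article; it is not Blynk Server's code (which is Java), and the STATIC_PREFIX routing convention, the directory layout, the file names and the request URIs it uses are constructed stand-ins.

```python
import os
import tempfile
from urllib.parse import unquote

# Assumed URL prefix under which static files are served (a constructed
# convention for this example, not Blynk Server's real routing).
STATIC_PREFIX = "/static/"


class PathTraversal(Exception):
    """Raised when a request path would resolve outside the static root."""


def unsafe_resolve(static_root, uri):
    """Vulnerable pattern: the URI tail is glued onto the static directory
    and handed straight to the file system, so '..' segments walk out of it."""
    return os.path.join(static_root, uri[len(STATIC_PREFIX):])


def safe_resolve(static_root, uri):
    """Hardened version: decode once, canonicalize on disk, then require the
    result to lie inside the canonical static root (commonpath rather than
    startswith, so /srv/static-private is not taken for a child of /srv/static)."""
    if not uri.startswith(STATIC_PREFIX):
        raise PathTraversal(uri)
    tail = unquote(uri[len(STATIC_PREFIX):])   # %2e%2e -> ..
    if "\x00" in tail or "\\" in tail:          # NUL truncation, backslash tricks
        raise PathTraversal(uri)
    root = os.path.realpath(static_root)
    candidate = os.path.realpath(os.path.join(root, tail.lstrip("/")))
    if os.path.commonpath([root, candidate]) != root:
        raise PathTraversal(uri)
    return candidate


def demo():
    """Build a constructed file tree and exercise both resolvers.
    Returns a dict of observations so the outcome can be checked."""
    with tempfile.TemporaryDirectory() as base:
        static = os.path.join(base, "static")
        os.makedirs(os.path.join(static, "js"))
        with open(os.path.join(static, "js", "app.js"), "w") as fh:
            fh.write("console.log('hello');")
        # Constructed stand-in for a sensitive file outside the static root.
        with open(os.path.join(base, "passwd"), "w") as fh:
            fh.write("root:x:0:0:root:/root:/bin/sh\n")

        legit = "/static/js/app.js"
        attack = "/static/js/../../passwd"
        encoded = "/static/%2e%2e/passwd"
        out = {}
        with open(unsafe_resolve(static, attack)) as fh:
            out["unsafe_leaks"] = fh.read().startswith("root:")
        with open(safe_resolve(static, legit)) as fh:
            out["safe_serves_legit"] = fh.read()
        for name, uri in (("attack", attack), ("encoded", encoded)):
            try:
                safe_resolve(static, uri)
                out[name + "_blocked"] = False
            except PathTraversal:
                out[name + "_blocked"] = True
        return out


if __name__ == "__main__":
    print(demo())
```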

7. Notes on this report

1. This report analyzes defects from the code perspective only. The defects counted in this report are potential security risks that attackers may exploit as a result of improper coding. In an actual system, because of the constraints of the deployment environment and security equipment, some defects may not be verifiable by penetration testing.

2. The defects in this report apply only to the specific software versions listed in Table 1. The report no longer applies once the software has been updated, modified or optimized.

3. This report was supported by the 360 Code Guard team.
