Diego Gomes, Eduardo Felix, Fernando Aires, Marco Vieira
ACM Computing Surveys. Journal Article. Published 2025-06-19. DOI: 10.1145/3745019 (https://doi.org/10.1145/3745019)
Static Code Analysis for IoT Security: A Systematic Literature Review
The growth of the Internet of Things (IoT) has provided significant advances in several areas of the industry, but security concerns have also increased due to this expansion. Many IoT devices are the target of cyber attacks due to various firmware, source code, and software vulnerabilities. In this context, static code analysis, leveraging various techniques, has emerged as an effective approach to examine and identify security vulnerabilities, including insecure functions, buffer overflows, and code injection. However, recent research has shown several challenges associated with this approach, such as limited understanding of vulnerabilities, inadequate threat detection, and insufficient semantic analysis of IoT device source code. Consequently, several IoT security research studies integrate static analysis with other methods, such as dynamic analysis, machine learning, and natural language processing, to enhance vulnerability analysis and detection. To provide a comprehensive understanding of the current state of static analysis in IoT security, this systematic literature review explores existing vulnerabilities, techniques, and methods while highlighting the challenges that hinder the extraction of meaningful insights from such analyses.
About the journal:
ACM Computing Surveys is an academic journal that focuses on publishing surveys and tutorials on various areas of computing research and practice. The journal aims to provide comprehensive and easily understandable articles that guide readers through the literature and help them understand topics outside their specialties. In terms of impact, CSUR has a high reputation with a 2022 Impact Factor of 16.6. It is ranked 3rd out of 111 journals in the field of Computer Science Theory & Methods.
ACM Computing Surveys is indexed and abstracted in various services, including AI2 Semantic Scholar, Baidu, Clarivate/ISI: JCR, CNKI, DeepDyve, DTU, EBSCO: EDS/HOST, and IET Inspec, among others.