Internet of Things (IoT) is defined as the connection between places and physical objects (i.e., things) over the internet/network via smart computing devices. We observed that IoT software developers share solutions to programming questions as code examples on three Stack Exchange Q&A sites: Stack Overflow (SO), Arduino, and Raspberry Pi. Previous research studies found vulnerabilities/weaknesses in C/C++ code examples shared on Stack Overflow. However, those studies did not investigate C/C++ code examples related to IoT, and they investigated SO code examples only. In this paper, we conduct a large-scale empirical study of all IoT C/C++ code examples shared on the three Stack Exchange sites, i.e., SO, Arduino, and Raspberry Pi. From the 11,329 code snippets obtained from the three sites, we identify 29 distinct CWE (Common Weakness Enumeration) types in 609 snippets. These CWE types can be categorized into 8 general weakness categories, and we observe that evaluation-, memory-, and initialization-related weaknesses are the ones most commonly introduced by users when posting programming solutions. Furthermore, we find that 39.58% of the vulnerable code snippets contain instances of CWE types that can be mapped to real-world occurrences of those CWE types (i.e., CVE instances). The largest number of vulnerable IoT code examples was found in Arduino, followed by SO and Raspberry Pi. Memory-type vulnerabilities are on the rise across the sites. For example, of the 3595 mapped CVE instances, we find that 28.99% result in Denial of Service (DoS) errors, which are particularly harmful for network-reliant IoT devices such as smart cars. Our study results can help various IoT stakeholders become aware of such vulnerable IoT code examples and can inform IoT researchers developing tools that help prevent developers from sharing such vulnerable code examples on these sites. [Abridged].