On the Effectiveness of Clone Detection for Detecting IoT-related Vulnerable Clones

TL;DR

This paper investigates whether existing clone detection tools can identify IoT-related vulnerable code clones, creating datasets and conducting preliminary tests to assess their effectiveness in detecting vulnerabilities.

Contribution

The study introduces IoT-specific vulnerable clone datasets and evaluates the capability of existing clone detection tools to identify these clones.

Findings

Existing tools can detect IoT-related vulnerable clones partially.

Created datasets demonstrate the presence of vulnerable clones in IoT code.

Preliminary results suggest room for improvement in clone detection for IoT vulnerabilities.

Abstract

Since IoT systems provide services over the Internet, they must continue to operate safely even if malicious users attack them. Since the computational resources of edge devices connected to the IoT are limited, lightweight platforms and network protocols are often used. Lightweight platforms and network protocols are less resistant to attacks, increasing the risk that developers will embed vulnerabilities. The code clone research community has been developing approaches to fix buggy (e.g., vulnerable) clones simultaneously. However, there has been little research on IoT-related vulnerable clones. It is unclear whether existing code clone detection techniques can perform simultaneous fixes of the vulnerable clones. In this study, we first created two datasets of IoT-related vulnerable code. We then conducted a preliminary investigation to show whether existing code clone detection tools (e.g., NiCaD, CCFinderSW) are capable of detecting IoT-related vulnerable clones by applying them to the created datasets. The preliminary result shows that the existing tools can detect them partially.