{"id":"https://openalex.org/W4288057749","doi":"https://doi.org/10.1109/sp46214.2022.9833610","title":"HEAPSTER: Analyzing the Security of Dynamic Allocators for Monolithic Firmware Images","display_name":"HEAPSTER: Analyzing the Security of Dynamic Allocators for Monolithic Firmware Images","publication_year":2022,"publication_date":"2022-05-01","ids":{"openalex":"https://openalex.org/W4288057749","doi":"https://doi.org/10.1109/sp46214.2022.9833610"},"language":"en","primary_location":{"id":"doi:10.1109/sp46214.2022.9833610","is_oa":false,"landing_page_url":"https://doi.org/10.1109/sp46214.2022.9833610","pdf_url":null,"source":{"id":"https://openalex.org/S4363606603","display_name":"2022 IEEE Symposium on Security and Privacy (SP)","issn_l":null,"issn":null,"is_oa":false,"is_in_doaj":false,"is_core":false,"host_organization":null,"host_organization_name":null,"host_organization_lineage":[],"host_organization_lineage_names":[],"type":"conference"},"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"2022 IEEE Symposium on Security and Privacy (SP)","raw_type":"proceedings-article"},"type":"article","indexed_in":["crossref"],"open_access":{"is_oa":false,"oa_status":"closed","oa_url":null,"any_repository_has_fulltext":false},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5056711455","display_name":"Fabio Gritti","orcid":null},"institutions":[{"id":"https://openalex.org/I154570441","display_name":"University of California, Santa Barbara","ror":"https://ror.org/02t274463","country_code":"US","type":"education","lineage":["https://openalex.org/I154570441"]}],"countries":["US"],"is_corresponding":true,"raw_author_name":"Fabio Gritti","raw_affiliation_strings":["University of California,Santa Barbara","University of California, Santa Barbara"],"affiliations":[{"raw_affiliation_string":"University of California,Santa Barbara","institution_ids":["https://openalex.org/I154570441"]},{"raw_affiliation_string":"University of California, Santa Barbara","institution_ids":["https://openalex.org/I154570441"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5058787341","display_name":"Fabio Pagani","orcid":"https://orcid.org/0000-0002-4357-9804"},"institutions":[{"id":"https://openalex.org/I154570441","display_name":"University of California, Santa Barbara","ror":"https://ror.org/02t274463","country_code":"US","type":"education","lineage":["https://openalex.org/I154570441"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Fabio Pagani","raw_affiliation_strings":["University of California,Santa Barbara","University of California, Santa Barbara"],"affiliations":[{"raw_affiliation_string":"University of California,Santa Barbara","institution_ids":["https://openalex.org/I154570441"]},{"raw_affiliation_string":"University of California, Santa Barbara","institution_ids":["https://openalex.org/I154570441"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5074577020","display_name":"Ilya Grishchenko","orcid":"https://orcid.org/0000-0003-4744-7507"},"institutions":[{"id":"https://openalex.org/I154570441","display_name":"University of California, Santa Barbara","ror":"https://ror.org/02t274463","country_code":"US","type":"education","lineage":["https://openalex.org/I154570441"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Ilya Grishchenko","raw_affiliation_strings":["University of California,Santa Barbara","University of California, Santa Barbara"],"affiliations":[{"raw_affiliation_string":"University of California,Santa Barbara","institution_ids":["https://openalex.org/I154570441"]},{"raw_affiliation_string":"University of California, Santa Barbara","institution_ids":["https://openalex.org/I154570441"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5078303941","display_name":"Lukas Dresel","orcid":"https://orcid.org/0000-0003-0335-2602"},"institutions":[{"id":"https://openalex.org/I154570441","display_name":"University of California, Santa Barbara","ror":"https://ror.org/02t274463","country_code":"US","type":"education","lineage":["https://openalex.org/I154570441"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Lukas Dresel","raw_affiliation_strings":["University of California,Santa Barbara","University of California, Santa Barbara"],"affiliations":[{"raw_affiliation_string":"University of California,Santa Barbara","institution_ids":["https://openalex.org/I154570441"]},{"raw_affiliation_string":"University of California, Santa Barbara","institution_ids":["https://openalex.org/I154570441"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5035847553","display_name":"Nilo Redini","orcid":"https://orcid.org/0009-0002-6768-7380"},"institutions":[{"id":"https://openalex.org/I19268510","display_name":"Qualcomm (United Kingdom)","ror":"https://ror.org/04d3djg48","country_code":"GB","type":"company","lineage":["https://openalex.org/I19268510","https://openalex.org/I4210087596"]}],"countries":["GB"],"is_corresponding":false,"raw_author_name":"Nilo Redini","raw_affiliation_strings":["Qualcomm Technologies Inc"],"affiliations":[{"raw_affiliation_string":"Qualcomm Technologies Inc","institution_ids":["https://openalex.org/I19268510"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5022177364","display_name":"Christopher Kruegel","orcid":"https://orcid.org/0000-0001-5140-3414"},"institutions":[{"id":"https://openalex.org/I154570441","display_name":"University of California, Santa Barbara","ror":"https://ror.org/02t274463","country_code":"US","type":"education","lineage":["https://openalex.org/I154570441"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Christopher Kruegel","raw_affiliation_strings":["University of California,Santa Barbara","University of California, Santa Barbara"],"affiliations":[{"raw_affiliation_string":"University of California,Santa Barbara","institution_ids":["https://openalex.org/I154570441"]},{"raw_affiliation_string":"University of California, Santa Barbara","institution_ids":["https://openalex.org/I154570441"]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5075685499","display_name":"Giovanni Vigna","orcid":"https://orcid.org/0000-0002-3422-5369"},"institutions":[{"id":"https://openalex.org/I154570441","display_name":"University of California, Santa Barbara","ror":"https://ror.org/02t274463","country_code":"US","type":"education","lineage":["https://openalex.org/I154570441"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Giovanni Vigna","raw_affiliation_strings":["University of California,Santa Barbara","University of California, Santa Barbara"],"affiliations":[{"raw_affiliation_string":"University of California,Santa Barbara","institution_ids":["https://openalex.org/I154570441"]},{"raw_affiliation_string":"University of California, Santa Barbara","institution_ids":["https://openalex.org/I154570441"]}]}],"institutions":[],"countries_distinct_count":2,"institutions_distinct_count":7,"corresponding_author_ids":["https://openalex.org/A5056711455"],"corresponding_institution_ids":["https://openalex.org/I154570441"],"apc_list":null,"apc_paid":null,"fwci":2.0982,"has_fulltext":false,"cited_by_count":21,"citation_normalized_percentile":{"value":0.89193343,"is_in_top_1_percent":false,"is_in_top_10_percent":false},"cited_by_percentile_year":{"min":89,"max":99},"biblio":{"volume":null,"issue":null,"first_page":"1082","last_page":"1099"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T11424","display_name":"Security and Verification in Computing","score":0.9998999834060669,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T11424","display_name":"Security and Verification in Computing","score":0.9998999834060669,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11241","display_name":"Advanced Malware Detection Techniques","score":0.9995999932289124,"subfield":{"id":"https://openalex.org/subfields/1711","display_name":"Signal Processing"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T12034","display_name":"Digital and Cyber Forensics","score":0.9969000220298767,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/firmware","display_name":"Firmware","score":0.9265342950820923},{"id":"https://openalex.org/keywords/allocator","display_name":"Allocator","score":0.9244393110275269},{"id":"https://openalex.org/keywords/computer-science","display_name":"Computer science","score":0.8160862922668457},{"id":"https://openalex.org/keywords/operating-system","display_name":"Operating system","score":0.5811266899108887},{"id":"https://openalex.org/keywords/heap","display_name":"Heap (data structure)","score":0.5134292840957642},{"id":"https://openalex.org/keywords/embedded-system","display_name":"Embedded system","score":0.5124159455299377},{"id":"https://openalex.org/keywords/c-dynamic-memory-allocation","display_name":"C dynamic memory allocation","score":0.43162792921066284},{"id":"https://openalex.org/keywords/memory-management","display_name":"Memory management","score":0.21415555477142334},{"id":"https://openalex.org/keywords/programming-language","display_name":"Programming language","score":0.14900505542755127}],"concepts":[{"id":"https://openalex.org/C67212190","wikidata":"https://www.wikidata.org/wiki/Q104851","display_name":"Firmware","level":2,"score":0.9265342950820923},{"id":"https://openalex.org/C162262903","wikidata":"https://www.wikidata.org/wiki/Q343527","display_name":"Allocator","level":2,"score":0.9244393110275269},{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.8160862922668457},{"id":"https://openalex.org/C111919701","wikidata":"https://www.wikidata.org/wiki/Q9135","display_name":"Operating system","level":1,"score":0.5811266899108887},{"id":"https://openalex.org/C134757568","wikidata":"https://www.wikidata.org/wiki/Q274089","display_name":"Heap (data structure)","level":2,"score":0.5134292840957642},{"id":"https://openalex.org/C149635348","wikidata":"https://www.wikidata.org/wiki/Q193040","display_name":"Embedded system","level":1,"score":0.5124159455299377},{"id":"https://openalex.org/C34339311","wikidata":"https://www.wikidata.org/wiki/Q1050390","display_name":"C dynamic memory allocation","level":4,"score":0.43162792921066284},{"id":"https://openalex.org/C176649486","wikidata":"https://www.wikidata.org/wiki/Q2308807","display_name":"Memory management","level":3,"score":0.21415555477142334},{"id":"https://openalex.org/C199360897","wikidata":"https://www.wikidata.org/wiki/Q9143","display_name":"Programming language","level":1,"score":0.14900505542755127},{"id":"https://openalex.org/C136085584","wikidata":"https://www.wikidata.org/wiki/Q910289","display_name":"Overlay","level":2,"score":0.0}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.1109/sp46214.2022.9833610","is_oa":false,"landing_page_url":"https://doi.org/10.1109/sp46214.2022.9833610","pdf_url":null,"source":{"id":"https://openalex.org/S4363606603","display_name":"2022 IEEE Symposium on Security and Privacy (SP)","issn_l":null,"issn":null,"is_oa":false,"is_in_doaj":false,"is_core":false,"host_organization":null,"host_organization_name":null,"host_organization_lineage":[],"host_organization_lineage_names":[],"type":"conference"},"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"2022 IEEE Symposium on Security and Privacy (SP)","raw_type":"proceedings-article"}],"best_oa_location":null,"sustainable_development_goals":[],"awards":[],"funders":[{"id":"https://openalex.org/F4320337345","display_name":"Office of Naval Research","ror":"https://ror.org/00rk2pe57"}],"has_content":{"grobid_xml":false,"pdf":false},"content_urls":null,"referenced_works_count":43,"referenced_works":["https://openalex.org/W22858107","https://openalex.org/W1746694335","https://openalex.org/W2037051353","https://openalex.org/W2107147876","https://openalex.org/W2134633067","https://openalex.org/W2154795299","https://openalex.org/W2350778671","https://openalex.org/W2514974017","https://openalex.org/W2531090983","https://openalex.org/W2656537333","https://openalex.org/W2751137623","https://openalex.org/W2752929869","https://openalex.org/W2782780792","https://openalex.org/W2791018263","https://openalex.org/W2884769489","https://openalex.org/W2914982603","https://openalex.org/W2963125488","https://openalex.org/W2966799902","https://openalex.org/W2984993098","https://openalex.org/W2985831349","https://openalex.org/W2991548539","https://openalex.org/W3041936634","https://openalex.org/W3043236449","https://openalex.org/W3108723500","https://openalex.org/W3113108440","https://openalex.org/W3118666763","https://openalex.org/W3155102819","https://openalex.org/W3157039655","https://openalex.org/W3157154729","https://openalex.org/W3164551084","https://openalex.org/W4239035626","https://openalex.org/W6621201870","https://openalex.org/W6637777816","https://openalex.org/W6724342392","https://openalex.org/W6753984860","https://openalex.org/W6754459196","https://openalex.org/W6754597693","https://openalex.org/W6760116975","https://openalex.org/W6768128038","https://openalex.org/W6776032291","https://openalex.org/W6779448139","https://openalex.org/W6781817248","https://openalex.org/W6794636854"],"related_works":["https://openalex.org/W2920417665","https://openalex.org/W2167102554","https://openalex.org/W3033802101","https://openalex.org/W2146707680","https://openalex.org/W2766468145","https://openalex.org/W92825922","https://openalex.org/W2944895246","https://openalex.org/W4379518516","https://openalex.org/W4379141974","https://openalex.org/W3104774169"],"abstract_inverted_index":{"Dynamic":[0],"memory":[1,40,62,111,288],"allocators":[2,24,41,63,289],"are":[3,25,64,256],"critical":[4,262],"components":[5],"of":[6,36,94,107,116,140,190,210,240,275,286],"modern":[7],"systems,":[8,83],"and":[9,19,45,58,96,103,173,180,205,219,279],"developers":[10],"strive":[11],"to":[12,130,146,258],"find":[13],"a":[14,84,101,110,123,159,169,188,208,238,272],"balance":[15],"between":[16],"their":[17,20],"performance":[18],"security.":[21],"Unfortunately,":[22],"vulnerable":[23,257],"routinely":[26],"abused":[27],"as":[28,55,198],"building":[29],"blocks":[30],"in":[31,68,153,216,221,268],"complex":[32],"exploitation":[33],"chains.":[34],"Most":[35],"the":[37,79,90,147,164,217,253,284],"research":[38],"regarding":[39],"focuses":[42],"on":[43,187,207],"popular":[44],"standardized":[46],"heap":[47,98,133,165,232,263],"libraries,":[48],"generally":[49],"used":[50,67,167,197,220],"by":[51,168,248,291],"high-end":[52],"devices":[53],"such":[54],"desktop":[56],"systems":[57,70],"servers.":[59],"However,":[60],"dynamic":[61,287],"also":[65,206],"extensively":[66],"embedded":[69,82],"but":[71,143],"they":[72],"have":[73],"not":[74,144],"received":[75],"much":[76],"scrutiny":[77],"from":[78],"security":[80,176,245,277,285],"community.In":[81],"raw":[85],"firmware":[86,118,128,171,194,213],"image":[87],"is":[88,100],"often":[89],"only":[91],"available":[92],"piece":[93],"information,":[95],"finding":[97],"vulnerabilities":[99,134],"manual":[102],"tedious":[104],"process.":[105],"First":[106],"all,":[108],"recognizing":[109],"allocator":[112],"library":[113,166,234],"among":[114],"thousands":[115],"stripped":[117],"functions":[119,129],"can":[120],"quickly":[121],"become":[122],"daunting":[124],"task.":[125],"Moreover,":[126],"emulating":[127],"test":[131],"for":[132,201],"comes":[135],"with":[136,177],"its":[137,175],"own":[138],"set":[139],"challenges,":[141],"related,":[142],"limited,":[145],"re-hosting":[148],"problem.To":[149],"fill":[150],"this":[151,154,269],"gap,":[152],"paper":[155,270],"we":[156],"present":[157],"HEAPSTER,":[158],"system":[160],"that":[161,251],"automatically":[162],"identifies":[163],"monolithic":[170,193,212],"image,":[172],"tests":[174],"symbolic":[178],"execution":[179],"bounded":[181],"model":[182],"checking.":[183],"We":[184],"evaluate":[185],"HEAPSTER":[186,249],"dataset":[189,209],"20":[191],"synthetic":[192],"images":[195,214],"\u2014":[196,204],"ground":[199],"truth":[200],"our":[202,227],"analyses":[203],"799":[211],"collected":[215],"wild":[218],"real-world":[222],"devices.":[223,293],"Across":[224],"these":[225],"datasets,":[226],"tool":[228],"identified":[229,254],"11":[230],"different":[231,242],"management":[233],"(HML)":[235],"families":[236],"containing":[237],"total":[239],"48":[241],"variations.":[243],"The":[244,265],"testing":[246],"performed":[247],"found":[250],"all":[252],"variants":[255],"at":[259],"least":[260],"one":[261],"vulnerability.":[264],"results":[266],"presented":[267],"show":[271],"clear":[273],"pattern":[274],"poor":[276],"standards,":[278],"raise":[280],"some":[281],"concerns":[282],"over":[283],"employed":[290],"IoT":[292]},"counts_by_year":[{"year":2026,"cited_by_count":1},{"year":2025,"cited_by_count":11},{"year":2024,"cited_by_count":8},{"year":2023,"cited_by_count":1}],"updated_date":"2026-03-12T08:34:05.389933","created_date":"2025-10-10T00:00:00"}