{"id":"https://openalex.org/W4308479228","doi":"https://doi.org/10.1109/tcad.2022.3201471","title":"Vulnerability Detection of ICS Protocols via Cross-State Fuzzing","display_name":"Vulnerability Detection of ICS Protocols via Cross-State Fuzzing","publication_year":2022,"publication_date":"2022-11-01","ids":{"openalex":"https://openalex.org/W4308479228","doi":"https://doi.org/10.1109/tcad.2022.3201471"},"language":"en","primary_location":{"id":"doi:10.1109/tcad.2022.3201471","is_oa":false,"landing_page_url":"https://doi.org/10.1109/tcad.2022.3201471","pdf_url":null,"source":{"id":"https://openalex.org/S100835903","display_name":"IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems","issn_l":"0278-0070","issn":["0278-0070","1937-4151"],"is_oa":false,"is_in_doaj":false,"is_core":true,"host_organization":"https://openalex.org/P4310319808","host_organization_name":"Institute of Electrical and Electronics Engineers","host_organization_lineage":["https://openalex.org/P4310319808"],"host_organization_lineage_names":["Institute of Electrical and Electronics Engineers"],"type":"journal"},"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems","raw_type":"journal-article"},"type":"article","indexed_in":["crossref"],"open_access":{"is_oa":false,"oa_status":"closed","oa_url":null,"any_repository_has_fulltext":false},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5006395264","display_name":"Feilong Zuo","orcid":"https://orcid.org/0000-0003-2589-2255"},"institutions":[{"id":"https://openalex.org/I99065089","display_name":"Tsinghua University","ror":"https://ror.org/03cve4549","country_code":"CN","type":"education","lineage":["https://openalex.org/I99065089"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Feilong Zuo","raw_affiliation_strings":["KLISS, BNRist, School of Software, Tsinghua University, Beijing, China"],"raw_orcid":"https://orcid.org/0000-0003-2589-2255","affiliations":[{"raw_affiliation_string":"KLISS, BNRist, School of Software, Tsinghua University, Beijing, China","institution_ids":["https://openalex.org/I99065089"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5078630181","display_name":"Zhengxiong Luo","orcid":"https://orcid.org/0000-0001-6522-9269"},"institutions":[{"id":"https://openalex.org/I99065089","display_name":"Tsinghua University","ror":"https://ror.org/03cve4549","country_code":"CN","type":"education","lineage":["https://openalex.org/I99065089"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Zhengxiong Luo","raw_affiliation_strings":["KLISS, BNRist, School of Software, Tsinghua University, Beijing, China"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"KLISS, BNRist, School of Software, Tsinghua University, Beijing, China","institution_ids":["https://openalex.org/I99065089"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5091646340","display_name":"Junze Yu","orcid":"https://orcid.org/0009-0004-7427-5573"},"institutions":[{"id":"https://openalex.org/I99065089","display_name":"Tsinghua University","ror":"https://ror.org/03cve4549","country_code":"CN","type":"education","lineage":["https://openalex.org/I99065089"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Junze Yu","raw_affiliation_strings":["KLISS, BNRist, School of Software, Tsinghua University, Beijing, China"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"KLISS, BNRist, School of Software, Tsinghua University, Beijing, China","institution_ids":["https://openalex.org/I99065089"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5100443178","display_name":"Ting Chen","orcid":"https://orcid.org/0000-0001-9165-8331"},"institutions":[{"id":"https://openalex.org/I150229711","display_name":"University of Electronic Science and Technology of China","ror":"https://ror.org/04qr3zq92","country_code":"CN","type":"education","lineage":["https://openalex.org/I150229711"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Ting Chen","raw_affiliation_strings":["School of Computer Science and Engineering, University of Electronic Science and Technology of China, Chengdu, China"],"raw_orcid":"https://orcid.org/0000-0001-9165-8331","affiliations":[{"raw_affiliation_string":"School of Computer Science and Engineering, University of Electronic Science and Technology of China, Chengdu, China","institution_ids":["https://openalex.org/I150229711"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5041407793","display_name":"Zichen Xu","orcid":"https://orcid.org/0000-0001-9293-8028"},"institutions":[{"id":"https://openalex.org/I141649914","display_name":"Nanchang University","ror":"https://ror.org/042v6xz23","country_code":"CN","type":"education","lineage":["https://openalex.org/I141649914"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Zichen Xu","raw_affiliation_strings":["School of Mathematics and Computer Science, Nanchang University, Nanchang, China"],"raw_orcid":"https://orcid.org/0000-0001-9293-8028","affiliations":[{"raw_affiliation_string":"School of Mathematics and Computer Science, Nanchang University, Nanchang, China","institution_ids":["https://openalex.org/I141649914"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5041347432","display_name":"Aiguo Cui","orcid":null},"institutions":[{"id":"https://openalex.org/I2250955327","display_name":"Huawei Technologies (China)","ror":"https://ror.org/00cmhce21","country_code":"CN","type":"company","lineage":["https://openalex.org/I2250955327"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Aiguo Cui","raw_affiliation_strings":["Godel Lab, Huawei Technologies Company Ltd., Shanghai, China"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"Godel Lab, Huawei Technologies Company Ltd., Shanghai, China","institution_ids":["https://openalex.org/I2250955327"]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5060117799","display_name":"Yu Jiang","orcid":"https://orcid.org/0000-0003-0955-503X"},"institutions":[{"id":"https://openalex.org/I99065089","display_name":"Tsinghua University","ror":"https://ror.org/03cve4549","country_code":"CN","type":"education","lineage":["https://openalex.org/I99065089"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Yu Jiang","raw_affiliation_strings":["KLISS, BNRist, School of Software, Tsinghua University, Beijing, China"],"raw_orcid":"https://orcid.org/0000-0003-0955-503X","affiliations":[{"raw_affiliation_string":"KLISS, BNRist, School of Software, Tsinghua University, Beijing, China","institution_ids":["https://openalex.org/I99065089"]}]}],"institutions":[],"countries_distinct_count":1,"institutions_distinct_count":4,"corresponding_author_ids":[],"corresponding_institution_ids":[],"apc_list":null,"apc_paid":null,"fwci":3.3052,"has_fulltext":false,"cited_by_count":29,"citation_normalized_percentile":{"value":0.93040546,"is_in_top_1_percent":false,"is_in_top_10_percent":true},"cited_by_percentile_year":{"min":99,"max":100},"biblio":{"volume":"41","issue":"11","first_page":"4457","last_page":"4468"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T11241","display_name":"Advanced Malware Detection Techniques","score":0.9940000176429749,"subfield":{"id":"https://openalex.org/subfields/1711","display_name":"Signal Processing"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T11241","display_name":"Advanced Malware Detection Techniques","score":0.9940000176429749,"subfield":{"id":"https://openalex.org/subfields/1711","display_name":"Signal Processing"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T10743","display_name":"Software Testing and Debugging Techniques","score":0.9908999800682068,"subfield":{"id":"https://openalex.org/subfields/1712","display_name":"Software"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11424","display_name":"Security and Verification in Computing","score":0.9898999929428101,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/fuzz-testing","display_name":"Fuzz testing","score":0.9474399089813232},{"id":"https://openalex.org/keywords/computer-science","display_name":"Computer science","score":0.7385880351066589},{"id":"https://openalex.org/keywords/protocol","display_name":"Protocol (science)","score":0.5677100419998169},{"id":"https://openalex.org/keywords/implementation","display_name":"Implementation","score":0.49162155389785767},{"id":"https://openalex.org/keywords/state","display_name":"State (computer science)","score":0.48733076453208923},{"id":"https://openalex.org/keywords/automation","display_name":"Automation","score":0.4853867292404175},{"id":"https://openalex.org/keywords/embedded-system","display_name":"Embedded system","score":0.34360218048095703},{"id":"https://openalex.org/keywords/software-engineering","display_name":"Software engineering","score":0.32747653126716614},{"id":"https://openalex.org/keywords/operating-system","display_name":"Operating system","score":0.2827221155166626},{"id":"https://openalex.org/keywords/programming-language","display_name":"Programming language","score":0.24057137966156006},{"id":"https://openalex.org/keywords/software","display_name":"Software","score":0.12942999601364136},{"id":"https://openalex.org/keywords/engineering","display_name":"Engineering","score":0.0871010422706604}],"concepts":[{"id":"https://openalex.org/C111065885","wikidata":"https://www.wikidata.org/wiki/Q1189053","display_name":"Fuzz testing","level":3,"score":0.9474399089813232},{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.7385880351066589},{"id":"https://openalex.org/C2780385302","wikidata":"https://www.wikidata.org/wiki/Q367158","display_name":"Protocol (science)","level":3,"score":0.5677100419998169},{"id":"https://openalex.org/C26713055","wikidata":"https://www.wikidata.org/wiki/Q245962","display_name":"Implementation","level":2,"score":0.49162155389785767},{"id":"https://openalex.org/C48103436","wikidata":"https://www.wikidata.org/wiki/Q599031","display_name":"State (computer science)","level":2,"score":0.48733076453208923},{"id":"https://openalex.org/C115901376","wikidata":"https://www.wikidata.org/wiki/Q184199","display_name":"Automation","level":2,"score":0.4853867292404175},{"id":"https://openalex.org/C149635348","wikidata":"https://www.wikidata.org/wiki/Q193040","display_name":"Embedded system","level":1,"score":0.34360218048095703},{"id":"https://openalex.org/C115903868","wikidata":"https://www.wikidata.org/wiki/Q80993","display_name":"Software engineering","level":1,"score":0.32747653126716614},{"id":"https://openalex.org/C111919701","wikidata":"https://www.wikidata.org/wiki/Q9135","display_name":"Operating system","level":1,"score":0.2827221155166626},{"id":"https://openalex.org/C199360897","wikidata":"https://www.wikidata.org/wiki/Q9143","display_name":"Programming language","level":1,"score":0.24057137966156006},{"id":"https://openalex.org/C2777904410","wikidata":"https://www.wikidata.org/wiki/Q7397","display_name":"Software","level":2,"score":0.12942999601364136},{"id":"https://openalex.org/C127413603","wikidata":"https://www.wikidata.org/wiki/Q11023","display_name":"Engineering","level":0,"score":0.0871010422706604},{"id":"https://openalex.org/C204787440","wikidata":"https://www.wikidata.org/wiki/Q188504","display_name":"Alternative medicine","level":2,"score":0.0},{"id":"https://openalex.org/C71924100","wikidata":"https://www.wikidata.org/wiki/Q11190","display_name":"Medicine","level":0,"score":0.0},{"id":"https://openalex.org/C142724271","wikidata":"https://www.wikidata.org/wiki/Q7208","display_name":"Pathology","level":1,"score":0.0},{"id":"https://openalex.org/C78519656","wikidata":"https://www.wikidata.org/wiki/Q101333","display_name":"Mechanical engineering","level":1,"score":0.0}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.1109/tcad.2022.3201471","is_oa":false,"landing_page_url":"https://doi.org/10.1109/tcad.2022.3201471","pdf_url":null,"source":{"id":"https://openalex.org/S100835903","display_name":"IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems","issn_l":"0278-0070","issn":["0278-0070","1937-4151"],"is_oa":false,"is_in_doaj":false,"is_core":true,"host_organization":"https://openalex.org/P4310319808","host_organization_name":"Institute of Electrical and Electronics Engineers","host_organization_lineage":["https://openalex.org/P4310319808"],"host_organization_lineage_names":["Institute of Electrical and Electronics Engineers"],"type":"journal"},"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems","raw_type":"journal-article"}],"best_oa_location":null,"sustainable_development_goals":[{"score":0.6100000143051147,"id":"https://metadata.un.org/sdg/9","display_name":"Industry, innovation and infrastructure"}],"awards":[{"id":"https://openalex.org/G3167315294","display_name":null,"funder_award_id":"U1911401","funder_id":"https://openalex.org/F4320321001","funder_display_name":"National Natural Science Foundation of China"},{"id":"https://openalex.org/G3446613798","display_name":null,"funder_award_id":"62192730","funder_id":"https://openalex.org/F4320321001","funder_display_name":"National Natural Science Foundation of China"},{"id":"https://openalex.org/G4456633529","display_name":null,"funder_award_id":"92167101","funder_id":"https://openalex.org/F4320321001","funder_display_name":"National Natural Science Foundation of China"},{"id":"https://openalex.org/G5216889655","display_name":null,"funder_award_id":"62022046","funder_id":"https://openalex.org/F4320321001","funder_display_name":"National Natural Science Foundation of China"},{"id":"https://openalex.org/G7091651887","display_name":null,"funder_award_id":"62021002","funder_id":"https://openalex.org/F4320321001","funder_display_name":"National Natural Science Foundation of China"}],"funders":[{"id":"https://openalex.org/F4320321001","display_name":"National Natural Science Foundation of China","ror":"https://ror.org/01h0zpd94"}],"has_content":{"pdf":false,"grobid_xml":false},"content_urls":null,"referenced_works_count":25,"referenced_works":["https://openalex.org/W1769343819","https://openalex.org/W1990067238","https://openalex.org/W2039427951","https://openalex.org/W2093594839","https://openalex.org/W2141175718","https://openalex.org/W2517087431","https://openalex.org/W2532335977","https://openalex.org/W2588341003","https://openalex.org/W2757104921","https://openalex.org/W2759656866","https://openalex.org/W2802709486","https://openalex.org/W2883395840","https://openalex.org/W2947182139","https://openalex.org/W2950911860","https://openalex.org/W2980096664","https://openalex.org/W2981360268","https://openalex.org/W2998321643","https://openalex.org/W3047947484","https://openalex.org/W3092129160","https://openalex.org/W3104664063","https://openalex.org/W3106519623","https://openalex.org/W3126449752","https://openalex.org/W4288057797","https://openalex.org/W6681015208","https://openalex.org/W6748870742"],"related_works":["https://openalex.org/W2511770387","https://openalex.org/W3120811337","https://openalex.org/W3203597304","https://openalex.org/W2990186179","https://openalex.org/W4385301282","https://openalex.org/W3023977444","https://openalex.org/W2766647240","https://openalex.org/W4210660460","https://openalex.org/W3119380829","https://openalex.org/W4385950235"],"abstract_inverted_index":{"Industrial":[0],"control":[1,14],"system":[2],"(ICS)":[3],"employs":[4,143],"complex":[5],"multistate":[6],"protocols":[7],"to":[8,74,117,147],"realize":[9],"high-reliability":[10],"communication":[11],"and":[12,57,65,192,204,230],"intelligent":[13],"over":[15,54,68],"automation":[16,33],"equipment.":[17],"ICS":[18,79,99,132,153,170,222],"has":[19,209],"been":[20,43,236],"widely":[21],"used":[22],"in":[23,37],"various":[24],"embedded":[25],"fields,":[26],"such":[27,50,184],"as":[28,51,185],"autonomous":[29,60],"vehicle":[30],"systems,":[31,34,61],"power":[32],"etc.":[35,179],"However,":[36],"recent":[38],"years,":[39],"many":[40],"attacks":[41],"have":[42,235],"performed":[44],"on":[45,125,167],"ICS,":[46],"especially":[47],"its":[48],"protocols,":[49,223],"the":[52,63,76,95,129,149,152],"hijacks":[53],"Jeep":[55],"Uconnect":[56],"Tesla":[58],"Autopilot":[59],"also":[62],"Stuxnet":[64],"DragonFly":[66],"viruses":[67],"national":[69],"infrastructures.":[70],"It":[71],"is":[72],"important":[73],"guarantee":[75],"security":[77,228],"of":[78,98,123,131,151,225],"protocols.":[80,133],"In":[81,102],"this":[82],"article,":[83],"we":[84,107,135],"present":[85],"<monospace":[86,103,164],"xmlns:mml=\"http://www.w3.org/1998/Math/MathML\"":[87,104,165],"xmlns:xlink=\"http://www.w3.org/1999/xlink\">Charon</monospace>":[88,105,166],",":[89,106],"an":[90,109],"efficient":[91],"fuzzing":[92,111,130],"platform":[93],"for":[94,159],"vulnerability":[96],"detection":[97],"protocol":[100,154,171],"implementations.":[101],"propose":[108],"innovative":[110],"strategy":[112],"that":[113,142],"leverages":[114],"state":[115],"guidance":[116],"maximize":[118],"cross-state":[119],"code":[120],"coverage":[121,198],"instead":[122],"focusing":[124],"isolated":[126],"states":[127],"during":[128],"Moreover,":[134,207],"devise":[136],"a":[137],"novel":[138],"feedback":[139],"collection":[140],"method":[141],"program":[144],"status":[145],"inferring":[146],"avoid":[148],"restart":[150],"at":[155],"each":[156],"iteration,":[157],"allowing":[158],"continuous":[160],"fuzzing.":[161],"We":[162],"evaluate":[163],"several":[168],"popular":[169],"implementations,":[172],"including":[173],"real-time":[174],"publish":[175],"subscribe,":[176],"IEC61850-MMS,":[177],"MQTT,":[178],"Compared":[180],"with":[181],"typical":[182],"fuzzers,":[183],"American":[186],"fuzzy":[187],"lop,":[188],"Polar,":[189],"AFLNET,":[190],"Boofuzz,":[191],"Peach,":[193],"it":[194,208],"averagely":[195],"improves":[196],"branch":[197],"by":[199],"234.2%,":[200],"194.4%,":[201],"215.9%,":[202],"52.58%,":[203],"35.18%,":[205],"respectively.":[206],"already":[210],"confirmed":[211],"21":[212],"previously":[213],"unknown":[214],"vulnerabilities":[215],"(e.g.,":[216],"stack":[217],"buffer":[218],"overflow)":[219],"among":[220],"these":[221],"most":[224],"which":[226],"are":[227],"critical":[229],"corresponding":[231],"patches":[232],"from":[233],"vendors":[234],"released":[237],"accordingly.":[238]},"counts_by_year":[{"year":2026,"cited_by_count":6},{"year":2025,"cited_by_count":9},{"year":2024,"cited_by_count":14}],"updated_date":"2026-07-01T08:55:40.977307","created_date":"2025-10-10T00:00:00"}
