{"id":"https://openalex.org/W4378194461","doi":"https://doi.org/10.1109/tdsc.2023.3279846","title":"One Bad Apple Spoils the Barrel: Understanding the Security Risks Introduced by Third-Party Components in IoT Firmware","display_name":"One Bad Apple Spoils the Barrel: Understanding the Security Risks Introduced by Third-Party Components in IoT Firmware","publication_year":2023,"publication_date":"2023-05-25","ids":{"openalex":"https://openalex.org/W4378194461","doi":"https://doi.org/10.1109/tdsc.2023.3279846"},"language":"en","primary_location":{"id":"doi:10.1109/tdsc.2023.3279846","is_oa":false,"landing_page_url":"https://doi.org/10.1109/tdsc.2023.3279846","pdf_url":null,"source":{"id":"https://openalex.org/S133795288","display_name":"IEEE Transactions on Dependable and Secure Computing","issn_l":"1545-5971","issn":["1545-5971","1941-0018","2160-9209"],"is_oa":false,"is_in_doaj":false,"is_core":true,"host_organization":"https://openalex.org/P4310320439","host_organization_name":"IEEE Computer Society","host_organization_lineage":["https://openalex.org/P4310320439","https://openalex.org/P4310319808"],"host_organization_lineage_names":["IEEE Computer Society","Institute of Electrical and Electronics Engineers"],"type":"journal"},"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"IEEE Transactions on Dependable and Secure Computing","raw_type":"journal-article"},"type":"article","indexed_in":["crossref"],"open_access":{"is_oa":false,"oa_status":"closed","oa_url":null,"any_repository_has_fulltext":false},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5103072795","display_name":"Binbin Zhao","orcid":"https://orcid.org/0000-0002-2025-1291"},"institutions":[{"id":"https://openalex.org/I130701444","display_name":"Georgia Institute of Technology","ror":"https://ror.org/01zkghx44","country_code":"US","type":"education","lineage":["https://openalex.org/I130701444"]},{"id":"https://openalex.org/I168879160","display_name":"Zhejiang University of Science and Technology","ror":"https://ror.org/05mx0wr29","country_code":"CN","type":"education","lineage":["https://openalex.org/I168879160"]}],"countries":["CN","US"],"is_corresponding":false,"raw_author_name":"Binbin Zhao","raw_affiliation_strings":["College of Computer Science and Technology, Zhejiang University, Hangzhou, Zhejiang, China","School of Electrical and Computer Engineering, Georgia Institute of Technology, Atlanta, GA, USA"],"raw_orcid":"https://orcid.org/0000-0002-2025-1291","affiliations":[{"raw_affiliation_string":"College of Computer Science and Technology, Zhejiang University, Hangzhou, Zhejiang, China","institution_ids":["https://openalex.org/I168879160"]},{"raw_affiliation_string":"School of Electrical and Computer Engineering, Georgia Institute of Technology, Atlanta, GA, USA","institution_ids":["https://openalex.org/I130701444"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5058611515","display_name":"Shouling Ji","orcid":"https://orcid.org/0000-0003-4268-372X"},"institutions":[{"id":"https://openalex.org/I130701444","display_name":"Georgia Institute of Technology","ror":"https://ror.org/01zkghx44","country_code":"US","type":"education","lineage":["https://openalex.org/I130701444"]},{"id":"https://openalex.org/I168879160","display_name":"Zhejiang University of Science and Technology","ror":"https://ror.org/05mx0wr29","country_code":"CN","type":"education","lineage":["https://openalex.org/I168879160"]}],"countries":["CN","US"],"is_corresponding":false,"raw_author_name":"Shouling Ji","raw_affiliation_strings":["College of Computer Science and Technology, Zhejiang University, Hangzhou, Zhejiang, China","School of Electrical and Computer Engineering, Georgia Institute of Technology, Atlanta, GA, USA"],"raw_orcid":"https://orcid.org/0000-0003-4268-372X","affiliations":[{"raw_affiliation_string":"College of Computer Science and Technology, Zhejiang University, Hangzhou, Zhejiang, China","institution_ids":["https://openalex.org/I168879160"]},{"raw_affiliation_string":"School of Electrical and Computer Engineering, Georgia Institute of Technology, Atlanta, GA, USA","institution_ids":["https://openalex.org/I130701444"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5100622259","display_name":"Jiacheng Xu","orcid":"https://orcid.org/0000-0002-5201-1620"},"institutions":[{"id":"https://openalex.org/I168879160","display_name":"Zhejiang University of Science and Technology","ror":"https://ror.org/05mx0wr29","country_code":"CN","type":"education","lineage":["https://openalex.org/I168879160"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Jiacheng Xu","raw_affiliation_strings":["College of Computer Science and Technology, Zhejiang University, Hangzhou, Zhejiang, China"],"raw_orcid":"https://orcid.org/0000-0002-5201-1620","affiliations":[{"raw_affiliation_string":"College of Computer Science and Technology, Zhejiang University, Hangzhou, Zhejiang, China","institution_ids":["https://openalex.org/I168879160"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5100716458","display_name":"Yuan Tian","orcid":"https://orcid.org/0000-0002-6435-564X"},"institutions":[{"id":"https://openalex.org/I161318765","display_name":"University of California, Los Angeles","ror":"https://ror.org/046rm7j60","country_code":"US","type":"education","lineage":["https://openalex.org/I161318765"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Yuan Tian","raw_affiliation_strings":["Electrical and Computer Engineering, University of California, Los Angeles, CA, USA"],"raw_orcid":"https://orcid.org/0000-0002-6435-564X","affiliations":[{"raw_affiliation_string":"Electrical and Computer Engineering, University of California, Los Angeles, CA, USA","institution_ids":["https://openalex.org/I161318765"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5115010714","display_name":"Qiuyang Wei","orcid":"https://orcid.org/0000-0002-1622-213X"},"institutions":[{"id":"https://openalex.org/I168879160","display_name":"Zhejiang University of Science and Technology","ror":"https://ror.org/05mx0wr29","country_code":"CN","type":"education","lineage":["https://openalex.org/I168879160"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Qiuyang Wei","raw_affiliation_strings":["College of Computer Science and Technology, Zhejiang University, Hangzhou, Zhejiang, China"],"raw_orcid":"https://orcid.org/0000-0002-1622-213X","affiliations":[{"raw_affiliation_string":"College of Computer Science and Technology, Zhejiang University, Hangzhou, Zhejiang, China","institution_ids":["https://openalex.org/I168879160"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5071457448","display_name":"Qinying Wang","orcid":"https://orcid.org/0000-0002-0010-0592"},"institutions":[{"id":"https://openalex.org/I168879160","display_name":"Zhejiang University of Science and Technology","ror":"https://ror.org/05mx0wr29","country_code":"CN","type":"education","lineage":["https://openalex.org/I168879160"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Qinying Wang","raw_affiliation_strings":["College of Computer Science and Technology, Zhejiang University, Hangzhou, Zhejiang, China"],"raw_orcid":"https://orcid.org/0000-0002-0010-0592","affiliations":[{"raw_affiliation_string":"College of Computer Science and Technology, Zhejiang University, Hangzhou, Zhejiang, China","institution_ids":["https://openalex.org/I168879160"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5043763521","display_name":"Chenyang Lyu","orcid":"https://orcid.org/0000-0002-3403-7050"},"institutions":[{"id":"https://openalex.org/I168879160","display_name":"Zhejiang University of Science and Technology","ror":"https://ror.org/05mx0wr29","country_code":"CN","type":"education","lineage":["https://openalex.org/I168879160"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Chenyang Lyu","raw_affiliation_strings":["College of Computer Science and Technology, Zhejiang University, Hangzhou, Zhejiang, China"],"raw_orcid":"https://orcid.org/0000-0002-3403-7050","affiliations":[{"raw_affiliation_string":"College of Computer Science and Technology, Zhejiang University, Hangzhou, Zhejiang, China","institution_ids":["https://openalex.org/I168879160"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5101722406","display_name":"Xuhong Zhang","orcid":"https://orcid.org/0000-0002-8571-9780"},"institutions":[{"id":"https://openalex.org/I168879160","display_name":"Zhejiang University of Science and Technology","ror":"https://ror.org/05mx0wr29","country_code":"CN","type":"education","lineage":["https://openalex.org/I168879160"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Xuhong Zhang","raw_affiliation_strings":["College of Computer Science and Technology, Zhejiang University, Hangzhou, Zhejiang, China"],"raw_orcid":"https://orcid.org/0000-0002-8571-9780","affiliations":[{"raw_affiliation_string":"College of Computer Science and Technology, Zhejiang University, Hangzhou, Zhejiang, China","institution_ids":["https://openalex.org/I168879160"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5022316895","display_name":"Changting Lin","orcid":"https://orcid.org/0000-0002-8918-6299"},"institutions":[{"id":"https://openalex.org/I76130692","display_name":"Zhejiang University","ror":"https://ror.org/00a2xv884","country_code":"CN","type":"education","lineage":["https://openalex.org/I76130692"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Changting Lin","raw_affiliation_strings":["Zhejiang University, Hangzhou, China","Binjiang Institute of Zhejiang University, China"],"raw_orcid":"https://orcid.org/0000-0002-8918-6299","affiliations":[{"raw_affiliation_string":"Zhejiang University, Hangzhou, China","institution_ids":["https://openalex.org/I76130692"]},{"raw_affiliation_string":"Binjiang Institute of Zhejiang University, China","institution_ids":["https://openalex.org/I76130692"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5101024367","display_name":"Jingzheng Wu","orcid":"https://orcid.org/0000-0001-5561-9829"},"institutions":[{"id":"https://openalex.org/I19820366","display_name":"Chinese Academy of Sciences","ror":"https://ror.org/034t30j35","country_code":"CN","type":"government","lineage":["https://openalex.org/I19820366"]},{"id":"https://openalex.org/I4210128818","display_name":"Institute of Software","ror":"https://ror.org/033dfsn42","country_code":"CN","type":"facility","lineage":["https://openalex.org/I19820366","https://openalex.org/I4210128818"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Jingzheng Wu","raw_affiliation_strings":["Institute of Software, Chinese Academy of Sciences, Beijing, China"],"raw_orcid":"https://orcid.org/0000-0001-5561-9829","affiliations":[{"raw_affiliation_string":"Institute of Software, Chinese Academy of Sciences, Beijing, China","institution_ids":["https://openalex.org/I4210128818","https://openalex.org/I19820366"]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5033073212","display_name":"Raheem Beyah","orcid":"https://orcid.org/0000-0002-9188-3464"},"institutions":[{"id":"https://openalex.org/I130701444","display_name":"Georgia Institute of Technology","ror":"https://ror.org/01zkghx44","country_code":"US","type":"education","lineage":["https://openalex.org/I130701444"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Raheem Beyah","raw_affiliation_strings":["College of Engineering, Georgia Institute of Technology, Atlanta, GA, USA"],"raw_orcid":"https://orcid.org/0000-0002-9188-3464","affiliations":[{"raw_affiliation_string":"College of Engineering, Georgia Institute of Technology, Atlanta, GA, USA","institution_ids":["https://openalex.org/I130701444"]}]}],"institutions":[],"countries_distinct_count":2,"institutions_distinct_count":11,"corresponding_author_ids":[],"corresponding_institution_ids":[],"apc_list":null,"apc_paid":null,"fwci":1.8476,"has_fulltext":false,"cited_by_count":10,"citation_normalized_percentile":{"value":0.86065371,"is_in_top_1_percent":false,"is_in_top_10_percent":false},"cited_by_percentile_year":{"min":98,"max":99},"biblio":{"volume":"21","issue":"3","first_page":"1372","last_page":"1389"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T11241","display_name":"Advanced Malware Detection Techniques","score":0.9993000030517578,"subfield":{"id":"https://openalex.org/subfields/1711","display_name":"Signal Processing"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T11241","display_name":"Advanced Malware Detection Techniques","score":0.9993000030517578,"subfield":{"id":"https://openalex.org/subfields/1711","display_name":"Signal Processing"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11424","display_name":"Security and Verification in Computing","score":0.9887999892234802,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T12034","display_name":"Digital and Cyber Forensics","score":0.9887999892234802,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/firmware","display_name":"Firmware","score":0.9848240613937378},{"id":"https://openalex.org/keywords/computer-science","display_name":"Computer science","score":0.6769424080848694},{"id":"https://openalex.org/keywords/microcode","display_name":"Microcode","score":0.5289554595947266},{"id":"https://openalex.org/keywords/computer-security","display_name":"Computer security","score":0.4240201711654663},{"id":"https://openalex.org/keywords/operating-system","display_name":"Operating system","score":0.21299788355827332}],"concepts":[{"id":"https://openalex.org/C67212190","wikidata":"https://www.wikidata.org/wiki/Q104851","display_name":"Firmware","level":2,"score":0.9848240613937378},{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.6769424080848694},{"id":"https://openalex.org/C22174128","wikidata":"https://www.wikidata.org/wiki/Q175869","display_name":"Microcode","level":2,"score":0.5289554595947266},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.4240201711654663},{"id":"https://openalex.org/C111919701","wikidata":"https://www.wikidata.org/wiki/Q9135","display_name":"Operating system","level":1,"score":0.21299788355827332}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.1109/tdsc.2023.3279846","is_oa":false,"landing_page_url":"https://doi.org/10.1109/tdsc.2023.3279846","pdf_url":null,"source":{"id":"https://openalex.org/S133795288","display_name":"IEEE Transactions on Dependable and Secure Computing","issn_l":"1545-5971","issn":["1545-5971","1941-0018","2160-9209"],"is_oa":false,"is_in_doaj":false,"is_core":true,"host_organization":"https://openalex.org/P4310320439","host_organization_name":"IEEE Computer Society","host_organization_lineage":["https://openalex.org/P4310320439","https://openalex.org/P4310319808"],"host_organization_lineage_names":["IEEE Computer Society","Institute of Electrical and Electronics Engineers"],"type":"journal"},"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"IEEE Transactions on Dependable and Secure Computing","raw_type":"journal-article"}],"best_oa_location":null,"sustainable_development_goals":[],"awards":[{"id":"https://openalex.org/G1317677795","display_name":null,"funder_award_id":"U1936215","funder_id":"https://openalex.org/F4320321001","funder_display_name":"National Natural Science Foundation of China"},{"id":"https://openalex.org/G2212660163","display_name":null,"funder_award_id":"62102363","funder_id":"https://openalex.org/F4320321001","funder_display_name":"National Natural Science Foundation of China"},{"id":"https://openalex.org/G2400130100","display_name":null,"funder_award_id":"LQ21F020010","funder_id":"https://openalex.org/F4320338464","funder_display_name":"Natural Science Foundation of Zhejiang Province"},{"id":"https://openalex.org/G2863549312","display_name":null,"funder_award_id":"62072404","funder_id":"https://openalex.org/F4320321001","funder_display_name":"National Natural Science Foundation of China"}],"funders":[{"id":"https://openalex.org/F4320321001","display_name":"National Natural Science Foundation of China","ror":"https://ror.org/01h0zpd94"},{"id":"https://openalex.org/F4320338464","display_name":"Natural Science Foundation of Zhejiang Province","ror":"https://ror.org/01h0zpd94"}],"has_content":{"pdf":false,"grobid_xml":false},"content_urls":null,"referenced_works_count":36,"referenced_works":["https://openalex.org/W1942295288","https://openalex.org/W2024671287","https://openalex.org/W2043118292","https://openalex.org/W2062978452","https://openalex.org/W2091939272","https://openalex.org/W2100307718","https://openalex.org/W2111619626","https://openalex.org/W2112736324","https://openalex.org/W2116286374","https://openalex.org/W2180970301","https://openalex.org/W2532717356","https://openalex.org/W2532962075","https://openalex.org/W2576376563","https://openalex.org/W2577142429","https://openalex.org/W2733765803","https://openalex.org/W2749008552","https://openalex.org/W2766078311","https://openalex.org/W2792247670","https://openalex.org/W2805486984","https://openalex.org/W2884769489","https://openalex.org/W2926178846","https://openalex.org/W2955221586","https://openalex.org/W2957010138","https://openalex.org/W3102768552","https://openalex.org/W3105926539","https://openalex.org/W3112452874","https://openalex.org/W3161799213","https://openalex.org/W4210759690","https://openalex.org/W4226255934","https://openalex.org/W6637594488","https://openalex.org/W6666744930","https://openalex.org/W6678042037","https://openalex.org/W6697873463","https://openalex.org/W6753913816","https://openalex.org/W6776032291","https://openalex.org/W6799656188"],"related_works":["https://openalex.org/W1966431236","https://openalex.org/W608147619","https://openalex.org/W1984676852","https://openalex.org/W2068967940","https://openalex.org/W270731569","https://openalex.org/W4252104358","https://openalex.org/W2062160093","https://openalex.org/W2025981307","https://openalex.org/W1998626163","https://openalex.org/W2056006243"],"abstract_inverted_index":{"Currently,":[0],"the":[1,22,28,39,52,63,84,91,102,107,134,154,163,186,189],"development":[2,14],"of":[3,30,51,55,106,136,157,166,188],"IoT":[4,31,190],"firmware":[5,115,140,182,197],"heavily":[6],"depends":[7],"on":[8,95,113],"third-party":[9],"components":[10],"(TPCs)":[11],"to":[12,38,82],"improve":[13],"efficiency.":[15],"Nevertheless,":[16],"TPCs":[17,25,85,112,121,180],"are":[18,146],"not":[19],"secure,":[20],"and":[21,44,68,78,88,122,141,160],"vulnerabilities":[23,40,125,145,177],"in":[24,62,86,139,149,168,181],"will":[26],"influence":[27],"security":[29,53,108,137,164],"firmware.":[32,59,150],"Existing":[33],"works":[34],"pay":[35],"less":[36],"attention":[37],"caused":[41,126,178],"by":[42,111,127,179],"TPCs,":[43],"we":[45,66,100,152],"still":[46,147],"lack":[47],"a":[48],"comprehensive":[49],"understanding":[50],"impact":[54],"TPC":[56],"vulnerability":[57],"against":[58],"To":[60],"fill":[61],"knowledge":[64],"gap,":[65],"design":[67],"implement":[69],"<sc":[70,96],"xmlns:mml=\"http://www.w3.org/1998/Math/MathML\"":[71,97],"xmlns:xlink=\"http://www.w3.org/1999/xlink\">FirmSec</small>":[72,98],",":[73,99],"which":[74],"leverages":[75],"syntactical":[76],"features":[77,81],"control-flow":[79],"graph":[80],"detect":[83,119],"firmware,":[87],"then":[89],"recognizes":[90],"corresponding":[92],"vulnerabilities.":[93],"Based":[94],"present":[101],"first":[103],"large-scale":[104],"analysis":[105,132,173,193],"risks":[109,138],"raised":[110],"34,136":[114],"images.":[116],"We":[117],"successfully":[118],"584":[120],"identify":[123],"128,757":[124],"429":[128],"CVEs.":[129],"Our":[130,172],"in-depth":[131],"reveals":[133],"diversity":[135],"discovers":[142],"some":[143],"well-known":[144],"rooted":[148],"Besides,":[151],"explore":[153],"geographical":[155],"distribution":[156],"vulnerable":[158],"devices":[159,167],"confirm":[161],"that":[162,176],"situation":[165],"different":[169],"regions":[170],"varies.":[171],"also":[174],"indicates":[175],"keep":[183],"growing":[184],"with":[185],"boom":[187],"ecosystem.":[191],"Further":[192],"shows":[194],"2,478":[195],"commercial":[196],"images":[198],"have":[199],"potentially":[200],"violated":[201],"GPL/AGPL":[202],"licensing":[203],"terms.":[204]},"counts_by_year":[{"year":2025,"cited_by_count":10}],"updated_date":"2026-06-11T09:08:48.828518","created_date":"2025-10-10T00:00:00"}