{"id":"https://openalex.org/W4414955721","doi":"https://doi.org/10.1109/tdsc.2025.3619200","title":"Nonstandard Sinks Matter: A Comprehensive and Efficient Taint Analysis Framework for Vulnerability Detection in Embedded Firmware","display_name":"Nonstandard Sinks Matter: A Comprehensive and Efficient Taint Analysis Framework for Vulnerability Detection in Embedded Firmware","publication_year":2025,"publication_date":"2025-10-08","ids":{"openalex":"https://openalex.org/W4414955721","doi":"https://doi.org/10.1109/tdsc.2025.3619200"},"language":"en","primary_location":{"id":"doi:10.1109/tdsc.2025.3619200","is_oa":false,"landing_page_url":"https://doi.org/10.1109/tdsc.2025.3619200","pdf_url":null,"source":{"id":"https://openalex.org/S133795288","display_name":"IEEE Transactions on Dependable and Secure Computing","issn_l":"1545-5971","issn":["1545-5971","1941-0018","2160-9209"],"is_oa":false,"is_in_doaj":false,"is_core":true,"host_organization":"https://openalex.org/P4310320439","host_organization_name":"IEEE Computer Society","host_organization_lineage":["https://openalex.org/P4310320439","https://openalex.org/P4310319808"],"host_organization_lineage_names":["IEEE Computer Society","Institute of Electrical and Electronics Engineers"],"type":"journal"},"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"IEEE Transactions on Dependable and Secure Computing","raw_type":"journal-article"},"type":"article","indexed_in":["crossref"],"open_access":{"is_oa":false,"oa_status":"closed","oa_url":null,"any_repository_has_fulltext":false},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5101458075","display_name":"Enzhou Song","orcid":"https://orcid.org/0000-0003-0810-0228"},"institutions":[{"id":"https://openalex.org/I169689159","display_name":"PLA Information Engineering University","ror":"https://ror.org/00mm1qk40","country_code":"CN","type":"education","lineage":["https://openalex.org/I169689159"]}],"countries":["CN"],"is_corresponding":true,"raw_author_name":"Enzhou Song","raw_affiliation_strings":["Information Engineering University, Zhengzhou, China","Information Engineering University, Zhengzhou, Henan, China"],"raw_orcid":"https://orcid.org/0000-0003-0810-0228","affiliations":[{"raw_affiliation_string":"Information Engineering University, Zhengzhou, China","institution_ids":["https://openalex.org/I169689159"]},{"raw_affiliation_string":"Information Engineering University, Zhengzhou, Henan, China","institution_ids":["https://openalex.org/I169689159"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5111066159","display_name":"Yuhao Zhao","orcid":null},"institutions":[{"id":"https://openalex.org/I169689159","display_name":"PLA Information Engineering University","ror":"https://ror.org/00mm1qk40","country_code":"CN","type":"education","lineage":["https://openalex.org/I169689159"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Yuhao Zhao","raw_affiliation_strings":["Information Engineering University, Zhengzhou, China","Information Engineering University, Zhengzhou, Henan, China"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"Information Engineering University, Zhengzhou, China","institution_ids":["https://openalex.org/I169689159"]},{"raw_affiliation_string":"Information Engineering University, Zhengzhou, Henan, China","institution_ids":["https://openalex.org/I169689159"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5100440843","display_name":"Can Zhang","orcid":"https://orcid.org/0000-0003-0154-0423"},"institutions":[{"id":"https://openalex.org/I169689159","display_name":"PLA Information Engineering University","ror":"https://ror.org/00mm1qk40","country_code":"CN","type":"education","lineage":["https://openalex.org/I169689159"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Can Zhang","raw_affiliation_strings":["Information Engineering University, Zhengzhou, China","Information Engineering University, Zhengzhou, Henan, China"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"Information Engineering University, Zhengzhou, China","institution_ids":["https://openalex.org/I169689159"]},{"raw_affiliation_string":"Information Engineering University, Zhengzhou, Henan, China","institution_ids":["https://openalex.org/I169689159"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5116482668","display_name":"Jinyuan Zhai","orcid":null},"institutions":[{"id":"https://openalex.org/I169689159","display_name":"PLA Information Engineering University","ror":"https://ror.org/00mm1qk40","country_code":"CN","type":"education","lineage":["https://openalex.org/I169689159"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Jinyuan Zhai","raw_affiliation_strings":["Information Engineering University, Zhengzhou, China","Information Engineering University, Zhengzhou, Henan, China"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"Information Engineering University, Zhengzhou, China","institution_ids":["https://openalex.org/I169689159"]},{"raw_affiliation_string":"Information Engineering University, Zhengzhou, Henan, China","institution_ids":["https://openalex.org/I169689159"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5041271227","display_name":"Ruijie Cai","orcid":null},"institutions":[{"id":"https://openalex.org/I169689159","display_name":"PLA Information Engineering University","ror":"https://ror.org/00mm1qk40","country_code":"CN","type":"education","lineage":["https://openalex.org/I169689159"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Ruijie Cai","raw_affiliation_strings":["Information Engineering University, Zhengzhou, China","Information Engineering University, Zhengzhou, Henan, China"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"Information Engineering University, Zhengzhou, China","institution_ids":["https://openalex.org/I169689159"]},{"raw_affiliation_string":"Information Engineering University, Zhengzhou, Henan, China","institution_ids":["https://openalex.org/I169689159"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5100348301","display_name":"Long Liu","orcid":"https://orcid.org/0000-0003-4662-6829"},"institutions":[{"id":"https://openalex.org/I169689159","display_name":"PLA Information Engineering University","ror":"https://ror.org/00mm1qk40","country_code":"CN","type":"education","lineage":["https://openalex.org/I169689159"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Long Liu","raw_affiliation_strings":["Information Engineering University, Zhengzhou, China","Information Engineering University, Zhengzhou, Henan, China"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"Information Engineering University, Zhengzhou, China","institution_ids":["https://openalex.org/I169689159"]},{"raw_affiliation_string":"Information Engineering University, Zhengzhou, Henan, China","institution_ids":["https://openalex.org/I169689159"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5071035452","display_name":"Qichao Yang","orcid":"https://orcid.org/0000-0001-5368-4221"},"institutions":[{"id":"https://openalex.org/I169689159","display_name":"PLA Information Engineering University","ror":"https://ror.org/00mm1qk40","country_code":"CN","type":"education","lineage":["https://openalex.org/I169689159"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Qichao Yang","raw_affiliation_strings":["Information Engineering University, Zhengzhou, China","Information Engineering University, Zhengzhou, Henan, China"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"Information Engineering University, Zhengzhou, China","institution_ids":["https://openalex.org/I169689159"]},{"raw_affiliation_string":"Information Engineering University, Zhengzhou, Henan, China","institution_ids":["https://openalex.org/I169689159"]}]},{"author_position":"middle","author":{"id":null,"display_name":"Xiaokang Yin","orcid":"https://orcid.org/0000-0002-1617-4561"},"institutions":[{"id":"https://openalex.org/I169689159","display_name":"PLA Information Engineering University","ror":"https://ror.org/00mm1qk40","country_code":"CN","type":"education","lineage":["https://openalex.org/I169689159"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Xiaokang Yin","raw_affiliation_strings":["Information Engineering University, Zhengzhou, China","Information Engineering University, Zhengzhou, Henan, China"],"raw_orcid":"https://orcid.org/0000-0002-1617-4561","affiliations":[{"raw_affiliation_string":"Information Engineering University, Zhengzhou, China","institution_ids":["https://openalex.org/I169689159"]},{"raw_affiliation_string":"Information Engineering University, Zhengzhou, Henan, China","institution_ids":["https://openalex.org/I169689159"]}]},{"author_position":"last","author":{"id":null,"display_name":"Shengli Liu","orcid":"https://orcid.org/0009-0007-0603-4200"},"institutions":[{"id":"https://openalex.org/I169689159","display_name":"PLA Information Engineering University","ror":"https://ror.org/00mm1qk40","country_code":"CN","type":"education","lineage":["https://openalex.org/I169689159"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Shengli Liu","raw_affiliation_strings":["Information Engineering University, Zhengzhou, China","Information Engineering University, Zhengzhou, Henan, China"],"raw_orcid":"https://orcid.org/0009-0007-0603-4200","affiliations":[{"raw_affiliation_string":"Information Engineering University, Zhengzhou, China","institution_ids":["https://openalex.org/I169689159"]},{"raw_affiliation_string":"Information Engineering University, Zhengzhou, Henan, China","institution_ids":["https://openalex.org/I169689159"]}]}],"institutions":[],"countries_distinct_count":1,"institutions_distinct_count":9,"corresponding_author_ids":["https://openalex.org/A5101458075"],"corresponding_institution_ids":["https://openalex.org/I169689159"],"apc_list":null,"apc_paid":null,"fwci":0.0,"has_fulltext":false,"cited_by_count":0,"citation_normalized_percentile":{"value":0.32616598,"is_in_top_1_percent":false,"is_in_top_10_percent":false},"cited_by_percentile_year":null,"biblio":{"volume":"23","issue":"1","first_page":"1576","last_page":"1591"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T11241","display_name":"Advanced Malware Detection Techniques","score":0.9871000051498413,"subfield":{"id":"https://openalex.org/subfields/1711","display_name":"Signal Processing"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T11241","display_name":"Advanced Malware Detection Techniques","score":0.9871000051498413,"subfield":{"id":"https://openalex.org/subfields/1711","display_name":"Signal Processing"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T10400","display_name":"Network Security and Intrusion Detection","score":0.9614999890327454,"subfield":{"id":"https://openalex.org/subfields/1705","display_name":"Computer Networks and Communications"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11424","display_name":"Security and Verification in Computing","score":0.9261000156402588,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/firmware","display_name":"Firmware","score":0.8963000178337097},{"id":"https://openalex.org/keywords/leverage","display_name":"Leverage (statistics)","score":0.5954999923706055},{"id":"https://openalex.org/keywords/crfs","display_name":"CRFS","score":0.4821999967098236},{"id":"https://openalex.org/keywords/vulnerability","display_name":"Vulnerability (computing)","score":0.4584999978542328},{"id":"https://openalex.org/keywords/key","display_name":"Key (lock)","score":0.42480000853538513},{"id":"https://openalex.org/keywords/security-analysis","display_name":"Security analysis","score":0.4122999906539917},{"id":"https://openalex.org/keywords/identification","display_name":"Identification (biology)","score":0.3935999870300293}],"concepts":[{"id":"https://openalex.org/C67212190","wikidata":"https://www.wikidata.org/wiki/Q104851","display_name":"Firmware","level":2,"score":0.8963000178337097},{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.8468000292778015},{"id":"https://openalex.org/C153083717","wikidata":"https://www.wikidata.org/wiki/Q6535263","display_name":"Leverage (statistics)","level":2,"score":0.5954999923706055},{"id":"https://openalex.org/C2775953691","wikidata":"https://www.wikidata.org/wiki/Q5013874","display_name":"CRFS","level":3,"score":0.4821999967098236},{"id":"https://openalex.org/C149635348","wikidata":"https://www.wikidata.org/wiki/Q193040","display_name":"Embedded system","level":1,"score":0.4657999873161316},{"id":"https://openalex.org/C95713431","wikidata":"https://www.wikidata.org/wiki/Q631425","display_name":"Vulnerability (computing)","level":2,"score":0.4584999978542328},{"id":"https://openalex.org/C26517878","wikidata":"https://www.wikidata.org/wiki/Q228039","display_name":"Key (lock)","level":2,"score":0.42480000853538513},{"id":"https://openalex.org/C38369872","wikidata":"https://www.wikidata.org/wiki/Q7445009","display_name":"Security analysis","level":2,"score":0.4122999906539917},{"id":"https://openalex.org/C116834253","wikidata":"https://www.wikidata.org/wiki/Q2039217","display_name":"Identification (biology)","level":2,"score":0.3935999870300293},{"id":"https://openalex.org/C79403827","wikidata":"https://www.wikidata.org/wiki/Q3988","display_name":"Real-time computing","level":1,"score":0.36970001459121704},{"id":"https://openalex.org/C111919701","wikidata":"https://www.wikidata.org/wiki/Q9135","display_name":"Operating system","level":1,"score":0.36559998989105225},{"id":"https://openalex.org/C93996380","wikidata":"https://www.wikidata.org/wiki/Q44127","display_name":"Server","level":2,"score":0.3452000021934509},{"id":"https://openalex.org/C2777904410","wikidata":"https://www.wikidata.org/wiki/Q7397","display_name":"Software","level":2,"score":0.328900009393692},{"id":"https://openalex.org/C124101348","wikidata":"https://www.wikidata.org/wiki/Q172491","display_name":"Data mining","level":1,"score":0.3287000060081482},{"id":"https://openalex.org/C168065819","wikidata":"https://www.wikidata.org/wiki/Q845566","display_name":"Debugging","level":2,"score":0.2978000044822693},{"id":"https://openalex.org/C31395832","wikidata":"https://www.wikidata.org/wiki/Q1318674","display_name":"Testbed","level":2,"score":0.2816999852657318},{"id":"https://openalex.org/C63116202","wikidata":"https://www.wikidata.org/wiki/Q7676227","display_name":"Taint checking","level":3,"score":0.27720001339912415},{"id":"https://openalex.org/C22680326","wikidata":"https://www.wikidata.org/wiki/Q7444867","display_name":"Secure coding","level":5,"score":0.2745000123977661},{"id":"https://openalex.org/C170130773","wikidata":"https://www.wikidata.org/wiki/Q216378","display_name":"Usability","level":2,"score":0.2572000026702881}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.1109/tdsc.2025.3619200","is_oa":false,"landing_page_url":"https://doi.org/10.1109/tdsc.2025.3619200","pdf_url":null,"source":{"id":"https://openalex.org/S133795288","display_name":"IEEE Transactions on Dependable and Secure Computing","issn_l":"1545-5971","issn":["1545-5971","1941-0018","2160-9209"],"is_oa":false,"is_in_doaj":false,"is_core":true,"host_organization":"https://openalex.org/P4310320439","host_organization_name":"IEEE Computer Society","host_organization_lineage":["https://openalex.org/P4310320439","https://openalex.org/P4310319808"],"host_organization_lineage_names":["IEEE Computer Society","Institute of Electrical and Electronics Engineers"],"type":"journal"},"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"IEEE Transactions on Dependable and Secure Computing","raw_type":"journal-article"}],"best_oa_location":null,"sustainable_development_goals":[],"awards":[],"funders":[],"has_content":{"grobid_xml":false,"pdf":false},"content_urls":null,"referenced_works_count":22,"referenced_works":["https://openalex.org/W1563577331","https://openalex.org/W1970005004","https://openalex.org/W1992114977","https://openalex.org/W2043118292","https://openalex.org/W2117353399","https://openalex.org/W2159059513","https://openalex.org/W2166743230","https://openalex.org/W2514974017","https://openalex.org/W2576376563","https://openalex.org/W2782780792","https://openalex.org/W2791018263","https://openalex.org/W2882992559","https://openalex.org/W2963723316","https://openalex.org/W2986938475","https://openalex.org/W3015383024","https://openalex.org/W3111743984","https://openalex.org/W3153698034","https://openalex.org/W4210759690","https://openalex.org/W4251638477","https://openalex.org/W4308462374","https://openalex.org/W4384155508","https://openalex.org/W4391623949"],"related_works":[],"abstract_inverted_index":{"The":[0],"discovery":[1],"of":[2,124,131,168,187,210,229,240,244],"vulnerabilities":[3,61,72,197],"in":[4,58,74,184,232,242,248],"embedded":[5,250],"firmware":[6,60,138,251],"has":[7],"received":[8],"significant":[9],"attention":[10],"from":[11,21,146],"security":[12],"researchers.":[13],"However,":[14],"current":[15],"vulnerability":[16],"detection":[17,28],"methods":[18,154,231],"still":[19],"suffer":[20],"false":[22],"negatives":[23],"and":[24,30,45,78,100,119,143,157,193,200,246],"inefficiency,":[25],"which":[26,169],"limit":[27],"effectiveness":[29,130,228,245],"require":[31],"substantial":[32],"analysis":[33,48,118,183],"time.":[34],"To":[35,127],"alleviate":[36],"the":[37,56,109,121,129,188,208,227,238],"above":[38],"problems,":[39],"we":[40,92,114,133,219],"propose":[41],"a":[42,94],"bidirectional":[43],"path":[44],"data":[46,104],"flow":[47,105],"method,":[49],"named":[50],"BPDA,":[51,132],"that":[52,179,198],"effectively":[53],"compensates":[54],"for":[55],"limitations":[57],"detecting":[59,249],"at":[62],"nonstandard":[63,75],"sink":[64,97],"points.":[65],"Our":[66],"key":[67],"insight":[68],"is":[69],"that,":[70,113],"some":[71],"arise":[73],"library":[76],"sinks,":[77],"not":[79,203],"all":[80],"user":[81],"inputs":[82],"can":[83],"reach":[84],"each":[85],"corresponding":[86],"sink.":[87],"Guided":[88],"by":[89,174,191],"these":[90],"insights,":[91],"design":[93],"more":[95],"comprehensive":[96],"identification":[98],"algorithm":[99],"leverage":[101],"accurate":[102],"backward":[103],"tracking":[106],"to":[107,213,225],"eliminate":[108],"non-vulnerable":[110],"paths.":[111],"After":[112],"execute":[115],"forward":[116],"taint":[117,233],"generate":[120],"final":[122],"Proof":[123],"Concepts":[125],"(PoCs).":[126],"evaluate":[128],"evaluated":[134],"it":[135,151],"on":[136],"84":[137],"samples":[139],"(including":[140],"both":[141],"Linux":[142],"VxWorks":[144],"firmware)":[145],"8":[147],"major":[148],"brands,":[149],"comparing":[150],"with":[152],"state-of-the-art":[153],"(i.e.,":[155],"SaTC":[156,199],"Mango).":[158],"BPDA":[159,180,241],"discovered":[160],"163":[161],"real":[162],"vulnerabilities,":[163,167],"including":[164],"34":[165],"0-day":[166],"32":[170],"have":[171],"been":[172],"confirmed":[173],"CVE/CNVD.":[175],"Besides,":[176],"results":[177,236],"show":[178],"completed":[181],"its":[182],"just":[185],"6%":[186],"time":[189],"required":[190],"SaTC,":[192],"remarkably":[194],"identified":[195],"21":[196],"Mango":[201,211],"had":[202],"detected.":[204],"It":[205],"also":[206,220],"resolved":[207],"issue":[209],"failing":[212],"analyze":[214],"specific":[215],"firmware.":[216],"In":[217],"addition,":[218],"performed":[221],"an":[222],"ablation":[223],"study":[224],"verify":[226],"optimization":[230],"analysis.":[234],"These":[235],"demonstrate":[237],"superiority":[239],"terms":[243],"efficiency":[247],"vulnerabilities.":[252]},"counts_by_year":[],"updated_date":"2026-01-19T04:01:09.351973","created_date":"2025-10-10T00:00:00"}