{"id":"https://openalex.org/W4415049180","doi":"https://doi.org/10.1109/tifs.2025.3620120","title":"CGIFuzz: Enabling Gray-Box Fuzzing for Web CGI of IoT Devices","display_name":"CGIFuzz: Enabling Gray-Box Fuzzing for Web CGI of IoT Devices","publication_year":2025,"publication_date":"2025-01-01","ids":{"openalex":"https://openalex.org/W4415049180","doi":"https://doi.org/10.1109/tifs.2025.3620120"},"language":"en","primary_location":{"id":"doi:10.1109/tifs.2025.3620120","is_oa":false,"landing_page_url":"https://doi.org/10.1109/tifs.2025.3620120","pdf_url":null,"source":{"id":"https://openalex.org/S61310614","display_name":"IEEE Transactions on Information Forensics and Security","issn_l":"1556-6013","issn":["1556-6013","1556-6021"],"is_oa":false,"is_in_doaj":false,"is_core":true,"host_organization":"https://openalex.org/P4310319808","host_organization_name":"Institute of Electrical and Electronics Engineers","host_organization_lineage":["https://openalex.org/P4310319808"],"host_organization_lineage_names":["Institute of Electrical and Electronics Engineers"],"type":"journal"},"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"IEEE Transactions on Information Forensics and Security","raw_type":"journal-article"},"type":"article","indexed_in":["crossref"],"open_access":{"is_oa":false,"oa_status":"closed","oa_url":null,"any_repository_has_fulltext":false},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5006498772","display_name":"Cheng Shi","orcid":null},"institutions":[{"id":"https://openalex.org/I76130692","display_name":"Zhejiang University","ror":"https://ror.org/00a2xv884","country_code":"CN","type":"education","lineage":["https://openalex.org/I76130692"]}],"countries":["CN"],"is_corresponding":true,"raw_author_name":"Cheng Shi","raw_affiliation_strings":["Zhejiang University, Hangzhou, China"],"affiliations":[{"raw_affiliation_string":"Zhejiang University, Hangzhou, China","institution_ids":["https://openalex.org/I76130692"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5058013874","display_name":"Jiongchi Yu","orcid":"https://orcid.org/0000-0002-2888-4499"},"institutions":[{"id":"https://openalex.org/I79891267","display_name":"Singapore Management University","ror":"https://ror.org/050qmg959","country_code":"SG","type":"education","lineage":["https://openalex.org/I79891267"]}],"countries":["SG"],"is_corresponding":false,"raw_author_name":"Jiongchi Yu","raw_affiliation_strings":["School of Computing and Information Systems, Singapore Management University, Singapore, Singapore"],"affiliations":[{"raw_affiliation_string":"School of Computing and Information Systems, Singapore Management University, Singapore, Singapore","institution_ids":["https://openalex.org/I79891267"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5101902155","display_name":"Ziming Zhao","orcid":"https://orcid.org/0000-0003-1455-4330"},"institutions":[{"id":"https://openalex.org/I76130692","display_name":"Zhejiang University","ror":"https://ror.org/00a2xv884","country_code":"CN","type":"education","lineage":["https://openalex.org/I76130692"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Ziming Zhao","raw_affiliation_strings":["Zhejiang University, Hangzhou, China"],"affiliations":[{"raw_affiliation_string":"Zhejiang University, Hangzhou, China","institution_ids":["https://openalex.org/I76130692"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5071604690","display_name":"Jiongyi Chen","orcid":null},"institutions":[{"id":"https://openalex.org/I170215575","display_name":"National University of Defense Technology","ror":"https://ror.org/05d2yfz11","country_code":"CN","type":"education","lineage":["https://openalex.org/I170215575"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Jiongyi Chen","raw_affiliation_strings":["National University of Defense Technology, Changsha, China"],"affiliations":[{"raw_affiliation_string":"National University of Defense Technology, Changsha, China","institution_ids":["https://openalex.org/I170215575"]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5100403380","display_name":"Fan Zhang","orcid":"https://orcid.org/0000-0001-6087-8243"},"institutions":[{"id":"https://openalex.org/I76130692","display_name":"Zhejiang University","ror":"https://ror.org/00a2xv884","country_code":"CN","type":"education","lineage":["https://openalex.org/I76130692"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Fan Zhang","raw_affiliation_strings":["Zhejiang University, Hangzhou, China"],"affiliations":[{"raw_affiliation_string":"Zhejiang University, Hangzhou, China","institution_ids":["https://openalex.org/I76130692"]}]}],"institutions":[],"countries_distinct_count":2,"institutions_distinct_count":5,"corresponding_author_ids":["https://openalex.org/A5006498772"],"corresponding_institution_ids":["https://openalex.org/I76130692"],"apc_list":null,"apc_paid":null,"fwci":0.0,"has_fulltext":false,"cited_by_count":0,"citation_normalized_percentile":{"value":0.4266144,"is_in_top_1_percent":false,"is_in_top_10_percent":false},"cited_by_percentile_year":null,"biblio":{"volume":null,"issue":null,"first_page":"1","last_page":"1"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T12799","display_name":"Mobile and Web Applications","score":0.9298999905586243,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T12799","display_name":"Mobile and Web Applications","score":0.9298999905586243,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T13382","display_name":"Robotics and Automated Systems","score":0.9222000241279602,"subfield":{"id":"https://openalex.org/subfields/2207","display_name":"Control and Systems Engineering"},"field":{"id":"https://openalex.org/fields/22","display_name":"Engineering"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/fuzz-testing","display_name":"Fuzz testing","score":0.96670001745224},{"id":"https://openalex.org/keywords/vulnerability","display_name":"Vulnerability (computing)","score":0.5600000023841858},{"id":"https://openalex.org/keywords/component","display_name":"Component (thermodynamics)","score":0.4749000072479248},{"id":"https://openalex.org/keywords/the-internet","display_name":"The Internet","score":0.4496000111103058},{"id":"https://openalex.org/keywords/taint-checking","display_name":"Taint checking","score":0.4138999879360199},{"id":"https://openalex.org/keywords/internet-of-things","display_name":"Internet of Things","score":0.4036000072956085},{"id":"https://openalex.org/keywords/interface","display_name":"Interface (matter)","score":0.3968000113964081},{"id":"https://openalex.org/keywords/cross-site-scripting","display_name":"Cross-site scripting","score":0.38999998569488525},{"id":"https://openalex.org/keywords/intrusion-detection-system","display_name":"Intrusion detection system","score":0.38359999656677246},{"id":"https://openalex.org/keywords/program-analysis","display_name":"Program analysis","score":0.3804999887943268}],"concepts":[{"id":"https://openalex.org/C111065885","wikidata":"https://www.wikidata.org/wiki/Q1189053","display_name":"Fuzz testing","level":3,"score":0.96670001745224},{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.8572999835014343},{"id":"https://openalex.org/C95713431","wikidata":"https://www.wikidata.org/wiki/Q631425","display_name":"Vulnerability (computing)","level":2,"score":0.5600000023841858},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.4871000051498413},{"id":"https://openalex.org/C168167062","wikidata":"https://www.wikidata.org/wiki/Q1117970","display_name":"Component (thermodynamics)","level":2,"score":0.4749000072479248},{"id":"https://openalex.org/C110875604","wikidata":"https://www.wikidata.org/wiki/Q75","display_name":"The Internet","level":2,"score":0.4496000111103058},{"id":"https://openalex.org/C63116202","wikidata":"https://www.wikidata.org/wiki/Q7676227","display_name":"Taint checking","level":3,"score":0.4138999879360199},{"id":"https://openalex.org/C81860439","wikidata":"https://www.wikidata.org/wiki/Q251212","display_name":"Internet of Things","level":2,"score":0.4036000072956085},{"id":"https://openalex.org/C113843644","wikidata":"https://www.wikidata.org/wiki/Q901882","display_name":"Interface (matter)","level":4,"score":0.3968000113964081},{"id":"https://openalex.org/C39569185","wikidata":"https://www.wikidata.org/wiki/Q371199","display_name":"Cross-site scripting","level":5,"score":0.38999998569488525},{"id":"https://openalex.org/C35525427","wikidata":"https://www.wikidata.org/wiki/Q745881","display_name":"Intrusion detection system","level":2,"score":0.38359999656677246},{"id":"https://openalex.org/C98183937","wikidata":"https://www.wikidata.org/wiki/Q2112188","display_name":"Program analysis","level":2,"score":0.3804999887943268},{"id":"https://openalex.org/C118643609","wikidata":"https://www.wikidata.org/wiki/Q189210","display_name":"Web application","level":2,"score":0.3702000081539154},{"id":"https://openalex.org/C93996380","wikidata":"https://www.wikidata.org/wiki/Q44127","display_name":"Server","level":2,"score":0.36959999799728394},{"id":"https://openalex.org/C2777710495","wikidata":"https://www.wikidata.org/wiki/Q5527195","display_name":"Gateway (web page)","level":2,"score":0.36059999465942383},{"id":"https://openalex.org/C118530786","wikidata":"https://www.wikidata.org/wiki/Q1134732","display_name":"Instrumentation (computer programming)","level":2,"score":0.3605000078678131},{"id":"https://openalex.org/C169485995","wikidata":"https://www.wikidata.org/wiki/Q42283","display_name":"File Transfer Protocol","level":3,"score":0.34599998593330383},{"id":"https://openalex.org/C187713609","wikidata":"https://www.wikidata.org/wiki/Q2465461","display_name":"Default gateway","level":2,"score":0.32919999957084656},{"id":"https://openalex.org/C2776576444","wikidata":"https://www.wikidata.org/wiki/Q303569","display_name":"Attack surface","level":2,"score":0.3237999975681305},{"id":"https://openalex.org/C79974875","wikidata":"https://www.wikidata.org/wiki/Q483639","display_name":"Cloud computing","level":2,"score":0.31869998574256897},{"id":"https://openalex.org/C40842320","wikidata":"https://www.wikidata.org/wiki/Q19423","display_name":"Buffer overflow","level":2,"score":0.31279999017715454},{"id":"https://openalex.org/C2776760102","wikidata":"https://www.wikidata.org/wiki/Q5139990","display_name":"Code (set theory)","level":3,"score":0.310699999332428},{"id":"https://openalex.org/C89505385","wikidata":"https://www.wikidata.org/wiki/Q47146","display_name":"User interface","level":2,"score":0.2946000099182129},{"id":"https://openalex.org/C169468491","wikidata":"https://www.wikidata.org/wiki/Q146923","display_name":"Middleware (distributed applications)","level":2,"score":0.29339998960494995},{"id":"https://openalex.org/C31258907","wikidata":"https://www.wikidata.org/wiki/Q1301371","display_name":"Computer network","level":1,"score":0.28929999470710754},{"id":"https://openalex.org/C136764020","wikidata":"https://www.wikidata.org/wiki/Q466","display_name":"World Wide Web","level":1,"score":0.2800000011920929},{"id":"https://openalex.org/C11392498","wikidata":"https://www.wikidata.org/wiki/Q11288","display_name":"Web server","level":3,"score":0.27090001106262207},{"id":"https://openalex.org/C2779585090","wikidata":"https://www.wikidata.org/wiki/Q3457762","display_name":"Resilience (materials science)","level":2,"score":0.27070000767707825},{"id":"https://openalex.org/C167063184","wikidata":"https://www.wikidata.org/wiki/Q1400839","display_name":"Vulnerability assessment","level":3,"score":0.2671000063419342},{"id":"https://openalex.org/C149635348","wikidata":"https://www.wikidata.org/wiki/Q193040","display_name":"Embedded system","level":1,"score":0.26339998841285706},{"id":"https://openalex.org/C140547941","wikidata":"https://www.wikidata.org/wiki/Q7797194","display_name":"Threat model","level":2,"score":0.26170000433921814},{"id":"https://openalex.org/C195518309","wikidata":"https://www.wikidata.org/wiki/Q13424265","display_name":"Security testing","level":5,"score":0.2533999979496002}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.1109/tifs.2025.3620120","is_oa":false,"landing_page_url":"https://doi.org/10.1109/tifs.2025.3620120","pdf_url":null,"source":{"id":"https://openalex.org/S61310614","display_name":"IEEE Transactions on Information Forensics and Security","issn_l":"1556-6013","issn":["1556-6013","1556-6021"],"is_oa":false,"is_in_doaj":false,"is_core":true,"host_organization":"https://openalex.org/P4310319808","host_organization_name":"Institute of Electrical and Electronics Engineers","host_organization_lineage":["https://openalex.org/P4310319808"],"host_organization_lineage_names":["Institute of Electrical and Electronics Engineers"],"type":"journal"},"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"IEEE Transactions on Information Forensics and Security","raw_type":"journal-article"}],"best_oa_location":null,"sustainable_development_goals":[],"awards":[],"funders":[],"has_content":{"pdf":false,"grobid_xml":false},"content_urls":null,"referenced_works_count":27,"referenced_works":["https://openalex.org/W1827330645","https://openalex.org/W1986071441","https://openalex.org/W2002934700","https://openalex.org/W2077937403","https://openalex.org/W2108303927","https://openalex.org/W2132574561","https://openalex.org/W2583874385","https://openalex.org/W2613274303","https://openalex.org/W2791018263","https://openalex.org/W2957905354","https://openalex.org/W2969468102","https://openalex.org/W2989837574","https://openalex.org/W3012111863","https://openalex.org/W3088278208","https://openalex.org/W3111743984","https://openalex.org/W4210367807","https://openalex.org/W4229077951","https://openalex.org/W4285298338","https://openalex.org/W4285358483","https://openalex.org/W4378591002","https://openalex.org/W4380926575","https://openalex.org/W4384154462","https://openalex.org/W4384948751","https://openalex.org/W4401906845","https://openalex.org/W4402264054","https://openalex.org/W4402264433","https://openalex.org/W4402443144"],"related_works":[],"abstract_inverted_index":{"Fuzz":[0],"testing":[1],"for":[2,86,112,123,171],"Internet":[3],"of":[4,13,62,98,141],"Things":[5],"(IoT)":[6],"devices":[7,17,48,147],"has":[8],"become":[9],"a":[10],"critical":[11,134],"area":[12],"research,":[14],"as":[15,42],"these":[16,47,75],"play":[18],"an":[19,43],"increasingly":[20],"vital":[21],"role":[22],"in":[23,55,89],"modern":[24],"networks":[25],"and":[26,127,152],"infrastructure.":[27],"While":[28],"significant":[29],"efforts":[30],"have":[31,65],"been":[32],"made,":[33],"the":[34,59,80,158],"Common":[35],"Gateway":[36],"Interface":[37],"(CGI)":[38],"programs":[39,64,88,100],"that":[40],"serve":[41],"important":[44],"component":[45],"within":[46],"remain":[49],"underexplored.":[50],"Despite":[51],"their":[52],"extensive":[53],"use":[54],"IoT":[56,91,146],"web":[57],"services,":[58],"specific":[60],"characteristics":[61],"CGI":[63,87,99],"posed":[66],"technical":[67],"challenges":[68],"to":[69,157],"existing":[70],"fuzzing":[71,83],"infrastructures.":[72],"To":[73],"address":[74],"gaps,":[76],"we":[77],"propose":[78],"CGIFuzz,":[79],"first":[81],"gray-box":[82],"framework":[84],"tailored":[85],"Linux-based":[90],"devices.":[92],"CGIFuzz":[93,120,142,162],"initially":[94],"enables":[95],"dynamic":[96],"instrumentation":[97],"through":[101],"<italic":[102],"xmlns:mml=\"http://www.w3.org/1998/Math/MathML\"":[103],"xmlns:xlink=\"http://www.w3.org/1999/xlink\">Relay-Pass":[104],"Instrumentation</i>,":[105],"then":[106],"leverages":[107],"Large":[108],"Language":[109],"Models":[110],"(LLM)":[111],"assisting":[113],"high-quality":[114],"fuzz":[115],"test":[116],"input":[117],"generation.":[118],"Furthermore,":[119],"devises":[121],"oracles":[122],"detecting":[124],"command":[125],"injection":[126],"memory":[128],"corruption":[129],"vulnerabilities":[130],"by":[131],"leveraging":[132],"multiple":[133],"features":[135],"during":[136],"program":[137],"execution.":[138],"Our":[139],"evaluation":[140],"on":[143],"ten":[144],"popular":[145],"demonstrates":[148],"superior":[149],"coverage":[150],"exploration":[151],"vulnerability":[153],"detection":[154],"capabilities":[155],"compared":[156],"state-of-the-art":[159],"fuzzers.":[160],"Notably,":[161],"discovered":[163],"69":[164],"vulnerabilities,":[165],"including":[166],"13":[167],"previously":[168],"unknown":[169],"ones":[170],"which":[172],"9":[173],"CVEs":[174],"were":[175],"assigned.":[176]},"counts_by_year":[],"updated_date":"2026-03-07T16:01:11.037858","created_date":"2025-10-11T00:00:00"}