{"id":"https://openalex.org/W7084751649","doi":"https://doi.org/10.1109/tse.2025.3615642","title":"Enhancing Real-Time Operating System Security Analysis via Slice-Based Fuzzing","display_name":"Enhancing Real-Time Operating System Security Analysis via Slice-Based Fuzzing","publication_year":2025,"publication_date":"2025-10-06","ids":{"openalex":"https://openalex.org/W7084751649","doi":"https://doi.org/10.1109/tse.2025.3615642"},"language":"en","primary_location":{"id":"doi:10.1109/tse.2025.3615642","is_oa":false,"landing_page_url":"https://doi.org/10.1109/tse.2025.3615642","pdf_url":null,"source":{"id":"https://openalex.org/S8351582","display_name":"IEEE Transactions on Software Engineering","issn_l":"0098-5589","issn":["0098-5589","1939-3520","2326-3881"],"is_oa":false,"is_in_doaj":false,"is_core":true,"host_organization":"https://openalex.org/P4310320439","host_organization_name":"IEEE Computer Society","host_organization_lineage":["https://openalex.org/P4310320439","https://openalex.org/P4310319808"],"host_organization_lineage_names":["IEEE Computer Society","Institute of Electrical and Electronics Engineers"],"type":"journal"},"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"IEEE Transactions on Software Engineering","raw_type":"journal-article"},"type":"article","indexed_in":["crossref"],"open_access":{"is_oa":false,"oa_status":"closed","oa_url":null,"any_repository_has_fulltext":false},"authorships":[{"author_position":"first","author":{"id":null,"display_name":"Jialu Li","orcid":"https://orcid.org/0009-0006-7652-1947"},"institutions":[{"id":"https://openalex.org/I183067930","display_name":"Shanghai Jiao Tong University","ror":"https://ror.org/0220qvk04","country_code":"CN","type":"education","lineage":["https://openalex.org/I183067930"]}],"countries":["CN"],"is_corresponding":true,"raw_author_name":"Jialu Li","raw_affiliation_strings":["School of Computer Science, Shanghai Jiao Tong University, Shanghai, China"],"affiliations":[{"raw_affiliation_string":"School of Computer Science, Shanghai Jiao Tong University, Shanghai, China","institution_ids":["https://openalex.org/I183067930"]}]},{"author_position":"middle","author":{"id":null,"display_name":"Haoyu Li","orcid":"https://orcid.org/0000-0003-0084-1718"},"institutions":[{"id":"https://openalex.org/I183067930","display_name":"Shanghai Jiao Tong University","ror":"https://ror.org/0220qvk04","country_code":"CN","type":"education","lineage":["https://openalex.org/I183067930"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Haoyu Li","raw_affiliation_strings":["School of Computer Science, Shanghai Jiao Tong University, Shanghai, China"],"affiliations":[{"raw_affiliation_string":"School of Computer Science, Shanghai Jiao Tong University, Shanghai, China","institution_ids":["https://openalex.org/I183067930"]}]},{"author_position":"middle","author":{"id":null,"display_name":"Yuchong Xie","orcid":"https://orcid.org/0009-0008-0436-8183"},"institutions":[{"id":"https://openalex.org/I200769079","display_name":"Hong Kong University of Science and Technology","ror":"https://ror.org/00q4vv597","country_code":"HK","type":"education","lineage":["https://openalex.org/I200769079"]}],"countries":["HK"],"is_corresponding":false,"raw_author_name":"Yuchong Xie","raw_affiliation_strings":["Hong Kong University of Science and Technology, Hong Kong, China"],"affiliations":[{"raw_affiliation_string":"Hong Kong University of Science and Technology, Hong Kong, China","institution_ids":["https://openalex.org/I200769079"]}]},{"author_position":"middle","author":{"id":null,"display_name":"Yanhao Wang","orcid":"https://orcid.org/0000-0002-6990-2972"},"institutions":[{"id":"https://openalex.org/I183067930","display_name":"Shanghai Jiao Tong University","ror":"https://ror.org/0220qvk04","country_code":"CN","type":"education","lineage":["https://openalex.org/I183067930"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Yanhao Wang","raw_affiliation_strings":["School of Computer Science, Shanghai Jiao Tong University, Shanghai, China"],"affiliations":[{"raw_affiliation_string":"School of Computer Science, Shanghai Jiao Tong University, Shanghai, China","institution_ids":["https://openalex.org/I183067930"]}]},{"author_position":"middle","author":{"id":null,"display_name":"Qinsheng Hou","orcid":"https://orcid.org/0000-0002-1119-4766"},"institutions":[{"id":"https://openalex.org/I183067930","display_name":"Shanghai Jiao Tong University","ror":"https://ror.org/0220qvk04","country_code":"CN","type":"education","lineage":["https://openalex.org/I183067930"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Qinsheng Hou","raw_affiliation_strings":["School of Computer Science, Shanghai Jiao Tong University, Shanghai, China"],"affiliations":[{"raw_affiliation_string":"School of Computer Science, Shanghai Jiao Tong University, Shanghai, China","institution_ids":["https://openalex.org/I183067930"]}]},{"author_position":"middle","author":{"id":null,"display_name":"Libo Chen","orcid":"https://orcid.org/0000-0003-3236-4805"},"institutions":[{"id":"https://openalex.org/I183067930","display_name":"Shanghai Jiao Tong University","ror":"https://ror.org/0220qvk04","country_code":"CN","type":"education","lineage":["https://openalex.org/I183067930"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Libo Chen","raw_affiliation_strings":["School of Computer Science, Shanghai Jiao Tong University, Shanghai, China"],"affiliations":[{"raw_affiliation_string":"School of Computer Science, Shanghai Jiao Tong University, Shanghai, China","institution_ids":["https://openalex.org/I183067930"]}]},{"author_position":"middle","author":{"id":null,"display_name":"Bo Zhang","orcid":"https://orcid.org/0000-0002-6975-9184"},"institutions":[{"id":"https://openalex.org/I153473198","display_name":"North China Electric Power University","ror":"https://ror.org/04qr5t414","country_code":"CN","type":"education","lineage":["https://openalex.org/I153473198"]},{"id":"https://openalex.org/I4392738113","display_name":"China Electric Power Research Institute","ror":"https://ror.org/05ehpzy81","country_code":null,"type":"facility","lineage":["https://openalex.org/I17442442","https://openalex.org/I4392738113"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Bo Zhang","raw_affiliation_strings":["China Electric Power Research Institute, Beijing, China"],"affiliations":[{"raw_affiliation_string":"China Electric Power Research Institute, Beijing, China","institution_ids":["https://openalex.org/I153473198","https://openalex.org/I4392738113"]}]},{"author_position":"middle","author":{"id":null,"display_name":"Shenghong Li","orcid":"https://orcid.org/0000-0002-0767-2307"},"institutions":[{"id":"https://openalex.org/I183067930","display_name":"Shanghai Jiao Tong University","ror":"https://ror.org/0220qvk04","country_code":"CN","type":"education","lineage":["https://openalex.org/I183067930"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Shenghong Li","raw_affiliation_strings":["School of Computer Science, Shanghai Jiao Tong University, Shanghai, China"],"affiliations":[{"raw_affiliation_string":"School of Computer Science, Shanghai Jiao Tong University, Shanghai, China","institution_ids":["https://openalex.org/I183067930"]}]},{"author_position":"last","author":{"id":null,"display_name":"Zhi Xue","orcid":"https://orcid.org/0000-0003-2875-304X"},"institutions":[{"id":"https://openalex.org/I183067930","display_name":"Shanghai Jiao Tong University","ror":"https://ror.org/0220qvk04","country_code":"CN","type":"education","lineage":["https://openalex.org/I183067930"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Zhi Xue","raw_affiliation_strings":["School of Computer Science, Shanghai Jiao Tong University, Shanghai, China"],"affiliations":[{"raw_affiliation_string":"School of Computer Science, Shanghai Jiao Tong University, Shanghai, China","institution_ids":["https://openalex.org/I183067930"]}]}],"institutions":[],"countries_distinct_count":2,"institutions_distinct_count":9,"corresponding_author_ids":[],"corresponding_institution_ids":["https://openalex.org/I183067930"],"apc_list":null,"apc_paid":null,"fwci":0.0,"has_fulltext":false,"cited_by_count":0,"citation_normalized_percentile":{"value":0.53606812,"is_in_top_1_percent":false,"is_in_top_10_percent":false},"cited_by_percentile_year":null,"biblio":{"volume":"51","issue":"12","first_page":"3467","last_page":"3485"},"is_retracted":false,"is_paratext":false,"is_xpac":true,"primary_topic":{"id":"https://openalex.org/T10952","display_name":"PI3K/AKT/mTOR signaling in cancer","score":0.23199999332427979,"subfield":{"id":"https://openalex.org/subfields/1312","display_name":"Molecular Biology"},"field":{"id":"https://openalex.org/fields/13","display_name":"Biochemistry, Genetics and Molecular Biology"},"domain":{"id":"https://openalex.org/domains/1","display_name":"Life Sciences"}},"topics":[{"id":"https://openalex.org/T10952","display_name":"PI3K/AKT/mTOR signaling in cancer","score":0.23199999332427979,"subfield":{"id":"https://openalex.org/subfields/1312","display_name":"Molecular Biology"},"field":{"id":"https://openalex.org/fields/13","display_name":"Biochemistry, Genetics and Molecular Biology"},"domain":{"id":"https://openalex.org/domains/1","display_name":"Life Sciences"}},{"id":"https://openalex.org/T11503","display_name":"Cytokine Signaling Pathways and Interactions","score":0.11469999700784683,"subfield":{"id":"https://openalex.org/subfields/2730","display_name":"Oncology"},"field":{"id":"https://openalex.org/fields/27","display_name":"Medicine"},"domain":{"id":"https://openalex.org/domains/4","display_name":"Health Sciences"}},{"id":"https://openalex.org/T11533","display_name":"Melanoma and MAPK Pathways","score":0.0272000003606081,"subfield":{"id":"https://openalex.org/subfields/1312","display_name":"Molecular Biology"},"field":{"id":"https://openalex.org/fields/13","display_name":"Biochemistry, Genetics and Molecular Biology"},"domain":{"id":"https://openalex.org/domains/1","display_name":"Life Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/fuzz-testing","display_name":"Fuzz testing","score":0.8130999803543091},{"id":"https://openalex.org/keywords/real-time-operating-system","display_name":"Real-time operating system","score":0.5587999820709229},{"id":"https://openalex.org/keywords/call-graph","display_name":"Call graph","score":0.5375999808311462},{"id":"https://openalex.org/keywords/debugging","display_name":"Debugging","score":0.5284000039100647},{"id":"https://openalex.org/keywords/slicing","display_name":"Slicing","score":0.4503999948501587},{"id":"https://openalex.org/keywords/source-code","display_name":"Source code","score":0.42399999499320984},{"id":"https://openalex.org/keywords/program-slicing","display_name":"Program slicing","score":0.4185999929904938},{"id":"https://openalex.org/keywords/static-analysis","display_name":"Static analysis","score":0.40639999508857727},{"id":"https://openalex.org/keywords/taint-checking","display_name":"Taint checking","score":0.39489999413490295}],"concepts":[{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.8695999979972839},{"id":"https://openalex.org/C111065885","wikidata":"https://www.wikidata.org/wiki/Q1189053","display_name":"Fuzz testing","level":3,"score":0.8130999803543091},{"id":"https://openalex.org/C28472234","wikidata":"https://www.wikidata.org/wiki/Q213666","display_name":"Real-time operating system","level":2,"score":0.5587999820709229},{"id":"https://openalex.org/C102379954","wikidata":"https://www.wikidata.org/wiki/Q2589940","display_name":"Call graph","level":2,"score":0.5375999808311462},{"id":"https://openalex.org/C168065819","wikidata":"https://www.wikidata.org/wiki/Q845566","display_name":"Debugging","level":2,"score":0.5284000039100647},{"id":"https://openalex.org/C111919701","wikidata":"https://www.wikidata.org/wiki/Q9135","display_name":"Operating system","level":1,"score":0.527999997138977},{"id":"https://openalex.org/C149635348","wikidata":"https://www.wikidata.org/wiki/Q193040","display_name":"Embedded system","level":1,"score":0.49470001459121704},{"id":"https://openalex.org/C2776190703","wikidata":"https://www.wikidata.org/wiki/Q488148","display_name":"Slicing","level":2,"score":0.4503999948501587},{"id":"https://openalex.org/C43126263","wikidata":"https://www.wikidata.org/wiki/Q128751","display_name":"Source code","level":2,"score":0.42399999499320984},{"id":"https://openalex.org/C91071405","wikidata":"https://www.wikidata.org/wiki/Q1413145","display_name":"Program slicing","level":3,"score":0.4185999929904938},{"id":"https://openalex.org/C97686452","wikidata":"https://www.wikidata.org/wiki/Q7604153","display_name":"Static analysis","level":2,"score":0.40639999508857727},{"id":"https://openalex.org/C63116202","wikidata":"https://www.wikidata.org/wiki/Q7676227","display_name":"Taint checking","level":3,"score":0.39489999413490295},{"id":"https://openalex.org/C2779343474","wikidata":"https://www.wikidata.org/wiki/Q3109175","display_name":"Context (archaeology)","level":2,"score":0.3765999972820282},{"id":"https://openalex.org/C27458966","wikidata":"https://www.wikidata.org/wiki/Q1187693","display_name":"Control flow graph","level":2,"score":0.3553999960422516},{"id":"https://openalex.org/C2776760102","wikidata":"https://www.wikidata.org/wiki/Q5139990","display_name":"Code (set theory)","level":3,"score":0.34279999136924744},{"id":"https://openalex.org/C98183937","wikidata":"https://www.wikidata.org/wiki/Q2112188","display_name":"Program analysis","level":2,"score":0.3425999879837036},{"id":"https://openalex.org/C53833338","wikidata":"https://www.wikidata.org/wiki/Q1061424","display_name":"Context switch","level":2,"score":0.33799999952316284},{"id":"https://openalex.org/C2780940931","wikidata":"https://www.wikidata.org/wiki/Q174989","display_name":"File system","level":2,"score":0.33340001106262207},{"id":"https://openalex.org/C132525143","wikidata":"https://www.wikidata.org/wiki/Q141488","display_name":"Graph","level":2,"score":0.31790000200271606},{"id":"https://openalex.org/C154908896","wikidata":"https://www.wikidata.org/wiki/Q2167404","display_name":"Security policy","level":2,"score":0.31130000948905945},{"id":"https://openalex.org/C2780870223","wikidata":"https://www.wikidata.org/wiki/Q1004415","display_name":"Runtime system","level":2,"score":0.31040000915527344},{"id":"https://openalex.org/C2778012447","wikidata":"https://www.wikidata.org/wiki/Q1034415","display_name":"Scope (computer science)","level":2,"score":0.3052999973297119},{"id":"https://openalex.org/C2776576444","wikidata":"https://www.wikidata.org/wiki/Q303569","display_name":"Attack surface","level":2,"score":0.27489998936653137},{"id":"https://openalex.org/C62913178","wikidata":"https://www.wikidata.org/wiki/Q7554361","display_name":"Software security assurance","level":4,"score":0.2736000120639801},{"id":"https://openalex.org/C35939892","wikidata":"https://www.wikidata.org/wiki/Q1139923","display_name":"Embedded operating system","level":3,"score":0.2728999853134155},{"id":"https://openalex.org/C139968098","wikidata":"https://www.wikidata.org/wiki/Q3055454","display_name":"Development environment","level":2,"score":0.2535000145435333}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.1109/tse.2025.3615642","is_oa":false,"landing_page_url":"https://doi.org/10.1109/tse.2025.3615642","pdf_url":null,"source":{"id":"https://openalex.org/S8351582","display_name":"IEEE Transactions on Software Engineering","issn_l":"0098-5589","issn":["0098-5589","1939-3520","2326-3881"],"is_oa":false,"is_in_doaj":false,"is_core":true,"host_organization":"https://openalex.org/P4310320439","host_organization_name":"IEEE Computer Society","host_organization_lineage":["https://openalex.org/P4310320439","https://openalex.org/P4310319808"],"host_organization_lineage_names":["IEEE Computer Society","Institute of Electrical and Electronics Engineers"],"type":"journal"},"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"IEEE Transactions on Software Engineering","raw_type":"journal-article"}],"best_oa_location":null,"sustainable_development_goals":[],"awards":[],"funders":[],"has_content":{"grobid_xml":false,"pdf":false},"content_urls":null,"referenced_works_count":31,"referenced_works":["https://openalex.org/W1497028280","https://openalex.org/W2071067812","https://openalex.org/W2171469152","https://openalex.org/W2514974017","https://openalex.org/W2571682498","https://openalex.org/W2574017551","https://openalex.org/W2576376563","https://openalex.org/W2577540292","https://openalex.org/W2580207986","https://openalex.org/W2664781091","https://openalex.org/W2765363641","https://openalex.org/W2766540688","https://openalex.org/W2794073659","https://openalex.org/W2795192879","https://openalex.org/W2891235722","https://openalex.org/W2989837574","https://openalex.org/W3000692790","https://openalex.org/W3008477014","https://openalex.org/W3015383024","https://openalex.org/W3108723500","https://openalex.org/W3111743984","https://openalex.org/W4244413641","https://openalex.org/W4308462374","https://openalex.org/W4388483003","https://openalex.org/W4391579662","https://openalex.org/W4394688545","https://openalex.org/W4405182819","https://openalex.org/W4406102731","https://openalex.org/W4410774465","https://openalex.org/W4411523030","https://openalex.org/W4413186951"],"related_works":[],"abstract_inverted_index":{"Real-Time":[0],"Operating":[1],"System":[2],"(RTOS)":[3],"has":[4,31],"become":[5],"the":[6,47,59,64,82,98,128,176,182,197,210,221,228,231,235,270,304],"main":[7],"category":[8],"of":[9,29,50,66,78,85,185,230,288],"embedded":[10],"systems.":[11],"It":[12],"is":[13,272],"widely":[14],"used":[15],"to":[16,58,63,74,121,174,209,217,226,233,256],"support":[17],"tasks":[18,89,132],"requiring":[19],"real-time":[20],"response":[21],"such":[22,204],"as":[23,35,205],"printers":[24],"and":[25,90,102,137,162,180,193,253,258,263,286],"switches.":[26],"The":[27],"security":[28,67,123],"RTOS":[30,54,86,131,284],"been":[32,291],"long":[33],"overlooked":[34],"it":[36,170,191,224,241],"was":[37],"running":[38],"in":[39,125,269],"special":[40],"environments":[41],"isolated":[42],"from":[43,160,166],"attackers.":[44],"However,":[45],"with":[46,158],"rapid":[48],"development":[49],"IoT":[51],"devices,":[52],"tremendous":[53],"devices":[55,70],"are":[56,71,133],"connected":[57],"public":[60],"network.":[61],"Due":[62],"lack":[65],"mechanisms,":[68],"these":[69,167,246],"extremely":[72],"vulnerable":[73],"a":[75,93,116,266,273],"wide":[76],"spectrum":[77],"attacks.":[79],"Even":[80],"worse,":[81],"monolithic":[83],"design":[84],"combines":[87],"various":[88],"services":[91],"into":[92],"single":[94],"binary,":[95],"which":[96],"hinders":[97],"current":[99],"program":[100],"testing":[101,311],"analysis":[103],"techniques":[104],"working":[105],"on":[106,245,282,310],"RTOS.":[107,126,312],"<p":[108],"xmlns:mml=\"http://www.w3.org/1998/Math/MathML\"":[109],"xmlns:xlink=\"http://www.w3.org/1999/xlink\">In":[110],"this":[111],"paper,":[112],"we":[113],"propose":[114],"SFUZZ++,":[115],"novel":[117],"slice-based":[118],"fuzzer":[119,271],"designed":[120],"detect":[122],"vulnerabilities":[124],"Leveraging":[127],"insight":[129],"that":[130,154,200,301],"typically":[134],"independent,":[135],"single-purpose,":[136],"deterministic,":[138],"SFUZZ++":[139,148,250,276,302],"extracts":[140],"task-specific":[141],"code":[142,247],"slices":[143,232],"for":[144],"targeted":[145],"testing.":[146],"Specifically,":[147],"first":[149],"identifies":[150],"external":[151],"input":[152,212],"points":[153,187],"manage":[155],"user":[156,211],"input,":[157],"assistance":[159],"LLMs,":[161],"constructs":[163],"call":[164,178,206],"graphs":[165],"points.":[168,219],"Then,":[169],"leverages":[171,251],"forward":[172,252],"slicing":[173,255],"build":[175],"sensitive":[177],"graph":[179],"prune":[181],"paths":[183],"independent":[184],"sink":[186,218],"(e.g.,":[188,308],"memcpy).":[189],"Further,":[190],"detects":[192],"handles":[194],"roadblocks":[195],"within":[196],"coarse-grain":[198],"scope":[199],"hinder":[201],"effective":[202],"fuzzing,":[203],"sites":[207],"unrelated":[208,216],"or":[213,294],"conditional":[214],"branches":[215],"At":[220],"same":[222],"time,":[223],"attempts":[225],"restore":[227],"context":[229],"recreate":[234],"actual":[236],"runtime":[237],"state.":[238],"And":[239],"then,":[240],"conducts":[242],"coverage-guided":[243],"fuzzing":[244],"snippets.":[248],"Finally,":[249],"backward":[254],"track":[257],"verify":[259],"each":[260],"path":[261],"constraint":[262],"determine":[264],"whether":[265],"bug":[267],"discovered":[268,278],"real":[274],"vulnerability.":[275],"successfully":[277],"82":[279],"zero-day":[280],"bugs":[281],"35":[283],"samples,":[285],"78":[287],"them":[289],"have":[290],"assigned":[292],"CVE":[293],"CNVD":[295],"IDs.":[296],"Our":[297],"empirical":[298],"evaluation":[299],"shows":[300],"outperforms":[303],"state-of-":[305],"the-art":[306],"tools":[307],"UnicornAFL)":[309]},"counts_by_year":[],"updated_date":"2026-03-27T05:58:40.876381","created_date":"2025-10-10T00:00:00"}