{"id":"https://openalex.org/W4285490487","doi":"https://doi.org/10.1145/3533767.3534366","title":"A large-scale empirical analysis of the vulnerabilities introduced by third-party components in IoT firmware","display_name":"A large-scale empirical analysis of the vulnerabilities introduced by third-party components in IoT firmware","publication_year":2022,"publication_date":"2022-07-15","ids":{"openalex":"https://openalex.org/W4285490487","doi":"https://doi.org/10.1145/3533767.3534366"},"language":"en","primary_location":{"id":"doi:10.1145/3533767.3534366","is_oa":true,"landing_page_url":"https://doi.org/10.1145/3533767.3534366","pdf_url":"https://dl.acm.org/doi/pdf/10.1145/3533767.3534366","source":null,"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the 31st ACM SIGSOFT International Symposium on Software Testing and Analysis","raw_type":"proceedings-article"},"type":"article","indexed_in":["crossref"],"open_access":{"is_oa":true,"oa_status":"gold","oa_url":"https://dl.acm.org/doi/pdf/10.1145/3533767.3534366","any_repository_has_fulltext":null},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5103072795","display_name":"Binbin Zhao","orcid":"https://orcid.org/0000-0002-2025-1291"},"institutions":[{"id":"https://openalex.org/I130701444","display_name":"Georgia Institute of Technology","ror":"https://ror.org/01zkghx44","country_code":"US","type":"education","lineage":["https://openalex.org/I130701444"]},{"id":"https://openalex.org/I76130692","display_name":"Zhejiang University","ror":"https://ror.org/00a2xv884","country_code":"CN","type":"education","lineage":["https://openalex.org/I76130692"]}],"countries":["CN","US"],"is_corresponding":true,"raw_author_name":"Binbin Zhao","raw_affiliation_strings":["Zhejiang University, China / Georgia Institute of Technology, USA"],"affiliations":[{"raw_affiliation_string":"Zhejiang University, China / Georgia Institute of Technology, USA","institution_ids":["https://openalex.org/I130701444","https://openalex.org/I76130692"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5058611515","display_name":"Shouling Ji","orcid":"https://orcid.org/0000-0003-4268-372X"},"institutions":[{"id":"https://openalex.org/I76130692","display_name":"Zhejiang University","ror":"https://ror.org/00a2xv884","country_code":"CN","type":"education","lineage":["https://openalex.org/I76130692"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Shouling Ji","raw_affiliation_strings":["Zhejiang University, China"],"affiliations":[{"raw_affiliation_string":"Zhejiang University, China","institution_ids":["https://openalex.org/I76130692"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5100622259","display_name":"Jiacheng Xu","orcid":"https://orcid.org/0000-0002-5201-1620"},"institutions":[{"id":"https://openalex.org/I76130692","display_name":"Zhejiang University","ror":"https://ror.org/00a2xv884","country_code":"CN","type":"education","lineage":["https://openalex.org/I76130692"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Jiacheng Xu","raw_affiliation_strings":["Zhejiang University, China"],"affiliations":[{"raw_affiliation_string":"Zhejiang University, China","institution_ids":["https://openalex.org/I76130692"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5100716458","display_name":"Yuan Tian","orcid":"https://orcid.org/0000-0002-6435-564X"},"institutions":[{"id":"https://openalex.org/I51556381","display_name":"University of Virginia","ror":"https://ror.org/0153tk833","country_code":"US","type":"education","lineage":["https://openalex.org/I51556381"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Yuan Tian","raw_affiliation_strings":["University of Virginia, USA"],"affiliations":[{"raw_affiliation_string":"University of Virginia, USA","institution_ids":["https://openalex.org/I51556381"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5115010714","display_name":"Qiuyang Wei","orcid":"https://orcid.org/0000-0002-1622-213X"},"institutions":[{"id":"https://openalex.org/I76130692","display_name":"Zhejiang University","ror":"https://ror.org/00a2xv884","country_code":"CN","type":"education","lineage":["https://openalex.org/I76130692"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Qiuyang Wei","raw_affiliation_strings":["Zhejiang University, China"],"affiliations":[{"raw_affiliation_string":"Zhejiang University, China","institution_ids":["https://openalex.org/I76130692"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5071457448","display_name":"Qinying Wang","orcid":"https://orcid.org/0000-0002-0010-0592"},"institutions":[{"id":"https://openalex.org/I76130692","display_name":"Zhejiang University","ror":"https://ror.org/00a2xv884","country_code":"CN","type":"education","lineage":["https://openalex.org/I76130692"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Qinying Wang","raw_affiliation_strings":["Zhejiang University, China"],"affiliations":[{"raw_affiliation_string":"Zhejiang University, China","institution_ids":["https://openalex.org/I76130692"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5043763521","display_name":"Chenyang Lyu","orcid":"https://orcid.org/0000-0002-3403-7050"},"institutions":[{"id":"https://openalex.org/I76130692","display_name":"Zhejiang University","ror":"https://ror.org/00a2xv884","country_code":"CN","type":"education","lineage":["https://openalex.org/I76130692"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Chenyang Lyu","raw_affiliation_strings":["Zhejiang University, China"],"affiliations":[{"raw_affiliation_string":"Zhejiang University, China","institution_ids":["https://openalex.org/I76130692"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5101722406","display_name":"Xuhong Zhang","orcid":"https://orcid.org/0000-0002-8571-9780"},"institutions":[{"id":"https://openalex.org/I76130692","display_name":"Zhejiang University","ror":"https://ror.org/00a2xv884","country_code":"CN","type":"education","lineage":["https://openalex.org/I76130692"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Xuhong Zhang","raw_affiliation_strings":["Zhejiang University, China"],"affiliations":[{"raw_affiliation_string":"Zhejiang University, China","institution_ids":["https://openalex.org/I76130692"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5022316895","display_name":"Changting Lin","orcid":"https://orcid.org/0000-0002-8918-6299"},"institutions":[{"id":"https://openalex.org/I76130692","display_name":"Zhejiang University","ror":"https://ror.org/00a2xv884","country_code":"CN","type":"education","lineage":["https://openalex.org/I76130692"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Changting Lin","raw_affiliation_strings":["Zhejiang University, China"],"affiliations":[{"raw_affiliation_string":"Zhejiang University, China","institution_ids":["https://openalex.org/I76130692"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5101024367","display_name":"Jingzheng Wu","orcid":"https://orcid.org/0000-0001-5561-9829"},"institutions":[{"id":"https://openalex.org/I4210128818","display_name":"Institute of Software","ror":"https://ror.org/033dfsn42","country_code":"CN","type":"facility","lineage":["https://openalex.org/I19820366","https://openalex.org/I4210128818"]},{"id":"https://openalex.org/I19820366","display_name":"Chinese Academy of Sciences","ror":"https://ror.org/034t30j35","country_code":"CN","type":"funder","lineage":["https://openalex.org/I19820366"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Jingzheng Wu","raw_affiliation_strings":["Institute of Software at Chinese Academy of Sciences, China"],"affiliations":[{"raw_affiliation_string":"Institute of Software at Chinese Academy of Sciences, China","institution_ids":["https://openalex.org/I4210128818","https://openalex.org/I19820366"]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5033073212","display_name":"Raheem Beyah","orcid":"https://orcid.org/0000-0002-9188-3464"},"institutions":[{"id":"https://openalex.org/I130701444","display_name":"Georgia Institute of Technology","ror":"https://ror.org/01zkghx44","country_code":"US","type":"education","lineage":["https://openalex.org/I130701444"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Raheem Beyah","raw_affiliation_strings":["Georgia Institute of Technology, USA"],"affiliations":[{"raw_affiliation_string":"Georgia Institute of Technology, USA","institution_ids":["https://openalex.org/I130701444"]}]}],"institutions":[],"countries_distinct_count":2,"institutions_distinct_count":11,"corresponding_author_ids":["https://openalex.org/A5103072795"],"corresponding_institution_ids":["https://openalex.org/I130701444","https://openalex.org/I76130692"],"apc_list":null,"apc_paid":null,"fwci":6.8501,"has_fulltext":true,"cited_by_count":47,"citation_normalized_percentile":{"value":0.9779945,"is_in_top_1_percent":false,"is_in_top_10_percent":true},"cited_by_percentile_year":{"min":96,"max":100},"biblio":{"volume":null,"issue":null,"first_page":"442","last_page":"454"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T11241","display_name":"Advanced Malware Detection Techniques","score":0.9998000264167786,"subfield":{"id":"https://openalex.org/subfields/1711","display_name":"Signal Processing"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T11241","display_name":"Advanced Malware Detection Techniques","score":0.9998000264167786,"subfield":{"id":"https://openalex.org/subfields/1711","display_name":"Signal Processing"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11424","display_name":"Security and Verification in Computing","score":0.9940999746322632,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T12034","display_name":"Digital and Cyber Forensics","score":0.9926000237464905,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/firmware","display_name":"Firmware","score":0.9880931973457336},{"id":"https://openalex.org/keywords/computer-science","display_name":"Computer science","score":0.7143511772155762},{"id":"https://openalex.org/keywords/microcode","display_name":"Microcode","score":0.5567867755889893},{"id":"https://openalex.org/keywords/vulnerability","display_name":"Vulnerability (computing)","score":0.4230157136917114},{"id":"https://openalex.org/keywords/computer-security","display_name":"Computer security","score":0.4095701575279236},{"id":"https://openalex.org/keywords/embedded-system","display_name":"Embedded system","score":0.32056450843811035},{"id":"https://openalex.org/keywords/operating-system","display_name":"Operating system","score":0.2750985324382782}],"concepts":[{"id":"https://openalex.org/C67212190","wikidata":"https://www.wikidata.org/wiki/Q104851","display_name":"Firmware","level":2,"score":0.9880931973457336},{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.7143511772155762},{"id":"https://openalex.org/C22174128","wikidata":"https://www.wikidata.org/wiki/Q175869","display_name":"Microcode","level":2,"score":0.5567867755889893},{"id":"https://openalex.org/C95713431","wikidata":"https://www.wikidata.org/wiki/Q631425","display_name":"Vulnerability (computing)","level":2,"score":0.4230157136917114},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.4095701575279236},{"id":"https://openalex.org/C149635348","wikidata":"https://www.wikidata.org/wiki/Q193040","display_name":"Embedded system","level":1,"score":0.32056450843811035},{"id":"https://openalex.org/C111919701","wikidata":"https://www.wikidata.org/wiki/Q9135","display_name":"Operating system","level":1,"score":0.2750985324382782}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.1145/3533767.3534366","is_oa":true,"landing_page_url":"https://doi.org/10.1145/3533767.3534366","pdf_url":"https://dl.acm.org/doi/pdf/10.1145/3533767.3534366","source":null,"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the 31st ACM SIGSOFT International Symposium on Software Testing and Analysis","raw_type":"proceedings-article"}],"best_oa_location":{"id":"doi:10.1145/3533767.3534366","is_oa":true,"landing_page_url":"https://doi.org/10.1145/3533767.3534366","pdf_url":"https://dl.acm.org/doi/pdf/10.1145/3533767.3534366","source":null,"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the 31st ACM SIGSOFT International Symposium on Software Testing and Analysis","raw_type":"proceedings-article"},"sustainable_development_goals":[],"awards":[{"id":"https://openalex.org/G1231421488","display_name":null,"funder_award_id":"under","funder_id":"https://openalex.org/F4320321001","funder_display_name":"National Natural Science Foundation of China"},{"id":"https://openalex.org/G1317677795","display_name":null,"funder_award_id":"U1936215","funder_id":"https://openalex.org/F4320321001","funder_display_name":"National Natural Science Foundation of China"},{"id":"https://openalex.org/G2212660163","display_name":null,"funder_award_id":"62102363","funder_id":"https://openalex.org/F4320321001","funder_display_name":"National Natural Science Foundation of China"},{"id":"https://openalex.org/G2400130100","display_name":null,"funder_award_id":"LQ21F020010","funder_id":"https://openalex.org/F4320338464","funder_display_name":"Natural Science Foundation of Zhejiang Province"},{"id":"https://openalex.org/G2802911279","display_name":null,"funder_award_id":"Young","funder_id":"https://openalex.org/F4320321001","funder_display_name":"National Natural Science Foundation of China"},{"id":"https://openalex.org/G3317480652","display_name":null,"funder_award_id":"Science","funder_id":"https://openalex.org/F4320321001","funder_display_name":"National Natural Science Foundation of China"},{"id":"https://openalex.org/G37568934","display_name":null,"funder_award_id":"Grant","funder_id":"https://openalex.org/F4320321001","funder_display_name":"National Natural Science Foundation of China"},{"id":"https://openalex.org/G391238517","display_name":null,"funder_award_id":", and","funder_id":"https://openalex.org/F4320321001","funder_display_name":"National Natural Science Foundation of China"},{"id":"https://openalex.org/G5994120800","display_name":null,"funder_award_id":"Natural","funder_id":"https://openalex.org/F4320321001","funder_display_name":"National Natural Science Foundation of China"},{"id":"https://openalex.org/G6514321967","display_name":null,"funder_award_id":"U1936215","funder_id":"https://openalex.org/F4320338464","funder_display_name":"Natural Science Foundation of Zhejiang Province"},{"id":"https://openalex.org/G7407940640","display_name":null,"funder_award_id":"LR19F020003","funder_id":"https://openalex.org/F4320338464","funder_display_name":"Natural Science Foundation of Zhejiang Province"},{"id":"https://openalex.org/G760709964","display_name":null,"funder_award_id":"62102363","funder_id":"https://openalex.org/F4320338464","funder_display_name":"Natural Science Foundation of Zhejiang Province"},{"id":"https://openalex.org/G7726157001","display_name":null,"funder_award_id":"Grant No.","funder_id":"https://openalex.org/F4320321001","funder_display_name":"National Natural Science Foundation of China"},{"id":"https://openalex.org/G8951484681","display_name":null,"funder_award_id":"Grant","funder_id":"https://openalex.org/F4320335787","funder_display_name":"Fundamental Research Funds for the Central Universities"}],"funders":[{"id":"https://openalex.org/F4320321001","display_name":"National Natural Science Foundation of China","ror":"https://ror.org/01h0zpd94"},{"id":"https://openalex.org/F4320322927","display_name":"Zhejiang University","ror":"https://ror.org/00a2xv884"},{"id":"https://openalex.org/F4320335561","display_name":"Institute of Computing Technology, Chinese Academy of Sciences","ror":null},{"id":"https://openalex.org/F4320335787","display_name":"Fundamental Research Funds for the Central Universities","ror":null},{"id":"https://openalex.org/F4320338464","display_name":"Natural Science Foundation of Zhejiang Province","ror":"https://ror.org/01h0zpd94"}],"has_content":{"grobid_xml":true,"pdf":true},"content_urls":{"pdf":"https://content.openalex.org/works/W4285490487.pdf","grobid_xml":"https://content.openalex.org/works/W4285490487.grobid-xml"},"referenced_works_count":26,"referenced_works":["https://openalex.org/W1942295288","https://openalex.org/W2024671287","https://openalex.org/W2043118292","https://openalex.org/W2062978452","https://openalex.org/W2100307718","https://openalex.org/W2111619626","https://openalex.org/W2112736324","https://openalex.org/W2116286374","https://openalex.org/W2180970301","https://openalex.org/W2532717356","https://openalex.org/W2532962075","https://openalex.org/W2577142429","https://openalex.org/W2733765803","https://openalex.org/W2749008552","https://openalex.org/W2766078311","https://openalex.org/W2792247670","https://openalex.org/W2805486984","https://openalex.org/W2926178846","https://openalex.org/W2955221586","https://openalex.org/W2957010138","https://openalex.org/W3102768552","https://openalex.org/W3105926539","https://openalex.org/W3112452874","https://openalex.org/W3161799213","https://openalex.org/W4210759690","https://openalex.org/W4247950230"],"related_works":["https://openalex.org/W4220894477","https://openalex.org/W2364614178","https://openalex.org/W3204308301","https://openalex.org/W3084814329","https://openalex.org/W2007388836","https://openalex.org/W4247881240","https://openalex.org/W4287713996","https://openalex.org/W3203474640","https://openalex.org/W3042244411","https://openalex.org/W2371072962"],"abstract_inverted_index":{"As":[0],"the":[1,11,25,30,38,46,58,71,82,100,109,117,122,127,172,202,218,226],"core":[2],"of":[3,13,48,70,74,121,124,174,180,221,229],"IoT":[4,14,49],"devices,":[5,223],"firmware":[6,15,140,146,151,181,196,206,251],"is":[7,239],"undoubtedly":[8],"vital.":[9],"Currently,":[10,51],"development":[12,26],"heavily":[16],"depends":[17],"on":[18,113,138,213],"third-party":[19],"components":[20],"(TPCs),":[21],"which":[22,90],"significantly":[23],"improves":[24],"efficiency":[27],"and":[28,37,63,87,94,106,126,148,160,185,224,237],"reduces":[29],"cost.":[31],"Nevertheless,":[32],"TPCs":[33,41,101,125,159,203],"are":[34,190],"not":[35],"secure,":[36],"vulnerabilities":[39,59,129,163,189],"in":[40,81,104,130,194,205,231,243],"will":[42],"turn":[43],"back":[44],"influence":[45],"security":[47,72,175,227],"firmware.":[50,78,131],"existing":[52],"works":[53],"pay":[54],"less":[55],"attention":[56],"to":[57,98],"caused":[60,164],"by":[61,165,210],"TPCs,":[62],"we":[64,85,115,134,216],"still":[65,191],"lack":[66],"a":[67],"comprehensive":[68],"understanding":[69],"impact":[73],"TPC":[75],"vulnerability":[76],"against":[77],"To":[79],"fill":[80],"knowledge":[83],"gap,":[84],"design":[86],"implement":[88],"FirmSec,":[89,114],"leverages":[91],"syntactical":[92],"features":[93,97],"control-flow":[95],"graph":[96],"detect":[99,157],"at":[102],"version-level":[103],"firmware,":[105],"then":[107],"recognizes":[108],"corresponding":[110,128],"vulnerabilities.":[111],"Based":[112],"present":[116],"first":[118],"large-scale":[119],"analysis":[120,137,170,247],"usage":[123],"More":[132],"specifically,":[133],"perform":[135],"an":[136],"34,136":[139],"images,":[141,147],"including":[142],"11,086":[143],"publicly":[144],"accessible":[145],"23,050":[149],"private":[150],"images":[152,252],"from":[153,182],"TSmart.":[154],"We":[155,198],"successfully":[156],"584":[158],"identify":[161],"128,757":[162],"429":[166],"CVEs.":[167],"Our":[168],"in-depth":[169],"reveals":[171],"diversity":[173],"issues":[176],"for":[177],"different":[178],"kinds":[179],"various":[183],"vendors,":[184],"discovers":[186],"some":[187],"well-known":[188],"deeply":[192],"rooted":[193],"many":[195],"images.":[197],"also":[199],"find":[200],"that":[201],"used":[204],"have":[207,253],"fallen":[208],"behind":[209],"five":[211],"years":[212],"average.":[214],"Besides,":[215],"explore":[217],"geographical":[219],"distribution":[220],"vulnerable":[222],"confirm":[225],"situation":[228],"devices":[230],"several":[232],"regions,":[233],"e.g.,":[234],"South":[235],"Korea":[236],"China,":[238],"more":[240],"severe":[241],"than":[242],"other":[244],"regions.":[245],"Further":[246],"shows":[248],"2,478":[249],"commercial":[250],"potentially":[254],"violated":[255],"GPL/AGPL":[256],"licensing":[257],"terms.":[258]},"counts_by_year":[{"year":2026,"cited_by_count":1},{"year":2025,"cited_by_count":24},{"year":2024,"cited_by_count":15},{"year":2023,"cited_by_count":7}],"updated_date":"2026-04-16T08:26:57.006410","created_date":"2025-10-10T00:00:00"}