{"id":"https://openalex.org/W4416254940","doi":"https://doi.org/10.1145/3719027.3765125","title":"Protocol-Aware Firmware Rehosting for Effective Fuzzing of Embedded Network Stacks","display_name":"Protocol-Aware Firmware Rehosting for Effective Fuzzing of Embedded Network Stacks","publication_year":2025,"publication_date":"2025-11-19","ids":{"openalex":"https://openalex.org/W4416254940","doi":"https://doi.org/10.1145/3719027.3765125"},"language":"en","primary_location":{"id":"doi:10.1145/3719027.3765125","is_oa":true,"landing_page_url":"https://doi.org/10.1145/3719027.3765125","pdf_url":"https://dl.acm.org/doi/pdf/10.1145/3719027.3765125","source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the 2025 ACM SIGSAC Conference on Computer and Communications Security","raw_type":"proceedings-article"},"type":"article","indexed_in":["arxiv","crossref"],"open_access":{"is_oa":true,"oa_status":"gold","oa_url":"https://dl.acm.org/doi/pdf/10.1145/3719027.3765125","any_repository_has_fulltext":true},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5120354767","display_name":"Moritz Bley","orcid":"https://orcid.org/0009-0004-0138-279X"},"institutions":[{"id":"https://openalex.org/I4210128801","display_name":"Helmholtz Center for Information Security","ror":"https://ror.org/02njgxr09","country_code":"DE","type":"facility","lineage":["https://openalex.org/I1305996414","https://openalex.org/I4210128801"]}],"countries":["DE"],"is_corresponding":true,"raw_author_name":"Moritz Bley","raw_affiliation_strings":["CISPA Helmholtz Center for Information Security, Saarbr\u00fccken, Germany"],"affiliations":[{"raw_affiliation_string":"CISPA Helmholtz Center for Information Security, Saarbr\u00fccken, Germany","institution_ids":["https://openalex.org/I4210128801"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5073097614","display_name":"Tobias Scharnowski","orcid":"https://orcid.org/0009-0004-3944-9494"},"institutions":[{"id":"https://openalex.org/I4210128801","display_name":"Helmholtz Center for Information Security","ror":"https://ror.org/02njgxr09","country_code":"DE","type":"facility","lineage":["https://openalex.org/I1305996414","https://openalex.org/I4210128801"]}],"countries":["DE"],"is_corresponding":false,"raw_author_name":"Tobias Scharnowski","raw_affiliation_strings":["CISPA Helmholtz Center for Information Security, Saarbr\u00fccken, Germany"],"affiliations":[{"raw_affiliation_string":"CISPA Helmholtz Center for Information Security, Saarbr\u00fccken, Germany","institution_ids":["https://openalex.org/I4210128801"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5027325640","display_name":"Simon W\u00f6r\u00adner","orcid":"https://orcid.org/0009-0006-8480-8016"},"institutions":[{"id":"https://openalex.org/I4210128801","display_name":"Helmholtz Center for Information Security","ror":"https://ror.org/02njgxr09","country_code":"DE","type":"facility","lineage":["https://openalex.org/I1305996414","https://openalex.org/I4210128801"]}],"countries":["DE"],"is_corresponding":false,"raw_author_name":"Simon W\u00f6rner","raw_affiliation_strings":["CISPA Helmholtz Center for Information Security, Saarbr\u00fccken, Germany"],"affiliations":[{"raw_affiliation_string":"CISPA Helmholtz Center for Information Security, Saarbr\u00fccken, Germany","institution_ids":["https://openalex.org/I4210128801"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5069446947","display_name":"Moritz Schloegel","orcid":"https://orcid.org/0000-0003-1630-1687"},"institutions":[{"id":"https://openalex.org/I55732556","display_name":"Arizona State University","ror":"https://ror.org/03efmqc40","country_code":"US","type":"education","lineage":["https://openalex.org/I55732556"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Moritz Schloegel","raw_affiliation_strings":["Arizona State University, Tempe, USA"],"affiliations":[{"raw_affiliation_string":"Arizona State University, Tempe, USA","institution_ids":["https://openalex.org/I55732556"]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5056790702","display_name":"Thorsten Holz","orcid":"https://orcid.org/0000-0002-2783-1264"},"institutions":[{"id":"https://openalex.org/I4210096592","display_name":"Max Planck Institute for Security and Privacy","ror":"https://ror.org/00bj0r217","country_code":"DE","type":"facility","lineage":["https://openalex.org/I149899117","https://openalex.org/I4210096592"]}],"countries":["DE"],"is_corresponding":false,"raw_author_name":"Thorsten Holz","raw_affiliation_strings":["Max Planck Institute for Security and Privacy, Bochum, Germany"],"affiliations":[{"raw_affiliation_string":"Max Planck Institute for Security and Privacy, Bochum, Germany","institution_ids":["https://openalex.org/I4210096592"]}]}],"institutions":[],"countries_distinct_count":2,"institutions_distinct_count":5,"corresponding_author_ids":["https://openalex.org/A5120354767"],"corresponding_institution_ids":["https://openalex.org/I4210128801"],"apc_list":null,"apc_paid":null,"fwci":0.0,"has_fulltext":true,"cited_by_count":0,"citation_normalized_percentile":{"value":0.35780193,"is_in_top_1_percent":false,"is_in_top_10_percent":false},"cited_by_percentile_year":null,"biblio":{"volume":null,"issue":null,"first_page":"4484","last_page":"4498"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T10743","display_name":"Software Testing and Debugging Techniques","score":0.536300003528595,"subfield":{"id":"https://openalex.org/subfields/1712","display_name":"Software"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T10743","display_name":"Software Testing and Debugging Techniques","score":0.536300003528595,"subfield":{"id":"https://openalex.org/subfields/1712","display_name":"Software"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11424","display_name":"Security and Verification in Computing","score":0.1607999950647354,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11241","display_name":"Advanced Malware Detection Techniques","score":0.13189999759197235,"subfield":{"id":"https://openalex.org/subfields/1711","display_name":"Signal Processing"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/fuzz-testing","display_name":"Fuzz testing","score":0.9801999926567078},{"id":"https://openalex.org/keywords/firmware","display_name":"Firmware","score":0.9508000016212463},{"id":"https://openalex.org/keywords/software","display_name":"Software","score":0.5435000061988831},{"id":"https://openalex.org/keywords/network-packet","display_name":"Network packet","score":0.5400000214576721},{"id":"https://openalex.org/keywords/focus","display_name":"Focus (optics)","score":0.45890000462532043},{"id":"https://openalex.org/keywords/code","display_name":"Code (set theory)","score":0.4458000063896179},{"id":"https://openalex.org/keywords/buffer-overflow","display_name":"Buffer overflow","score":0.4000000059604645},{"id":"https://openalex.org/keywords/communications-protocol","display_name":"Communications protocol","score":0.39070001244544983}],"concepts":[{"id":"https://openalex.org/C111065885","wikidata":"https://www.wikidata.org/wiki/Q1189053","display_name":"Fuzz testing","level":3,"score":0.9801999926567078},{"id":"https://openalex.org/C67212190","wikidata":"https://www.wikidata.org/wiki/Q104851","display_name":"Firmware","level":2,"score":0.9508000016212463},{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.769599974155426},{"id":"https://openalex.org/C2777904410","wikidata":"https://www.wikidata.org/wiki/Q7397","display_name":"Software","level":2,"score":0.5435000061988831},{"id":"https://openalex.org/C158379750","wikidata":"https://www.wikidata.org/wiki/Q214111","display_name":"Network packet","level":2,"score":0.5400000214576721},{"id":"https://openalex.org/C149635348","wikidata":"https://www.wikidata.org/wiki/Q193040","display_name":"Embedded system","level":1,"score":0.5038999915122986},{"id":"https://openalex.org/C192209626","wikidata":"https://www.wikidata.org/wiki/Q190909","display_name":"Focus (optics)","level":2,"score":0.45890000462532043},{"id":"https://openalex.org/C2776760102","wikidata":"https://www.wikidata.org/wiki/Q5139990","display_name":"Code (set theory)","level":3,"score":0.4458000063896179},{"id":"https://openalex.org/C40842320","wikidata":"https://www.wikidata.org/wiki/Q19423","display_name":"Buffer overflow","level":2,"score":0.4000000059604645},{"id":"https://openalex.org/C12269588","wikidata":"https://www.wikidata.org/wiki/Q132364","display_name":"Communications protocol","level":2,"score":0.39070001244544983},{"id":"https://openalex.org/C31258907","wikidata":"https://www.wikidata.org/wiki/Q1301371","display_name":"Computer network","level":1,"score":0.3711000084877014},{"id":"https://openalex.org/C22927095","wikidata":"https://www.wikidata.org/wiki/Q1784206","display_name":"Stateful firewall","level":3,"score":0.3693000078201294},{"id":"https://openalex.org/C182590292","wikidata":"https://www.wikidata.org/wiki/Q989632","display_name":"Network security","level":2,"score":0.3441999852657318},{"id":"https://openalex.org/C168167062","wikidata":"https://www.wikidata.org/wiki/Q1117970","display_name":"Component (thermodynamics)","level":2,"score":0.3416999876499176},{"id":"https://openalex.org/C22174128","wikidata":"https://www.wikidata.org/wiki/Q175869","display_name":"Microcode","level":2,"score":0.3409999907016754},{"id":"https://openalex.org/C541664917","wikidata":"https://www.wikidata.org/wiki/Q14001","display_name":"Malware","level":2,"score":0.3237999975681305},{"id":"https://openalex.org/C120314980","wikidata":"https://www.wikidata.org/wiki/Q180634","display_name":"Distributed computing","level":1,"score":0.313400000333786},{"id":"https://openalex.org/C111919701","wikidata":"https://www.wikidata.org/wiki/Q9135","display_name":"Operating system","level":1,"score":0.2888000011444092},{"id":"https://openalex.org/C25343380","wikidata":"https://www.wikidata.org/wiki/Q277521","display_name":"Relation (database)","level":2,"score":0.26170000433921814},{"id":"https://openalex.org/C43126263","wikidata":"https://www.wikidata.org/wiki/Q128751","display_name":"Source code","level":2,"score":0.2615000009536743},{"id":"https://openalex.org/C62913178","wikidata":"https://www.wikidata.org/wiki/Q7554361","display_name":"Software security assurance","level":4,"score":0.25200000405311584}],"mesh":[],"locations_count":2,"locations":[{"id":"doi:10.1145/3719027.3765125","is_oa":true,"landing_page_url":"https://doi.org/10.1145/3719027.3765125","pdf_url":"https://dl.acm.org/doi/pdf/10.1145/3719027.3765125","source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the 2025 ACM SIGSAC Conference on Computer and Communications Security","raw_type":"proceedings-article"},{"id":"pmh:oai:arXiv.org:2509.13740","is_oa":true,"landing_page_url":"http://arxiv.org/abs/2509.13740","pdf_url":"https://arxiv.org/pdf/2509.13740","source":{"id":"https://openalex.org/S4393918464","display_name":"ArXiv.org","issn_l":"2331-8422","issn":["2331-8422"],"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":null,"host_organization_name":null,"host_organization_lineage":[],"host_organization_lineage_names":[],"type":"repository"},"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":null,"raw_type":"text"}],"best_oa_location":{"id":"doi:10.1145/3719027.3765125","is_oa":true,"landing_page_url":"https://doi.org/10.1145/3719027.3765125","pdf_url":"https://dl.acm.org/doi/pdf/10.1145/3719027.3765125","source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the 2025 ACM SIGSAC Conference on Computer and Communications Security","raw_type":"proceedings-article"},"sustainable_development_goals":[],"awards":[{"id":"https://openalex.org/G10928504","display_name":"CAREER: Achieving Autonomous Symbolic Execution through Learning from Humans","funder_award_id":"2442984","funder_id":"https://openalex.org/F4320306076","funder_display_name":"National Science Foundation"},{"id":"https://openalex.org/G1863729912","display_name":"Dissertation Research:  Molecular and Anatomical Systematics of Leafless Vandeae (Orchidaceae)","funder_award_id":"0104566","funder_id":"https://openalex.org/F4320306076","funder_display_name":"National Science Foundation"},{"id":"https://openalex.org/G18682879","display_name":null,"funder_award_id":"390781972","funder_id":"https://openalex.org/F4320320879","funder_display_name":"Deutsche Forschungsgemeinschaft"},{"id":"https://openalex.org/G5106512922","display_name":null,"funder_award_id":"Deutsche Forschungsgemeinschaft (DFG","funder_id":"https://openalex.org/F4320320879","funder_display_name":"Deutsche Forschungsgemeinschaft"},{"id":"https://openalex.org/G5717916917","display_name":null,"funder_award_id":"39078197","funder_id":"https://openalex.org/F4320320879","funder_display_name":"Deutsche Forschungsgemeinschaft"},{"id":"https://openalex.org/G6411643898","display_name":"CICI: TCR: Improving the Robustness of Cyberinfrastructure via Scalable Vulnerability Discovery and Mitigation on \"Big Binaries\"","funder_award_id":"2232915","funder_id":"https://openalex.org/F4320306076","funder_display_name":"National Science Foundation"},{"id":"https://openalex.org/G762232396","display_name":null,"funder_award_id":"Project","funder_id":"https://openalex.org/F4320320879","funder_display_name":"Deutsche Forschungsgemeinschaft"},{"id":"https://openalex.org/G8049548440","display_name":"CAREER: Re-configurable, Source-Language-Agnostic Decompilation for Binary Programs","funder_award_id":"2146568","funder_id":"https://openalex.org/F4320306076","funder_display_name":"National Science Foundation"},{"id":"https://openalex.org/G848032724","display_name":null,"funder_award_id":"Science","funder_id":"https://openalex.org/F4320306076","funder_display_name":"National Science Foundation"}],"funders":[{"id":"https://openalex.org/F4320306076","display_name":"National Science Foundation","ror":"https://ror.org/021nxhr62"},{"id":"https://openalex.org/F4320320879","display_name":"Deutsche Forschungsgemeinschaft","ror":"https://ror.org/018mejw64"},{"id":"https://openalex.org/F4320332815","display_name":"Advanced Research Projects Agency","ror":"https://ror.org/02caytj08"}],"has_content":{"grobid_xml":true,"pdf":true},"content_urls":{"pdf":"https://content.openalex.org/works/W4416254940.pdf","grobid_xml":"https://content.openalex.org/works/W4416254940.grobid-xml"},"referenced_works_count":2,"referenced_works":["https://openalex.org/W3113108440","https://openalex.org/W3207926955"],"related_works":[],"abstract_inverted_index":{"One":[0],"of":[1,6,43,63,76,127,161,175,195],"the":[2,41,64,77,83,125,136,152,162,192],"biggest":[3],"attack":[4],"surfaces":[5],"embedded":[7,22,45,65,201],"systems":[8,23],"is":[9,69],"their":[10,19,98,104],"network":[11,46,94,128,138,145,202],"interfaces,":[12],"which":[13,72],"enable":[14],"communication":[15,35],"with":[16],"other":[17],"devices.Unlike":[18],"general-purpose":[20],"counterparts,":[21],"are":[24],"designed":[25],"for":[26,39,200],"specialized":[27],"use":[28,126],"cases,":[29],"resulting":[30],"in":[31,130,220,225],"unique":[32],"and":[33,55,123,172,210],"diverse":[34],"stacks.Unfortunately,":[36],"current":[37],"approaches":[38],"evaluating":[40],"security":[42],"these":[44],"stacks":[47,95],"require":[48],"manual":[49],"effort":[50],"or":[51,182],"access":[52],"to":[53,91,97,106,120,155,184],"hardware,":[54],"they":[56],"generally":[57],"focus":[58],"only":[59],"on":[60],"small":[61],"parts":[62],"system.A":[66],"promising":[67],"alternative":[68],"firmware":[70,79,131,163,176],"rehosting,":[71],"enables":[73,167],"fuzz":[74],"testing":[75],"entire":[78],"by":[80],"generically":[81],"emulating":[82],"physical":[84],"hardware.However,":[85],"existing":[86,197],"rehosting":[87,198],"methods":[88],"often":[89],"struggle":[90],"meaningfully":[92],"explore":[93],"due":[96],"complex,":[99],"multi-layered":[100],"input":[101,154],"formats.This":[102],"limits":[103],"ability":[105],"uncover":[107],"deeply":[108,222],"nested":[109,223],"software":[110,215],"faults.To":[111],"address":[112],"this":[113],"problem,":[114],"we":[115],"introduce":[116],"a":[117,168],"novel":[118],"method":[119],"automatically":[121,134],"detect":[122],"handle":[124],"protocols":[129],"called":[132],"Pemu.By":[133],"deducing":[135],"available":[137],"protocols,":[139],"Pemu":[140,189],"can":[141],"transparently":[142],"generate":[143],"valid":[144],"packets":[146],"that":[147,178,188],"encapsulate":[148],"fuzzing":[149,153],"data,":[150],"allowing":[151],"flow":[156],"directly":[157],"into":[158],"deeper":[159],"layers":[160],"logic.Our":[164],"approach":[165],"thus":[166],"deeper,":[169],"more":[170],"targeted,":[171],"layer-by-layer":[173],"analysis":[174],"components":[177],"were":[179],"previously":[180,213],"difficult":[181],"impossible":[183],"test.Our":[185],"evaluation":[186],"demonstrates":[187],"consistently":[190],"improves":[191],"code":[193],"coverage":[194],"three":[196],"tools":[199],"stacks.Furthermore,":[203],"our":[204],"fuzzer":[205],"rediscovered":[206],"several":[207],"known":[208],"vulnerabilities":[209],"identified":[211],"five":[212],"unknown":[214],"faults,":[216],"highlighting":[217],"its":[218],"effectiveness":[219],"uncovering":[221],"bugs":[224],"network-exposed":[226],"code.":[227]},"counts_by_year":[],"updated_date":"2026-03-27T05:58:40.876381","created_date":"2025-10-10T00:00:00"}