{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,5,29]],"date-time":"2026-05-29T12:53:11Z","timestamp":1780059191638,"version":"3.54.0"},"publisher-location":"Cham","reference-count":44,"publisher":"Springer International Publishing","isbn-type":[{"value":"9783319406664","type":"print"},{"value":"9783319406671","type":"electronic"}],"license":[{"start":{"date-parts":[[2016,1,1]],"date-time":"2016-01-01T00:00:00Z","timestamp":1451606400000},"content-version":"tdm","delay-in-days":0,"URL":"http:\/\/www.springer.com\/tdm"}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2016]]},"DOI":"10.1007\/978-3-319-40667-1_5","type":"book-chapter","created":{"date-parts":[[2016,6,11]],"date-time":"2016-06-11T11:19:03Z","timestamp":1465643943000},"page":"78-97","update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":5,"title":["Towards Vulnerability Discovery Using Staged Program Analysis"],"prefix":"10.1007","author":[{"given":"Bhargava","family":"Shastry","sequence":"first","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Fabian","family":"Yamaguchi","sequence":"additional","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Konrad","family":"Rieck","sequence":"additional","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Jean-Pierre","family":"Seifert","sequence":"additional","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]}],"member":"297","published-online":{"date-parts":[[2016,6,12]]},"reference":[{"key":"5_CR1","unstructured":"Bugzilla@Mozilla, Bug 1168091. https:\/\/bugzilla.mozilla.org\/show_bug.cgi?id=1168091"},{"key":"5_CR2","unstructured":"Chromium Issue Tracker, Issue 411177. 
https:\/\/code.google.com\/p\/chromium\/issues\/detail?id=411177"},{"key":"5_CR3","unstructured":"Chromium Issue Tracker, Issue 436035. https:\/\/code.google.com\/p\/chromium\/issues\/detail?id=436035"},{"key":"5_CR4","unstructured":"Clang Static Analyzer. http:\/\/clang-analyzer.llvm.org\/. Accessed 25 Mar 2015"},{"key":"5_CR5","unstructured":"Coverity inc. http:\/\/www.coverity.com\/"},{"key":"5_CR6","unstructured":"HAVOC. http:\/\/research.microsoft.com\/en-us\/projects\/havoc\/"},{"key":"5_CR7","unstructured":"PHP Bug Bounty Program. https:\/\/hackerone.com\/php"},{"key":"5_CR8","unstructured":"PHP::Sec Bug, 67492. https:\/\/bugs.php.net\/bug.php?id=67492"},{"key":"5_CR9","unstructured":"PHP::Sec Bug, 69085. https:\/\/bugs.php.net\/bug.php?id=69085"},{"key":"5_CR10","unstructured":"PHP::Sec Bug, 69152. https:\/\/bugs.php.net\/bug.php?id=69152"},{"key":"5_CR11","unstructured":"Report 73245: Type-confusion Vulnerability in SoapClient. https:\/\/hackerone.com\/reports\/73245"},{"key":"5_CR12","unstructured":"Scan-build. http:\/\/clang-analyzer.llvm.org\/scan-build.html"},{"key":"5_CR13","unstructured":"The LLVM Compiler Infrastructure. http:\/\/llvm.org\/"},{"key":"5_CR14","unstructured":"WLLVM: Whole-program LLVM. https:\/\/github.com\/travitch\/whole-program-llvm"},{"key":"5_CR15","unstructured":"Avgerinos, T., Cha, S.K., Hao, B.L.T., Brumley, D.: AEG: automatic exploit generation. In: NDSS, vol. 11, pp. 59\u201366 (2011)"},{"key":"5_CR16","doi-asserted-by":"crossref","unstructured":"Bacon, D.F., Sweeney, P.F.: Fast static analysis of c++ virtual function calls. In: Proceedings of the 11th ACM SIGPLAN Conference on Object-Oriented Programming, Systems, Languages, and Applications, OOPSLA 1996, pp. 324\u2013341. ACM, New York (1996). http:\/\/doi.acm.org\/10.1145\/236337.236371","DOI":"10.1145\/236337.236371"},{"key":"5_CR17","doi-asserted-by":"crossref","unstructured":"Ball, T., Rajamani, S.K.: The SLAM project: debugging system software via static analysis. 
In: ACM SIGPLAN Notices, vol. 37, pp. 1\u20133. ACM (2002)","DOI":"10.1145\/565816.503274"},{"key":"5_CR18","unstructured":"Cadar, C., Dunbar, D., Engler, D.R.: KLEE: unassisted and automatic generation of high-coverage tests for complex systems programs. In: OSDI, vol. 8, pp. 209\u2013224 (2008)"},{"key":"5_CR19","doi-asserted-by":"crossref","unstructured":"Cifuentes, C., Scholz, B.: Parfait: designing a scalable bug checker. In: Proceedings of the 2008 Workshop on Static Analysis, pp. 4\u201311. ACM (2008)","DOI":"10.1145\/1394504.1394505"},{"key":"5_CR20","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"crossref","first-page":"77","DOI":"10.1007\/3-540-49538-X_5","volume-title":"ECOOP 1995 Object-Oriented Programming","author":"J Dean","year":"1995","unstructured":"Dean, J., Grove, D., Chambers, C.: Optimization of object-oriented programs using static class hierarchy analysis. In: Tokoro, M., Pareschi, R. (eds.) ECOOP 1995 Object-Oriented Programming. LNCS, vol. 952, pp. 77\u2013101. Springer, Heidelberg (1995)"},{"key":"5_CR21","doi-asserted-by":"crossref","unstructured":"Engler, D., Chelf, B., Chou, A., Hallem, S.: Checking system rules using system-specific, programmer-written compiler extensions. In: Proceedings of the 4th Conference on Symposium on Operating System Design & Implementation, vol. 4, p. 1. USENIX Association (2000)","DOI":"10.21236\/ADA419626"},{"key":"5_CR22","unstructured":"Foster, J.S., Johnson, R., Kodumal, J., Terauchi, T., Shankar, U., Talwar, K., Wagner, D., Aiken, A., Elsman, M., Harrelson, C.: CQUAL: a tool for adding type qualifiers to C (2003). https:\/\/www.cs.umd.edu\/~jfoster\/cqual\/. Accessed 26 Mar 2015"},{"key":"5_CR23","unstructured":"GrammaTech: CodeSonar. http:\/\/www.grammatech.com\/codesonar"},{"key":"5_CR24","doi-asserted-by":"crossref","unstructured":"Hallem, S., Chelf, B., Xie, Y., Engler, D.: A system and language for building system-specific, static analyses. 
In: Proceedings of the ACM SIGPLAN 2002 Conference on Programming Language Design and Implementation, PLDI 2002, pp. 69\u201382. ACM, New York (2002). http:\/\/doi.acm.org\/10.1145\/512529.512539","DOI":"10.1145\/512529.512539"},{"issue":"3","key":"5_CR25","doi-asserted-by":"publisher","first-page":"74","DOI":"10.1109\/MSP.2011.70","volume":"9","author":"S Heelan","year":"2011","unstructured":"Heelan, S.: Vulnerability detection systems: think cyborg, not robot. IEEE Secur. Priv. 9(3), 74\u201377 (2011)","journal-title":"IEEE Secur. Priv."},{"key":"5_CR26","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"235","DOI":"10.1007\/3-540-44829-2_17","volume-title":"Model Checking Software","author":"TA Henzinger","year":"2003","unstructured":"Henzinger, T.A., Jhala, R., Majumdar, R., Sutre, G.: Software verification with BLAST. In: Ball, T., Rajamani, S.K. (eds.) SPIN 2003. LNCS, vol. 2648, pp. 235\u2013239. Springer, Heidelberg (2003)"},{"key":"5_CR27","unstructured":"Hewlett Packard: Fortify Static Code Analyzer. http:\/\/www8.hp.com\/us\/en\/software-solutions\/static-code-analysis-sast\/"},{"key":"5_CR28","volume-title":"The Security Development Lifecycle","author":"M Howard","year":"2009","unstructured":"Howard, M., Lipner, S.: The Security Development Lifecycle. O\u2019Reilly Media, Incorporated, Sebastopol (2009)"},{"key":"5_CR29","volume-title":"Lint, a C Program Checker","author":"S Johnson","year":"1977","unstructured":"Johnson, S.: Lint, a C Program Checker. Bell Telephone Laboratories, Murray Hill (1977)"},{"key":"5_CR30","unstructured":"Knoop, J., Steffen, B.: Efficient and optimal bit vector data flow analyses: a uniform interprocedural framework. Inst. 
f\u00fcr Informatik und Praktische Mathematik (1993)"},{"key":"5_CR31","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"295","DOI":"10.1007\/3-540-44898-5_16","volume-title":"Static Analysis","author":"T Kremenek","year":"2003","unstructured":"Kremenek, T., Engler, D.: Z-Ranking: using statistical analysis to counter the impact of static analysis approximations. In: Cousot, R. (ed.) SAS 2003. LNCS, vol. 2694, pp. 295\u2013315. Springer, Heidelberg (2003). http:\/\/dl.acm.org\/citation.cfm?id=1760267.1760289"},{"key":"5_CR32","unstructured":"Lattner, C., Adve, V.: Llvm: a compilation framework for lifelong program analysis & transformation. In: International Symposium on Code Generation and Optimization, 2004, CGO 2004, pp. 75\u201386. IEEE (2004)"},{"key":"5_CR33","unstructured":"Lee, B., Song, C., Kim, T., Lee, W.: Type casting verification: stopping an emerging attack vector. In: 24th USENIX Security Symposium (USENIX Security 15), Washington, D.C, August 2015, pp. 81\u201396. USENIX Association. https:\/\/www.usenix.org\/conference\/usenixsecurity15\/technical-sessions\/presentation\/lee"},{"key":"5_CR34","doi-asserted-by":"crossref","unstructured":"Nethercote, N., Seward, J.: Valgrind: a framework for heavyweight dynamic binary instrumentation. In: ACM Sigplan Notices, vol. 42, pp. 89\u2013100. ACM (2007)","DOI":"10.1145\/1273442.1250746"},{"key":"5_CR35","unstructured":"NIST: SAMATE - Software Assurance Metrics And Tool Evaluation. http:\/\/samate.nist.gov\/Main_Page.html"},{"key":"5_CR36","unstructured":"NIST: Test Suites, Software Assurance Reference Dataset. http:\/\/samate.nist.gov\/SRD\/testsuite.php"},{"key":"5_CR37","doi-asserted-by":"crossref","unstructured":"Reps, T., Horwitz, S., Sagiv, M.: Precise interprocedural dataflow analysis via graph reachability. In: Proceedings of the 22nd ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, pp. 49\u201361. 
ACM (1995)","DOI":"10.1145\/199448.199462"},{"key":"5_CR38","doi-asserted-by":"crossref","unstructured":"Schwartz, E.J., Avgerinos, T., Brumley, D.: All you ever wanted to know about dynamic taint analysis and forward symbolic execution (but might have been afraid to ask). In: 2010 IEEE Symposium on Security and Privacy (SP), pp. 317\u2013331. IEEE (2010)","DOI":"10.1109\/SP.2010.26"},{"key":"5_CR39","unstructured":"Serebryany, K., Bruening, D., Potapenko, A., Vyukov, D.: Addresssanitizer: a fast address sanity checker. In: Proceedings of the 2012 USENIX Conference on Annual Technical Conference, USENIX ATC 2012, Berkeley, CA, USA, p. 28. USENIX Association (2012). http:\/\/dl.acm.org\/citation.cfm?id=2342821.2342849"},{"key":"5_CR40","doi-asserted-by":"crossref","unstructured":"Stepanov, E., Serebryany, K.: Memorysanitizer: fast detector of uninitialized memory use in c++. In: 2015 IEEE\/ACM International Symposium on Code Generation and Optimization (CGO), pp. 46\u201355. IEEE (2015)","DOI":"10.1109\/CGO.2015.7054186"},{"issue":"6","key":"5_CR41","doi-asserted-by":"publisher","first-page":"81","DOI":"10.1109\/MSP.2005.159","volume":"3","author":"K Tsipenyuk","year":"2005","unstructured":"Tsipenyuk, K., Chess, B., McGraw, G.: Seven pernicious kingdoms: a taxonomy of software security errors. IEEE Secur. Priv. 3(6), 81\u201384 (2005)","journal-title":"IEEE Secur. Priv."},{"key":"5_CR42","doi-asserted-by":"crossref","unstructured":"Viega, J., Bloch, J., Kohno, Y., McGraw, G.: Its4: a static vulnerability scanner for c and c++ code. In: 2000 16th Annual Conference on Computer Security Applications, ACSAC 2000, pp. 257\u2013267, December 2000","DOI":"10.1109\/ACSAC.2000.898880"},{"key":"5_CR43","unstructured":"Wilkerson, D.: CQUAL++. https:\/\/daniel-wilkerson.appspot.com\/oink\/qual.html. 
Accessed 26 Mar 2015"},{"key":"5_CR44","doi-asserted-by":"crossref","unstructured":"Yamaguchi, F., Lottmann, M., Rieck, K.: Generalized vulnerability extrapolation using abstract syntax trees. In: Proceedings of the 28th Annual Computer Security Applications Conference, pp. 359\u2013368. ACM (2012)","DOI":"10.1145\/2420950.2421003"}],"container-title":["Lecture Notes in Computer Science","Detection of Intrusions and Malware, and Vulnerability Assessment"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/978-3-319-40667-1_5","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,3]],"date-time":"2025-06-03T21:28:35Z","timestamp":1748986115000},"score":1,"resource":{"primary":{"URL":"https:\/\/link.springer.com\/10.1007\/978-3-319-40667-1_5"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2016]]},"ISBN":["9783319406664","9783319406671"],"references-count":44,"URL":"https:\/\/doi.org\/10.1007\/978-3-319-40667-1_5","relation":{},"ISSN":["0302-9743","1611-3349"],"issn-type":[{"value":"0302-9743","type":"print"},{"value":"1611-3349","type":"electronic"}],"subject":[],"published":{"date-parts":[[2016]]},"assertion":[{"value":"12 June 2016","order":1,"name":"first_online","label":"First Online","group":{"name":"ChapterHistory","label":"Chapter History"}}]}}