{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,2]],"date-time":"2026-04-02T13:19:38Z","timestamp":1775135978938,"version":"3.50.1"},"publisher-location":"Singapore","reference-count":27,"publisher":"Springer Nature Singapore","isbn-type":[{"value":"9789819584161","type":"print"},{"value":"9789819584178","type":"electronic"}],"license":[{"start":{"date-parts":[[2026,1,1]],"date-time":"2026-01-01T00:00:00Z","timestamp":1767225600000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.springernature.com\/gp\/researchers\/text-and-data-mining"},{"start":{"date-parts":[[2026,1,1]],"date-time":"2026-01-01T00:00:00Z","timestamp":1767225600000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.springernature.com\/gp\/researchers\/text-and-data-mining"}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2026]]},"DOI":"10.1007\/978-981-95-8417-8_9","type":"book-chapter","created":{"date-parts":[[2026,4,2]],"date-time":"2026-04-02T12:31:08Z","timestamp":1775133068000},"page":"111-127","update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":0,"title":["X-ECU: Unlocking In-Vehicle ECU Firmware Vulnerabilities for\u00a0Exploitation"],"prefix":"10.1007","author":[{"given":"Yuhao","family":"Qiu","sequence":"first","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Haonan","family":"Miao","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Xiangxue","family":"Li","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"297","published-online":{"date-parts":[[2026,4,3]]},"reference":[{"key":"9_CR1","unstructured":"ISO 11898, road vehicles\u2014controller area network (CAN). https:\/\/www.iso.org\/standard\/86384.html"},{"key":"9_CR2","doi-asserted-by":"crossref","unstructured":"Foruhandeh, M., Man, Y.: SIMPLE: single-frame based physical layer identification for intrusion detection and prevention on in-vehicle networks. In: 35th Annual Computer Security Applications Conference, pp. 229\u2013244 (2019)","DOI":"10.1145\/3359789.3359834"},{"key":"9_CR3","doi-asserted-by":"crossref","unstructured":"N\u00fcrnberger, S., Rossow, C.: vatiCAN - vetted, authenticated CAN bus. In: CHES 2016, pp. 106\u2013124 (2016)","DOI":"10.1007\/978-3-662-53140-2_6"},{"key":"9_CR4","doi-asserted-by":"crossref","unstructured":"Radu, A.-I., Garcia, F.D.: LeiA: a lightweight authentication protocol for CAN. In: ESORICS 2016, pp. 283\u2013300 (2016)","DOI":"10.1007\/978-3-319-45741-3_15"},{"key":"9_CR5","doi-asserted-by":"crossref","unstructured":"Cho, K.-T., Shin, K.G.: Error handling of in-vehicle networks makes them vulnerable. In: 2016 ACM CCS, pp. 1044\u20131055 (2016)","DOI":"10.1145\/2976749.2978302"},{"key":"9_CR6","unstructured":"Serag, K., Bhatia, R., Kumar, V., Berkay Celik, Z., Xu, D.: Exposing new vulnerabilities of error handling mechanism in CAN. In: 30th USENIX Security Symposium, pp. 4241\u20134258 (2021)"},{"key":"9_CR7","doi-asserted-by":"crossref","unstructured":"Kulandaivel, S., Jain, S., Guajardo, J., Sekar, V.: CANNON: reliable and stealthy remote shutdown attacks via unaltered automotive microcontrollers. In: 42nd IEEE Symposium on Security and Privacy, SP 2021, pp. 195\u2013210 (2021)","DOI":"10.1109\/SP40001.2021.00122"},{"key":"9_CR8","doi-asserted-by":"crossref","unstructured":"Wen, H., Zhao, Q., Chen, A., Lin, Z.: Automated cross-platform reverse engineering of CAN bus commands from mobile apps. In: 27th NDSS 2020 (2020)","DOI":"10.14722\/ndss.2020.24231"},{"key":"9_CR9","unstructured":"Checkoway, S., et al.: Comprehensive experimental analyses of automotive attack surfaces. In: 20th USENIX Security Symposium (2011)"},{"key":"9_CR10","unstructured":"IDA pro. https:\/\/hex-rays.com\/products\/ida\/support\/idadoc\/index.shtml"},{"key":"9_CR11","unstructured":"Fast library identification and recognition technology (flirt). https:\/\/hex-rays.com\/products\/ida\/tech\/flirt\/"},{"issue":"2","key":"9_CR12","doi-asserted-by":"publisher","first-page":"187","DOI":"10.1109\/TSE.2015.2470241","volume":"42","author":"J Qiu","year":"2016","unstructured":"Qiu, J., Xiaohong, S., Ma, P.: Using reduced execution flow graph to identify library functions in binary code. IEEE Trans. Softw. Eng. 42(2), 187\u2013202 (2016)","journal-title":"IEEE Trans. Softw. Eng."},{"key":"9_CR13","unstructured":"Tricore instruction set. https:\/\/www.infineon.com\/dgdl\/tc1_6__architecture_vol2.pdf?fileId=db3a3043372d5cc801374ad9c0653ad9"},{"key":"9_CR14","unstructured":"TC275 user manual. https:\/\/www.infineon.com\/dgdl\/Infineon-AURIX_TC275_Lite_Kit-UserManual-v01_02-EN.pdf?fileId=5546d46272e49d2a017305871f9464ab"},{"key":"9_CR15","unstructured":"Bindiff manual. https:\/\/www.zynamics.com\/bindiff\/manual\/"},{"key":"9_CR16","unstructured":"Inline function. https:\/\/www.geeksforgeeks.org\/inline-functions-cpp\/"},{"key":"9_CR17","unstructured":"TC275 illd usermanual. https:\/\/www.infineon.com\/cms\/en\/tools\/aurix-embedded-sw\/aurix-illd-drivers\/#!?fileId=8ac78c8c8779172a0187e6944d6c160b"},{"key":"9_CR18","unstructured":"MSP432 SDK. https:\/\/www.ti.com\/tool\/SIMPLELINK-MSP432-SDK?keyMatch=MSP432%20DRIVERLIB"},{"key":"9_CR19","unstructured":"ARMv7-M architecture reference manual. https:\/\/developer.arm.com\/documentation\/ddi0403\/ee?lang=en"},{"key":"9_CR20","doi-asserted-by":"crossref","unstructured":"Wen, H., Lin, Z., Zhang, Y.: FirmXRay: detecting bluetooth link layer vulnerabilities from bare-metal firmware. In: CCS 2020, pp. 167\u2013180 (2020)","DOI":"10.1145\/3372297.3423344"},{"key":"9_CR21","doi-asserted-by":"crossref","unstructured":"Hernandez, G., Fowze, F., Tian, D., Yavuz, T., Butler, K.R.B.: FirmUSB: vetting USB device firmware using domain informed symbolic execution. In: 2017 ACM CCS, pp. 2245\u20132262 (2017)","DOI":"10.1145\/3133956.3134050"},{"key":"9_CR22","unstructured":"ECU tuning case. https:\/\/www.bimmer-tech.net\/blog\/item\/193-bmw-n20-engine-tuning-case-study"},{"key":"9_CR23","unstructured":"Yu, L., et al.: Towards automatically reverse engineering vehicle diagnostic protocols. In: 31st USENIX Security Symposium, pp. 1939\u20131956 (2022)"},{"key":"9_CR24","unstructured":"ISO 14229, unified diagnostic services (UDS). https:\/\/www.iso.org\/standard\/72439.html"},{"key":"9_CR25","unstructured":"ISO 14230, keyword protocol 2000. https:\/\/www.iso.org\/standard\/23919.html"},{"key":"9_CR26","unstructured":"Bao, T., Burket, J., Woo, M., Turner, R., Brumley, D.: BYTEWEIGHT: learning to recognize functions in binary code. In: 23rd USENIX Security Symposium, pp. 845\u2013860 (2014)"},{"key":"9_CR27","doi-asserted-by":"publisher","first-page":"103312","DOI":"10.1016\/j.cose.2023.103312","volume":"132","author":"L Binosi","year":"2023","unstructured":"Binosi, L., Polino, M., Carminati, M., Zanero, S.: BINO: automatic recognition of inline binary functions from template classes. Comput. Secu. 132, 103312 (2023)","journal-title":"Comput. Secu."}],"container-title":["Lecture Notes in Computer Science","Algorithms and Architectures for Parallel Processing"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/978-981-95-8417-8_9","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2026,4,2]],"date-time":"2026-04-02T12:31:14Z","timestamp":1775133074000},"score":1,"resource":{"primary":{"URL":"https:\/\/link.springer.com\/10.1007\/978-981-95-8417-8_9"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2026]]},"ISBN":["9789819584161","9789819584178"],"references-count":27,"URL":"https:\/\/doi.org\/10.1007\/978-981-95-8417-8_9","relation":{},"ISSN":["0302-9743","1611-3349"],"issn-type":[{"value":"0302-9743","type":"print"},{"value":"1611-3349","type":"electronic"}],"subject":[],"published":{"date-parts":[[2026]]},"assertion":[{"value":"3 April 2026","order":1,"name":"first_online","label":"First Online","group":{"name":"ChapterHistory","label":"Chapter History"}},{"value":"ICA3PP","order":1,"name":"conference_acronym","label":"Conference Acronym","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"International Conference on Algorithms and Architectures for Parallel Processing","order":2,"name":"conference_name","label":"Conference Name","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"Zhengzhou","order":3,"name":"conference_city","label":"Conference City","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"China","order":4,"name":"conference_country","label":"Conference Country","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"2025","order":5,"name":"conference_year","label":"Conference Year","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"30 October 2025","order":7,"name":"conference_start_date","label":"Conference Start Date","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"2 November 2025","order":8,"name":"conference_end_date","label":"Conference End Date","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"25","order":9,"name":"conference_number","label":"Conference Number","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"ica3pp2025","order":10,"name":"conference_id","label":"Conference ID","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"https:\/\/ieee-cybermatics.org\/2025\/ica3pp\/","order":11,"name":"conference_url","label":"Conference URL","group":{"name":"ConferenceInfo","label":"Conference Information"}}]}}