{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,7,13]],"date-time":"2026-07-13T18:04:23Z","timestamp":1783965863189,"version":"3.55.0"},"reference-count":94,"publisher":"Elsevier BV","license":[{"start":{"date-parts":[[2026,11,1]],"date-time":"2026-11-01T00:00:00Z","timestamp":1793491200000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.elsevier.com\/tdm\/userlicense\/1.0\/"},{"start":{"date-parts":[[2026,11,1]],"date-time":"2026-11-01T00:00:00Z","timestamp":1793491200000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.elsevier.com\/legal\/tdmrep-license"},{"start":{"date-parts":[[2026,6,8]],"date-time":"2026-06-08T00:00:00Z","timestamp":1780876800000},"content-version":"vor","delay-in-days":0,"URL":"http:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"funder":[{"DOI":"10.13039\/100006423","name":"Food Allergy Research and Education","doi-asserted-by":"publisher","award":["CUP D53D23008380006"],"award-info":[{"award-number":["CUP D53D23008380006"]}],"id":[{"id":"10.13039\/100006423","id-type":"DOI","asserted-by":"publisher"}]},{"DOI":"10.13039\/100006423","name":"Food Allergy Research and Education","doi-asserted-by":"publisher","award":["PNRR M4.C2.1.1 PRIN 2022"],"award-info":[{"award-number":["PNRR M4.C2.1.1 PRIN 2022"]}],"id":[{"id":"10.13039\/100006423","id-type":"DOI","asserted-by":"publisher"}]},{"DOI":"10.13039\/100006423","name":"Food Allergy Research and Education","doi-asserted-by":"publisher","award":["202225BZJC"],"award-info":[{"award-number":["202225BZJC"]}],"id":[{"id":"10.13039\/100006423","id-type":"DOI","asserted-by":"publisher"}]},{"DOI":"10.13039\/100006423","name":"Food Allergy Research and Education","doi-asserted-by":"publisher","award":["104 02.02.2022"],"award-info":[{"award-number":["104 02.02.2022"]}],"id":[{"id":"10.13039\/100006423","id-type":"DOI","asserted-by":"publisher"}]},{"DOI":"10.13039\/501100000780","name":"European Commission","doi-asserted-by":"publisher","award":["PE00000014"],"award-info":[{"award-number":["PE00000014"]}],"id":[{"id":"10.13039\/501100000780","id-type":"DOI","asserted-by":"publisher"}]},{"DOI":"10.13039\/501100000780","name":"European Commission","doi-asserted-by":"publisher","award":["CUP B53D23026000001"],"award-info":[{"award-number":["CUP B53D23026000001"]}],"id":[{"id":"10.13039\/501100000780","id-type":"DOI","asserted-by":"publisher"}]},{"DOI":"10.13039\/501100000780","name":"European Commission","doi-asserted-by":"publisher","award":["P202233M9Z"],"award-info":[{"award-number":["P202233M9Z"]}],"id":[{"id":"10.13039\/501100000780","id-type":"DOI","asserted-by":"publisher"}]},{"DOI":"10.13039\/501100000780","name":"European Commission","doi-asserted-by":"publisher","award":["1409 14.09.2022"],"award-info":[{"award-number":["1409 14.09.2022"]}],"id":[{"id":"10.13039\/501100000780","id-type":"DOI","asserted-by":"publisher"}]},{"DOI":"10.13039\/100031478","name":"NextGenerationEU","doi-asserted-by":"publisher","id":[{"id":"10.13039\/100031478","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":["elsevier.com","sciencedirect.com"],"crossmark-restriction":true},"short-container-title":["Computers &amp; Security"],"published-print":{"date-parts":[[2026,11]]},"DOI":"10.1016\/j.cose.2026.105003","type":"journal-article","created":{"date-parts":[[2026,6,6]],"date-time":"2026-06-06T23:06:50Z","timestamp":1780787210000},"page":"105003","update-policy":"https:\/\/doi.org\/10.1016\/elsevier_cm_policy","source":"Crossref","is-referenced-by-count":0,"special_numbering":"C","title":["STAFF: Stateful Taint-Assisted Full-system Firmware Fuzzing"],"prefix":"10.1016","volume":"170","author":[{"ORCID":"https:\/\/orcid.org\/0009-0006-5502-5514","authenticated-orcid":false,"given":"Alessio","family":"Izzillo","sequence":"first","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-3835-9679","authenticated-orcid":false,"given":"Riccardo","family":"Lazzeretti","sequence":"additional","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-8094-871X","authenticated-orcid":false,"given":"Emilio","family":"Coppa","sequence":"additional","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]}],"member":"78","reference":[{"key":"10.1016\/j.cose.2026.105003_b1","series-title":"Sulley: Pure python fully automated and unattended fuzzing framework","author":"Amini","year":"2017"},{"key":"10.1016\/j.cose.2026.105003_b2","series-title":"Proceedings of the 31st ACM SIGSOFT International Symposium on Software Testing and Analysis","article-title":"SnapFuzz: high-throughput fuzzing of network applications","author":"Andronidis","year":"2022"},{"key":"10.1016\/j.cose.2026.105003_b3","series-title":"Proceedings of the 32nd USENIX Security Symposium","article-title":"FirmSolo: enabling dynamic analysis of binary linux-based IoT kernel modules","author":"Angelakopoulos","year":"2023"},{"key":"10.1016\/j.cose.2026.105003_b4","series-title":"Proceedings of the 33rd USENIX Security Symposium","article-title":"Pandawan: Quantifying progress in linux-based firmware rehosting","author":"Angelakopoulos","year":"2024"},{"key":"10.1016\/j.cose.2026.105003_b5","series-title":"Proceedings of the 26th Annual Network and Distributed System Security Symposium","article-title":"REDQUEEN: Fuzzing with input-to-state correspondence","author":"Aschermann","year":"2019"},{"key":"10.1016\/j.cose.2026.105003_b6","doi-asserted-by":"crossref","DOI":"10.1109\/ACCESS.2025.3575691","article-title":"Bare-metal firmware fuzzing: A survey of techniques and approaches","author":"Asmita","year":"2025","journal-title":"IEEE Access"},{"key":"10.1016\/j.cose.2026.105003_b7","series-title":"Proceedings of the 31st USENIX Security Symposium","article-title":"Stateful greybox fuzzing","author":"Ba","year":"2022"},{"key":"10.1016\/j.cose.2026.105003_b8","article-title":"A Survey of Symbolic Execution Techniques","author":"Baldoni","year":"2018","journal-title":"ACM Comput. Surv."},{"key":"10.1016\/j.cose.2026.105003_b9","series-title":"Proceedings of the 5th IEEE International Conference on Software Testing, Verification and Validation","article-title":"A taint based approach for smart fuzzing","author":"Bekrar","year":"2012"},{"key":"10.1016\/j.cose.2026.105003_b10","series-title":"Proceedings of the 2005 USENIX Annual Technical Conference","article-title":"QEMU, a fast and portable dynamic translator","author":"Bellard","year":"2005"},{"key":"10.1016\/j.cose.2026.105003_b11","series-title":"Proceedings of the 21st International Conference on Security and Cryptography","article-title":"Do you Trust your Device? Open Challenges in IoT Security Analysis","author":"Binosi","year":"2024"},{"key":"10.1016\/j.cose.2026.105003_b12","series-title":"Proceedings of the 43rd International Conference on Software Engineering","article-title":"Fuzzing Symbolic Expressions","author":"Borzacchiello","year":"2021"},{"key":"10.1016\/j.cose.2026.105003_b13","series-title":"Testing Embedded Software","author":"Broekman","year":"2003"},{"key":"10.1016\/j.cose.2026.105003_b14","series-title":"Proceedings of the 36th Annual Computer Security Applications Conference","article-title":"Device-agnostic firmware execution is possible: A concolic execution approach for peripheral emulation","author":"Cao","year":"2020"},{"key":"10.1016\/j.cose.2026.105003_b15","series-title":"Proceedings of the 2024 on ACM SIGSAC Conference on Computer and Communications Security","article-title":"Poster: Yfuzz: Data-driven fuzzing","author":"Chang","year":"2024"},{"key":"10.1016\/j.cose.2026.105003_b16","series-title":"Proceedings of the 39th IEEE Symposium on Security and Privacy","article-title":"Angora: Efficient fuzzing by principled search","author":"Chen","year":"2018"},{"key":"10.1016\/j.cose.2026.105003_b17","series-title":"Proceedings of the 25th Annual Network and Distributed System Security Symposium","article-title":"IoTFuzzer: Discovering memory corruptions in IoT through app-based fuzzing","author":"Chen","year":"2018"},{"key":"10.1016\/j.cose.2026.105003_b18","article-title":"SaTC: Shared-keyword aware taint checking for detecting bugs in embedded systems","author":"Chen","year":"2024","journal-title":"IEEE Trans. Dependable Secur. Comput."},{"key":"10.1016\/j.cose.2026.105003_b19","series-title":"Proceedings of the 23th Annual Network and Distributed System Security Symposium","article-title":"Towards automated dynamic analysis for linux-based embedded firmware","author":"Chen","year":"2016"},{"key":"10.1016\/j.cose.2026.105003_b20","series-title":"Proceedings of the 5th Workshop on CPS&IoT Security and Privacy","article-title":"Firmulti fuzzer: Discovering multi-process vulnerabilities in IoT devices with full system emulation and VMI","author":"Cheng","year":"2023"},{"key":"10.1016\/j.cose.2026.105003_b21","series-title":"Proceedings of the 2007 International Symposium on Software Testing and Analysis","article-title":"Dytan: a generic dynamic taint analysis framework","author":"Clause","year":"2007"},{"key":"10.1016\/j.cose.2026.105003_b22","series-title":"Proceedings of the 29th USENIX Security Symposium","article-title":"HALucinator: Firmware re-hosting through abstraction layer emulation","author":"Clements","year":"2020"},{"key":"10.1016\/j.cose.2026.105003_b23","doi-asserted-by":"crossref","DOI":"10.1016\/j.jss.2024.112001","article-title":"Testing concolic execution through consistency checks","author":"Coppa","year":"2024","journal-title":"J. Syst. Softw."},{"key":"10.1016\/j.cose.2026.105003_b24","series-title":"Proceedings of the 20th IEEE Symposium on Visualization for Cyber Security","article-title":"FuzzPlanner: Visually Assisting the Design of Firmware Fuzzing Campaigns","author":"Coppa","year":"2023"},{"key":"10.1016\/j.cose.2026.105003_b25","series-title":"Proceedings of the 37th IEEE\/ACM International Conference on Automated Software Engineering","article-title":"SymFusion: Hybrid Instrumentation for Concolic Execution","author":"Coppa","year":"2022"},{"key":"10.1016\/j.cose.2026.105003_b26","series-title":"TSD firmware download","author":"D-Link","year":"2025"},{"key":"10.1016\/j.cose.2026.105003_b27","series-title":"Proceedings of the 22nd International Symposium on Research in Attacks, Intrusions and Defenses","article-title":"DECAF++: Elastic whole-system dynamic taint analysis","author":"Davanian","year":"2019"},{"key":"10.1016\/j.cose.2026.105003_b28","series-title":"Proceedings of the 32nd USENIX Security Symposium","article-title":"ARMore: Pushing Love back into binaries","author":"Di Bartolomeo","year":"2023"},{"key":"10.1016\/j.cose.2026.105003_b29","series-title":"Proceedings of the 41st IEEE Symposium on Security and Privacy","article-title":"RetroWrite: Statically instrumenting COTS binaries for fuzzing and sanitization","author":"Dinesh","year":"2020"},{"key":"10.1016\/j.cose.2026.105003_b30","doi-asserted-by":"crossref","DOI":"10.1016\/j.cose.2022.102889","article-title":"AflIot: Fuzzing on linux-based IoT device with binary-level instrumentation","author":"Du","year":"2022","journal-title":"Comput. Secur."},{"key":"10.1016\/j.cose.2026.105003_b31","series-title":"Proceedings of the 41st ACM SIGPLAN Conference on Programming Language Design and Implementation","article-title":"Binary rewriting without control flow recovery","author":"Duck","year":"2020"},{"key":"10.1016\/j.cose.2026.105003_b32","series-title":"Proceedings of the 10th IEEE International Conference on Information, Communication and Networks","article-title":"CinfoFuzz: Fuzzing method based on web service correlation information of embedded devices","author":"Feng","year":"2022"},{"key":"10.1016\/j.cose.2026.105003_b33","series-title":"Proceedings of the 29th USENIX Security Symposium","article-title":"P2IM: Scalable and hardware-independent firmware testing via automatic peripheral interface modeling","author":"Feng","year":"2020"},{"key":"10.1016\/j.cose.2026.105003_b34","article-title":"Detecting vulnerability on IoT device firmware: A survey","author":"Feng","year":"2022","journal-title":"IEEE\/CAA J. Autom. Sin."},{"key":"10.1016\/j.cose.2026.105003_b35","series-title":"Proceedings of the 29th ACM SIGSOFT International Symposium on Software Testing and Analysis","article-title":"WEIZZ: Automatic Grey-box Fuzzing for Structured Binary Formats","author":"Fioraldi","year":"2020"},{"key":"10.1016\/j.cose.2026.105003_b36","series-title":"Proceedings of the 14th USENIX Conference on Offensive Technologies","article-title":"AFL++: combining incremental steps of fuzzing research","author":"Fioraldi","year":"2020"},{"key":"10.1016\/j.cose.2026.105003_b37","doi-asserted-by":"crossref","DOI":"10.1145\/367390.367400","article-title":"Trie memory","author":"Fredkin","year":"1960","journal-title":"Commun. ACM"},{"key":"10.1016\/j.cose.2026.105003_b38","doi-asserted-by":"crossref","DOI":"10.1002\/cpe.5756","article-title":"Fw-fuzz: A code coverage-guided fuzzing framework for network protocols on firmware","author":"Gao","year":"2022","journal-title":"Concurr. Comput.: Pr. Exp."},{"key":"10.1016\/j.cose.2026.105003_b39","series-title":"Proceedings of the 38th Annual Computer Security Applications Conference","article-title":"Snappy: Efficient fuzzing with adaptive and mutable snapshots","author":"Geretto","year":"2022"},{"key":"10.1016\/j.cose.2026.105003_b40","doi-asserted-by":"crossref","DOI":"10.1145\/3363824","article-title":"Fuzzing: hack, art, and science","author":"Godefroid","year":"2020","journal-title":"Commun. ACM"},{"key":"10.1016\/j.cose.2026.105003_b41","series-title":"Taking the next step: OSS-fuzz in 2023","author":"Google","year":"2023"},{"key":"10.1016\/j.cose.2026.105003_b42","article-title":"FIRMCORN: Vulnerability-oriented fuzzing of IoT firmware via optimized virtual execution","author":"Gui","year":"2020","journal-title":"IEEE Access"},{"key":"10.1016\/j.cose.2026.105003_b43","doi-asserted-by":"crossref","unstructured":"Hernandez, G., Muench, M., Maier, D., Milburn, A., Park, S., Scharnowski, T., Tucker, T., Traynor, P., Butler, K., 2022. FirmWire: Transparent Dynamic Analysis for Cellular Baseband Firmware. In: Proceedings of the 29th Annual Network and Distributed System Security Symposium. NDSS \u201922.","DOI":"10.14722\/ndss.2022.23136"},{"key":"10.1016\/j.cose.2026.105003_b44","series-title":"Embedded Operating Systems","author":"Holt","year":"2014"},{"key":"10.1016\/j.cose.2026.105003_b45","series-title":"Proceedings of the 30th USENIX Security Symposium","article-title":"Jetset: Targeted firmware rehosting for embedded systems","author":"Johnson","year":"2021"},{"key":"10.1016\/j.cose.2026.105003_b46","series-title":"Proceedings of the 36th Annual Computer Security Applications Conference","article-title":"FirmAE: Towards large-scale emulation of IoT firmware for dynamic analysis","author":"Kim","year":"2020"},{"key":"10.1016\/j.cose.2026.105003_b47","series-title":"Proceedings of the 43rd IEEE Symposium on Security and Privacy","article-title":"PATA: Fuzzing with path aware taint analysis","author":"Liang","year":"2022"},{"key":"10.1016\/j.cose.2026.105003_b48","series-title":"Botnets continue exploiting CVE-2023-1389 for wide-scale spread","author":"Lin","year":"2024"},{"key":"10.1016\/j.cose.2026.105003_b49","series-title":"Proceedings of the 36th IEEE\/ACM International Conference on Automated Software Engineering","article-title":"FirmGuide: boosting the capability of rehosting embedded linux kernels through model-guided kernel execution","author":"Liu","year":"2022"},{"key":"10.1016\/j.cose.2026.105003_b50","series-title":"LibFuzzer","author":"LLVM-project","year":"2023"},{"key":"10.1016\/j.cose.2026.105003_b51","series-title":"Proceedings of the 13th ACM Conference on Security and Privacy in Wireless and Mobile Networks","article-title":"BaseSAFE: baseband sanitized fuzzing through emulation","author":"Maier","year":"2020"},{"key":"10.1016\/j.cose.2026.105003_b52","article-title":"The art, science, and engineering of fuzzing: A survey","author":"Man\u00e8s","year":"2019","journal-title":"IEEE Trans. Softw. Eng."},{"key":"10.1016\/j.cose.2026.105003_b53","series-title":"Proceedings of the 31st Annual Network and Distributed System Security Symposium)","article-title":"Large language model guided protocol fuzzing","author":"Meng","year":"2024"},{"key":"10.1016\/j.cose.2026.105003_b54","series-title":"Proceedings of the 30th USENIX Security Symposium","article-title":"Breaking through binaries: Compiler-quality instrumentation for better binary-only fuzzing","author":"Nagy","year":"2021"},{"key":"10.1016\/j.cose.2026.105003_b55","doi-asserted-by":"crossref","DOI":"10.1007\/s10664-022-10233-3","article-title":"StateAFL: Greybox fuzzing for stateful network servers","author":"Natella","year":"2022","journal-title":"Empir. Softw. Eng."},{"key":"10.1016\/j.cose.2026.105003_b56","series-title":"Zyxel security advisory for OS command injection vulnerability in aps and security router devices","author":"Networks","year":"2024"},{"key":"10.1016\/j.cose.2026.105003_b57","unstructured":"Newsome, J., Song, D., 2005. Dynamic Taint Analysis for Automatic Detection, Analysis, and SignatureGeneration of Exploits on Commodity Software. In: Proceedings of the 12th Annual Network and Distributed System Security Symposium. NDSS \u201905."},{"key":"10.1016\/j.cose.2026.105003_b58","series-title":"Technical paper on internet of things (IoT)","author":"Organisation","year":"2022"},{"key":"10.1016\/j.cose.2026.105003_b59","series-title":"Boofuzz: A fork and successor of the sulley fuzzing framework","author":"Pereyda","year":"2015"},{"key":"10.1016\/j.cose.2026.105003_b60","series-title":"Proceedings of the 13th IEEE International Conference on Software Testing, Validation and Verification","article-title":"AFLNET: A greybox fuzzer for network protocols","author":"Pham","year":"2020"},{"key":"10.1016\/j.cose.2026.105003_b61","series-title":"Triforceafl","author":"Plc","year":"2017"},{"key":"10.1016\/j.cose.2026.105003_b62","series-title":"Hexagon fuzz: Full-system emulated fuzzing of qualcomm basebands","author":"Produit","year":"2025"},{"key":"10.1016\/j.cose.2026.105003_b63","series-title":"Proceedings of the 24th Annual Network and Distributed System Security Symposium","article-title":"Vuzzer: Application-aware evolutionary fuzzing","author":"Rawat","year":"2017"},{"key":"10.1016\/j.cose.2026.105003_b64","series-title":"Proceedings of the 42nd IEEE Symposium on Security and Privacy","article-title":"Diane: Identifying fuzzing triggers in apps to generate under-constrained inputs for IoT devices","author":"Redini","year":"2021"},{"key":"10.1016\/j.cose.2026.105003_b65","series-title":"Proceedings of the 41st IEEE Symposium on Security and Privacy","article-title":"KARONTE: Detecting insecure multi-binary interactions in embedded firmware","author":"Redini","year":"2020"},{"key":"10.1016\/j.cose.2026.105003_b66","series-title":"General purpose operating system (GPOS) - embedded software market statistics","author":"Research","year":"2024"},{"key":"10.1016\/j.cose.2026.105003_b67","series-title":"Proceedings of the 31st USENIX Security Symposium","article-title":"Fuzzware: Using precise MMIO modeling for effective firmware fuzzing","author":"Scharnowski","year":"2022"},{"key":"10.1016\/j.cose.2026.105003_b68","series-title":"Proceedings of the 26th USENIX Security Symposium","article-title":"kAFL: Hardware-assisted feedback fuzzing for OS kernels","author":"Schumilo","year":"2017"},{"key":"10.1016\/j.cose.2026.105003_b69","series-title":"Proceedings of the 17th European Conference on Computer Systems","article-title":"Nyx-net: network fuzzing with incremental snapshots","author":"Schumilo","year":"2022"},{"key":"10.1016\/j.cose.2026.105003_b70","series-title":"Proceedings of the 32nd USENIX Security Symposium","article-title":"Forming faster firmware fuzzers","author":"Seidel","year":"2023"},{"key":"10.1016\/j.cose.2026.105003_b71","series-title":"OSS-Fuzz - google\u2019s continuous fuzzing service for open source software","author":"Serebryany","year":"2017"},{"key":"10.1016\/j.cose.2026.105003_b72","doi-asserted-by":"crossref","DOI":"10.1109\/TCAD.2022.3198910","article-title":"Tardis: Coverage-guided embedded operating system fuzzing","author":"Shen","year":"2022","journal-title":"IEEE Trans. Comput.-Aided Des. Integr. Circuits Syst."},{"key":"10.1016\/j.cose.2026.105003_b73","series-title":"Proceedings of the 29th USENIX Security Symposium","article-title":"Agamotto: accelerating kernel driver fuzzing with lightweight virtual machine checkpoints","author":"Song","year":"2020"},{"key":"10.1016\/j.cose.2026.105003_b74","series-title":"Proceedings of the 2nd International ACM Workshop on Security and Privacy for the Internet-of-Things","article-title":"FirmFuzz: Automated IoT firmware introspection and analysis","author":"Srivastava","year":"2019"},{"key":"10.1016\/j.cose.2026.105003_b75","series-title":"Proceedings of the 32nd USENIX Security Symposium","article-title":"Greenhouse: Single-service rehosting of Linux-Based firmware binaries in User-Space emulation","author":"Tay","year":"2023"},{"key":"10.1016\/j.cose.2026.105003_b76","series-title":"Proceeding of the IEEE 13th International Conference on Mobile Ad Hoc and Sensor Systems","article-title":"A testbed for security and privacy analysis of IoT devices","author":"Tekeoglu","year":"2016"},{"key":"10.1016\/j.cose.2026.105003_b77","series-title":"Firmware download center","author":"TP-Link","year":"2025"},{"key":"10.1016\/j.cose.2026.105003_b78","article-title":"Challenges in firmware re-hosting, emulation, and analysis","author":"Wright","year":"2021","journal-title":"ACM Comput. Surv."},{"key":"10.1016\/j.cose.2026.105003_b79","series-title":"Proceedings of the 46th IEEE Symposium on Security and Privacy","article-title":"HouseFuzz: Service-aware grey-box fuzzing for vulnerability detection in linux-based firmware","author":"Xiao","year":"2025"},{"key":"10.1016\/j.cose.2026.105003_b80","doi-asserted-by":"crossref","DOI":"10.1016\/j.cose.2025.104467","article-title":"DFirmSan: A lightweight dynamic memory sanitizer for linux-based firmware","author":"Yang","year":"2025","journal-title":"Comput. Secur."},{"key":"10.1016\/j.cose.2026.105003_b81","series-title":"Proceedings of the 3rd World Congress on Software Engineering","article-title":"LeakMiner: Detect information leakage on android with static taint analysis","author":"Yang","year":"2012"},{"key":"10.1016\/j.cose.2026.105003_b82","series-title":"Proceedings of the 2021 Design, Automation & Test in Europe Conference & Exhibition","article-title":"Towards automated detection of higher-order memory corruption vulnerabilities in embedded devices","author":"Yu","year":"2021"},{"key":"10.1016\/j.cose.2026.105003_b83","doi-asserted-by":"crossref","DOI":"10.4018\/IJDCF.286755","article-title":"Towards automated detection of higher-order command injection vulnerabilities in IoT devices: Fuzzing with dynamic data flow analysis","author":"Yu","year":"2021","journal-title":"Int. J. Digit. Crime Forensics"},{"key":"10.1016\/j.cose.2026.105003_b84","article-title":"Fuzzing of embedded systems: A survey","author":"Yun","year":"2022","journal-title":"ACM Comput. Surv."},{"key":"10.1016\/j.cose.2026.105003_b85","series-title":"American fuzzy lop","author":"Zalewski","year":"2021"},{"key":"10.1016\/j.cose.2026.105003_b86","series-title":"The Fuzzing Book","author":"Zeller","year":"2019"},{"key":"10.1016\/j.cose.2026.105003_b87","series-title":"Proceedings of the 35th Annual Computer Security Applications Conference","article-title":"SRFuzzer: an automatic fuzzing framework for physical SOHO router devices to discover multi-type vulnerabilities","author":"Zhang","year":"2019"},{"key":"10.1016\/j.cose.2026.105003_b88","article-title":"A survey of protocol fuzzing","author":"Zhang","year":"2024","journal-title":"ACM Comput. Surv."},{"key":"10.1016\/j.cose.2026.105003_b89","series-title":"Proceedings of the 6th International Conference on Computer Science, Engineering, and Education","article-title":"FirmAEHF: A dynamic analysis method for embedded IoT firmware based on simulation and hybrid fuzzing","author":"Zhao","year":"2025"},{"key":"10.1016\/j.cose.2026.105003_b90","series-title":"Proceedings of the 28th USENIX Security Symposium","article-title":"FIRM-AFL: High-throughput greybox fuzzing of IoT firmware via augmented process emulation","author":"Zheng","year":"2019"},{"key":"10.1016\/j.cose.2026.105003_b91","series-title":"Proceedings of the 31st ACM SIGSOFT International Symposium on Software Testing and Analysis","article-title":"Efficient greybox fuzzing of applications in linux-based IoT devices via enhanced user-mode emulation","author":"Zheng","year":"2022"},{"key":"10.1016\/j.cose.2026.105003_b92","series-title":"Proceedings of the 30th USENIX Security Symposium","article-title":"Automatic firmware emulation through invalidity-guided knowledge inference","author":"Zhou","year":"2021"},{"key":"10.1016\/j.cose.2026.105003_b93","doi-asserted-by":"crossref","DOI":"10.1145\/3512345","article-title":"Fuzzing: A survey for roadmap","author":"Zhu","year":"2022","journal-title":"ACM Comput. Surv."},{"key":"10.1016\/j.cose.2026.105003_b94","doi-asserted-by":"crossref","DOI":"10.1109\/JAS.2024.124971","article-title":"When software security meets large language models: A survey","author":"Zhu","year":"2025","journal-title":"IEEE\/CAA J. Autom. Sin."}],"container-title":["Computers &amp; Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/api.elsevier.com\/content\/article\/PII:S0167404826001793?httpAccept=text\/xml","content-type":"text\/xml","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/api.elsevier.com\/content\/article\/PII:S0167404826001793?httpAccept=text\/plain","content-type":"text\/plain","content-version":"vor","intended-application":"text-mining"}],"deposited":{"date-parts":[[2026,7,13]],"date-time":"2026-07-13T17:13:38Z","timestamp":1783962818000},"score":1,"resource":{"primary":{"URL":"https:\/\/linkinghub.elsevier.com\/retrieve\/pii\/S0167404826001793"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2026,11]]},"references-count":94,"alternative-id":["S0167404826001793"],"URL":"https:\/\/doi.org\/10.1016\/j.cose.2026.105003","relation":{},"ISSN":["0167-4048"],"issn-type":[{"value":"0167-4048","type":"print"}],"subject":[],"published":{"date-parts":[[2026,11]]},"assertion":[{"value":"Elsevier","name":"publisher","label":"This article is maintained by"},{"value":"STAFF: Stateful Taint-Assisted Full-system Firmware Fuzzing","name":"articletitle","label":"Article Title"},{"value":"Computers & Security","name":"journaltitle","label":"Journal Title"},{"value":"https:\/\/doi.org\/10.1016\/j.cose.2026.105003","name":"articlelink","label":"CrossRef DOI link to publisher maintained version"},{"value":"article","name":"content_type","label":"Content Type"},{"value":"\u00a9 2026 The Authors. Published by Elsevier Ltd.","name":"copyright","label":"Copyright"}],"article-number":"105003"}}