{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,3,11]],"date-time":"2026-03-11T08:37:48Z","timestamp":1773218268411,"version":"3.50.1"},"reference-count":66,"publisher":"IEEE","license":[{"start":{"date-parts":[[2022,5,1]],"date-time":"2022-05-01T00:00:00Z","timestamp":1651363200000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-009"},{"start":{"date-parts":[[2022,5,1]],"date-time":"2022-05-01T00:00:00Z","timestamp":1651363200000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-001"}],"funder":[{"DOI":"10.13039\/100000006","name":"Office of Naval Research","doi-asserted-by":"publisher","id":[{"id":"10.13039\/100000006","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2022,5]]},"DOI":"10.1109\/sp46214.2022.9833610","type":"proceedings-article","created":{"date-parts":[[2022,7,27]],"date-time":"2022-07-27T19:28:05Z","timestamp":1658950085000},"page":"1082-1099","source":"Crossref","is-referenced-by-count":20,"title":["HEAPSTER: Analyzing the Security of Dynamic Allocators for Monolithic Firmware Images"],"prefix":"10.1109","author":[{"given":"Fabio","family":"Gritti","sequence":"first","affiliation":[{"name":"University of California,Santa Barbara"}]},{"given":"Fabio","family":"Pagani","sequence":"additional","affiliation":[{"name":"University of California,Santa Barbara"}]},{"given":"Ilya","family":"Grishchenko","sequence":"additional","affiliation":[{"name":"University of California,Santa Barbara"}]},{"given":"Lukas","family":"Dresel","sequence":"additional","affiliation":[{"name":"University of California,Santa Barbara"}]},{"given":"Nilo","family":"Redini","sequence":"additional","affiliation":[{"name":"Qualcomm Technologies Inc."}]},{"given":"Christopher","family":"Kruegel","sequence":"additional","affiliation":[{"name":"University of California,Santa Barbara"}]},{"given":"Giovanni","family":"Vigna","sequence":"additional","affiliation":[{"name":"University of California,Santa Barbara"}]}],"member":"263","reference":[{"key":"ref1","volume-title":"libc malloc.","year":"2012"},{"key":"ref2","volume-title":"nanomalloc.","year":"2012"},{"key":"ref3","first-page":"583","article-title":"An in-depth analysis of disassembly on full-scale x86\/x64 binaries","volume-title":"25th USENIX Security Symposium","author":"Andriesse"},{"key":"ref4","volume-title":"The Great ARM CFG Challenge 1","year":"2020"},{"key":"ref5","volume-title":"The Great ARM CFG Challenge 2","year":"2020"},{"key":"ref6","doi-asserted-by":"publisher","DOI":"10.1145\/3092627.3092635"},{"key":"ref7","volume-title":"Cortex-m3 embedded software development","year":"2007"},{"key":"ref8","volume-title":"Cortex-m3 vector table","year":"2007"},{"key":"ref9","volume-title":"Default hml used by mbed ide","year":"2021"},{"key":"ref10","year":"2021","journal-title":"mbed ide. ide.mbed.com"},{"key":"ref11","first-page":"845","article-title":"BYTEWEIGHT: Learning to recognize functions in binary code","volume-title":"23rd USENIX Security Symposium USENIX Security 14)","author":"Bao"},{"key":"ref12","volume-title":"Firmware-specificbug#5:Heapfragmentation","year":"2010"},{"key":"ref13","article-title":"The slab allocator: An object-caching kernel memory allocator","volume":"16","author":"Bonwick","year":"1994","journal-title":"USENIX summer"},{"key":"ref14","doi-asserted-by":"publisher","DOI":"10.1145\/2408776.2408795"},{"key":"ref15","doi-asserted-by":"publisher","DOI":"10.1145\/3427228.3427280"},{"key":"ref16","article-title":"CEA IT Security (IT Security at the French Alternative Energies and Atomic Energy Commission)","year":"2019","journal-title":"Sibyl: A miasm2 based function divination"},{"key":"ref17","volume-title":"Safe-linking - eliminating a 20 year-old malloc() exploit primitive","year":"2020"},{"key":"ref18","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2018.23159"},{"key":"ref19","doi-asserted-by":"publisher","DOI":"10.1109\/WCRE.2013.6671326"},{"key":"ref20","doi-asserted-by":"publisher","DOI":"10.1145\/3319535.3363212"},{"key":"ref21","first-page":"1201","article-title":"Halucinator: Firmware re-hosting through abstraction layer emulation","volume-title":"29th USENIX Security Symposium USENIX Security 20)","author":"Clements"},{"key":"ref22","article-title":"HALucinator: Firmware Re-hosting through Abstraction Layer Emulation","volume-title":"USENIX Security Symposium","author":"Clements"},{"key":"ref23","volume-title":"Security implications of tcache","author":"Eckert","year":"2018"},{"key":"ref24","first-page":"99","article-title":"Heaphopper: Bringing bounded model checking to heap implementation security","volume-title":"27th USENIX Security Symposium USENIX Security 18)","author":"Eckert"},{"key":"ref25","volume-title":"Question of the week: Do you use or allow dynamic memory allocation in your embedded design?","year":"2012"},{"key":"ref26","article-title":"Jetset: Targeted firmware rehosting for embedded systems","volume-title":"30th USENIX Security Symposium (USENIX Security 21)","author":"Evan"},{"key":"ref27","volume-title":"Chris Evans. glibc patch","year":"2017"},{"key":"ref28","doi-asserted-by":"publisher","DOI":"10.1145\/3433210.3453093"},{"key":"ref29","article-title":"P 2 im: Scalable and hardware-independent firmware testing via automatic peripheral interface modeling","volume-title":"Proceedings of the 29th USENIX Security Symposium","author":"Feng"},{"key":"ref30","volume-title":"Fitbit","year":"2022"},{"key":"ref31","volume-title":"Bindiff manual","year":"2020"},{"key":"ref32","volume-title":"The gnu c library (glibc)","year":"2021"},{"key":"ref33","first-page":"135","article-title":"Toward the analysis of embedded firmware through automated re-hosting","volume-title":"22nd International Symposium on Research in Attacks, Intrusions and Defenses ({RAID} 2019)","author":"Gustafson"},{"key":"ref34","doi-asserted-by":"publisher","DOI":"10.1145\/3319535.3354224"},{"key":"ref35","doi-asserted-by":"publisher","DOI":"10.1109\/MSEC.2019.2926462"},{"key":"ref36","doi-asserted-by":"publisher","DOI":"10.1145\/3395363.3397377"},{"key":"ref37","volume-title":"Cortex-M Processors and the Internet of Things (IoT)","author":"Joseph","year":"2013"},{"key":"ref38","doi-asserted-by":"publisher","DOI":"10.1145\/2968455.2968505"},{"key":"ref39","doi-asserted-by":"publisher","DOI":"10.1145\/3361525.3361532"},{"key":"ref40","doi-asserted-by":"publisher","DOI":"10.1145\/1064978.1065034"},{"key":"ref41","doi-asserted-by":"publisher","DOI":"10.1109\/ICSE.2019.00121"},{"key":"ref42","doi-asserted-by":"publisher","DOI":"10.14722\/bar.2018.23017"},{"key":"ref43","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2018.23166"},{"key":"ref44","doi-asserted-by":"publisher","DOI":"10.1145\/1273442.1250746"},{"key":"ref45","doi-asserted-by":"publisher","DOI":"10.1145\/1866307.1866371"},{"key":"ref46","volume-title":"Security implications of tcache","year":"2018"},{"key":"ref47","doi-asserted-by":"publisher","DOI":"10.1109\/SP40001.2021.00066"},{"key":"ref48","volume-title":"Isoalloc.","year":"2020"},{"key":"ref49","volume-title":"lwip malloc.","year":"2013"},{"key":"ref50","first-page":"19","article-title":"Frankenstein: Advanced wireless fuzzing to exploit new bluetooth escalation targets","volume-title":"29th USENIX Security Symposium USENIX Security 20)","author":"Ruge"},{"key":"ref51","volume-title":"Fuzzware: Using precise mmio modeling for effective firmware fuzzing","author":"Scharnowski"},{"key":"ref52","volume-title":"Secure Mobile Networking Lab (Seemoo-lab). Collection of fitness firmware","year":"2021"},{"key":"ref53","volume-title":"Educational heap exploitation","year":"2020"},{"key":"ref54","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2016.17"},{"key":"ref55","doi-asserted-by":"publisher","DOI":"10.1145\/3133956.3133957"},{"key":"ref56","first-page":"117","article-title":"Guarder: A tunable secure allocator","volume-title":"27th USENIX Security Symposium USENIX Security 18)","author":"Silvestro"},{"key":"ref57","volume-title":"CSAW Embedded Security Challenge","year":"2019"},{"key":"ref58","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-23808-6_34"},{"key":"ref59","doi-asserted-by":"publisher","DOI":"10.1145\/3372297.3423344"},{"key":"ref60","doi-asserted-by":"publisher","DOI":"10.1145\/3423167"},{"key":"ref61","first-page":"781","article-title":"FUZE: Towards facilitating exploit generation for kernel use-after-free vulnerabilities","volume-title":"27th USENIX Security Symposium USENIX Security 18)","author":"Wu"},{"key":"ref62","article-title":"MAZE: Towards automated heap feng shui","volume-title":"30th USENIX Security Symposium (USENIX Security 21)","author":"Yan"},{"key":"ref63","article-title":"Automatic techniques to systematically discover new heap exploitation primitives","volume-title":"29th USENIX Security Symposium USENIX Security 20)","author":"Yun"},{"key":"ref64","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-52683-2_5"},{"key":"ref65","article-title":"Automatic firmware emulation through invalidity-guided knowledge inference","volume-title":"30th USENIX Security Symposium (USENIX Security 21)","author":"Zhou"},{"key":"ref66","volume-title":"Zynamics bindiff.","year":"2020"}],"event":{"name":"2022 IEEE Symposium on Security and Privacy (SP)","location":"San Francisco, CA, USA","start":{"date-parts":[[2022,5,22]]},"end":{"date-parts":[[2022,5,26]]}},"container-title":["2022 IEEE Symposium on Security and Privacy (SP)"],"original-title":[],"link":[{"URL":"http:\/\/xplorestaging.ieee.org\/ielx7\/9833550\/9833558\/09833610.pdf?arnumber=9833610","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2024,1,12]],"date-time":"2024-01-12T02:33:33Z","timestamp":1705026813000},"score":1,"resource":{"primary":{"URL":"https:\/\/ieeexplore.ieee.org\/document\/9833610\/"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2022,5]]},"references-count":66,"URL":"https:\/\/doi.org\/10.1109\/sp46214.2022.9833610","relation":{},"subject":[],"published":{"date-parts":[[2022,5]]}}}