{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,7,2]],"date-time":"2026-07-02T06:59:27Z","timestamp":1782975567572,"version":"3.54.5"},"reference-count":74,"publisher":"IEEE","license":[{"start":{"date-parts":[[2026,5,18]],"date-time":"2026-05-18T00:00:00Z","timestamp":1779062400000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-029"},{"start":{"date-parts":[[2026,5,18]],"date-time":"2026-05-18T00:00:00Z","timestamp":1779062400000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-037"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2026,5,18]]},"DOI":"10.1109\/sp63933.2026.00001","type":"proceedings-article","created":{"date-parts":[[2026,7,1]],"date-time":"2026-07-01T19:34:20Z","timestamp":1782934460000},"page":"3320-3339","source":"Crossref","is-referenced-by-count":0,"title":["Bridge: High-Order Taint Vulnerabilities Detection in Linux-Based IoT Firmware"],"prefix":"10.1109","author":[{"given":"Jiaqian","family":"Peng","sequence":"first","affiliation":[{"name":"Institute of Information Engineering, Chinese Academy of Sciences"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Puzhuo","family":"Liu","sequence":"additional","affiliation":[{"name":"Ant Group"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Yicheng","family":"Zeng","sequence":"additional","affiliation":[{"name":"Institute of Information Engineering, Chinese Academy of Sciences"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Kai","family":"Cheng","sequence":"additional","affiliation":[{"name":"Institute of Information Engineering, Chinese Academy of Sciences"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Yongji","family":"Liu","sequence":"additional","affiliation":[{"name":"Institute of Information Engineering, Chinese Academy of Sciences"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Yun","family":"Yang","sequence":"additional","affiliation":[{"name":"Institute of Information Engineering, Chinese Academy of Sciences"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Hongsong","family":"Zhu","sequence":"additional","affiliation":[{"name":"Institute of Information Engineering, Chinese Academy of Sciences"}],"role":[{"vocabulary":"crossref","role":"author"}]}],"member":"263","reference":[{"key":"ref1","first-page":"2025","year":"2024","journal-title":"Internet of things (iot) - statistics and facts"},{"key":"ref2","first-page":"2025","author":"Verge","year":"2020","journal-title":"Ring cameras suffered a hacking incident"},{"key":"ref3","first-page":"2025","year":"2023","journal-title":"Eufy cameras uploaded footage to cloud"},{"key":"ref4","first-page":"2025","author":"Intelligence","year":"2024","journal-title":"Vulnerability roundup: April 10, 2024"},{"key":"ref5","first-page":"2022","author":"Association","year":"2022","journal-title":"The food and drug administration reports potential cybersecurity risk in insulin pump system"},{"key":"ref6","first-page":"2025","author":"Dive","year":"2023","journal-title":"vulnerability in cardiac data workflow system"},{"key":"ref7","first-page":"2025","year":"2023","journal-title":"Exploring a zero-click rce vulnerability in tesla\u2019s tpms"},{"key":"ref8","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2015.54"},{"key":"ref9","first-page":"7123","article-title":"Operation mango: Scalable discovery of taint-style vulnerabilities in binary firmware services","volume-title":"33rd USENIX Security Symposium (USENIX Security 24)","author":"Gibbs"},{"key":"ref10","doi-asserted-by":"publisher","DOI":"10.1145\/3658644.3690307"},{"key":"ref11","doi-asserted-by":"publisher","DOI":"10.1145\/3597926.3598062"},{"key":"ref12","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2024.24346"},{"key":"ref13","doi-asserted-by":"publisher","DOI":"10.1109\/TDSC.2024.3434667"},{"key":"ref14","doi-asserted-by":"publisher","DOI":"10.1109\/DSN.2018.00052"},{"key":"ref15","year":"2019","journal-title":"CVE-2019\u20137297: A second-order command injection vulnerability in the D-Link DIR-823G device"},{"key":"ref16","year":"2023","journal-title":"CVE-2023\u201333239: A second-order command injection vulnerability in the Moxa TN-4900\/TN-5900 firmware"},{"key":"ref17","doi-asserted-by":"publisher","DOI":"10.1145\/3460120.3484798"},{"key":"ref18","first-page":"989","article-title":"Static detection of second-order vulnerabilities in web applications","volume-title":"23rd USENIX Security Symposium (USENIX Security 14)","author":"Dahse"},{"key":"ref19","doi-asserted-by":"publisher","DOI":"10.1145\/2810103.2813680"},{"key":"ref20","first-page":"303","article-title":"Sharing more and checking less: Leveraging common input keywords to detect bugs in embedded systems","volume-title":"30th USENIX Security Symposium (USENIX Security 21)","author":"Chen"},{"key":"ref21","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2024.24935"},{"key":"ref22","article-title":"Bridge-artifact-evaluation","volume-title":"Zenodo","author":"Peng","year":"2025"},{"key":"ref23","doi-asserted-by":"publisher","DOI":"10.1109\/SP54263.2024.00013"},{"key":"ref24","doi-asserted-by":"publisher","DOI":"10.1145\/3623278.3624759"},{"key":"ref25","doi-asserted-by":"publisher","DOI":"10.1109\/SP40000.2020.00036"},{"key":"ref26","doi-asserted-by":"publisher","DOI":"10.1145\/3359789.3359826"},{"key":"ref27","doi-asserted-by":"publisher","DOI":"10.23919\/DATE51398.2021.9473979"},{"key":"ref28","first-page":"2025","year":"2016","journal-title":"D-Link DCS-932L Day\/Night Cloud Camera"},{"key":"ref29","doi-asserted-by":"publisher","DOI":"10.1109\/ICC45855.2022.9839008"},{"key":"ref30","doi-asserted-by":"publisher","DOI":"10.1109\/SPW.2014.34"},{"key":"ref31","doi-asserted-by":"publisher","DOI":"10.1145\/2818000.2818035"},{"key":"ref32","doi-asserted-by":"publisher","DOI":"10.1145\/3358227"},{"key":"ref33","first-page":"2025","author":"Contributors","year":"2025","journal-title":"Control table and its structure"},{"key":"ref34","doi-asserted-by":"publisher","DOI":"10.1109\/MCOM.2013.6461195"},{"key":"ref35","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2020.24080"},{"key":"ref36","doi-asserted-by":"publisher","DOI":"10.1145\/3488932.3517423"},{"key":"ref37","first-page":"2025","year":"2024","journal-title":"Bashlex"},{"key":"ref38","first-page":"49","article-title":"Under-constrained symbolic execution: Correctness checking for real code","volume-title":"24th USENIX Security Symposium (USENIX Security 15)","author":"Ramos"},{"key":"ref39","first-page":"2025","year":"2024","journal-title":"Binwalk"},{"key":"ref40","first-page":"2025","year":"2024","journal-title":"IDA Pro: The Interactive Disassembler"},{"key":"ref41","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2016.17"},{"key":"ref42","first-page":"2024","year":"2025","journal-title":"VulDB - The Number One Vulnerability Database"},{"key":"ref43","first-page":"2025","year":"2025","journal-title":"MITRE Corporation"},{"key":"ref44","first-page":"2025","year":"2025","journal-title":"National Vulnerability Database (NVD)"},{"key":"ref45","first-page":"5627","article-title":"Your firmware has arrived: A study of firmware update vulnerabilities","volume-title":"33rd USENIX Security Symposium (USENIX Security 24)","author":"Wu"},{"key":"ref46","doi-asserted-by":"publisher","DOI":"10.1145\/2897845.2897900"},{"key":"ref47","doi-asserted-by":"publisher","DOI":"10.1109\/SP61157.2025.00213"},{"key":"ref48","first-page":"2025","year":"2024","journal-title":"The best embedded programming languages for engineers now"},{"key":"ref49","first-page":"5791","article-title":"Greenhouse: Single-service rehosting of linux-based firmware binaries in userspace emulation","volume-title":"32nd USENIX Security Symposium (USENIX Security 23)","author":"Tay"},{"key":"ref50","doi-asserted-by":"publisher","DOI":"10.1145\/3597503.3639158"},{"key":"ref51","first-page":"7103","article-title":"Sok: Security of programmable logic controllers","volume-title":"33rd USENIX Security Symposium (USENIX Security 24)","author":"L\u00f3pez-Morales"},{"key":"ref52","doi-asserted-by":"publisher","DOI":"10.1145\/3503222.3507768"},{"key":"ref53","doi-asserted-by":"publisher","DOI":"10.1145\/3548606.3560612"},{"key":"ref54","doi-asserted-by":"publisher","DOI":"10.1145\/3243734.3243866"},{"key":"ref55","first-page":"99","article-title":"Neural nets can learn function type signatures from binaries","volume-title":"26th USENIX Security Symposium (USENIX Security 17)","author":"Chua"},{"key":"ref56","doi-asserted-by":"publisher","DOI":"10.1145\/3427228.3427294"},{"key":"ref57","doi-asserted-by":"publisher","DOI":"10.1145\/3658644.3670342"},{"key":"ref58","doi-asserted-by":"publisher","DOI":"10.1145\/3092703.3092729"},{"key":"ref59","doi-asserted-by":"publisher","DOI":"10.1145\/3319535.3354244"},{"key":"ref60","doi-asserted-by":"publisher","DOI":"10.1145\/3359789.3359797"},{"key":"ref61","first-page":"5877","article-title":"Deeptype: Refining indirect call targets with strong multi-layer type analysis","volume-title":"33rd USENIX Security Symposium (USENIX Security 24)","author":"Xia"},{"key":"ref62","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2021.24386"},{"key":"ref63","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-031-51482-1_20"},{"key":"ref64","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-031-70896-1_1"},{"key":"ref65","doi-asserted-by":"publisher","DOI":"10.1145\/3711816"},{"key":"ref66","doi-asserted-by":"publisher","DOI":"10.1145\/3641847"},{"key":"ref67","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2018.23159"},{"key":"ref68","doi-asserted-by":"publisher","DOI":"10.1109\/SP40001.2021.00066"},{"key":"ref69","doi-asserted-by":"publisher","DOI":"10.1145\/3460120.3484543"},{"key":"ref70","doi-asserted-by":"publisher","DOI":"10.1109\/SP54263.2024.00127"},{"key":"ref71","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2014.23229"},{"key":"ref72","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2016.23415"},{"key":"ref73","first-page":"1099","article-title":"Firmafl: High-throughput greybox fuzzing of iot firmware via augmented process emulation","volume-title":"28th USENIX Security Symposium (USENIX Security 19)","author":"Zheng"},{"key":"ref74","doi-asserted-by":"publisher","DOI":"10.1145\/3533767.3534414"}],"event":{"name":"2026 IEEE Symposium on Security and Privacy (SP)","location":"San Francisco, CA, USA","start":{"date-parts":[[2026,5,18]]},"end":{"date-parts":[[2026,5,21]]}},"container-title":["2026 IEEE Symposium on Security and Privacy (SP)"],"original-title":[],"link":[{"URL":"http:\/\/xplorestaging.ieee.org\/ielx8\/11573355\/11573356\/11573396.pdf?arnumber=11573396","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2026,7,2]],"date-time":"2026-07-02T05:27:12Z","timestamp":1782970032000},"score":1,"resource":{"primary":{"URL":"https:\/\/ieeexplore.ieee.org\/document\/11573396\/"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2026,5,18]]},"references-count":74,"URL":"https:\/\/doi.org\/10.1109\/sp63933.2026.00001","relation":{},"subject":[],"published":{"date-parts":[[2026,5,18]]}}}