{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,3,25]],"date-time":"2026-03-25T10:53:18Z","timestamp":1774435998318,"version":"3.50.1"},"reference-count":131,"publisher":"Institute of Electrical and Electronics Engineers (IEEE)","issue":"11","license":[{"start":{"date-parts":[[2022,11,1]],"date-time":"2022-11-01T00:00:00Z","timestamp":1667260800000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by-nc-nd\/4.0\/"}],"funder":[{"DOI":"10.13039\/501100001809","name":"National Natural Science Foundation of China","doi-asserted-by":"publisher","award":["61761136003"],"award-info":[{"award-number":["61761136003"]}],"id":[{"id":"10.13039\/501100001809","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["IEEE Trans. Software Eng."],"published-print":{"date-parts":[[2022,11,1]]},"DOI":"10.1109\/tse.2021.3121994","type":"journal-article","created":{"date-parts":[[2021,12,14]],"date-time":"2021-12-14T19:57:18Z","timestamp":1639511838000},"page":"4569-4589","source":"Crossref","is-referenced-by-count":13,"title":["Automated Use-After-Free Detection and Exploit Mitigation: How Far Have We Gone?"],"prefix":"10.1109","volume":"48","author":[{"given":"Binfa","family":"Gui","sequence":"first","affiliation":[{"name":"School of Computer Science and Engineering, Nanjing University of Science and Technology, Nanjing, China"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-4324-3382","authenticated-orcid":false,"given":"Wei","family":"Song","sequence":"additional","affiliation":[{"name":"School of Computer Science and Engineering, Nanjing University of Science and Technology, Nanjing, China"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-8544-4994","authenticated-orcid":false,"given":"Hailong","family":"Xiong","sequence":"additional","affiliation":[{"name":"School of Computer Science and Engineering, Nanjing 
University of Science and Technology, Nanjing, China"}]},{"given":"Jeff","family":"Huang","sequence":"additional","affiliation":[{"name":"Parasol Laboratory, Texas A&M University, College Station, TX, USA"}]}],"member":"263","reference":[{"key":"ref39","doi-asserted-by":"publisher","DOI":"10.1109\/DESEC.2018.8625135"},{"key":"ref38","first-page":"815","article-title":"Oscar: A practical page-permissions-based scheme for thwarting dangling pointers","author":"dang","year":"2017","journal-title":"Proc Usenix Secur Symp"},{"key":"ref33","doi-asserted-by":"publisher","DOI":"10.1145\/3297858.3304017"},{"key":"ref32","doi-asserted-by":"publisher","DOI":"10.1145\/3352460.3358288"},{"key":"ref31","doi-asserted-by":"publisher","DOI":"10.1145\/3243734.3243826"},{"key":"ref30","doi-asserted-by":"publisher","DOI":"10.1145\/3064176.3064211"},{"key":"ref37","doi-asserted-by":"publisher","DOI":"10.1145\/1133981.1134000"},{"key":"ref36","first-page":"177","article-title":"Cling: A memory allocator to mitigate dangling pointers","author":"akritidis","year":"2010","journal-title":"Proc Usenix Secur Symp"},{"key":"ref35","doi-asserted-by":"publisher","DOI":"10.1145\/2366231.2337181"},{"key":"ref34","doi-asserted-by":"publisher","DOI":"10.1145\/1806651.1806657"},{"key":"ref28","year":"0"},{"key":"ref27","year":"0"},{"key":"ref29","doi-asserted-by":"publisher","DOI":"10.1145\/2338965.2336769"},{"key":"ref20","doi-asserted-by":"publisher","DOI":"10.1007\/s11416-014-0203-1"},{"key":"ref22","doi-asserted-by":"publisher","DOI":"10.1109\/ARES.2015.61"},{"key":"ref21","doi-asserted-by":"publisher","DOI":"10.1145\/3134600.3134620"},{"key":"ref24","first-page":"209","article-title":"KLEE: Unassisted and automatic generation of high-coverage tests for complex systems programs","author":"cadar","year":"2008","journal-title":"Proc USENIX Symp Oper Syst Des Implementation"},{"key":"ref23","first-page":"233","article-title":"Frama-c - A software analysis 
perspective","author":"cuoq","year":"2012","journal-title":"Proc Int'l Conf Software Eng and Formal Methods"},{"key":"ref101","doi-asserted-by":"publisher","DOI":"10.1016\/S0065-2458(03)58003-2"},{"key":"ref26","doi-asserted-by":"publisher","DOI":"10.1016\/j.scico.2012.10.011"},{"key":"ref100","doi-asserted-by":"publisher","DOI":"10.1145\/3338906.3338927"},{"key":"ref25","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-54862-8_26"},{"key":"ref50","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2019.00010"},{"key":"ref51","first-page":"1","article-title":"SafeInit: Comprehensive and practical mitigation of uninitialized read vulnerabilities","author":"milburn","year":"2017","journal-title":"Proc 24th Annu Netw Distrib Syst Secur Symp"},{"key":"ref59","doi-asserted-by":"publisher","DOI":"10.1145\/1287624.1287654"},{"key":"ref58","doi-asserted-by":"publisher","DOI":"10.1145\/2970276.2970337"},{"key":"ref57","doi-asserted-by":"publisher","DOI":"10.1016\/j.jss.2012.08.063"},{"key":"ref56","doi-asserted-by":"publisher","DOI":"10.1145\/1165389.945468"},{"key":"ref55","doi-asserted-by":"publisher","DOI":"10.1109\/ASE.2015.30"},{"key":"ref54","first-page":"255","article-title":"Effective static analysis of concurrency use-after-free bugs in linux device drivers","author":"bai","year":"2019","journal-title":"Proc USENIX Annu Techn Conf"},{"key":"ref53","doi-asserted-by":"publisher","DOI":"10.1145\/2810103.2813637"},{"key":"ref52","doi-asserted-by":"publisher","DOI":"10.1145\/178243.178446"},{"key":"ref40","first-page":"117","article-title":"Guarder: A tunable secure allocator","author":"silvestro","year":"2018","journal-title":"Proc Secur 
Symp"},{"key":"ref4","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2015.23190"},{"key":"ref3","doi-asserted-by":"publisher","DOI":"10.1145\/3180155.3180178"},{"key":"ref6","doi-asserted-by":"publisher","DOI":"10.1145\/3377811.3380386"},{"key":"ref5","doi-asserted-by":"publisher","DOI":"10.1145\/3427228.3427645"},{"key":"ref8","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-67531-2_18"},{"key":"ref49","doi-asserted-by":"publisher","DOI":"10.1145\/2991079.2991121"},{"key":"ref7","first-page":"57","article-title":"Mudflap: Pointer use checking for C\/C++","author":"eigler","year":"2003","journal-title":"Proc 1st Annu GCC Developers\u2019 Summit"},{"key":"ref9","doi-asserted-by":"publisher","DOI":"10.1145\/3180155.3180225"},{"key":"ref46","doi-asserted-by":"publisher","DOI":"10.1145\/2664243.2664249"},{"key":"ref45","doi-asserted-by":"publisher","DOI":"10.1145\/3092703.3092729"},{"key":"ref48","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2015.23297"},{"key":"ref47","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2014.23287"},{"key":"ref42","doi-asserted-by":"publisher","DOI":"10.1002\/spe.4380180902"},{"key":"ref41","doi-asserted-by":"publisher","DOI":"10.1145\/3361525.3361532"},{"key":"ref44","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2019.23541"},{"key":"ref43","article-title":"A garbage collector for C and C++","author":"boehm","year":"2002"},{"key":"ref127","article-title":"Abusing silent mitigations","author":"hariri","year":"2015","journal-title":"BlackHat USA"},{"key":"ref126","doi-asserted-by":"publisher","DOI":"10.1145\/3219617.3219662"},{"key":"ref125","doi-asserted-by":"publisher","DOI":"10.1145\/3316482.3326356"},{"key":"ref124","year":"0","journal-title":"MemGC Use-after-free exploit mitigation in Edge and IE on Windows 10"},{"key":"ref73","doi-asserted-by":"publisher","DOI":"10.1145\/1065887.1065892"},{"key":"ref72","doi-asserted-by":"publisher","DOI":"10.1145\/3192366.3192388"},{"key":"ref129","article-title":"Heap 
feng shui in javascript","author":"sotirov","year":"2007","journal-title":"Black Hat Europe'06"},{"key":"ref71","doi-asserted-by":"publisher","DOI":"10.1145\/3275219.3275231"},{"key":"ref128","article-title":"Engineering heap overflow exploits with javascript","author":"daniel","year":"2008","journal-title":"Proc 2nd USENIX Workshop Offensive Technol"},{"key":"ref70","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2015.23238"},{"key":"ref76","doi-asserted-by":"publisher","DOI":"10.1145\/1029894.1029913"},{"key":"ref130","year":"0"},{"key":"ref77","doi-asserted-by":"publisher","DOI":"10.1145\/940071.940113"},{"key":"ref74","doi-asserted-by":"publisher","DOI":"10.1145\/503272.503286"},{"key":"ref75","doi-asserted-by":"publisher","DOI":"10.1002\/spe.2105"},{"key":"ref131","doi-asserted-by":"publisher","DOI":"10.1145\/3418295"},{"key":"ref78","first-page":"1507","article-title":"Cornucopia: Temporal safety for CHERI heaps","author":"filardo","year":"2020","journal-title":"Proc IEEE Symp Secur Privacy"},{"key":"ref79","doi-asserted-by":"publisher","DOI":"10.1145\/2544137.2544147"},{"key":"ref60","first-page":"141","article-title":"Two parallel euler run time models: The dangling reference, impostor environment, and label problems","author":"chirica","year":"1973","journal-title":"Proc ACM SIGPLAN Notices"},{"key":"ref62","doi-asserted-by":"publisher","DOI":"10.1145\/781131.781157"},{"key":"ref61","doi-asserted-by":"publisher","DOI":"10.1016\/0096-0551(77)90002-9"},{"key":"ref63","doi-asserted-by":"publisher","DOI":"10.1145\/1542476.1542505"},{"key":"ref64","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2016.23164"},{"key":"ref65","doi-asserted-by":"publisher","DOI":"10.1145\/2892208.2892235"},{"key":"ref66","doi-asserted-by":"publisher","DOI":"10.1145\/390013.808479"},{"key":"ref67","article-title":"Dangling pointer: Smashing the pointer for fun and 
profit","author":"afek","year":"2007"},{"key":"ref68","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2015.23099"},{"key":"ref2","first-page":"2453","article-title":"Preventing use-after-free attacks with fast forward allocation","author":"wickman","year":"2021","journal-title":"Proc 30th USENIX Secur Symp"},{"key":"ref69","doi-asserted-by":"publisher","DOI":"10.1109\/ACCESS.2019.2908022"},{"key":"ref1","doi-asserted-by":"publisher","DOI":"10.1109\/SP40000.2020.00058"},{"key":"ref109","year":"0"},{"key":"ref95","doi-asserted-by":"publisher","DOI":"10.1109\/EuroSP51992.2021.00049"},{"key":"ref108","article-title":"Efficient, transparent, and comprehensive runtime code manipulation","author":"bruening","year":"2004"},{"key":"ref94","first-page":"1","article-title":"Cfixx: Object type integrity for C++ virtual dispatch","author":"burow","year":"2018","journal-title":"Proc Symp Network and Distributed System Security"},{"key":"ref107","year":"0"},{"key":"ref93","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2016.23421"},{"key":"ref106","year":"0"},{"key":"ref92","first-page":"1","article-title":"Smart pointers: They\u2019re smart, but they\u2019re not pointers","author":"edelson","year":"1992","journal-title":"Proc C++ Conf"},{"key":"ref105","article-title":"Finding software bugs with the clang static analyzer","author":"kremenek","year":"2008","journal-title":"Apple Inc"},{"key":"ref91","doi-asserted-by":"publisher","DOI":"10.1145\/1133981.1133999"},{"key":"ref104","article-title":"Cppcheck: A tool for static C\/C++ code analysis","author":"marjam\u00e4ki","year":"2013"},{"key":"ref90","doi-asserted-by":"publisher","DOI":"10.1145\/512529.512563"},{"key":"ref103","doi-asserted-by":"publisher","DOI":"10.1145\/3182657"},{"key":"ref102","first-page":"1","article-title":"Comparing model checking and static program analysis: A case study in error detection approaches","author":"vorobyov","year":"2010","journal-title":"Proc 
SSV"},{"key":"ref111","year":"0"},{"key":"ref112","article-title":"American fuzzy lop","author":"zalewski","year":"2014"},{"key":"ref110","year":"0"},{"key":"ref98","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-92994-1_8"},{"key":"ref99","doi-asserted-by":"publisher","DOI":"10.1145\/3156685.3092269"},{"key":"ref96","doi-asserted-by":"publisher","DOI":"10.1145\/2660267.2662394"},{"key":"ref97","doi-asserted-by":"publisher","DOI":"10.1109\/ACCESS.2020.2990197"},{"key":"ref10","first-page":"309","article-title":"AddressSanitizer: A fast address sanity checker","author":"serebryany","year":"2012","journal-title":"Proc USENIX Annu Techn Conf"},{"key":"ref11","doi-asserted-by":"publisher","DOI":"10.1145\/1791194.1791203"},{"key":"ref12","first-page":"110","article-title":"Dynamic race detection with LLVM compiler","author":"serebryany","year":"2011","journal-title":"Proc Int'l Conf Runtime Verification"},{"key":"ref13","doi-asserted-by":"publisher","DOI":"10.1109\/SP40000.2020.00009"},{"key":"ref14","first-page":"133","article-title":"Egalito: Layout-agnostic binary recompilation","author":"w -king","year":"2020","journal-title":"Proc 6th Int Conf Archit Support Program Lang Oper Syst"},{"key":"ref15","first-page":"213","article-title":"Practical memory checking with dr.memory","author":"bruening","year":"2011","journal-title":"Proc Annu IEEE\/ACM Int Symp Code Gener Opti"},{"key":"ref118","first-page":"47","article-title":"Binary-level directed fuzzing for use-after-free vulnerabilities","author":"nguyen","year":"2020","journal-title":"Proc 23rd Int Symp Res Attacks Intrusions Defenses"},{"key":"ref16","first-page":"125","article-title":"Purify: Fast detection of memory leaks and access errors","author":"hastings","year":"1991","journal-title":"Proc Winter Usenix Conf"},{"key":"ref82","doi-asserted-by":"publisher","DOI":"10.1145\/1346281.1346296"},{"key":"ref117","first-page":"745","article-title":"QSYM: A practical concolic execution engine tailored for 
hybrid fuzzing","author":"yun","year":"2018","journal-title":"Proc Usenix Secur Symp"},{"key":"ref17","doi-asserted-by":"publisher","DOI":"10.1145\/2884781.2884784"},{"key":"ref81","doi-asserted-by":"publisher","DOI":"10.1109\/ISSRE.2010.22"},{"key":"ref18","doi-asserted-by":"publisher","DOI":"10.1145\/1250734.1250746"},{"key":"ref84","doi-asserted-by":"publisher","DOI":"10.1145\/3133956.3133957"},{"key":"ref119","doi-asserted-by":"publisher","DOI":"10.1145\/2594291.2594315"},{"key":"ref19","doi-asserted-by":"publisher","DOI":"10.1109\/SecDev45635.2020.00019"},{"key":"ref83","doi-asserted-by":"publisher","DOI":"10.1145\/1866307.1866371"},{"key":"ref114","doi-asserted-by":"publisher","DOI":"10.1145\/3238147.3238176"},{"key":"ref113","doi-asserted-by":"publisher","DOI":"10.1109\/TSE.2017.2785841"},{"key":"ref116","first-page":"1949","article-title":"MOPT: Optimized mutation scheduling for fuzzers","author":"lyu","year":"2019","journal-title":"Proc Usenix Secur Symp"},{"key":"ref80","first-page":"291","article-title":"Address obfuscation: An efficient approach to combat a broad range of memory error exploits","author":"bhatkar","year":"2003","journal-title":"Proc Usenix Secur Symp"},{"key":"ref115","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2018.00046"},{"key":"ref120","doi-asserted-by":"crossref","first-page":"337","DOI":"10.1007\/978-3-540-78800-3_24","article-title":"Z3: An efficient SMT solver","author":"de moura","year":"2008","journal-title":"Proc Int Conf Tools Algorithms Construction Anal Syst"},{"key":"ref89","first-page":"275","article-title":"Cyclone: A safe dialect of c","author":"jim","year":"2002","journal-title":"Proc USENIX Annu Techn Conf Gen Track"},{"key":"ref121","doi-asserted-by":"publisher","DOI":"10.1145\/3427228.3427645"},{"key":"ref122","doi-asserted-by":"publisher","DOI":"10.1109\/ISCA45697.2020.00068"},{"key":"ref123","doi-asserted-by":"publisher","DOI":"10.1145\/2509136.2509550"},{"key":"ref85","article-title":"Understanding the low 
fragmentation heap","author":"valasek","year":"2010","journal-title":"Black Hat USA"},{"key":"ref86","doi-asserted-by":"publisher","DOI":"10.1145\/3274694.3274705"},{"key":"ref87","doi-asserted-by":"publisher","DOI":"10.1109\/DSN.2006.31"},{"key":"ref88","article-title":"Understanding IE\u2019s new exploit mitigations: The memory protector and the isolated heap","author":"yason","year":"2014"}],"container-title":["IEEE Transactions on Software Engineering"],"original-title":[],"link":[{"URL":"http:\/\/xplorestaging.ieee.org\/ielx7\/32\/9946941\/09583875.pdf?arnumber=9583875","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2022,12,12]],"date-time":"2022-12-12T19:35:51Z","timestamp":1670873751000},"score":1,"resource":{"primary":{"URL":"https:\/\/ieeexplore.ieee.org\/document\/9583875\/"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2022,11,1]]},"references-count":131,"journal-issue":{"issue":"11"},"URL":"https:\/\/doi.org\/10.1109\/tse.2021.3121994","relation":{},"ISSN":["0098-5589","1939-3520","2326-3881"],"issn-type":[{"value":"0098-5589","type":"print"},{"value":"1939-3520","type":"electronic"},{"value":"2326-3881","type":"electronic"}],"subject":[],"published":{"date-parts":[[2022,11,1]]}}}