{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,12,18]],"date-time":"2025-12-18T12:49:55Z","timestamp":1766062195321,"version":"3.48.0"},"reference-count":59,"publisher":"Institute of Electrical and Electronics Engineers (IEEE)","issue":"12","license":[{"start":{"date-parts":[[2025,12,1]],"date-time":"2025-12-01T00:00:00Z","timestamp":1764547200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/ieeexplore.ieee.org\/Xplorehelp\/downloads\/license-information\/IEEE.html"},{"start":{"date-parts":[[2025,12,1]],"date-time":"2025-12-01T00:00:00Z","timestamp":1764547200000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-029"},{"start":{"date-parts":[[2025,12,1]],"date-time":"2025-12-01T00:00:00Z","timestamp":1764547200000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-037"}],"funder":[{"name":"National Key Research and Development Program of China","award":["2024YFB3108500"],"award-info":[{"award-number":["2024YFB3108500"]}]},{"DOI":"10.13039\/501100001809","name":"National Natural Science Foundation of China","doi-asserted-by":"publisher","award":["62372297"],"award-info":[{"award-number":["62372297"]}],"id":[{"id":"10.13039\/501100001809","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["IEEE Trans. 
Software Eng."],"published-print":{"date-parts":[[2025,12]]},"DOI":"10.1109\/tse.2025.3615642","type":"journal-article","created":{"date-parts":[[2025,10,6]],"date-time":"2025-10-06T17:36:26Z","timestamp":1759772186000},"page":"3467-3485","source":"Crossref","is-referenced-by-count":0,"title":["Enhancing Real-Time Operating System Security Analysis via Slice-Based Fuzzing"],"prefix":"10.1109","volume":"51","author":[{"ORCID":"https:\/\/orcid.org\/0009-0006-7652-1947","authenticated-orcid":false,"given":"Jialu","family":"Li","sequence":"first","affiliation":[{"name":"School of Computer Science, Shanghai Jiao Tong University, Shanghai, China"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-0084-1718","authenticated-orcid":false,"given":"Haoyu","family":"Li","sequence":"additional","affiliation":[{"name":"School of Computer Science, Shanghai Jiao Tong University, Shanghai, China"}]},{"ORCID":"https:\/\/orcid.org\/0009-0008-0436-8183","authenticated-orcid":false,"given":"Yuchong","family":"Xie","sequence":"additional","affiliation":[{"name":"Hong Kong University of Science and Technology, Hong Kong, China"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-6990-2972","authenticated-orcid":false,"given":"Yanhao","family":"Wang","sequence":"additional","affiliation":[{"name":"School of Computer Science, Shanghai Jiao Tong University, Shanghai, China"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-1119-4766","authenticated-orcid":false,"given":"Qinsheng","family":"Hou","sequence":"additional","affiliation":[{"name":"School of Computer Science, Shanghai Jiao Tong University, Shanghai, China"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-3236-4805","authenticated-orcid":false,"given":"Libo","family":"Chen","sequence":"additional","affiliation":[{"name":"School of Computer Science, Shanghai Jiao Tong University, Shanghai, 
China"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-6975-9184","authenticated-orcid":false,"given":"Bo","family":"Zhang","sequence":"additional","affiliation":[{"name":"China Electric Power Research Institute, Beijing, China"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-0767-2307","authenticated-orcid":false,"given":"Shenghong","family":"Li","sequence":"additional","affiliation":[{"name":"School of Computer Science, Shanghai Jiao Tong University, Shanghai, China"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-2875-304X","authenticated-orcid":false,"given":"Zhi","family":"Xue","sequence":"additional","affiliation":[{"name":"School of Computer Science, Shanghai Jiao Tong University, Shanghai, China"}]}],"member":"263","reference":[{"key":"ref1","first-page":"209","article-title":"KLEE: unassisted and automatic generation of high-coverage tests for complex systems programs","volume-title":"Proc. OSDI","author":"Cadar","year":"2008"},{"key":"ref2","doi-asserted-by":"publisher","DOI":"10.1145\/1961296.1950396"},{"key":"ref3","doi-asserted-by":"publisher","DOI":"10.1145\/2522920.2522925"},{"key":"ref4","doi-asserted-by":"publisher","DOI":"10.1109\/TSE.2017.2659751"},{"key":"ref5","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2016.17"},{"key":"ref6","article-title":"VxWorks: The Leading RTOS for the Intelligent Edge."},{"key":"ref7","article-title":"Real-time operating system for microcontrollers."},{"key":"ref8","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2017.37"},{"key":"ref9","doi-asserted-by":"publisher","DOI":"10.1145\/3658644.3670362"},{"key":"ref10","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2018.23107"},{"key":"ref11","first-page":"21","article-title":"Is your firmware real or re-hosted?","volume-title":"Proc. Workshop Binary Anal. Res. 
(BAR)","volume":"2021","author":"Clements","year":"2021"},{"key":"ref12","doi-asserted-by":"publisher","DOI":"10.1109\/SP40000.2020.00036"},{"key":"ref13","article-title":"Home \u2013 Armis."},{"article-title":"Critical vulnerabilities to remotely compromise Vxworks, the most popular RTOS","year":"2019","author":"Seri","key":"ref14"},{"year":"2021","key":"ref15","article-title":"Command & data-handling systems"},{"key":"ref16","article-title":"From an URGENT\/11 vulnerability to a full take-down of a factory, using a single packet","volume-title":"Proc. Black Hat Asia","author":"Hadad","year":"2020"},{"key":"ref17","article-title":"Dive into Vxworks based IoT device: Debug the undebugable device","volume-title":"Proc. Black Hat Asia","author":"Zhu","year":"2019"},{"key":"ref18","doi-asserted-by":"publisher","DOI":"10.1145\/3372297.3423344"},{"key":"ref19","first-page":"381","article-title":"\u03bcSBS: Static binary sanitization of bare-metal embedded devices for fault observability","volume-title":"Proc. 23rd Int. Symp. Res. Attacks, Intrusions, Defenses (RAID)","author":"Salehi","year":"2020"},{"key":"ref20","first-page":"303","article-title":"Sharing more and checking less: leveraging common input keywords to detect bugs in embedded systems","volume-title":"Proc. 30th USENIX Secur. Symp. (USENIX Security)","author":"Chen","year":"2021"},{"key":"ref21","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2016.23415"},{"key":"ref22","doi-asserted-by":"publisher","DOI":"10.1145\/3427228.3427294"},{"key":"ref23","first-page":"1099","article-title":"FIRM-AFL: High-throughput greybox fuzzing of IoT firmware via augmented process emulation","volume-title":"Proc. 28th USENIX Secur. Symp. (USENIX Security)","author":"Zheng","year":"2019"},{"key":"ref24","first-page":"1201","article-title":"HALucinator: Firmware re-hosting through abstraction layer emulation","volume-title":"Proc. 29th USENIX Secur. Symp. 
(USENIX Security)","author":"Clements","year":"2020"},{"key":"ref25","first-page":"2271","article-title":"FuzzGen: Automatic fuzzer generation","volume-title":"Proc. 29th USENIX Secur. Symp. (USENIX Security)","author":"Ispoglou","year":"2020"},{"author":"Voss","key":"ref26","article-title":"afl-unicorn: Fuzzing arbitrary binary code."},{"key":"ref27","first-page":"49","article-title":"Under-constrained symbolic execution: Correctness checking for real code","volume-title":"Proc. 24th USENIX Secur. Symp. (USENIX Security)","author":"Ramos","year":"2015"},{"key":"ref28","first-page":"199","article-title":"Redundant state detection for dynamic symbolic execution","volume-title":"Proc. USENIX Conf. Annu. Tech. Conf. (USENIX ATC)","author":"Bugrara","year":"2013"},{"key":"ref29","first-page":"689","article-title":"CAB-Fuzz: Practical concolic testing techniques for COTS operating systems","volume-title":"Proc. USENIX Conf. Annu. Tech. Conf. (USENIX ATC)","author":"Kim","year":"2017"},{"key":"ref30","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2016.23368"},{"key":"ref31","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2016.23118"},{"key":"ref32","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2016.23066"},{"key":"ref33","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2018.00056"},{"key":"ref34","first-page":"2849","article-title":"DDRace: Finding concurrency UAF vulnerabilities in Linux drivers with directed fuzzing","volume-title":"Proc. 32nd USENIX Secur. 
Symp.","author":"Yuan","year":"2023"},{"key":"ref35","doi-asserted-by":"publisher","DOI":"10.1109\/ASE56229.2023.00051"},{"key":"ref36","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2020.24422"},{"key":"ref37","article-title":"AFL."},{"key":"ref38","article-title":"eCos Home Page."},{"key":"ref40","doi-asserted-by":"publisher","DOI":"10.1145\/3359789.3359826"},{"key":"ref41","doi-asserted-by":"publisher","DOI":"10.1109\/SecDev.2017.14"},{"key":"ref42","doi-asserted-by":"publisher","DOI":"10.1145\/3133956.3134020"},{"key":"ref43","doi-asserted-by":"publisher","DOI":"10.1145\/3243734.3243849"},{"key":"ref44","doi-asserted-by":"publisher","DOI":"10.1109\/ASE.2019.00100"},{"key":"ref45","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-540-78800-3_28"},{"key":"ref46","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-540-78800-3_27"},{"key":"ref47","first-page":"63","article-title":"StackGuard: Automatic adaptive detection and prevention of buffer-overflow attacks","volume-title":"Proc. USENIX Secur. Symp.","volume":"98","author":"Cowan","year":"1998"},{"year":"2006","key":"ref48","article-title":"Data Execution Prevention (DEP)"},{"key":"ref49","doi-asserted-by":"publisher","DOI":"10.1145\/3548606.3559367"},{"key":"ref50","doi-asserted-by":"publisher","DOI":"10.1145\/3597503.3623321"},{"key":"ref51","doi-asserted-by":"publisher","DOI":"10.1016\/j.icte.2025.05.008"},{"key":"ref52","doi-asserted-by":"publisher","DOI":"10.14722\/bar.2025.23014"},{"key":"ref53","first-page":"7067","article-title":"Leveraging semantic relations in code and data to enhance taint analysis of embedded systems","volume-title":"Proc. 33rd USENIX Secur. Symp.","author":"Zhao","year":"2024"},{"key":"ref54","first-page":"7123","article-title":"Operation mango: Scalable discovery of taint-style vulnerabilities in binary firmware services","volume-title":"Proc. 33rd USENIX Secur. 
Symp.","author":"Gibbs","year":"2024"},{"key":"ref55","doi-asserted-by":"publisher","DOI":"10.3390\/fi17010019"},{"key":"ref56","first-page":"5591","article-title":"CO3: Concolic co-execution for firmware","volume-title":"Proc. 33rd USENIX Secur. Symp.","author":"Liu","year":"2024"},{"key":"ref57","doi-asserted-by":"publisher","DOI":"10.3390\/electronics13081433"},{"key":"ref58","first-page":"1239","article-title":"Fuzzware: Using precise MMIO modeling for effective firmware fuzzing","volume-title":"Proc. 31st USENIX Secur. Symp.","author":"Scharnowski","year":"2022"},{"key":"ref59","first-page":"2885","article-title":"Hoedur: Embedded firmware fuzzing using multi-stream inputs","volume-title":"Proc. 32nd USENIX Secur. Symp.","author":"Scharnowski"},{"key":"ref60","doi-asserted-by":"publisher","DOI":"10.1145\/3728916"}],"container-title":["IEEE Transactions on Software Engineering"],"original-title":[],"link":[{"URL":"http:\/\/xplorestaging.ieee.org\/ielx8\/32\/11298241\/11185190.pdf?arnumber=11185190","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,12,18]],"date-time":"2025-12-18T12:45:14Z","timestamp":1766061914000},"score":1,"resource":{"primary":{"URL":"https:\/\/ieeexplore.ieee.org\/document\/11185190\/"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025,12]]},"references-count":59,"journal-issue":{"issue":"12"},"URL":"https:\/\/doi.org\/10.1109\/tse.2025.3615642","relation":{},"ISSN":["0098-5589","1939-3520","2326-3881"],"issn-type":[{"type":"print","value":"0098-5589"},{"type":"electronic","value":"1939-3520"},{"type":"electronic","value":"2326-3881"}],"subject":[],"published":{"date-parts":[[2025,12]]}}}