{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,3,4]],"date-time":"2026-03-04T16:46:00Z","timestamp":1772642760403,"version":"3.50.1"},"reference-count":188,"publisher":"Association for Computing Machinery (ACM)","issue":"1","license":[{"start":{"date-parts":[[2021,1,2]],"date-time":"2021-01-02T00:00:00Z","timestamp":1609545600000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"funder":[{"DOI":"10.13039\/100000015","name":"U.S. Department of Energy","doi-asserted-by":"crossref","award":["SAND2020-10079 J"],"award-info":[{"award-number":["SAND2020-10079 J"]}],"id":[{"id":"10.13039\/100000015","id-type":"DOI","asserted-by":"crossref"}]},{"name":"National Nuclear Security","award":["DE-NA0003525"],"award-info":[{"award-number":["DE-NA0003525"]}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["ACM Comput. Surv."],"published-print":{"date-parts":[[2022,1,31]]},"abstract":"<jats:p>System emulation and firmware re-hosting have become popular techniques to answer various security and performance related questions, such as determining whether a firmware contain security vulnerabilities or meet timing requirements when run on a specific hardware platform. While this motivation for emulation and binary analysis has previously been explored and reported, starting to either work or research in the field is difficult. To this end, we provide a comprehensive guide for the practitioner or system emulation researcher. We layout common challenges faced during firmware re-hosting, explaining successive steps and surveying common tools used to overcome these challenges. We provide classification techniques on five different axes, including emulator methods, system type, fidelity, emulator purpose, and control. These classifications and comparison criteria enable the practitioner to determine the appropriate tool for emulation. We use our classifications to categorize popular works in the field and present 28 common challenges faced when creating, emulating, and analyzing a system from obtaining firmwares to post emulation analysis.<\/jats:p>","DOI":"10.1145\/3423167","type":"journal-article","created":{"date-parts":[[2021,1,2]],"date-time":"2021-01-02T17:08:21Z","timestamp":1609607301000},"page":"1-36","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":51,"title":["Challenges in Firmware Re-Hosting, Emulation, and Analysis"],"prefix":"10.1145","volume":"54","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-2592-0407","authenticated-orcid":false,"given":"Christopher","family":"Wright","sequence":"first","affiliation":[{"name":"Purdue University"}]},{"given":"William A.","family":"Moeglein","sequence":"additional","affiliation":[{"name":"Sandia National Laboratories"}]},{"given":"Saurabh","family":"Bagchi","sequence":"additional","affiliation":[{"name":"Purdue University"}]},{"given":"Milind","family":"Kulkarni","sequence":"additional","affiliation":[{"name":"Purdue University"}]},{"given":"Abraham A.","family":"Clements","sequence":"additional","affiliation":[{"name":"Sandia National Laboratories"}]}],"member":"320","published-online":{"date-parts":[[2021,1,2]]},"reference":[{"key":"e_1_2_1_1_1","unstructured":"2017. $20M in Bounties Paid and $100M In Sight. Retrieved from https:\/\/www.hackerone.com\/blog\/20M-in-bounties-paid-and-100M-in-sight.  2017. $20M in Bounties Paid and $100M In Sight. Retrieved from https:\/\/www.hackerone.com\/blog\/20M-in-bounties-paid-and-100M-in-sight."},{"key":"e_1_2_1_2_1","unstructured":"AFL-Fuzz. [n.d.]. afl-fuzz. Retrieved from https:\/\/github.com\/google\/AFL.  AFL-Fuzz. [n.d.]. afl-fuzz. Retrieved from https:\/\/github.com\/google\/AFL."},{"key":"e_1_2_1_3_1","doi-asserted-by":"publisher","DOI":"10.1109\/MC.2012.325"},{"key":"e_1_2_1_4_1","doi-asserted-by":"publisher","DOI":"10.1145\/3175492"},{"key":"e_1_2_1_5_1","unstructured":"angr. [n.d.]. boyscout. Retrieved from https:\/\/github.com\/angr\/angr\/blob\/master\/angr\/analyses\/boyscout.py.  angr. [n.d.]. boyscout. Retrieved from https:\/\/github.com\/angr\/angr\/blob\/master\/angr\/analyses\/boyscout.py."},{"key":"e_1_2_1_6_1","unstructured":"angr. [n.d.]. girlscout. Retrieved from https:\/\/github.com\/angr\/angr\/blob\/master\/angr\/analyses\/girlscout.py.  angr. [n.d.]. girlscout. Retrieved from https:\/\/github.com\/angr\/angr\/blob\/master\/angr\/analyses\/girlscout.py."},{"key":"e_1_2_1_7_1","volume-title":"Camil Demetrescu, and Irene Finocchi.","author":"Baldoni Roberto","year":"2018","unstructured":"Roberto Baldoni , Emilio Coppa , Daniele Cono D\u2019elia , Camil Demetrescu, and Irene Finocchi. 2018 . A survey of symbolic execution techniques. Comput. Surv. 51, 3, Article 50 (May 2018), 39 pages. DOI:https:\/\/doi.org\/10.1145\/3182657 10.1145\/3182657 Roberto Baldoni, Emilio Coppa, Daniele Cono D\u2019elia, Camil Demetrescu, and Irene Finocchi. 2018. A survey of symbolic execution techniques. Comput. Surv. 51, 3, Article 50 (May 2018), 39 pages. DOI:https:\/\/doi.org\/10.1145\/3182657"},{"key":"e_1_2_1_8_1","volume-title":"Proceedings of the 23rd USENIX Security Symposium. 845--860","author":"Bao Tiffany","year":"2014","unstructured":"Tiffany Bao , Jonathan Burket , Maverick Woo , Rafael Turner , and David Brumley . 2014 . BYTEWEIGHT: Learning to recognize functions in binary code . In Proceedings of the 23rd USENIX Security Symposium. 845--860 . Tiffany Bao, Jonathan Burket, Maverick Woo, Rafael Turner, and David Brumley. 2014. BYTEWEIGHT: Learning to recognize functions in binary code. In Proceedings of the 23rd USENIX Security Symposium. 845--860."},{"key":"e_1_2_1_9_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2017.67"},{"key":"e_1_2_1_10_1","unstructured":"BE-PUM. [n.d.]. BE-PUM. Retrieved from https:\/\/github.com\/NMHai\/BE-PUM.  BE-PUM. [n.d.]. BE-PUM. Retrieved from https:\/\/github.com\/NMHai\/BE-PUM."},{"key":"e_1_2_1_11_1","doi-asserted-by":"publisher","DOI":"10.5555\/1247360.1247401"},{"key":"e_1_2_1_12_1","doi-asserted-by":"publisher","DOI":"10.1145\/2024716.2024718"},{"key":"e_1_2_1_13_1","unstructured":"BitBlaze. [n.d.]. FuzzBALL. Retrieved from https:\/\/github.com\/bitblaze-fuzzball\/fuzzball.  BitBlaze. [n.d.]. FuzzBALL. Retrieved from https:\/\/github.com\/bitblaze-fuzzball\/fuzzball."},{"key":"e_1_2_1_14_1","unstructured":"boofuzz. [n.d.]. boofuzz.Retrieved from https:\/\/github.com\/jtpereyda\/boofuzz.  boofuzz. [n.d.]. boofuzz.Retrieved from https:\/\/github.com\/jtpereyda\/boofuzz."},{"key":"e_1_2_1_15_1","doi-asserted-by":"publisher","DOI":"10.1145\/2491411.2491433"},{"key":"e_1_2_1_16_1","doi-asserted-by":"publisher","DOI":"10.1145\/2786805.2786842"},{"key":"e_1_2_1_17_1","first-page":"086","article-title":"Method and Iimplementation for Intercepting and Processing System Calls in Programmed Digital Computer to Emulate Retrograde operating System","volume":"6","author":"Broome Jonathan","year":"2000","unstructured":"Jonathan Broome and David Marx . 2000 . Method and Iimplementation for Intercepting and Processing System Calls in Programmed Digital Computer to Emulate Retrograde operating System . US Patent 6 , 086 ,623. Jonathan Broome and David Marx. 2000. Method and Iimplementation for Intercepting and Processing System Calls in Programmed Digital Computer to Emulate Retrograde operating System. US Patent 6,086,623.","journal-title":"US Patent"},{"key":"e_1_2_1_18_1","volume-title":"Schwartz","author":"Brumley David","year":"2011","unstructured":"David Brumley , Ivan Jager , Thanassis Avgerinos , and Edward J . Schwartz . 2011 . BAP : A binary analysis platform. In Proceedings of the International Conference on Computer Aided Verification. Springer , 463--469. David Brumley, Ivan Jager, Thanassis Avgerinos, and Edward J. Schwartz. 2011. BAP: A binary analysis platform. In Proceedings of the International Conference on Computer Aided Verification. Springer, 463--469."},{"key":"e_1_2_1_19_1","volume-title":"Proceedings of the 8th USENIX Conference on Operating Systems Design and Implementation. USENIX Association","author":"Cadar Cristian","year":"2008","unstructured":"Cristian Cadar , Daniel Dunbar , and Dawson Engler . 2008 . KLEE: Unassisted and automatic generation of high-coverage tests for complex systems programs . In Proceedings of the 8th USENIX Conference on Operating Systems Design and Implementation. USENIX Association , Berkeley, CA, 209--224. http:\/\/dl.acm.org\/citation.cfm?id= 1855741.1855756 Cristian Cadar, Daniel Dunbar, and Dawson Engler. 2008. KLEE: Unassisted and automatic generation of high-coverage tests for complex systems programs. In Proceedings of the 8th USENIX Conference on Operating Systems Design and Implementation. USENIX Association, Berkeley, CA, 209--224. http:\/\/dl.acm.org\/citation.cfm?id=1855741.1855756"},{"key":"e_1_2_1_20_1","doi-asserted-by":"publisher","DOI":"10.1145\/1985793.1985995"},{"key":"e_1_2_1_21_1","doi-asserted-by":"publisher","DOI":"10.1145\/2382196.2382217"},{"key":"e_1_2_1_22_1","unstructured":"Capstone. [n.d.]. Capstone Disassembler. Retrieved from http:\/\/www.capstone-engine.org\/.  Capstone. [n.d.]. Capstone Disassembler. Retrieved from http:\/\/www.capstone-engine.org\/."},{"key":"e_1_2_1_24_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2012.31"},{"key":"e_1_2_1_25_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2016.23415"},{"key":"e_1_2_1_26_1","doi-asserted-by":"publisher","DOI":"10.1109\/DSN.2018.00052"},{"key":"e_1_2_1_27_1","doi-asserted-by":"publisher","DOI":"10.1109\/40.671403"},{"key":"e_1_2_1_28_1","first-page":"1","article-title":"S2E: A platform for in-vivo multi-path analysis of software systems","volume":"39","author":"Chipounov Vitaly","year":"2011","unstructured":"Vitaly Chipounov , Volodymyr Kuznetsov , and George Candea . 2011 . S2E: A platform for in-vivo multi-path analysis of software systems . SIGARCH Comput. Arch. News 39 , 1 (March 2011), 265--278. DOI:https:\/\/doi.org\/10.1145\/1961295.1950396 10.1145\/1961295.1950396 Vitaly Chipounov, Volodymyr Kuznetsov, and George Candea. 2011. S2E: A platform for in-vivo multi-path analysis of software systems. SIGARCH Comput. Arch. News 39, 1 (March 2011), 265--278. DOI:https:\/\/doi.org\/10.1145\/1961295.1950396","journal-title":"SIGARCH Comput. Arch. News"},{"key":"e_1_2_1_29_1","volume-title":"Proceedings of the 26th USENIX Security Symposium. 99--116","author":"Chua Zheng Leong","year":"2017","unstructured":"Zheng Leong Chua , Shiqi Shen , Prateek Saxena , and Zhenkai Liang . 2017 . Neural nets can learn function type signatures from binaries . In Proceedings of the 26th USENIX Security Symposium. 99--116 . Zheng Leong Chua, Shiqi Shen, Prateek Saxena, and Zhenkai Liang. 2017. Neural nets can learn function type signatures from binaries. In Proceedings of the 26th USENIX Security Symposium. 99--116."},{"key":"e_1_2_1_30_1","unstructured":"Catalin Cimpanu. 2019. Android Exploits Are Now Worth More Than iOS Exploits For The First Time. Retrieved from https:\/\/www.zdnet.com\/article\/android-exploits-are-now-worth-more-than-ios-exploits-for-the-first-time\/.  Catalin Cimpanu. 2019. Android Exploits Are Now Worth More Than iOS Exploits For The First Time. Retrieved from https:\/\/www.zdnet.com\/article\/android-exploits-are-now-worth-more-than-ios-exploits-for-the-first-time\/."},{"key":"e_1_2_1_31_1","unstructured":"Cisco. [n.d.]. Joy. Retrieved from https:\/\/github.com\/cisco\/joy.  Cisco. [n.d.]. Joy. Retrieved from https:\/\/github.com\/cisco\/joy."},{"key":"e_1_2_1_32_1","unstructured":"Cisomag. 2020. Tesla Offers US$1 Million and a Car to Hack its Model 3 Car. Retrieved from https:\/\/www.cisomag.com\/tesla-offers-us1-million-and-a-car-as-bug-bounty-reward\/.  Cisomag. 2020. Tesla Offers US$1 Million and a Car to Hack its Model 3 Car. Retrieved from https:\/\/www.cisomag.com\/tesla-offers-us1-million-and-a-car-as-bug-bounty-reward\/."},{"key":"e_1_2_1_33_1","doi-asserted-by":"publisher","DOI":"10.1145\/1273463.1273490"},{"key":"e_1_2_1_34_1","first-page":"S1","article-title":"Automatic classification of object code using machine learning","volume":"14","author":"Clemens John","year":"2015","unstructured":"John Clemens . 2015 . Automatic classification of object code using machine learning . Dig. Invest. 14 , S1 (August 2015), S156\u2013S162. DOI:https:\/\/doi.org\/10.1016\/j.diin.2015.05.007 10.1016\/j.diin.2015.05.007 John Clemens. 2015. Automatic classification of object code using machine learning. Dig. Invest. 14, S1 (August 2015), S156\u2013S162. DOI:https:\/\/doi.org\/10.1016\/j.diin.2015.05.007","journal-title":"Dig. Invest."},{"key":"e_1_2_1_35_1","volume-title":"29th USENIX Security Symposium (USENIX Security'20)","author":"Clements Abraham","year":"2020","unstructured":"Abraham Clements , Eric Gustafson , Tobias Scharnowski , Paul Grosen , David Fritz , Christopher Kruegel , Giovanni Vigna , Saurabh Bagchi , and Mathias Payer . 2020 . HALucinator: Firmware re-hosting through abstraction layer emulation . In 29th USENIX Security Symposium (USENIX Security'20) . USENIX Association, 1201--1218. https:\/\/www.usenix.org\/conference\/usenixsecurity20\/presentation\/clements. Abraham Clements, Eric Gustafson, Tobias Scharnowski, Paul Grosen, David Fritz, Christopher Kruegel, Giovanni Vigna, Saurabh Bagchi, and Mathias Payer. 2020. HALucinator: Firmware re-hosting through abstraction layer emulation. In 29th USENIX Security Symposium (USENIX Security'20). USENIX Association, 1201--1218. https:\/\/www.usenix.org\/conference\/usenixsecurity20\/presentation\/clements."},{"key":"e_1_2_1_36_1","doi-asserted-by":"publisher","DOI":"10.1145\/2818000.2818035"},{"key":"e_1_2_1_37_1","unstructured":"Comsecuris. [n.d.]. GDB Ghidra. Retrieved from https:\/\/github.com\/Comsecuris\/gdbghidra.  Comsecuris. [n.d.]. GDB Ghidra. Retrieved from https:\/\/github.com\/Comsecuris\/gdbghidra."},{"key":"e_1_2_1_38_1","unstructured":"ConsenSys. [n.d.]. Mythril. Retrieved from https:\/\/github.com\/ConsenSys\/mythril.  ConsenSys. [n.d.]. Mythril. Retrieved from https:\/\/github.com\/ConsenSys\/mythril."},{"key":"e_1_2_1_39_1","doi-asserted-by":"publisher","DOI":"10.1145\/3133956.3134069"},{"key":"e_1_2_1_40_1","volume-title":"Proceedings of the 27th USENIX Security Symposium. USENIX Association","author":"Corteggiani Nassim","year":"2018","unstructured":"Nassim Corteggiani , Giovanni Camurati , and Aur\u00e9lien Francillon . 2018 . Inception: System-wide security testing of real-world embedded systems software . In Proceedings of the 27th USENIX Security Symposium. USENIX Association , Baltimore, MD, 309--326. https:\/\/www.usenix.org\/conference\/usenixsecurity18\/presentation\/corteggiani. Nassim Corteggiani, Giovanni Camurati, and Aur\u00e9lien Francillon. 2018. Inception: System-wide security testing of real-world embedded systems software. In Proceedings of the 27th USENIX Security Symposium. USENIX Association, Baltimore, MD, 309--326. https:\/\/www.usenix.org\/conference\/usenixsecurity18\/presentation\/corteggiani."},{"key":"e_1_2_1_41_1","unstructured":"Andrei Costin and Jonas Zaddach. 2013. Embedded devices security and firmware reverse engineering. In black hat USA 2013 Workshop. blackhat.com. https:\/\/media.blackhat.com\/us-13\/US-13-Zaddach-Workshop-on-Embedded-Devices-Security-and-Firmware-Reverse-Engineering-WP.pdf.  Andrei Costin and Jonas Zaddach. 2013. Embedded devices security and firmware reverse engineering. In black hat USA 2013 Workshop. blackhat.com. https:\/\/media.blackhat.com\/us-13\/US-13-Zaddach-Workshop-on-Embedded-Devices-Security-and-Firmware-Reverse-Engineering-WP.pdf."},{"key":"e_1_2_1_42_1","unstructured":"Andrei Costin Jonas Zaddach Aur\u00e9lien Francillon and Davide Balzarotti. [n.d.]. firmware.re. http:\/\/firmware.re\/usenixsec14\/.  Andrei Costin Jonas Zaddach Aur\u00e9lien Francillon and Davide Balzarotti. [n.d.]. firmware.re. http:\/\/firmware.re\/usenixsec14\/."},{"key":"e_1_2_1_43_1","volume-title":"Proceedings of the 23rd USENIX Security Symposium. USENIX Association","author":"Costin Andrei","year":"2014","unstructured":"Andrei Costin , Jonas Zaddach , Aur\u00e9lien Francillon , and Davide Balzarotti . 2014 . A large-scale analysis of the security of embedded firmwares . In Proceedings of the 23rd USENIX Security Symposium. USENIX Association , San Diego, CA, 95--110. https:\/\/www.usenix.org\/conference\/usenixsecurity14\/technical-sessions\/presentation\/costin. Andrei Costin, Jonas Zaddach, Aur\u00e9lien Francillon, and Davide Balzarotti. 2014. A large-scale analysis of the security of embedded firmwares. In Proceedings of the 23rd USENIX Security Symposium. USENIX Association, San Diego, CA, 95--110. https:\/\/www.usenix.org\/conference\/usenixsecurity14\/technical-sessions\/presentation\/costin."},{"key":"e_1_2_1_44_1","doi-asserted-by":"publisher","DOI":"10.1145\/2897845.2897900"},{"key":"e_1_2_1_45_1","volume-title":"ICT Systems Security and Privacy Protection, Sabrina De Capitani di Vimercati and Fabio Martinelli (Eds.)","author":"Costin Andrei","unstructured":"Andrei Costin , Apostolis Zarras , and Aur\u00e9lien Francillon . 2017. Towards automated classification of firmware images and identification of embedded devices . In ICT Systems Security and Privacy Protection, Sabrina De Capitani di Vimercati and Fabio Martinelli (Eds.) . Springer International Publishing , Cham , 233--247. Andrei Costin, Apostolis Zarras, and Aur\u00e9lien Francillon. 2017. Towards automated classification of firmware images and identification of embedded devices. In ICT Systems Security and Privacy Protection, Sabrina De Capitani di Vimercati and Fabio Martinelli (Eds.). Springer International Publishing, Cham, 233--247."},{"key":"e_1_2_1_46_1","unstructured":"Craig. 2012. Emulating NVRAM in Qemu. Retrieved from http:\/\/www.devttys0.com\/2012\/03\/emulating-nvram-in-qemu\/.  Craig. 2012. Emulating NVRAM in Qemu. Retrieved from http:\/\/www.devttys0.com\/2012\/03\/emulating-nvram-in-qemu\/."},{"key":"e_1_2_1_47_1","doi-asserted-by":"publisher","DOI":"10.1109\/SANER.2016.43"},{"key":"e_1_2_1_48_1","volume-title":"Proceedings of the 22nd USENIX Security Symposium. USENIX Association","author":"Davidson Drew","year":"2013","unstructured":"Drew Davidson , Benjamin Moench , Thomas Ristenpart , and Somesh Jha . 2013 . FIE on firmware: Finding vulnerabilities in embedded systems using symbolic execution . In Proceedings of the 22nd USENIX Security Symposium. USENIX Association , Berkeley, CA, 463--478. Drew Davidson, Benjamin Moench, Thomas Ristenpart, and Somesh Jha. 2013. FIE on firmware: Finding vulnerabilities in embedded systems using symbolic execution. In Proceedings of the 22nd USENIX Security Symposium. USENIX Association, Berkeley, CA, 463--478."},{"key":"e_1_2_1_49_1","volume-title":"ELISA: ELiciting ISA of raw binaries for fine-grained code and data separation. In Detection of Intrusions and Malware, and Vulnerability Assessment, Cristiano Giuffrida, S\u00e9bastien Bardin","author":"Nicolao Pietro De","year":"2018","unstructured":"Pietro De Nicolao , Marcello Pogliani , Mario Polino , Michele Carminati , Davide Quarta , and Stefano Zanero . 2018 . ELISA: ELiciting ISA of raw binaries for fine-grained code and data separation. In Detection of Intrusions and Malware, and Vulnerability Assessment, Cristiano Giuffrida, S\u00e9bastien Bardin , and Gregory Blanc (Eds.). Springer International Publishing , Cham , 351--371. Pietro De Nicolao, Marcello Pogliani, Mario Polino, Michele Carminati, Davide Quarta, and Stefano Zanero. 2018. ELISA: ELiciting ISA of raw binaries for fine-grained code and data separation. In Detection of Intrusions and Malware, and Vulnerability Assessment, Cristiano Giuffrida, S\u00e9bastien Bardin, and Gregory Blanc (Eds.). Springer International Publishing, Cham, 351--371."},{"key":"e_1_2_1_50_1","doi-asserted-by":"publisher","DOI":"10.1145\/2843859.2843867"},{"key":"e_1_2_1_51_1","unstructured":"Christopher Domas. 2017. Breaking the x86 ISA. In black hat USA 2017 Workshop. blackhat.com. https:\/\/www. blackhat.com\/docs\/us-17\/thursday\/us-17-Domas-Breaking-The-x86-Instruction-Set-wp.pdf.  Christopher Domas. 2017. Breaking the x86 ISA. In black hat USA 2017 Workshop. blackhat.com. https:\/\/www. blackhat.com\/docs\/us-17\/thursday\/us-17-Domas-Breaking-The-x86-Instruction-Set-wp.pdf."},{"key":"e_1_2_1_52_1","unstructured":"DOSBox. [n.d.]. DOSBox. Retrieved from https:\/\/www.dosbox.com\/.  DOSBox. [n.d.]. DOSBox. Retrieved from https:\/\/www.dosbox.com\/."},{"key":"e_1_2_1_53_1","unstructured":"DroidSniff. [n.d.]. DroidSniff. Retrieved from https:\/\/github.com\/evozi\/DroidSniff.  DroidSniff. [n.d.]. DroidSniff. Retrieved from https:\/\/github.com\/evozi\/DroidSniff."},{"key":"e_1_2_1_54_1","volume-title":"REIL: A platform-independent intermediate representation of disassembled code for static code analysis. Zynamics. https:\/\/static.googleusercontent.com\/media\/www.zynamics.com\/en\/\/downloads\/csw09.pdf.","author":"Dullien Thomas","year":"2009","unstructured":"Thomas Dullien and Sebastian Porst . 2009 . REIL: A platform-independent intermediate representation of disassembled code for static code analysis. Zynamics. https:\/\/static.googleusercontent.com\/media\/www.zynamics.com\/en\/\/downloads\/csw09.pdf. Thomas Dullien and Sebastian Porst. 2009. REIL: A platform-independent intermediate representation of disassembled code for static code analysis. Zynamics. https:\/\/static.googleusercontent.com\/media\/www.zynamics.com\/en\/\/downloads\/csw09.pdf."},{"key":"e_1_2_1_55_1","unstructured":"EtherApe. [n.d.]. EtherApe. Retrieved from https:\/\/etherape.sourceforge.io\/.  EtherApe. [n.d.]. EtherApe. Retrieved from https:\/\/etherape.sourceforge.io\/."},{"key":"e_1_2_1_56_1","unstructured":"FaceDancer. [n.d.]. FaceDancer. Retrieved fom https:\/\/github.com\/usb-tools\/Facedancer.  FaceDancer. [n.d.]. FaceDancer. Retrieved fom https:\/\/github.com\/usb-tools\/Facedancer."},{"key":"e_1_2_1_57_1","unstructured":"Bo Feng Alejandro Mera and Long Lu. 2019. P2IM: Scalable and hardware-independent firmware testing via automatic peripheral interface modeling (extended version). arXiv abs\/1909.06472. Retrieved from https:\/\/arxiv.org\/abs\/1909.06472.  Bo Feng Alejandro Mera and Long Lu. 2019. P2IM: Scalable and hardware-independent firmware testing via automatic peripheral interface modeling (extended version). arXiv abs\/1909.06472. Retrieved from https:\/\/arxiv.org\/abs\/1909.06472."},{"key":"e_1_2_1_58_1","unstructured":"Firmadyne. 2018. firmadyne\/libnvram. Retrieved from https:\/\/github.com\/firmadyne\/libnvram.  Firmadyne. 2018. firmadyne\/libnvram. Retrieved from https:\/\/github.com\/firmadyne\/libnvram."},{"key":"e_1_2_1_59_1","unstructured":"firminsight. [n.d.]. Retrieved from https:\/\/github.com\/ilovepp\/firminsight.  firminsight. [n.d.]. Retrieved from https:\/\/github.com\/ilovepp\/firminsight."},{"key":"e_1_2_1_60_1","unstructured":"firmware-mod-kit. [n.d.]. Retrieved from https:\/\/github.com\/rampageX\/firmware-mod-kit.  firmware-mod-kit. [n.d.]. Retrieved from https:\/\/github.com\/rampageX\/firmware-mod-kit."},{"key":"e_1_2_1_61_1","volume-title":"Proceedings of the ACM on Principles of Programming Languages 3, Article 66 (January","author":"Santos Jos\u00e9 Fragoso","year":"2019","unstructured":"Jos\u00e9 Fragoso Santos , Petar Maksimovi\u0107 , Gabriela Sampaio , and Philippa Gardner . 2019 . JaVerT 2.0: Compositional symbolic execution for JavaScript . In Proceedings of the ACM on Principles of Programming Languages 3, Article 66 (January 2019), 31 pages. DOI:https:\/\/doi.org\/10.1145\/3290379 10.1145\/3290379 Jos\u00e9 Fragoso Santos, Petar Maksimovi\u0107, Gabriela Sampaio, and Philippa Gardner. 2019. JaVerT 2.0: Compositional symbolic execution for JavaScript. In Proceedings of the ACM on Principles of Programming Languages 3, Article 66 (January 2019), 31 pages. DOI:https:\/\/doi.org\/10.1145\/3290379"},{"key":"e_1_2_1_62_1","unstructured":"Prashant Gandhi Somesh Khanna and Sree Ramaswamy. 2017. Which Industries Are the Most Digital (and Why)? Retrieved from https:\/\/hbr.org\/2016\/04\/a-chart-that-shows-which-industries-are-the-most-digital-and-why.  Prashant Gandhi Somesh Khanna and Sree Ramaswamy. 2017. Which Industries Are the Most Digital (and Why)? Retrieved from https:\/\/hbr.org\/2016\/04\/a-chart-that-shows-which-industries-are-the-most-digital-and-why."},{"key":"e_1_2_1_63_1","volume-title":"Proceedings of the Network and Distributed Systems Security Symposium.","author":"Godefroid Patrice","year":"2008","unstructured":"Patrice Godefroid , Michael Y. Levin , and David Molnar . 2008 . Automated whitebox fuzz testing . In Proceedings of the Network and Distributed Systems Security Symposium. Patrice Godefroid, Michael Y. Levin, and David Molnar. 2008. Automated whitebox fuzz testing. In Proceedings of the Network and Distributed Systems Security Symposium."},{"key":"e_1_2_1_64_1","unstructured":"Google. [n.d.]. clusterfuzz. Retrieved from https:\/\/github.com\/google\/clusterfuzz.  Google. [n.d.]. clusterfuzz. Retrieved from https:\/\/github.com\/google\/clusterfuzz."},{"key":"e_1_2_1_65_1","unstructured":"Google. [n.d.]. domato. Retrieved from https:\/\/github.com\/googleprojectzero\/domato.  Google. [n.d.]. domato. Retrieved from https:\/\/github.com\/googleprojectzero\/domato."},{"key":"e_1_2_1_66_1","unstructured":"Google. [n.d.]. fuzzilli. Retrieved from https:\/\/github.com\/googleprojectzero\/fuzzilli.  Google. [n.d.]. fuzzilli. Retrieved from https:\/\/github.com\/googleprojectzero\/fuzzilli."},{"key":"e_1_2_1_67_1","unstructured":"Google. [n.d.]. gofuzz. Retrieved from https:\/\/github.com\/google\/gofuzz.  Google. [n.d.]. gofuzz. Retrieved from https:\/\/github.com\/google\/gofuzz."},{"key":"e_1_2_1_68_1","unstructured":"Google. [n.d.]. honggfuzz. Retrieved from https:\/\/github.com\/google\/honggfuzz.  Google. [n.d.]. honggfuzz. Retrieved from https:\/\/github.com\/google\/honggfuzz."},{"key":"e_1_2_1_69_1","unstructured":"Google. [n.d.]. syzkaller. Retrieved from https:\/\/github.com\/google\/syzkaller.  Google. [n.d.]. syzkaller. Retrieved from https:\/\/github.com\/google\/syzkaller."},{"key":"e_1_2_1_70_1","unstructured":"Google. [n.d.]. winafl. Retrieved from https:\/\/github.com\/googleprojectzero\/winafl.  Google. [n.d.]. winafl. Retrieved from https:\/\/github.com\/googleprojectzero\/winafl."},{"key":"e_1_2_1_71_1","doi-asserted-by":"publisher","DOI":"10.1145\/2976002.2976017"},{"key":"e_1_2_1_72_1","volume-title":"Proceedings of the 22nd International Symposium on Research in Attacks, Intrusions and Defenses.","author":"Gustafson Eric","year":"2020","unstructured":"Eric Gustafson , Marius Muench , Chad Spensky , Nilo Redini , Aravind Machiry , Yanick Fratantonio , Davide Balzarotti , Aurelien Francillon , Yung Ryn Choe , Christophe Kruegel , et\u00a0al. 2020 . Toward the analysis of embedded firmware through automated re-hosting . In Proceedings of the 22nd International Symposium on Research in Attacks, Intrusions and Defenses. Eric Gustafson, Marius Muench, Chad Spensky, Nilo Redini, Aravind Machiry, Yanick Fratantonio, Davide Balzarotti, Aurelien Francillon, Yung Ryn Choe, Christophe Kruegel, et\u00a0al. 2020. Toward the analysis of embedded firmware through automated re-hosting. In Proceedings of the 22nd International Symposium on Research in Attacks, Intrusions and Defenses."},{"key":"e_1_2_1_73_1","unstructured":"Jim Hall. [n.d.]. HP LaserJet The Early History. Retrieved from http:\/\/hparchive.com\/seminar_notes\/HP_LaserJet_The_Early_History_by_Jim_Hall_110512.pdf.  Jim Hall. [n.d.]. HP LaserJet The Early History. Retrieved from http:\/\/hparchive.com\/seminar_notes\/HP_LaserJet_The_Early_History_by_Jim_Hall_110512.pdf."},{"key":"e_1_2_1_74_1","unstructured":"Armijn Hemel and Shane Coughlan. [n.d.]. Binary Analysis Toolkit. Retrieved from http:\/\/www.binaryanalysis.org\/old\/home.  Armijn Hemel and Shane Coughlan. [n.d.]. Binary Analysis Toolkit. Retrieved from http:\/\/www.binaryanalysis.org\/old\/home."},{"key":"e_1_2_1_75_1","unstructured":"Hemel Armijn. [n.d.]. BANG\u2014Binary Analysis Next Generation. Retrieved from https:\/\/github.com\/armijnhemel\/binaryanalysis-ng.  Hemel Armijn. [n.d.]. BANG\u2014Binary Analysis Next Generation. Retrieved from https:\/\/github.com\/armijnhemel\/binaryanalysis-ng."},{"key":"e_1_2_1_76_1","doi-asserted-by":"publisher","DOI":"10.1145\/3133956.3134050"},{"key":"e_1_2_1_77_1","unstructured":"Brendan Hesse. 2019. Earn Up to $1 Million from Apple\u2019s Expanded Bug Bounty Program. Retrieved from https:\/\/lifehacker.com\/earn-up-to-1-million-from-apples-expanded-bug-bounty-p-1837106598.  Brendan Hesse. 2019. Earn Up to $1 Million from Apple\u2019s Expanded Bug Bounty Program. Retrieved from https:\/\/lifehacker.com\/earn-up-to-1-million-from-apples-expanded-bug-bounty-p-1837106598."},{"key":"e_1_2_1_78_1","volume-title":"Proceedings of the 10th ACM SIGPLAN-SIGSOFT Workshop on Program Analysis for Software Tools. ACM, 1--8.","author":"Jacobson Emily R.","unstructured":"Emily R. Jacobson , Nathan Rosenblum , and Barton P. Miller . 2011. Labeling library functions in stripped binaries . In Proceedings of the 10th ACM SIGPLAN-SIGSOFT Workshop on Program Analysis for Software Tools. ACM, 1--8. Emily R. Jacobson, Nathan Rosenblum, and Barton P. Miller. 2011. Labeling library functions in stripped binaries. In Proceedings of the 10th ACM SIGPLAN-SIGSOFT Workshop on Program Analysis for Software Tools. ACM, 1--8."},{"key":"e_1_2_1_79_1","unstructured":"Janala2. [n.d.]. Janala2. Retrieved from https:\/\/github.com\/ksen007\/janala2.  Janala2. [n.d.]. Janala2. Retrieved from https:\/\/github.com\/ksen007\/janala2."},{"key":"e_1_2_1_80_1","volume-title":"Proceedings of the 13th Ottawa Linux Symposium.","author":"Jones Dave","year":"2011","unstructured":"Dave Jones . 2011 . Trinity: A system call fuzzer . In Proceedings of the 13th Ottawa Linux Symposium. Dave Jones. 2011. Trinity: A system call fuzzer. In Proceedings of the 13th Ottawa Linux Symposium."},{"key":"e_1_2_1_81_1","doi-asserted-by":"publisher","DOI":"10.1145\/3374664.3375742"},{"key":"e_1_2_1_82_1","doi-asserted-by":"crossref","unstructured":"Sushma Kalle Nehal Ameen Hyunguk Yoo and Irfan Ahmed. 2019. CLIK on PLCs! Attacking control logic with decompilation and virtual PLC. DOI:https:\/\/doi.org\/10.14722\/bar.2019.23xxx    10.14722\/bar.2019.23xxx\nSushma Kalle Nehal Ameen Hyunguk Yoo and Irfan Ahmed. 2019. CLIK on PLCs! Attacking control logic with decompilation and virtual PLC. DOI:https:\/\/doi.org\/10.14722\/bar.2019.23xxx","DOI":"10.14722\/bar.2019.23074"},{"key":"e_1_2_1_83_1","unstructured":"Aaron Kaluszka. [n.d.]. Computer Emulation History. Retrieved from https:\/\/kaluszka.com\/vt\/emulation\/history.html.  Aaron Kaluszka. [n.d.]. Computer Emulation History. Retrieved from https:\/\/kaluszka.com\/vt\/emulation\/history.html."},{"key":"e_1_2_1_84_1","doi-asserted-by":"publisher","DOI":"10.1145\/2590296.2590301"},{"key":"e_1_2_1_85_1","doi-asserted-by":"publisher","DOI":"10.1109\/IECON.2011.6120048"},{"key":"e_1_2_1_86_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2019.23271"},{"key":"e_1_2_1_87_1","doi-asserted-by":"publisher","DOI":"10.1145\/2968455.2968505"},{"key":"e_1_2_1_88_1","unstructured":"Kismet. [n.d.]. Kismet. Retrieved from https:\/\/www.kismetwireless.net\/.  Kismet. [n.d.]. Kismet. Retrieved from https:\/\/www.kismetwireless.net\/."},{"key":"e_1_2_1_89_1","doi-asserted-by":"publisher","DOI":"10.1145\/3243734.3243804"},{"key":"e_1_2_1_90_1","volume-title":"Proceedings of the 9th USENIX Workshop on Offensive Technologies. USENIX Association","author":"Koscher Karl","year":"2015","unstructured":"Karl Koscher , Tadayoshi Kohno , and David Molnar . 2015 . SURROGATES: Enabling near-real-time dynamic analyses of embedded systems . In Proceedings of the 9th USENIX Workshop on Offensive Technologies. USENIX Association , Berkeley, CA. Karl Koscher, Tadayoshi Kohno, and David Molnar. 2015. SURROGATES: Enabling near-real-time dynamic analyses of embedded systems. In Proceedings of the 9th USENIX Workshop on Offensive Technologies. USENIX Association, Berkeley, CA."},{"key":"e_1_2_1_91_1","unstructured":"Christopher Kruegel. 2014. Full system emulation: Achieving successful automated dynamic analysis of evasive malware. In blackhat USA 2014 Workshop. blackhat.com. https:\/\/www.blackhat.com\/docs\/us-14\/materials\/us-14-Kruegel-Full-System-Emulation-Achieving-Successful-Automated-Dynamic-Analysis-Of-Evasive-Malware-WP.pdf.  Christopher Kruegel. 2014. Full system emulation: Achieving successful automated dynamic analysis of evasive malware. In blackhat USA 2014 Workshop. blackhat.com. https:\/\/www.blackhat.com\/docs\/us-14\/materials\/us-14-Kruegel-Full-System-Emulation-Achieving-Successful-Automated-Dynamic-Analysis-Of-Evasive-Malware-WP.pdf."},{"key":"e_1_2_1_92_1","volume-title":"Proceedings of the 14th USENIX Security Symposium","volume":"14","author":"Kruegel Christopher","year":"2005","unstructured":"Christopher Kruegel , Engin Kirda , Darren Mutz , William Robertson , and Giovanni Vigna . 2005 . Automating mimicry attacks using static binary analysis . In Proceedings of the 14th USENIX Security Symposium , Vol. 14 . 11--11. Christopher Kruegel, Engin Kirda, Darren Mutz, William Robertson, and Giovanni Vigna. 2005. Automating mimicry attacks using static binary analysis. In Proceedings of the 14th USENIX Security Symposium, Vol. 14. 11--11."},{"key":"e_1_2_1_93_1","volume-title":"Proceedings of the 13th USENIX Security Symposium","volume":"13","author":"Kruegel Christopher","year":"2004","unstructured":"Christopher Kruegel , William Robertson , Fredrik Valeur , and Giovanni Vigna . 2004 . Static disassembly of obfuscated binaries . In Proceedings of the 13th USENIX Security Symposium , Vol. 13 . 18--18. Christopher Kruegel, William Robertson, Fredrik Valeur, and Giovanni Vigna. 2004. Static disassembly of obfuscated binaries. In Proceedings of the 13th USENIX Security Symposium, Vol. 13. 18--18."},{"key":"e_1_2_1_94_1","doi-asserted-by":"publisher","DOI":"10.1109\/CSAC.2004.19"},{"key":"e_1_2_1_95_1","volume-title":"Proceedings of the International Symposium on Code Generation and Optimization. 75--86","author":"Lattner C.","unstructured":"C. Lattner and V. Adve . 2004. LLVM: A compilation framework for lifelong program analysis transformation . In Proceedings of the International Symposium on Code Generation and Optimization. 75--86 . C. Lattner and V. Adve. 2004. LLVM: A compilation framework for lifelong program analysis transformation. In Proceedings of the International Symposium on Code Generation and Optimization. 75--86."},{"key":"e_1_2_1_96_1","first-page":"326357","article-title":"Bochs: A portable pc emulator for Unix\/X","volume":"326350","author":"Lawton Kevin P.","year":"1996","unstructured":"Kevin P. Lawton . 1996 . Bochs: A portable pc emulator for Unix\/X . Linux J. 1996, 29es, Article 7 (September 1996). http:\/\/dl.acm.org\/citation.cfm?id= 326350 . 326357 Kevin P. Lawton. 1996. Bochs: A portable pc emulator for Unix\/X. Linux J. 1996, 29es, Article 7 (September 1996). http:\/\/dl.acm.org\/citation.cfm?id=326350.326357","journal-title":"Linux"},{"key":"e_1_2_1_97_1","unstructured":"Leveldown Security. [n.d.]. SVD-Loader-Ghidra. Retrieved from https:\/\/github.com\/leveldown-security\/SVD-Loader-Ghidra.  Leveldown Security. [n.d.]. SVD-Loader-Ghidra. Retrieved from https:\/\/github.com\/leveldown-security\/SVD-Loader-Ghidra."},{"key":"e_1_2_1_98_1","doi-asserted-by":"publisher","DOI":"10.1109\/MWC.2017.1600304WC"},{"key":"e_1_2_1_99_1","doi-asserted-by":"publisher","DOI":"10.1145\/2046707.2046711"},{"key":"e_1_2_1_100_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-99073-6_4"},{"key":"e_1_2_1_101_1","first-page":"2","article-title":"The future of the Internet of","volume":"60","author":"Lindqvist Ulf","year":"2017","unstructured":"Ulf Lindqvist and Peter G. Neumann . 2017 . The future of the Internet of Things. Commun. ACM 60 , 2 (January 2017), 26--30. DOI:https:\/\/doi.org\/10.1145\/3029589 10.1145\/3029589 Ulf Lindqvist and Peter G. Neumann. 2017. The future of the Internet of Things. Commun. ACM 60, 2 (January 2017), 26--30. DOI:https:\/\/doi.org\/10.1145\/3029589","journal-title":"Things. Commun. ACM"},{"key":"e_1_2_1_102_1","doi-asserted-by":"publisher","DOI":"10.1109\/ITNG.2009.197"},{"key":"e_1_2_1_103_1","doi-asserted-by":"publisher","DOI":"10.1145\/3092282.3092295"},{"key":"e_1_2_1_104_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2017.23227"},{"key":"e_1_2_1_105_1","doi-asserted-by":"publisher","DOI":"10.1109\/2.982916"},{"key":"e_1_2_1_106_1","unstructured":"Malcolm. [n.d.]. Malcolm. Retrieved from https:\/\/github.com\/idaholab\/Malcolm.  Malcolm. [n.d.]. Malcolm. Retrieved from https:\/\/github.com\/idaholab\/Malcolm."},{"key":"e_1_2_1_107_1","volume-title":"Digital America: A tale of the haves and have-mores.","author":"Manyika James","year":"2015","unstructured":"James Manyika , Sree Ramaswamy , Somesh Khanna , Hugo Sarrazin , Gary Pinkus , Guru Sethupathy , and Andrew Yaffe . 2015 . Digital America: A tale of the haves and have-mores. Retrieved from https:\/\/www.mckinsey.com\/industries\/technology-media-and-telecommunications\/our-insights\/digital-america-a-tale-of-the-haves-and-have-mores. James Manyika, Sree Ramaswamy, Somesh Khanna, Hugo Sarrazin, Gary Pinkus, Guru Sethupathy, and Andrew Yaffe. 2015. Digital America: A tale of the haves and have-mores. Retrieved from https:\/\/www.mckinsey.com\/industries\/technology-media-and-telecommunications\/our-insights\/digital-america-a-tale-of-the-haves-and-have-mores."},{"key":"e_1_2_1_108_1","unstructured":"Xavi Mendez. [n.d.]. wfuzz. Retrieved from https:\/\/github.com\/xmendez\/wfuzz.  Xavi Mendez. [n.d.]. wfuzz. Retrieved from https:\/\/github.com\/xmendez\/wfuzz."},{"key":"e_1_2_1_109_1","doi-asserted-by":"publisher","DOI":"10.1109\/ASPDAC.2005.1466491"},{"key":"e_1_2_1_110_1","first-page":"166","article-title":"Function Matching in Binaries","volume":"8","author":"Mohanan Harish","year":"2012","unstructured":"Harish Mohanan , Perraju Bendapudi , Abishek Kumarasubramanian , Rajesh Jalan , and Ramarathnam Venkatesan . 2012 . Function Matching in Binaries . US Patent 8 , 166 ,466. Harish Mohanan, Perraju Bendapudi, Abishek Kumarasubramanian, Rajesh Jalan, and Ramarathnam Venkatesan. 2012. Function Matching in Binaries. US Patent 8,166,466.","journal-title":"US Patent"},{"key":"e_1_2_1_111_1","volume-title":"Manticore: A User-Friendly Symbolic Execution Framework for Binaries and Smart Contracts. arxiv:cs.SE\/1907.03890.","author":"Mossberg Mark","year":"2019","unstructured":"Mark Mossberg , Felipe Manzano , Eric Hennenfent , Alex Groce , Gustavo Grieco , Josselin Feist , Trent Brunson , and Artem Dinaburg . 2019 . Manticore: A User-Friendly Symbolic Execution Framework for Binaries and Smart Contracts. arxiv:cs.SE\/1907.03890. Retrieved from https:\/\/arxiv.org\/abs\/1907.03890. Mark Mossberg, Felipe Manzano, Eric Hennenfent, Alex Groce, Gustavo Grieco, Josselin Feist, Trent Brunson, and Artem Dinaburg. 2019. Manticore: A User-Friendly Symbolic Execution Framework for Binaries and Smart Contracts. arxiv:cs.SE\/1907.03890. Retrieved from https:\/\/arxiv.org\/abs\/1907.03890."},{"key":"e_1_2_1_112_1","volume-title":"Proceedings of the Workshop on Binary Analysis Research, Colocated with Network and Distributed Systems Security Symposium.","author":"Muench Marius","year":"2018","unstructured":"Marius Muench , Dario Nisi , Aur\u00e9lien Francillon , and Davide Balzarotti . 2018 . Avatar: A multi-target orchestration platform . In Proceedings of the Workshop on Binary Analysis Research, Colocated with Network and Distributed Systems Security Symposium. Marius Muench, Dario Nisi, Aur\u00e9lien Francillon, and Davide Balzarotti. 2018. Avatar: A multi-target orchestration platform. In Proceedings of the Workshop on Binary Analysis Research, Colocated with Network and Distributed Systems Security Symposium."},{"key":"e_1_2_1_113_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2018.23166"},{"key":"e_1_2_1_114_1","unstructured":"NationalSecurityAgency. [n.d.]. NationalSecurityAgency\/ghidra. Retrieved from https:\/\/github.com\/NationalSecurityAgency\/ghidra\/wiki\/Frequently-asked-questions.  NationalSecurityAgency. [n.d.]. NationalSecurityAgency\/ghidra. Retrieved from https:\/\/github.com\/NationalSecurityAgency\/ghidra\/wiki\/Frequently-asked-questions."},{"key":"e_1_2_1_115_1","doi-asserted-by":"publisher","DOI":"10.1145\/1273442.1250746"},{"key":"e_1_2_1_116_1","unstructured":"Netresec. [n.d.]. NetworkMiner. Retrieved from https:\/\/www.netresec.com\/?page=NetworkMiner.  Netresec. [n.d.]. NetworkMiner. Retrieved from https:\/\/www.netresec.com\/?page=NetworkMiner."},{"key":"e_1_2_1_117_1","unstructured":"NetWorkPacketCapture. [n.d.]. Retrieved from https:\/\/github.com\/huolizhuminh\/NetWorkPacketCapture.  NetWorkPacketCapture. [n.d.]. Retrieved from https:\/\/github.com\/huolizhuminh\/NetWorkPacketCapture."},{"key":"e_1_2_1_118_1","unstructured":"Lily Hay Newman. 2018. Facebook Bug Bounty Program Makes Biggest Reward Payout Yet. Retrieved from https:\/\/www.wired.com\/story\/facebook-bug-bounty-biggest-payout\/.  Lily Hay Newman. 2018. Facebook Bug Bounty Program Makes Biggest Reward Payout Yet. Retrieved from https:\/\/www.wired.com\/story\/facebook-bug-bounty-biggest-payout\/."},{"key":"e_1_2_1_119_1","unstructured":"NSA. [n.d.]. Ghidra. Retrieved from https:\/\/ghidra-sre.org\/.  NSA. [n.d.]. Ghidra. Retrieved from https:\/\/ghidra-sre.org\/."},{"key":"e_1_2_1_120_1","unstructured":"U.S. Department of Energy. [n.d.]. The Smart Grid. Retrieved from https:\/\/www.smartgrid.gov\/the_smart_grid\/smart_grid.html.  U.S. Department of Energy. [n.d.]. The Smart Grid. Retrieved from https:\/\/www.smartgrid.gov\/the_smart_grid\/smart_grid.html."},{"key":"e_1_2_1_121_1","unstructured":"OWASP. [n.d.]. IoTGoat. Retrieved from https:\/\/github.com\/OWASP\/IoTGoat.  OWASP. [n.d.]. IoTGoat. Retrieved from https:\/\/github.com\/OWASP\/IoTGoat."},{"key":"e_1_2_1_122_1","unstructured":"PAGalaxyLab. [n.d.]. vxhunter. Retrieved from https:\/\/github.com\/PAGalaxyLab\/vxhunter.  PAGalaxyLab. [n.d.]. vxhunter. Retrieved from https:\/\/github.com\/PAGalaxyLab\/vxhunter."},{"key":"e_1_2_1_123_1","doi-asserted-by":"publisher","DOI":"10.1109\/PST.2015.7232966"},{"key":"e_1_2_1_124_1","doi-asserted-by":"publisher","DOI":"10.5555\/3049877.3049889"},{"key":"e_1_2_1_125_1","unstructured":"PcapPlusPlus. [n.d.]. PcapPlusPlus. Retrieved from https:\/\/github.com\/seladb\/PcapPlusPlus.  PcapPlusPlus. [n.d.]. PcapPlusPlus. Retrieved from https:\/\/github.com\/seladb\/PcapPlusPlus."},{"key":"e_1_2_1_126_1","unstructured":"PCem. [n.d.]. PCem. Retrieved from https:\/\/github.com\/Anamon\/pcem.  PCem. [n.d.]. PCem. Retrieved from https:\/\/github.com\/Anamon\/pcem."},{"key":"e_1_2_1_127_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2018.00056"},{"key":"e_1_2_1_128_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2015.49"},{"key":"e_1_2_1_129_1","doi-asserted-by":"publisher","DOI":"10.1109\/WSC.2010.5678904"},{"key":"e_1_2_1_130_1","unstructured":"PixelCyber. [n.d.]. Thor. Retrieved from https:\/\/github.com\/PixelCyber\/Thor.  PixelCyber. [n.d.]. Thor. Retrieved from https:\/\/github.com\/PixelCyber\/Thor."},{"key":"e_1_2_1_131_1","unstructured":"Praetorian. [n.d.]. The Damn Vulnerable Router Firmware Project. Retrieved from https:\/\/github.com\/praetorian-code\/DVRF.  Praetorian. [n.d.]. The Damn Vulnerable Router Firmware Project. Retrieved from https:\/\/github.com\/praetorian-code\/DVRF."},{"key":"e_1_2_1_132_1","unstructured":"Rui Qiao and R. Sekar. 2016. Effective Function Recovery for COTS Binaries Using Interface Verification. Technical Report. Technical report Secure Systems Lab Stony Brook University.  Rui Qiao and R. Sekar. 2016. Effective Function Recovery for COTS Binaries Using Interface Verification. Technical Report. Technical report Secure Systems Lab Stony Brook University."},{"key":"e_1_2_1_133_1","volume-title":"Proceedings of the 47th Annual IEEE\/IFIP International Conference on Dependable Systems and Networks. IEEE, 201--212","author":"Qiao Rui","unstructured":"Rui Qiao and R. Sekar . 2017. Function interface analysis: A principled approach for function recognition in COTS binaries . In Proceedings of the 47th Annual IEEE\/IFIP International Conference on Dependable Systems and Networks. IEEE, 201--212 . Rui Qiao and R. Sekar. 2017. Function interface analysis: A principled approach for function recognition in COTS binaries. In Proceedings of the 47th Annual IEEE\/IFIP International Conference on Dependable Systems and Networks. IEEE, 201--212."},{"key":"e_1_2_1_134_1","unstructured":"radamsa. [n.d.]. radamsa. Retrieved from https:\/\/gitlab.com\/akihe\/radamsa.  radamsa. [n.d.]. radamsa. Retrieved from https:\/\/gitlab.com\/akihe\/radamsa."},{"key":"e_1_2_1_135_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2017.23404"},{"key":"e_1_2_1_136_1","unstructured":"Hex Rays. [n.d.]. Retrieved from https:\/\/hex-rays.com\/products\/ida\/.  Hex Rays. [n.d.]. Retrieved from https:\/\/hex-rays.com\/products\/ida\/."},{"key":"e_1_2_1_137_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP40000.2020.00036"},{"key":"e_1_2_1_138_1","unstructured":"Teddy Reed. [n.d.]. subzero. Retrieved from https:\/\/github.com\/theopolis\/subzero.  Teddy Reed. [n.d.]. subzero. Retrieved from https:\/\/github.com\/theopolis\/subzero."},{"key":"e_1_2_1_139_1","unstructured":"ReFirm Labs. [n.d.]. binwalk. Retrieved from https:\/\/github.com\/ReFirmLabs\/binwalk.  ReFirm Labs. [n.d.]. binwalk. Retrieved from https:\/\/github.com\/ReFirmLabs\/binwalk."},{"key":"e_1_2_1_140_1","unstructured":"Corinne Reichert. 2019. Google\u2019s Android Bug Bounty Program Will Now Pay Out $1.5 Million. Retrieved from https:\/\/www.cnet.com\/news\/googles-android-bug-bounty-program-will-now-pay-out-1-5-million\/.  Corinne Reichert. 2019. Google\u2019s Android Bug Bounty Program Will Now Pay Out $1.5 Million. Retrieved from https:\/\/www.cnet.com\/news\/googles-android-bug-bounty-program-will-now-pay-out-1-5-million\/."},{"key":"e_1_2_1_141_1","unstructured":"Samsung. [n.d.]. Jalangi2. Retrieved from https:\/\/github.com\/Samsung\/jalangi2.  Samsung. [n.d.]. Jalangi2. Retrieved from https:\/\/github.com\/Samsung\/jalangi2."},{"key":"e_1_2_1_142_1","unstructured":"Chase Schultz. [n.d.]. firmware_collection. Retrieved from https:\/\/github.com\/f47h3r\/firmware_collection.  Chase Schultz. [n.d.]. firmware_collection. Retrieved from https:\/\/github.com\/f47h3r\/firmware_collection."},{"key":"e_1_2_1_143_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2010.26"},{"key":"e_1_2_1_144_1","unstructured":"Sen Koushik. [n.d.]. jCUTE. Retrieved from https:\/\/github.com\/osl\/jcute.  Sen Koushik. [n.d.]. jCUTE. Retrieved from https:\/\/github.com\/osl\/jcute."},{"key":"e_1_2_1_145_1","unstructured":"Kostya Serebryany. 2017. OSS-Fuzz-Google\u2019s Continuous Fuzzing Service for Open Source Software.  Kostya Serebryany. 2017. OSS-Fuzz-Google\u2019s Continuous Fuzzing Service for Open Source Software."},{"key":"e_1_2_1_146_1","unstructured":"Saumil Shah. [n.d.]. The ARM-X Firmware Emulation Framework. Retrieved from https:\/\/github.com\/therealsaumil\/armx.  Saumil Shah. [n.d.]. The ARM-X Firmware Emulation Framework. Retrieved from https:\/\/github.com\/therealsaumil\/armx."},{"key":"e_1_2_1_147_1","doi-asserted-by":"publisher","DOI":"10.1145\/2591062.2594450"},{"key":"e_1_2_1_148_1","unstructured":"Shellphish. 2017. Cyber Grand Shellphish. Retrieved from http:\/\/phrack.org\/papers\/cyber_grand_shellphish.html.  Shellphish. 2017. Cyber Grand Shellphish. Retrieved from http:\/\/phrack.org\/papers\/cyber_grand_shellphish.html."},{"key":"e_1_2_1_149_1","volume-title":"Proceedings of the 24th USENIX Security Symposium. 611--626","author":"Richard Shin Eui Chul","year":"2015","unstructured":"Eui Chul Richard Shin , Dawn Song , and Reza Moazzezi . 2015 . Recognizing functions in binaries with neural networks . In Proceedings of the 24th USENIX Security Symposium. 611--626 . Eui Chul Richard Shin, Dawn Song, and Reza Moazzezi. 2015. Recognizing functions in binaries with neural networks. In Proceedings of the 24th USENIX Security Symposium. 611--626."},{"key":"e_1_2_1_150_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2015.23294"},{"key":"e_1_2_1_151_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2016.17"},{"key":"e_1_2_1_152_1","unstructured":"Sibyl. [n.d.]. Sibyl. Retrieved from https:\/\/github.com\/cea-sec\/Sibyl.  Sibyl. [n.d.]. Sibyl. Retrieved from https:\/\/github.com\/cea-sec\/Sibyl."},{"key":"e_1_2_1_153_1","unstructured":"Sickendick Karl. [n.d.]. pcode-emulator. Retrieved from https:\/\/github.com\/kc0bfv\/pcode-emulator.  Sickendick Karl. [n.d.]. pcode-emulator. Retrieved from https:\/\/github.com\/kc0bfv\/pcode-emulator."},{"key":"e_1_2_1_154_1","unstructured":"Slack. [n.d.]. Slack. Retrieved from https:\/\/angr.slack.com.  Slack. [n.d.]. Slack. Retrieved from https:\/\/angr.slack.com."},{"key":"e_1_2_1_155_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-540-89862-7_1"},{"key":"e_1_2_1_156_1","doi-asserted-by":"publisher","DOI":"10.1145\/3338507.3358616"},{"key":"e_1_2_1_157_1","unstructured":"SSRFmap. [n.d.]. SSRFmap. Retrieved from https:\/\/github.com\/swisskyrepo\/SSRFmap.  SSRFmap. [n.d.]. SSRFmap. Retrieved from https:\/\/github.com\/swisskyrepo\/SSRFmap."},{"key":"e_1_2_1_158_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2016.23368"},{"key":"e_1_2_1_159_1","doi-asserted-by":"publisher","DOI":"10.1145\/1869983.1870001"},{"key":"e_1_2_1_160_1","doi-asserted-by":"publisher","DOI":"10.1145\/3288599.3288618"},{"key":"e_1_2_1_161_1","doi-asserted-by":"publisher","DOI":"10.1145\/2070942.2070972"},{"key":"e_1_2_1_162_1","doi-asserted-by":"publisher","DOI":"10.1145\/2737095.2741839"},{"key":"e_1_2_1_163_1","unstructured":"TCPDump. [n.d.]. Retrieved from http:\/\/www.tcpdump.org\/.  TCPDump. [n.d.]. Retrieved from http:\/\/www.tcpdump.org\/."},{"key":"e_1_2_1_164_1","unstructured":"Radare2 Team. 2017. Radare2 Book. GitHub.  Radare2 Team. 2017. Radare2 Book. GitHub."},{"key":"e_1_2_1_165_1","unstructured":"Telerik. [n.d.]. Fiddler. Retrieved from https:\/\/www.telerik.com\/fiddler.  Telerik. [n.d.]. Fiddler. Retrieved from https:\/\/www.telerik.com\/fiddler."},{"key":"e_1_2_1_166_1","unstructured":"Keen Security Lab Tencent. 2016. Car Hacking Research: Remote Attack Tesla Motors. Retrieved from https:\/\/keenlab.tencent.com\/en\/2016\/09\/19\/Keen-Security-Lab-of-Tencent-Car-Hacking-Research-Remote-Attack-to-Tesla-Cars\/.  Keen Security Lab Tencent. 2016. Car Hacking Research: Remote Attack Tesla Motors. Retrieved from https:\/\/keenlab.tencent.com\/en\/2016\/09\/19\/Keen-Security-Lab-of-Tencent-Car-Hacking-Research-Remote-Attack-to-Tesla-Cars\/."},{"key":"#cr-split#-e_1_2_1_167_1.1","doi-asserted-by":"crossref","unstructured":"Sam Thomas Flavio Garcia and Tom Chothia. 2017. HumIDIFy: A tool for hidden functionality detection in firmware. 279--300. DOI:https:\/\/doi.org\/10.1007\/978-3-319-60876-1_13 10.1007\/978-3-319-60876-1_13","DOI":"10.1007\/978-3-319-60876-1_13"},{"key":"#cr-split#-e_1_2_1_167_1.2","doi-asserted-by":"crossref","unstructured":"Sam Thomas Flavio Garcia and Tom Chothia. 2017. HumIDIFy: A tool for hidden functionality detection in firmware. 279--300. DOI:https:\/\/doi.org\/10.1007\/978-3-319-60876-1_13","DOI":"10.1007\/978-3-319-60876-1_13"},{"key":"e_1_2_1_168_1","volume-title":"Thompson and Timothy Vidas","author":"Michael","year":"2018","unstructured":"Michael F. Thompson and Timothy Vidas . 2018 . CGC Monitor: A Vetting System for the DARPA Cyber Grand Challenge. Retrieved from https:\/\/calhoun.nps.edu\/handle\/10945\/59209. Michael F. Thompson and Timothy Vidas. 2018. CGC Monitor: A Vetting System for the DARPA Cyber Grand Challenge. Retrieved from https:\/\/calhoun.nps.edu\/handle\/10945\/59209."},{"key":"e_1_2_1_169_1","doi-asserted-by":"publisher","DOI":"10.1109\/CCST.2010.5678720"},{"key":"e_1_2_1_170_1","volume-title":"Breaking all the things\u2014A systematic survey of firmware extraction techniques for IoT devices","author":"Vasile Sebastian","unstructured":"Sebastian Vasile , David Oswald , and Tom Chothia . 2019. Breaking all the things\u2014A systematic survey of firmware extraction techniques for IoT devices . In Smart Card Research and Advanced Applications, Beg\u00fcl Bilgin and Jean-Bernard Fischer (Eds.). Springer International Publishing , Cham , 171--185. Sebastian Vasile, David Oswald, and Tom Chothia. 2019. Breaking all the things\u2014A systematic survey of firmware extraction techniques for IoT devices. In Smart Card Research and Advanced Applications, Beg\u00fcl Bilgin and Jean-Bernard Fischer (Eds.). Springer International Publishing, Cham, 171--185."},{"key":"e_1_2_1_171_1","unstructured":"Marek Vasut. 2017. Adding New Architecture to QEMU. Retrieved from https:\/\/events17.linuxfoundation.org\/sites\/events\/files\/slides\/ossj-2017.pdf.  Marek Vasut. 2017. Adding New Architecture to QEMU. Retrieved from https:\/\/events17.linuxfoundation.org\/sites\/events\/files\/slides\/ossj-2017.pdf."},{"key":"e_1_2_1_172_1","unstructured":"Trygve Vea. [n.d.]. firmwaredb. Retrieved from https:\/\/github.com\/kvisle\/firmwaredb.  Trygve Vea. [n.d.]. firmwaredb. Retrieved from https:\/\/github.com\/kvisle\/firmwaredb."},{"key":"e_1_2_1_173_1","unstructured":"Vector 35. [n.d.]. Binary Ninja. Retrieved from https:\/\/binary.ninja\/.  Vector 35. [n.d.]. Binary Ninja. Retrieved from https:\/\/binary.ninja\/."},{"key":"e_1_2_1_174_1","doi-asserted-by":"publisher","DOI":"10.1109\/MSP.2012.134"},{"key":"e_1_2_1_175_1","volume-title":"Proceedings of the 23rd USENIX Security Symposium. 813--328","author":"Vogl Sebastian","year":"2014","unstructured":"Sebastian Vogl , Robert Gawlik , Behrad Garmany , Thomas Kittel , Jonas Pfoh , Claudia Eckert , and Thorsten Holz . 2014 . Dynamic hooks: Hiding control flow changes within non-control data . In Proceedings of the 23rd USENIX Security Symposium. 813--328 . Sebastian Vogl, Robert Gawlik, Behrad Garmany, Thomas Kittel, Jonas Pfoh, Claudia Eckert, and Thorsten Holz. 2014. Dynamic hooks: Hiding control flow changes within non-control data. In Proceedings of the 23rd USENIX Security Symposium. 813--328."},{"key":"e_1_2_1_176_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2017.23225"},{"key":"e_1_2_1_177_1","doi-asserted-by":"publisher","DOI":"10.1155\/2018\/7693861"},{"key":"e_1_2_1_178_1","unstructured":"Kayla Wiles. 2019. First All-digital Nuclear Reactor System in the U.S. Installed at Purdue University. Retrieved from https:\/\/www.purdue.edu\/newsroom\/releases\/2019\/Q3\/first-all-digital-nuclear-reactor-control-system-in-the-u.s.-installed-at-purdue-university.html.  Kayla Wiles. 2019. First All-digital Nuclear Reactor System in the U.S. Installed at Purdue University. Retrieved from https:\/\/www.purdue.edu\/newsroom\/releases\/2019\/Q3\/first-all-digital-nuclear-reactor-control-system-in-the-u.s.-installed-at-purdue-university.html."},{"key":"e_1_2_1_179_1","unstructured":"Wireshark. [n.d.]. Wireshark. Retrieved from https:\/\/www.wireshark.org\/.  Wireshark. [n.d.]. Wireshark. Retrieved from https:\/\/www.wireshark.org\/."},{"key":"e_1_2_1_180_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2017.56"},{"key":"e_1_2_1_181_1","doi-asserted-by":"publisher","DOI":"10.1109\/ACCESS.2019.2917668"},{"key":"e_1_2_1_182_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.diin.2015.05.008"},{"key":"e_1_2_1_183_1","first-page":"2","article-title":"A survey of security vulnerability analysis, discovery, detection, and mitigation on IoT devices","volume":"12","author":"Yu Miao","year":"2020","unstructured":"Miao Yu , Jianwei Zhuge , Ming Cao , Zhiwei Shi , and Lin Jiang . 2020 . A survey of security vulnerability analysis, discovery, detection, and mitigation on IoT devices . Fut. Internet 12 , 2 (February 2020), 27. DOI:https:\/\/doi.org\/10.3390\/fi12020027 10.3390\/fi12020027 Miao Yu, Jianwei Zhuge, Ming Cao, Zhiwei Shi, and Lin Jiang. 2020. A survey of security vulnerability analysis, discovery, detection, and mitigation on IoT devices. Fut. Internet 12, 2 (February 2020), 27. DOI:https:\/\/doi.org\/10.3390\/fi12020027","journal-title":"Fut. Internet"},{"key":"e_1_2_1_184_1","volume-title":"Proceedings of the 27th USENIX Security Symposium. 745--761","author":"Yun Insu","year":"2018","unstructured":"Insu Yun , Sangho Lee , Meng Xu , Yeongjin Jang , and Taesoo Kim . 2018 . QSYM: A practical concolic execution engine tailored for hybrid fuzzing . In Proceedings of the 27th USENIX Security Symposium. 745--761 . Insu Yun, Sangho Lee, Meng Xu, Yeongjin Jang, and Taesoo Kim. 2018. QSYM: A practical concolic execution engine tailored for hybrid fuzzing. In Proceedings of the 27th USENIX Security Symposium. 745--761."},{"key":"e_1_2_1_185_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2014.23229"},{"key":"e_1_2_1_186_1","doi-asserted-by":"publisher","DOI":"10.1145\/2523649.2523661"},{"key":"e_1_2_1_187_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.diin.2016.01.002"},{"key":"e_1_2_1_188_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.ijcip.2016.12.002"}],"container-title":["ACM Computing Surveys"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3423167","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3423167","content-type":"application\/pdf","content-version":"vor","intended-application":"syndication"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3423167","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,17]],"date-time":"2025-06-17T21:24:57Z","timestamp":1750195497000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3423167"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2021,1,2]]},"references-count":188,"journal-issue":{"issue":"1","published-print":{"date-parts":[[2022,1,31]]}},"alternative-id":["10.1145\/3423167"],"URL":"https:\/\/doi.org\/10.1145\/3423167","relation":{},"ISSN":["0360-0300","1557-7341"],"issn-type":[{"value":"0360-0300","type":"print"},{"value":"1557-7341","type":"electronic"}],"subject":[],"published":{"date-parts":[[2021,1,2]]},"assertion":[{"value":"2020-01-01","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2020-09-01","order":1,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}},{"value":"2021-01-02","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}