{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,2,25]],"date-time":"2026-02-25T17:17:09Z","timestamp":1772039829056,"version":"3.50.1"},"publisher-location":"New York, NY, USA","reference-count":70,"publisher":"ACM","license":[{"start":{"date-parts":[[2022,7,18]],"date-time":"2022-07-18T00:00:00Z","timestamp":1658102400000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2022,7,18]]},"DOI":"10.1145\/3533767.3534398","type":"proceedings-article","created":{"date-parts":[[2022,7,15]],"date-time":"2022-07-15T14:28:50Z","timestamp":1657895330000},"page":"276-288","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":22,"title":["Test mimicry to assess the exploitability of library vulnerabilities"],"prefix":"10.1145","author":[{"given":"Hong Jin","family":"Kang","sequence":"first","affiliation":[{"name":"Singapore Management University, Singapore"}]},{"given":"Truong Giang","family":"Nguyen","sequence":"additional","affiliation":[{"name":"Singapore Management University, Singapore"}]},{"given":"Bach","family":"Le","sequence":"additional","affiliation":[{"name":"University of Melbourne, Australia"}]},{"given":"Corina S.","family":"P\u0103s\u0103reanu","sequence":"additional","affiliation":[{"name":"Carnegie Mellon University, USA \/ NASA Ames Research Center, USA"}]},{"given":"David","family":"Lo","sequence":"additional","affiliation":[{"name":"Singapore Management University, Singapore"}]}],"member":"320","published-online":{"date-parts":[[2022,7,18]]},"reference":[{"key":"e_1_3_2_1_1_1","unstructured":"[n.d.]. American Fuzzy Lop. http:\/\/lcamtuf.coredump.cx\/afl\/technical_details.txt. \t\t\t\t\t  [n.d.]. American Fuzzy Lop. http:\/\/lcamtuf.coredump.cx\/afl\/technical_details.txt."},{"key":"e_1_3_2_1_2_1","unstructured":"[n.d.]. CODEC-134 from Apache Commons Codecs\u2019s issue tracker. https:\/\/issues.apache.org\/jira\/browse\/CODEC-134 \t\t\t\t\t  [n.d.]. CODEC-134 from Apache Commons Codecs\u2019s issue tracker. https:\/\/issues.apache.org\/jira\/browse\/CODEC-134"},{"key":"e_1_3_2_1_3_1","unstructured":"[n.d.]. CVE-2019-12402. https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2019-12402 \t\t\t\t\t  [n.d.]. CVE-2019-12402. https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2019-12402"},{"key":"e_1_3_2_1_4_1","unstructured":"[n.d.]. Google Security Blog: Understanding the Impact of Apache Log4j Vulnerability. https:\/\/security.googleblog.com\/2021\/12\/understanding-impact-of-apache-log4j.html \t\t\t\t\t  [n.d.]. Google Security Blog: Understanding the Impact of Apache Log4j Vulnerability. https:\/\/security.googleblog.com\/2021\/12\/understanding-impact-of-apache-log4j.html"},{"key":"e_1_3_2_1_5_1","unstructured":"[n.d.]. SNYK-JAVA-COMTWELVEMONKEYSIMAGEIO-1083830 from SNYK. https:\/\/snyk.io\/vuln\/SNYK-JAVA-COMTWELVEMONKEYSIMAGEIO-1083830 \t\t\t\t\t  [n.d.]. SNYK-JAVA-COMTWELVEMONKEYSIMAGEIO-1083830 from SNYK. https:\/\/snyk.io\/vuln\/SNYK-JAVA-COMTWELVEMONKEYSIMAGEIO-1083830"},{"key":"e_1_3_2_1_6_1","unstructured":"[n.d.]. SNYK-JAVA-NETLINGALAZIP4J-1074967 from SNYK. https:\/\/snyk.io\/vuln\/SNYK-JAVA-NETLINGALAZIP4J-1074967 \t\t\t\t\t  [n.d.]. SNYK-JAVA-NETLINGALAZIP4J-1074967 from SNYK. https:\/\/snyk.io\/vuln\/SNYK-JAVA-NETLINGALAZIP4J-1074967"},{"key":"e_1_3_2_1_7_1","unstructured":"[n.d.]. SNYK-JAVA-ORGAPACHEHTTPCOMPONENTS-31517 from SNYK. https:\/\/snyk.io\/vuln\/SNYK-JAVA-ORGAPACHEHTTPCOMPONENTS-31517 \t\t\t\t\t  [n.d.]. SNYK-JAVA-ORGAPACHEHTTPCOMPONENTS-31517 from SNYK. https:\/\/snyk.io\/vuln\/SNYK-JAVA-ORGAPACHEHTTPCOMPONENTS-31517"},{"key":"e_1_3_2_1_8_1","unstructured":"[n.d.]. SNYK-JAVA-ORGSPRINGFRAMEWORKSECURITY-570204 from SNYK. https:\/\/snyk.io\/vuln\/SNYK-JAVA-ORGSPRINGFRAMEWORKSECURITY-570204 \t\t\t\t\t  [n.d.]. SNYK-JAVA-ORGSPRINGFRAMEWORKSECURITY-570204 from SNYK. https:\/\/snyk.io\/vuln\/SNYK-JAVA-ORGSPRINGFRAMEWORKSECURITY-570204"},{"key":"e_1_3_2_1_9_1","unstructured":"[n.d.]. Snyk\u2019s vulnerability database. https:\/\/snyk.io\/vuln?type=maven \t\t\t\t\t  [n.d.]. Snyk\u2019s vulnerability database. https:\/\/snyk.io\/vuln?type=maven"},{"key":"e_1_3_2_1_10_1","unstructured":"[n.d.]. SourceClear\u2019s vulnerability database. https:\/\/www.sourceclear.com\/vulnerability-database\/ \t\t\t\t\t  [n.d.]. SourceClear\u2019s vulnerability database. https:\/\/www.sourceclear.com\/vulnerability-database\/"},{"key":"e_1_3_2_1_11_1","unstructured":"[n.d.]. Wired: The Log4J Vulnerability Will Haunt the Internet for Years. https:\/\/www.wired.com\/story\/log4j-log4shell\/ \t\t\t\t\t  [n.d.]. Wired: The Log4J Vulnerability Will Haunt the Internet for Years. https:\/\/www.wired.com\/story\/log4j-log4shell\/"},{"key":"e_1_3_2_1_12_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICSE-SEIP.2017.27"},{"key":"e_1_3_2_1_13_1","doi-asserted-by":"publisher","DOI":"10.1002\/stvr.457"},{"key":"e_1_3_2_1_14_1","doi-asserted-by":"publisher","DOI":"10.1007\/s10664-013-9249-9"},{"key":"e_1_3_2_1_15_1","doi-asserted-by":"publisher","DOI":"10.1145\/2560217.2560219"},{"key":"e_1_3_2_1_16_1","volume-title":"Test-driven development: by example","author":"Beck Kent","unstructured":"Kent Beck . 2003. Test-driven development: by example . Addison-Wesley Professional . Kent Beck. 2003. Test-driven development: by example. Addison-Wesley Professional."},{"key":"e_1_3_2_1_17_1","doi-asserted-by":"publisher","DOI":"10.1145\/3133956.3134020"},{"key":"e_1_3_2_1_18_1","doi-asserted-by":"publisher","DOI":"10.1109\/TSE.2017.2785841"},{"key":"e_1_3_2_1_19_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2008.17"},{"key":"e_1_3_2_1_20_1","volume-title":"ASM: a code manipulation tool to implement adaptable systems. Adaptable and extensible component systems, 30, 19","author":"Bruneton Eric","year":"2002","unstructured":"Eric Bruneton , Romain Lenglet , and Thierry Coupaye . 2002. ASM: a code manipulation tool to implement adaptable systems. Adaptable and extensible component systems, 30, 19 ( 2002 ). Eric Bruneton, Romain Lenglet, and Thierry Coupaye. 2002. ASM: a code manipulation tool to implement adaptable systems. Adaptable and extensible component systems, 30, 19 (2002)."},{"key":"e_1_3_2_1_21_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.infsof.2018.08.010"},{"key":"e_1_3_2_1_22_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2012.31"},{"key":"e_1_3_2_1_23_1","doi-asserted-by":"publisher","DOI":"10.1145\/3243734.3243849"},{"key":"e_1_3_2_1_24_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2018.00046"},{"key":"e_1_3_2_1_25_1","volume-title":"KOOBE: Towards Facilitating Exploit Generation of Kernel Out-Of-Bounds Write Vulnerabilities. In USENIX Security Symposium (USENIX Security). 1093\u20131110","author":"Chen Weiteng","year":"2020","unstructured":"Weiteng Chen , Xiaochen Zou , Guoren Li , and Zhiyun Qian . 2020 . KOOBE: Towards Facilitating Exploit Generation of Kernel Out-Of-Bounds Write Vulnerabilities. In USENIX Security Symposium (USENIX Security). 1093\u20131110 . https:\/\/www.usenix.org\/conference\/usenixsecurity20\/presentation\/chen-weiteng Weiteng Chen, Xiaochen Zou, Guoren Li, and Zhiyun Qian. 2020. KOOBE: Towards Facilitating Exploit Generation of Kernel Out-Of-Bounds Write Vulnerabilities. In USENIX Security Symposium (USENIX Security). 1093\u20131110. https:\/\/www.usenix.org\/conference\/usenixsecurity20\/presentation\/chen-weiteng"},{"key":"e_1_3_2_1_26_1","doi-asserted-by":"publisher","DOI":"10.1145\/3379597.3387461"},{"key":"e_1_3_2_1_27_1","doi-asserted-by":"publisher","DOI":"10.1145\/1138912.1138918"},{"key":"e_1_3_2_1_28_1","doi-asserted-by":"publisher","DOI":"10.1145\/3196398.3196401"},{"key":"e_1_3_2_1_29_1","doi-asserted-by":"publisher","DOI":"10.1145\/3324884.3415299"},{"key":"e_1_3_2_1_30_1","doi-asserted-by":"publisher","DOI":"10.1145\/3387940.3392265"},{"key":"e_1_3_2_1_31_1","doi-asserted-by":"publisher","DOI":"10.1145\/1181775.1181806"},{"key":"e_1_3_2_1_32_1","unstructured":"Darius Foo Jason Yeo Hao Xiao and Asankhaya Sharma. 2019. The dynamics of Software Composition Analysis. Automated Software Engineering (ASE) (Late Breaking Results) arxiv:1909.00973 \t\t\t\t\t  Darius Foo Jason Yeo Hao Xiao and Asankhaya Sharma. 2019. The dynamics of Software Composition Analysis. Automated Software Engineering (ASE) (Late Breaking Results) arxiv:1909.00973"},{"key":"e_1_3_2_1_33_1","doi-asserted-by":"publisher","DOI":"10.1145\/2025113.2025179"},{"key":"e_1_3_2_1_34_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2018.00040"},{"key":"e_1_3_2_1_35_1","doi-asserted-by":"publisher","DOI":"10.1145\/506315.506316"},{"key":"e_1_3_2_1_36_1","doi-asserted-by":"publisher","DOI":"10.1145\/3319535.3354224"},{"key":"e_1_3_2_1_37_1","volume-title":"USENIX Security Symposium (USENIX Security). 445\u2013458","author":"Holler Christian","year":"2012","unstructured":"Christian Holler , Kim Herzig , and Andreas Zeller . 2012 . Fuzzing with code fragments . In USENIX Security Symposium (USENIX Security). 445\u2013458 . https:\/\/www.usenix.org\/conference\/usenixsecurity12\/technical-sessions\/presentation\/holler Christian Holler, Kim Herzig, and Andreas Zeller. 2012. Fuzzing with code fragments. In USENIX Security Symposium (USENIX Security). 445\u2013458. https:\/\/www.usenix.org\/conference\/usenixsecurity12\/technical-sessions\/presentation\/holler"},{"key":"e_1_3_2_1_38_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICSE-C.2017.14"},{"key":"e_1_3_2_1_39_1","volume-title":"USENIX Security Symposium (USENIX Security). 177\u2013192","author":"Hu Hong","year":"2015","unstructured":"Hong Hu , Zheng Leong Chua , Sendroiu Adrian , Prateek Saxena , and Zhenkai Liang . 2015 . Automatic generation of data-oriented exploits . In USENIX Security Symposium (USENIX Security). 177\u2013192 . https:\/\/www.usenix.org\/conference\/usenixsecurity15\/technical-sessions\/presentation\/hu Hong Hu, Zheng Leong Chua, Sendroiu Adrian, Prateek Saxena, and Zhenkai Liang. 2015. Automatic generation of data-oriented exploits. In USENIX Security Symposium (USENIX Security). 177\u2013192. https:\/\/www.usenix.org\/conference\/usenixsecurity15\/technical-sessions\/presentation\/hu"},{"key":"e_1_3_2_1_40_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICPC52881.2021.00046"},{"key":"e_1_3_2_1_41_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICSE.2013.6606613"},{"key":"e_1_3_2_1_42_1","doi-asserted-by":"publisher","DOI":"10.1145\/3368089.3409687"},{"key":"e_1_3_2_1_43_1","doi-asserted-by":"publisher","DOI":"10.1109\/CSMR.2013.48"},{"key":"e_1_3_2_1_44_1","doi-asserted-by":"publisher","DOI":"10.1109\/SANER.2015.7081877"},{"key":"e_1_3_2_1_45_1","doi-asserted-by":"publisher","DOI":"10.1145\/2931037.2931051"},{"key":"e_1_3_2_1_46_1","doi-asserted-by":"publisher","DOI":"10.1007\/s10664-017-9521-5"},{"key":"e_1_3_2_1_47_1","doi-asserted-by":"publisher","DOI":"10.1145\/3364452.3364455"},{"key":"e_1_3_2_1_48_1","doi-asserted-by":"publisher","DOI":"10.1145\/3213846.3213874"},{"key":"e_1_3_2_1_49_1","doi-asserted-by":"publisher","DOI":"10.1145\/3395363.3397348"},{"key":"e_1_3_2_1_50_1","doi-asserted-by":"publisher","DOI":"10.1002\/stvr.294"},{"key":"e_1_3_2_1_51_1","doi-asserted-by":"publisher","DOI":"10.1109\/ASE.2017.8115621"},{"key":"e_1_3_2_1_52_1","doi-asserted-by":"publisher","DOI":"10.1145\/3379597.3387476"},{"key":"e_1_3_2_1_53_1","doi-asserted-by":"publisher","DOI":"10.1145\/3293882.3330576"},{"key":"e_1_3_2_1_54_1","doi-asserted-by":"publisher","DOI":"10.1109\/TSE.2017.2663435"},{"key":"e_1_3_2_1_55_1","doi-asserted-by":"publisher","DOI":"10.1145\/3239235.3268920"},{"key":"e_1_3_2_1_56_1","volume-title":"Antonino Sabetta, and Fabio Massacci.","author":"Pashchenko Ivan","year":"2020","unstructured":"Ivan Pashchenko , Henrik Plate , Serena Elisa Ponta , Antonino Sabetta, and Fabio Massacci. 2020 . Vuln4real: A methodology for counting actually vulnerable dependencies. IEEE Transactions on Software Engineering (TSE) , https:\/\/ieeexplore.ieee.org\/abstract\/document\/9201023\/ Ivan Pashchenko, Henrik Plate, Serena Elisa Ponta, Antonino Sabetta, and Fabio Massacci. 2020. Vuln4real: A methodology for counting actually vulnerable dependencies. IEEE Transactions on Software Engineering (TSE), https:\/\/ieeexplore.ieee.org\/abstract\/document\/9201023\/"},{"key":"e_1_3_2_1_57_1","doi-asserted-by":"publisher","DOI":"10.1145\/3133956.3134073"},{"key":"e_1_3_2_1_58_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICSME.2018.00054"},{"key":"e_1_3_2_1_59_1","doi-asserted-by":"publisher","DOI":"10.1145\/3377811.3380399"},{"key":"e_1_3_2_1_60_1","doi-asserted-by":"publisher","DOI":"10.1002\/stvr.1601"},{"key":"e_1_3_2_1_61_1","doi-asserted-by":"publisher","DOI":"10.1145\/1007512.1007514"},{"key":"e_1_3_2_1_62_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICSME.2018.00058"},{"key":"e_1_3_2_1_63_1","doi-asserted-by":"publisher","DOI":"10.1109\/TSE.2018.2877664"},{"key":"e_1_3_2_1_64_1","doi-asserted-by":"publisher","DOI":"10.1145\/1007512.1007526"},{"key":"e_1_3_2_1_65_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICSME46990.2020.00014"},{"key":"e_1_3_2_1_66_1","doi-asserted-by":"publisher","DOI":"10.1109\/ACCESS.2019.2903291"},{"key":"e_1_3_2_1_67_1","volume-title":"MAZE: Towards Automated Heap Feng Shui. In USENIX Security Symposium (USENIX Security). https:\/\/www.usenix.org\/conference\/usenixsecurity21\/presentation\/wang-yan","author":"Wang Yan","year":"2021","unstructured":"Yan Wang , Chao Zhang , Zixuan Zhao , Bolun Zhang , Xiaorui Gong , and Wei Zou . 2021 . MAZE: Towards Automated Heap Feng Shui. In USENIX Security Symposium (USENIX Security). https:\/\/www.usenix.org\/conference\/usenixsecurity21\/presentation\/wang-yan Yan Wang, Chao Zhang, Zixuan Zhao, Bolun Zhang, Xiaorui Gong, and Wei Zou. 2021. MAZE: Towards Automated Heap Feng Shui. In USENIX Security Symposium (USENIX Security). https:\/\/www.usenix.org\/conference\/usenixsecurity21\/presentation\/wang-yan"},{"key":"e_1_3_2_1_68_1","volume-title":"USENIX Security Symposium (USENIX Security). 781\u2013797","author":"Wu Wei","year":"2018","unstructured":"Wei Wu , Yueqi Chen , Jun Xu , Xinyu Xing , Xiaorui Gong , and Wei Zou . 2018 . FUZE: Towards facilitating exploit generation for kernel use-after-free vulnerabilities . In USENIX Security Symposium (USENIX Security). 781\u2013797 . https:\/\/www.usenix.org\/conference\/usenixsecurity18\/presentation\/wu-wei Wei Wu, Yueqi Chen, Jun Xu, Xinyu Xing, Xiaorui Gong, and Wei Zou. 2018. FUZE: Towards facilitating exploit generation for kernel use-after-free vulnerabilities. In USENIX Security Symposium (USENIX Security). 781\u2013797. https:\/\/www.usenix.org\/conference\/usenixsecurity18\/presentation\/wu-wei"},{"key":"e_1_3_2_1_69_1","doi-asserted-by":"publisher","DOI":"10.1145\/3133956.3134085"},{"key":"e_1_3_2_1_70_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICSE.2017.67"}],"event":{"name":"ISSTA '22: 31st ACM SIGSOFT International Symposium on Software Testing and Analysis","location":"Virtual South Korea","acronym":"ISSTA '22","sponsor":["SIGSOFT ACM Special Interest Group on Software Engineering"]},"container-title":["Proceedings of the 31st ACM SIGSOFT International Symposium on Software Testing and Analysis"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3533767.3534398","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3533767.3534398","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,18]],"date-time":"2025-06-18T18:43:41Z","timestamp":1750272221000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3533767.3534398"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2022,7,18]]},"references-count":70,"alternative-id":["10.1145\/3533767.3534398","10.1145\/3533767"],"URL":"https:\/\/doi.org\/10.1145\/3533767.3534398","relation":{},"subject":[],"published":{"date-parts":[[2022,7,18]]},"assertion":[{"value":"2022-07-18","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}