{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,2,25]],"date-time":"2026-02-25T17:53:58Z","timestamp":1772042038590,"version":"3.50.1"},"publisher-location":"New York, NY, USA","reference-count":81,"publisher":"ACM","license":[{"start":{"date-parts":[[2022,11,7]],"date-time":"2022-11-07T00:00:00Z","timestamp":1667779200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"funder":[{"name":"European Research Council award number(s)","award":["850868"],"award-info":[{"award-number":["850868"]}]},{"name":"Swiss National Science Foundation award number(s)","award":["PCEGP2_186974"],"award-info":[{"award-number":["PCEGP2_186974"]}]},{"name":"Air Force Research Laboratory award number(s)","award":["FA8655-20-1-7048"],"award-info":[{"award-number":["FA8655-20-1-7048"]}]},{"name":"National Key Research and Development Program of China award number(s)","award":["2021YFB2701000"],"award-info":[{"award-number":["2021YFB2701000"]}]},{"name":"China Postdoctoral Science Foundation award number(s)","award":["2021M701942"],"award-info":[{"award-number":["2021M701942"]}]},{"name":"Beijing National Research Center for Information Science and Technology award number(s)","award":["BNR2022RC01006"],"award-info":[{"award-number":["BNR2022RC01006"]}]},{"name":"Defense Advanced Research Projects Agency award number(s)","award":["HR001119S0089-AMP-FP-034"],"award-info":[{"award-number":["HR001119S0089-AMP-FP-034"]}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2022,11,7]]},"DOI":"10.1145\/3548606.3560575","type":"proceedings-article","created":{"date-parts":[[2022,11,7]],"date-time":"2022-11-07T11:41:28Z","timestamp":1667821288000},"page":"1599-1613","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":17,"title":["Evocatio"],"prefix":"10.1145","author":[{"given":"Zhiyuan","family":"Jiang","sequence":"first","affiliation":[{"name":"NUDT, Changsha, China"}]},{"given":"Shuitao","family":"Gan","sequence":"additional","affiliation":[{"name":"SKL-MEAC, Tsinghua University, Wuxi, China"}]},{"given":"Adrian","family":"Herrera","sequence":"additional","affiliation":[{"name":"Australian National University, Canberra, Australia"}]},{"given":"Flavio","family":"Toffalini","sequence":"additional","affiliation":[{"name":"EPFL, Lausanne, Switzerland"}]},{"given":"Lucio","family":"Romerio","sequence":"additional","affiliation":[{"name":"EPFL, Lausanne, Switzerland"}]},{"given":"Chaojing","family":"Tang","sequence":"additional","affiliation":[{"name":"NUDT, Changsha, China"}]},{"given":"Manuel","family":"Egele","sequence":"additional","affiliation":[{"name":"Boston University, Boston, MA, USA"}]},{"given":"Chao","family":"Zhang","sequence":"additional","affiliation":[{"name":"Tsinghua University, BNRist Zhongguancun Lab, Beijing, China"}]},{"given":"Mathias","family":"Payer","sequence":"additional","affiliation":[{"name":"EPFL, Lausanne, Switzerland"}]}],"member":"320","published-online":{"date-parts":[[2022,11,7]]},"reference":[{"key":"e_1_3_2_1_1_1","volume-title":"Tools and Algorithms for the Construction and Analysis of Systems (TACAS)","author":"Anand Saswat","unstructured":"Saswat Anand , Patrice Godefroid , and Nikolai Tillmann . 2008. Demand-driven compositional symbolic execution . In Tools and Algorithms for the Construction and Analysis of Systems (TACAS) . Springer , 367--381. Saswat Anand, Patrice Godefroid, and Nikolai Tillmann. 2008. Demand-driven compositional symbolic execution. In Tools and Algorithms for the Construction and Analysis of Systems (TACAS). Springer, 367--381."},{"key":"e_1_3_2_1_2_1","first-page":"1","article-title":"REDQUEEN: Fuzzing with Input-to-State Correspondence","volume":"19","author":"Aschermann Cornelius","year":"2019","unstructured":"Cornelius Aschermann , Sergej Schumilo , Tim Blazytko , Robert Gawlik , and Thorsten Holz . 2019 . REDQUEEN: Fuzzing with Input-to-State Correspondence .. In Network and Distributed Systems Security (NDSS) , Vol. 19. 1 -- 15 . Cornelius Aschermann, Sergej Schumilo, Tim Blazytko, Robert Gawlik, and Thorsten Holz. 2019. REDQUEEN: Fuzzing with Input-to-State Correspondence.. In Network and Distributed Systems Security (NDSS), Vol. 19. 1--15.","journal-title":"Network and Distributed Systems Security (NDSS)"},{"key":"e_1_3_2_1_3_1","doi-asserted-by":"publisher","DOI":"10.1145\/2560217.2560219"},{"key":"e_1_3_2_1_4_1","first-page":"10","volume-title":"Comput. Surveys","volume":"51","author":"Baldoni Roberto","year":"2018","unstructured":"Roberto Baldoni , Emilio Coppa , Daniele Cono D'elia , Camil Demetrescu , and Irene Finocchi . 2018 . A Survey of Symbolic Execution Techniques . Comput. Surveys , Vol. 51 , 3, Article 50 (may 2018), 39 pages. https:\/\/doi.org\/ 10 .1145\/3182657 10.1145\/3182657 Roberto Baldoni, Emilio Coppa, Daniele Cono D'elia, Camil Demetrescu, and Irene Finocchi. 2018. A Survey of Symbolic Execution Techniques. Comput. Surveys, Vol. 51, 3, Article 50 (may 2018), 39 pages. https:\/\/doi.org\/10.1145\/3182657"},{"key":"e_1_3_2_1_5_1","volume-title":"The Page-Fault Weird Machine: Lessons in Instruction-less Computation. In Workshop on Offensive Technologies (WOOT). USENIX.","author":"Bangert Julian","unstructured":"Julian Bangert , Sergey Bratus , Rebecca Shapiro , and Sean W. Smith . 2013 . The Page-Fault Weird Machine: Lessons in Instruction-less Computation. In Workshop on Offensive Technologies (WOOT). USENIX. Julian Bangert, Sergey Bratus, Rebecca Shapiro, and Sean W. Smith. 2013. The Page-Fault Weird Machine: Lessons in Instruction-less Computation. In Workshop on Offensive Technologies (WOOT). USENIX."},{"key":"e_1_3_2_1_6_1","unstructured":"Thomas Bernard. 2018. CVE-2018-12900 Patch. https:\/\/gitlab.com\/libtiff\/libtiff\/-\/merge_requests\/60. Thomas Bernard. 2018. CVE-2018-12900 Patch. https:\/\/gitlab.com\/libtiff\/libtiff\/-\/merge_requests\/60."},{"key":"e_1_3_2_1_7_1","volume-title":"AURORA: Statistical Crash Analysis for Automated Root Cause Explanation. In USENIX Security (SEC). USENIX, 235--252.","author":"Blazytko Tim","year":"2020","unstructured":"Tim Blazytko , Moritz Schl\u00f6gel , Cornelius Aschermann , Ali Abbasi , Joel Frank , Simon W\u00f6rner , and Thorsten Holz . 2020 . AURORA: Statistical Crash Analysis for Automated Root Cause Explanation. In USENIX Security (SEC). USENIX, 235--252. Tim Blazytko, Moritz Schl\u00f6gel, Cornelius Aschermann, Ali Abbasi, Joel Frank, Simon W\u00f6rner, and Thorsten Holz. 2020. AURORA: Statistical Crash Analysis for Automated Root Cause Explanation. In USENIX Security (SEC). USENIX, 235--252."},{"key":"#cr-split#-e_1_3_2_1_8_1.1","doi-asserted-by":"crossref","unstructured":"Marcel B\u00f6hme Van-Thuan Pham Manh-Dung Nguyen and Abhik Roychoudhury. 2017. Directed greybox fuzzing. In Computer and Communications Security (CCS). ACM 2329--2344. https:\/\/doi.org\/10.1145\/3133956.3134020 10.1145\/3133956.3134020","DOI":"10.1145\/3133956.3134020"},{"key":"#cr-split#-e_1_3_2_1_8_1.2","doi-asserted-by":"crossref","unstructured":"Marcel B\u00f6hme Van-Thuan Pham Manh-Dung Nguyen and Abhik Roychoudhury. 2017. Directed greybox fuzzing. In Computer and Communications Security (CCS). ACM 2329--2344. https:\/\/doi.org\/10.1145\/3133956.3134020","DOI":"10.1145\/3133956.3134020"},{"key":"e_1_3_2_1_9_1","unstructured":"Rich Campagna. 2020. The 3 Reasons CVSS Scores Change Over Time. https:\/\/securityboulevard.com\/2020\/05\/the-3-reasons-cvss-scores-change-over-time\/. Rich Campagna. 2020. The 3 Reasons CVSS Scores Change Over Time. https:\/\/securityboulevard.com\/2020\/05\/the-3-reasons-cvss-scores-change-over-time\/."},{"key":"e_1_3_2_1_10_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICSE43902.2021.00104"},{"key":"e_1_3_2_1_11_1","volume-title":"Angora: Efficient fuzzing by principled search. In Security and Privacy (S&P)","author":"Chen Peng","year":"2018","unstructured":"Peng Chen and Hao Chen . 2018 . Angora: Efficient fuzzing by principled search. In Security and Privacy (S&P) . IEEE , 711--725. Peng Chen and Hao Chen. 2018. Angora: Efficient fuzzing by principled search. In Security and Privacy (S&P). IEEE, 711--725."},{"key":"e_1_3_2_1_12_1","volume-title":"KOOBE: Towards Facilitating Exploit Generation of Kernel Out-Of-Bounds Write Vulnerabilities. In USENIX Security (SEC). USENIX, 1093--1110.","author":"Chen Weiteng","year":"2020","unstructured":"Weiteng Chen , Xiaochen Zou , Guoren Li , and Zhiyun Qian . 2020 . KOOBE: Towards Facilitating Exploit Generation of Kernel Out-Of-Bounds Write Vulnerabilities. In USENIX Security (SEC). USENIX, 1093--1110. Weiteng Chen, Xiaochen Zou, Guoren Li, and Zhiyun Qian. 2020. KOOBE: Towards Facilitating Exploit Generation of Kernel Out-Of-Bounds Write Vulnerabilities. In USENIX Security (SEC). USENIX, 1093--1110."},{"key":"e_1_3_2_1_13_1","doi-asserted-by":"publisher","DOI":"10.1145\/3319535.3363212"},{"key":"e_1_3_2_1_14_1","unstructured":"Zheng Leong Chua Yanhao Wang Teodora Baluta Prateek Saxena Zhenkai Liang and Purui Su. 2019. One Engine To Serve 'em All: Inferring Taint Rules Without Architectural Semantics. In Network and Distributed Systems Security (NDSS). Zheng Leong Chua Yanhao Wang Teodora Baluta Prateek Saxena Zhenkai Liang and Purui Su. 2019. One Engine To Serve 'em All: Inferring Taint Rules Without Architectural Semantics. In Network and Distributed Systems Security (NDSS)."},{"key":"e_1_3_2_1_15_1","unstructured":"Nick Clifton. 2020. CVE-2021--20284 Patch. https:\/\/sourceware.org\/git\/gitweb.cgi?p=binutils-gdb.git;h=f60742b2a1988d276c77d5c1011143f320d9b4cb. Nick Clifton. 2020. CVE-2021--20284 Patch. https:\/\/sourceware.org\/git\/gitweb.cgi?p=binutils-gdb.git;h=f60742b2a1988d276c77d5c1011143f320d9b4cb."},{"key":"e_1_3_2_1_16_1","doi-asserted-by":"publisher","DOI":"10.1145\/3338112"},{"key":"e_1_3_2_1_17_1","doi-asserted-by":"publisher","DOI":"10.1109\/TETC.2017.2785299"},{"key":"e_1_3_2_1_18_1","doi-asserted-by":"publisher","DOI":"10.1145\/3407023.3407038"},{"key":"e_1_3_2_1_19_1","volume-title":"Workshop on Offensive Technologies (WOOT). USENIX.","author":"Fioraldi Andrea","year":"2020","unstructured":"Andrea Fioraldi , Dominik Maier , Heiko Ei\u00dffeldt , and Marc Heuse . 2020 . AFL: Combining incremental steps of fuzzing research . In Workshop on Offensive Technologies (WOOT). USENIX. Andrea Fioraldi, Dominik Maier, Heiko Ei\u00dffeldt, and Marc Heuse. 2020. AFL: Combining incremental steps of fuzzing research. In Workshop on Offensive Technologies (WOOT). USENIX."},{"key":"e_1_3_2_1_20_1","unstructured":"FIRST. 2019. Common Vulnerability Scoring System v3.1: Specification Document. https:\/\/www.first.org\/cvss\/specification-document. FIRST. 2019. Common Vulnerability Scoring System v3.1: Specification Document. https:\/\/www.first.org\/cvss\/specification-document."},{"key":"e_1_3_2_1_21_1","volume-title":"GREYONE: Data Flow Sensitive Fuzzing. In USENIX Security (SEC). USENIX, 2577--2594.","author":"Gan Shuitao","year":"2020","unstructured":"Shuitao Gan , Chao Zhang , Peng Chen , Bodong Zhao , Xiaojun Qin , Dong Wu , and Zuoning Chen . 2020 . GREYONE: Data Flow Sensitive Fuzzing. In USENIX Security (SEC). USENIX, 2577--2594. Shuitao Gan, Chao Zhang, Peng Chen, Bodong Zhao, Xiaojun Qin, Dong Wu, and Zuoning Chen. 2020. GREYONE: Data Flow Sensitive Fuzzing. In USENIX Security (SEC). USENIX, 2577--2594."},{"key":"e_1_3_2_1_22_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICSE.2009.5070546"},{"key":"e_1_3_2_1_23_1","first-page":"1","article-title":"Beyond Tests: Program Vulnerability Repair via Crash Constraint Extraction","volume":"30","author":"Gao Xiang","year":"2021","unstructured":"Xiang Gao , Bo Wang , Gregory J Duck , Ruyi Ji , Yingfei Xiong , and Abhik Roychoudhury . 2021 . Beyond Tests: Program Vulnerability Repair via Crash Constraint Extraction . Transactions on Software Engineering and Methodology , Vol. 30 , 2 (2021), 1 -- 27 . Xiang Gao, Bo Wang, Gregory J Duck, Ruyi Ji, Yingfei Xiong, and Abhik Roychoudhury. 2021. Beyond Tests: Program Vulnerability Repair via Crash Constraint Extraction. Transactions on Software Engineering and Methodology, Vol. 30, 2 (2021), 1--27.","journal-title":"Transactions on Software Engineering and Methodology"},{"key":"e_1_3_2_1_24_1","doi-asserted-by":"publisher","DOI":"10.1109\/TSE.2017.2755013"},{"key":"e_1_3_2_1_25_1","unstructured":"Google. 2019. Default configuration of AddressSanitizer. https:\/\/github.com\/google\/sanitizers\/wiki\/AddressSanitizer. Google. 2019. Default configuration of AddressSanitizer. https:\/\/github.com\/google\/sanitizers\/wiki\/AddressSanitizer."},{"key":"e_1_3_2_1_26_1","unstructured":"Google. 2022. Google syzbot. https:\/\/syzkaller.appspot.com\/upstream. Google. 2022. Google syzbot. https:\/\/syzkaller.appspot.com\/upstream."},{"key":"e_1_3_2_1_27_1","unstructured":"Istvan Haller Asia Slowinska Matthias Neugschwandtner and Herbert Bos. 2013. Dowsing for overflows: a guided fuzzer to find buffer boundary violations.. In USENIX Security (SEC). USENIX 49--64. Istvan Haller Asia Slowinska Matthias Neugschwandtner and Herbert Bos. 2013. Dowsing for overflows: a guided fuzzer to find buffer boundary violations.. In USENIX Security (SEC). USENIX 49--64."},{"key":"e_1_3_2_1_28_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICSME.2017.52"},{"key":"e_1_3_2_1_29_1","doi-asserted-by":"publisher","DOI":"10.1145\/3428334"},{"key":"e_1_3_2_1_30_1","doi-asserted-by":"publisher","DOI":"10.1145\/3319535.3354224"},{"key":"e_1_3_2_1_31_1","unstructured":"Max Kellermann. 2018a. CVE-2018--19540 Patch. https:\/\/github.com\/jasper-maint\/jasper\/pull\/39. Max Kellermann. 2018a. CVE-2018--19540 Patch. https:\/\/github.com\/jasper-maint\/jasper\/pull\/39."},{"key":"e_1_3_2_1_32_1","unstructured":"Max Kellermann. 2018b. CVE-2018--19543 Patch. https:\/\/github.com\/jasper-maint\/jasper\/pull\/38\/commits\/69bba1480fb4b1f1e2ab75a14a00721f4cf16e50. Max Kellermann. 2018b. CVE-2018--19543 Patch. https:\/\/github.com\/jasper-maint\/jasper\/pull\/38\/commits\/69bba1480fb4b1f1e2ab75a14a00721f4cf16e50."},{"key":"e_1_3_2_1_33_1","volume-title":"Keromytis","author":"Kemerlis Vasileios P.","year":"2012","unstructured":"Vasileios P. Kemerlis , Georgios Portokalidis , Kangkook Jee , and Angelos D . Keromytis . 2012 . Libdft : Practical Dynamic Data Flow Tracking for Commodity Systems. In Virtual Execution Environments (VEE). ACM , 121--132. https:\/\/doi.org\/10.1145\/2151024.2151042 10.1145\/2151024.2151042 Vasileios P. Kemerlis, Georgios Portokalidis, Kangkook Jee, and Angelos D. Keromytis. 2012. Libdft: Practical Dynamic Data Flow Tracking for Commodity Systems. In Virtual Execution Environments (VEE). ACM, 121--132. https:\/\/doi.org\/10.1145\/2151024.2151042"},{"key":"e_1_3_2_1_34_1","doi-asserted-by":"publisher","DOI":"10.3233\/IFS-151733"},{"key":"#cr-split#-e_1_3_2_1_35_1.1","doi-asserted-by":"crossref","unstructured":"George Klees Andrew Ruef Benji Cooper Shiyi Wei and Michael Hicks. 2018. Evaluating Fuzz Testing. In Computer and Communications Security (CCS). ACM 2123--2138. https:\/\/doi.org\/10.1145\/3243734.3243804 10.1145\/3243734.3243804","DOI":"10.1145\/3243734.3243804"},{"key":"#cr-split#-e_1_3_2_1_35_1.2","doi-asserted-by":"crossref","unstructured":"George Klees Andrew Ruef Benji Cooper Shiyi Wei and Michael Hicks. 2018. Evaluating Fuzz Testing. In Computer and Communications Security (CCS). ACM 2123--2138. https:\/\/doi.org\/10.1145\/3243734.3243804","DOI":"10.1145\/3243734.3243804"},{"key":"e_1_3_2_1_36_1","unstructured":"Hugo Lefeuvre. 2018a. CVE-2018-8964 Patch. https:\/\/github.com\/libming\/libming\/issues\/129. Hugo Lefeuvre. 2018a. CVE-2018-8964 Patch. https:\/\/github.com\/libming\/libming\/issues\/129."},{"key":"e_1_3_2_1_37_1","unstructured":"Hugo Lefeuvre. 2018b. CVE-2018--9009 Patch. https:\/\/github.com\/libming\/libming\/pull\/145\/commits\/835cdd0776456483466c6d640d251548e7d9dcdb. Hugo Lefeuvre. 2018b. CVE-2018--9009 Patch. https:\/\/github.com\/libming\/libming\/pull\/145\/commits\/835cdd0776456483466c6d640d251548e7d9dcdb."},{"key":"e_1_3_2_1_38_1","unstructured":"Hugo Lefeuvre. 2018c. Patch of CVE-2018-7871. https:\/\/github.com\/libming\/libming\/pull\/125\/commits. Hugo Lefeuvre. 2018c. Patch of CVE-2018-7871. https:\/\/github.com\/libming\/libming\/pull\/125\/commits."},{"key":"e_1_3_2_1_39_1","doi-asserted-by":"crossref","unstructured":"Caroline Lemieux and Koushik Sen. 2018. FairFuzz: A targeted mutation strategy for increasing greybox fuzz testing coverage. In Automated Software Engineering (ASE). ACM 475--485. Caroline Lemieux and Koushik Sen. 2018. FairFuzz: A targeted mutation strategy for increasing greybox fuzz testing coverage. In Automated Software Engineering (ASE). ACM 475--485.","DOI":"10.1145\/3238147.3238176"},{"key":"e_1_3_2_1_40_1","unstructured":"LiveOverflow. 2021a. Avaiable PoC to trigger the CVE-2021-3156. https:\/\/github.com\/LiveOverflow\/pwnedit\/tree\/main\/episode05. LiveOverflow. 2021a. Avaiable PoC to trigger the CVE-2021-3156. https:\/\/github.com\/LiveOverflow\/pwnedit\/tree\/main\/episode05."},{"key":"e_1_3_2_1_41_1","unstructured":"LiveOverflow. 2021b. Modification on sudo to enable it can be fuzzed by AFLplusplus. https:\/\/github.com\/LiveOverflow\/pwnedit\/tree\/main\/episode01. LiveOverflow. 2021b. Modification on sudo to enable it can be fuzzed by AFLplusplus. https:\/\/github.com\/LiveOverflow\/pwnedit\/tree\/main\/episode01."},{"key":"e_1_3_2_1_42_1","unstructured":"Thomas Loimer. 2020. CVE-2020-21675 Patch. https:\/\/sourceforge.net\/p\/mcj\/tickets\/78\/. Thomas Loimer. 2020. CVE-2020-21675 Patch. https:\/\/sourceforge.net\/p\/mcj\/tickets\/78\/."},{"key":"e_1_3_2_1_43_1","unstructured":"Steve Mancini. 2020. The subjective nature of a CVSS score. https:\/\/eclypsium.com\/2020\/09\/30\/the-subjective-nature-of-a-cvss-score\/. Steve Mancini. 2020. The subjective nature of a CVSS score. https:\/\/eclypsium.com\/2020\/09\/30\/the-subjective-nature-of-a-cvss-score\/."},{"key":"e_1_3_2_1_44_1","doi-asserted-by":"publisher","DOI":"10.1109\/TSE.2019.2946563"},{"key":"e_1_3_2_1_45_1","volume-title":"Automated Software Engineering (ASE)","author":"Mathis Bj\u00f6rn","unstructured":"Bj\u00f6rn Mathis , Vitalii Avdiienko , Ezekiel O. Soremekun , Marcel B\u00f6hme , and Andreas Zeller . 2017. Detecting Information Flow by Mutating Input Data . In Automated Software Engineering (ASE) . IEEE , 263--273. Bj\u00f6rn Mathis, Vitalii Avdiienko, Ezekiel O. Soremekun, Marcel B\u00f6hme, and Andreas Zeller. 2017. Detecting Information Flow by Mutating Input Data. In Automated Software Engineering (ASE). IEEE, 263--273."},{"key":"e_1_3_2_1_46_1","doi-asserted-by":"crossref","unstructured":"Xianya Mi Sanjay Rawat Cristiano Giuffrida and Herbert Bos. 2021. LeanSym: Efficient Hybrid Fuzzing Through Conservative Constraint Debloating. ACM 62--77. Xianya Mi Sanjay Rawat Cristiano Giuffrida and Herbert Bos. 2021. LeanSym: Efficient Hybrid Fuzzing Through Conservative Constraint Debloating. ACM 62--77.","DOI":"10.1145\/3471621.3471852"},{"key":"e_1_3_2_1_47_1","doi-asserted-by":"publisher","DOI":"10.1145\/1134285.1134307"},{"key":"e_1_3_2_1_48_1","unstructured":"Alan Modra. 2020. CVE-2021-20294 Patch. https:\/\/sourceware.org\/bugzilla\/show_bug.cgi?id=26929. Alan Modra. 2020. CVE-2021-20294 Patch. https:\/\/sourceware.org\/bugzilla\/show_bug.cgi?id=26929."},{"key":"e_1_3_2_1_49_1","unstructured":"Alan Modra. 2021. Patch of CVE-2021-45079. https:\/\/sourceware.org\/bugzilla\/show_bug.cgi?id=28694. Alan Modra. 2021. Patch of CVE-2021-45079. https:\/\/sourceware.org\/bugzilla\/show_bug.cgi?id=28694."},{"key":"e_1_3_2_1_50_1","doi-asserted-by":"publisher","DOI":"10.1145\/2699026.2699098"},{"key":"e_1_3_2_1_51_1","unstructured":"NIST. 2021. Common Vulnerability Scoring System. https:\/\/nvd.nist.gov\/vuln-metrics\/cvss. NIST. 2021. Common Vulnerability Scoring System. https:\/\/nvd.nist.gov\/vuln-metrics\/cvss."},{"key":"e_1_3_2_1_52_1","unstructured":"NVD. 2018. CVSS Description of CVE-2018-17795. https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2018--17795. NVD. 2018. CVSS Description of CVE-2018-17795. https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2018--17795."},{"key":"e_1_3_2_1_53_1","unstructured":"NVD. 2021. Description of CVE-2021-3156. https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2021--3156. NVD. 2021. Description of CVE-2021-3156. https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2021--3156."},{"key":"e_1_3_2_1_54_1","unstructured":"IBM QRadar. 2021. Common Vulnerability Scoring System (CVSS). https:\/\/www.ibm.com\/docs\/en\/qradar-on-cloud?topic=vulnerabilities-common-vulnerability-scoring-system-cvss. IBM QRadar. 2021. Common Vulnerability Scoring System (CVSS). https:\/\/www.ibm.com\/docs\/en\/qradar-on-cloud?topic=vulnerabilities-common-vulnerability-scoring-system-cvss."},{"key":"e_1_3_2_1_55_1","doi-asserted-by":"crossref","unstructured":"Sanjay Rawat Vivek Jain Ashish Kumar and Herbert Bos. 2017. VUzzer: Application-aware Evolutionary Fuzzing. In Network and Distributed Systems Security (NDSS). Sanjay Rawat Vivek Jain Ashish Kumar and Herbert Bos. 2017. VUzzer: Application-aware Evolutionary Fuzzing. In Network and Distributed Systems Security (NDSS).","DOI":"10.14722\/ndss.2017.23404"},{"key":"e_1_3_2_1_56_1","unstructured":"Even Rouault. 2016a. CVE-2016--10092 Patch. https:\/\/github.com\/vadz\/libtiff\/commit\/9657bbe3cdce4aaa90e07d50c1c70ae52da0ba6a. Even Rouault. 2016a. CVE-2016--10092 Patch. https:\/\/github.com\/vadz\/libtiff\/commit\/9657bbe3cdce4aaa90e07d50c1c70ae52da0ba6a."},{"key":"e_1_3_2_1_57_1","unstructured":"Even Rouault. 2016b. CVE-2016-10272 Patch. https:\/\/github.com\/vadz\/libtiff\/commit\/9657bbe3cdce4aaa90e07d50c1c70ae52da0ba6a. Even Rouault. 2016b. CVE-2016-10272 Patch. https:\/\/github.com\/vadz\/libtiff\/commit\/9657bbe3cdce4aaa90e07d50c1c70ae52da0ba6a."},{"key":"e_1_3_2_1_58_1","unstructured":"Even Rouault. 2016c. CVE-2016--9273 Patch. https:\/\/github.com\/vadz\/libtiff\/commit\/d651abc097d91fac57f33b5f9447d0a9183f58e7. Even Rouault. 2016c. CVE-2016--9273 Patch. https:\/\/github.com\/vadz\/libtiff\/commit\/d651abc097d91fac57f33b5f9447d0a9183f58e7."},{"key":"e_1_3_2_1_59_1","unstructured":"Even Rouault. 2016 d. CVE-2016-9532 Patch. https:\/\/github.com\/vadz\/libtiff\/commit\/21d39de1002a5e69caa0574b2cc05d795d6fbfad. Even Rouault. 2016 d. CVE-2016-9532 Patch. https:\/\/github.com\/vadz\/libtiff\/commit\/21d39de1002a5e69caa0574b2cc05d795d6fbfad."},{"key":"e_1_3_2_1_60_1","unstructured":"Even Rouault. 2016 e. Pull Request of CVE-2016--9273. https:\/\/github.com\/vadz\/libtiff\/commit\/d651abc097d91fac57f33b5f9447d0a9183f58e7. Even Rouault. 2016 e. Pull Request of CVE-2016--9273. https:\/\/github.com\/vadz\/libtiff\/commit\/d651abc097d91fac57f33b5f9447d0a9183f58e7."},{"key":"e_1_3_2_1_61_1","doi-asserted-by":"publisher","DOI":"10.1145\/3188720"},{"key":"e_1_3_2_1_62_1","unstructured":"Hayaki Saito. 2018. CVE-2020-21050 Patch. https:\/\/github.com\/saitoha\/libsixel\/commit\/7808a06b88c11dbc502318cdd51fa374f8cd47ee. Hayaki Saito. 2018. CVE-2020-21050 Patch. https:\/\/github.com\/saitoha\/libsixel\/commit\/7808a06b88c11dbc502318cdd51fa374f8cd47ee."},{"key":"e_1_3_2_1_63_1","volume-title":"AddressSanitizer: A Fast Address Sanity Checker. In Annual Technical Conference (ATC). USENIX, 28","author":"Serebryany Konstantin","year":"2012","unstructured":"Konstantin Serebryany , Derek Bruening , Alexander Potapenko , and Dmitry Vyukov . 2012 . AddressSanitizer: A Fast Address Sanity Checker. In Annual Technical Conference (ATC). USENIX, 28 . Konstantin Serebryany, Derek Bruening, Alexander Potapenko, and Dmitry Vyukov. 2012. AddressSanitizer: A Fast Address Sanity Checker. In Annual Technical Conference (ATC). USENIX, 28."},{"key":"e_1_3_2_1_64_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICMLA52953.2021.00256"},{"key":"#cr-split#-e_1_3_2_1_65_1.1","doi-asserted-by":"crossref","unstructured":"Shiqi Shen Aashish Kolluri Zhen Dong Prateek Saxena and Abhik Roychoudhury. 2021. Localizing Vulnerabilities Statistically From One Exploit. In Asia Computer and Communications Security (ASIA CCS). 537--549. https:\/\/doi.org\/10.1145\/3433210.3437528 10.1145\/3433210.3437528","DOI":"10.1145\/3433210.3437528"},{"key":"#cr-split#-e_1_3_2_1_65_1.2","doi-asserted-by":"crossref","unstructured":"Shiqi Shen Aashish Kolluri Zhen Dong Prateek Saxena and Abhik Roychoudhury. 2021. Localizing Vulnerabilities Statistically From One Exploit. In Asia Computer and Communications Security (ASIA CCS). 537--549. https:\/\/doi.org\/10.1145\/3433210.3437528","DOI":"10.1145\/3433210.3437528"},{"key":"e_1_3_2_1_66_1","doi-asserted-by":"crossref","unstructured":"Shiqi Shen Shweta Shinde Soundarya Ramesh Abhik Roychoudhury and Prateek Saxena. 2019. Neuro-Symbolic Execution: Augmenting Symbolic Execution with Neural Constraints.. In Network and Distributed Systems Security (NDSS). Shiqi Shen Shweta Shinde Soundarya Ramesh Abhik Roychoudhury and Prateek Saxena. 2019. Neuro-Symbolic Execution: Augmenting Symbolic Execution with Neural Constraints.. In Network and Distributed Systems Security (NDSS).","DOI":"10.14722\/ndss.2019.23530"},{"key":"e_1_3_2_1_67_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.jss.2018.09.039"},{"key":"e_1_3_2_1_68_1","doi-asserted-by":"publisher","DOI":"10.1145\/3139367.3139390"},{"key":"e_1_3_2_1_69_1","unstructured":"The Clang Team. 2022. DataFlowSanitizer Design Document. https:\/\/clang.llvm.org\/docs\/DataFlowSanitizerDesign.html. The Clang Team. 2022. DataFlowSanitizer Design Document. https:\/\/clang.llvm.org\/docs\/DataFlowSanitizerDesign.html."},{"key":"e_1_3_2_1_70_1","unstructured":"Guido Vranken. 2020. CVE-2020--1104. https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2020-11104. Guido Vranken. 2020. CVE-2020--1104. https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2020-11104."},{"key":"e_1_3_2_1_71_1","volume-title":"ACM","author":"Wang Yan","year":"2018","unstructured":"Yan Wang , Chao Zhang , Xiaobo Xiang , Zixuan Zhao , Wenjie Li , Xiaorui Gong , Bingchang Liu , Kaixiang Chen , and Wei Zou . 2018 . Revery: From Proof-of-Concept to Exploitable. In Computer and Communications Security (CCS) . ACM , 1914--1927. https:\/\/doi.org\/10.1145\/3243734.3243847 10.1145\/3243734.3243847 Yan Wang, Chao Zhang, Xiaobo Xiang, Zixuan Zhao, Wenjie Li, Xiaorui Gong, Bingchang Liu, Kaixiang Chen, and Wei Zou. 2018. Revery: From Proof-of-Concept to Exploitable. In Computer and Communications Security (CCS). ACM, 1914--1927. https:\/\/doi.org\/10.1145\/3243734.3243847"},{"key":"e_1_3_2_1_72_1","volume-title":"MAZE: Towards Automated Heap Feng Shui. In USENIX Security (SEC). USENIX, 1647--1664.","author":"Wang Yan","year":"2021","unstructured":"Yan Wang , Chao Zhang , Zixuan Zhao , Bolun Zhang , Xiaorui Gong , and Wei Zou . 2021 . MAZE: Towards Automated Heap Feng Shui. In USENIX Security (SEC). USENIX, 1647--1664. Yan Wang, Chao Zhang, Zixuan Zhao, Bolun Zhang, Xiaorui Gong, and Wei Zou. 2021. MAZE: Towards Automated Heap Feng Shui. In USENIX Security (SEC). USENIX, 1647--1664."},{"key":"e_1_3_2_1_73_1","volume-title":"28th USENIX Security Symposium (USENIX Security 19)","author":"Wu Wei","year":"2019","unstructured":"Wei Wu , Yueqi Chen , Xinyu Xing , and Wei Zou . 2019 . {KEPLER}: Facilitating control-flow hijacking primitive evaluation for Linux kernel vulnerabilities . In 28th USENIX Security Symposium (USENIX Security 19) . 1187--1204. Wei Wu, Yueqi Chen, Xinyu Xing, and Wei Zou. 2019. {KEPLER}: Facilitating control-flow hijacking primitive evaluation for Linux kernel vulnerabilities. In 28th USENIX Security Symposium (USENIX Security 19). 1187--1204."},{"key":"e_1_3_2_1_74_1","volume-title":"FUZE: Towards Facilitating Exploit Generation for Kernel Use-After-Free Vulnerabilities. In USENIX Security (SEC). USENIX, 781--797.","author":"Wu Wei","year":"2018","unstructured":"Wei Wu , Yueqi Chen , Jun Xu , Xinyu Xing , Xiaorui Gong , and Wei Zou . 2018 . FUZE: Towards Facilitating Exploit Generation for Kernel Use-After-Free Vulnerabilities. In USENIX Security (SEC). USENIX, 781--797. Wei Wu, Yueqi Chen, Jun Xu, Xinyu Xing, Xiaorui Gong, and Wei Zou. 2018. FUZE: Towards Facilitating Exploit Generation for Kernel Use-After-Free Vulnerabilities. In USENIX Security (SEC). USENIX, 781--797."},{"key":"e_1_3_2_1_75_1","volume-title":"Source Code Analysis and Manipulation (SCAM)","author":"Yadegari Babak","unstructured":"Babak Yadegari and Saumya Debray . 2014. Bit-level taint analysis . In Source Code Analysis and Manipulation (SCAM) . IEEE , 255--264. Babak Yadegari and Saumya Debray. 2014. Bit-level taint analysis. In Source Code Analysis and Manipulation (SCAM). IEEE, 255--264."},{"key":"e_1_3_2_1_76_1","volume-title":"ProFuzzer: On-the-fly Input Type Probing for Better Zero-Day Vulnerability Discovery","author":"You Wei","year":"2019","unstructured":"Wei You , Xueqiang Wang , Shiqing Ma , Jianjun Huang , Xiangyu Zhang , XiaoFeng Wang , and Bin Liang . 2019. ProFuzzer: On-the-fly Input Type Probing for Better Zero-Day Vulnerability Discovery . In IEEE Security and Privacy (S&P). IEEE. https:\/\/doi.org\/10.1109\/SP. 2019 .00057 10.1109\/SP.2019.00057 Wei You, Xueqiang Wang, Shiqing Ma, Jianjun Huang, Xiangyu Zhang, XiaoFeng Wang, and Bin Liang. 2019. ProFuzzer: On-the-fly Input Type Probing for Better Zero-Day Vulnerability Discovery. In IEEE Security and Privacy (S&P). IEEE. https:\/\/doi.org\/10.1109\/SP.2019.00057"},{"key":"e_1_3_2_1_77_1","unstructured":"Yuan. 2018. CVE-2020--27828 Patch. https:\/\/github.com\/jasper-software\/jasper\/pull\/253. Yuan. 2018. CVE-2020--27828 Patch. https:\/\/github.com\/jasper-software\/jasper\/pull\/253."},{"key":"e_1_3_2_1_78_1","volume-title":"USENIX Security (SEC)","author":"Zou Xiaochen","unstructured":"Xiaochen Zou , Guoren Li , Weiteng Chen , Hang Zhang , and Zhiyun Qian . 2022. SyzScope: Revealing High-Risk Security Impacts of Fuzzer-Exposed Bugs in Linux kernel . In USENIX Security (SEC) . USENIX , Boston, MA . Xiaochen Zou, Guoren Li, Weiteng Chen, Hang Zhang, and Zhiyun Qian. 2022. SyzScope: Revealing High-Risk Security Impacts of Fuzzer-Exposed Bugs in Linux kernel. In USENIX Security (SEC). USENIX, Boston, MA."}],"event":{"name":"CCS '22: 2022 ACM SIGSAC Conference on Computer and Communications Security","location":"Los Angeles CA USA","acronym":"CCS '22","sponsor":["SIGSAC ACM Special Interest Group on Security, Audit, and Control"]},"container-title":["Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3548606.3560575","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3548606.3560575","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,17]],"date-time":"2025-06-17T17:50:57Z","timestamp":1750182657000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3548606.3560575"}},"subtitle":["Conjuring Bug Capabilities from a Single PoC"],"short-title":[],"issued":{"date-parts":[[2022,11,7]]},"references-count":81,"alternative-id":["10.1145\/3548606.3560575","10.1145\/3548606"],"URL":"https:\/\/doi.org\/10.1145\/3548606.3560575","relation":{},"subject":[],"published":{"date-parts":[[2022,11,7]]},"assertion":[{"value":"2022-11-07","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}