{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,7,18]],"date-time":"2026-07-18T02:33:41Z","timestamp":1784342021189,"version":"3.55.0"},"publisher-location":"New York, NY, USA","reference-count":38,"publisher":"ACM","license":[{"start":{"date-parts":[[2025,11,22]],"date-time":"2025-11-22T00:00:00Z","timestamp":1763769600000},"content-version":"vor","delay-in-days":3,"URL":"http:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"funder":[{"name":"United States Air Force and DARPA","award":["FA8750-24-2-0002"],"award-info":[{"award-number":["FA8750-24-2-0002"]}]},{"DOI":"10.13039\/100000001","name":"National Science Foundation","doi-asserted-by":"publisher","award":["#2247880 & #2247881"],"award-info":[{"award-number":["#2247880 & #2247881"]}],"id":[{"id":"10.13039\/100000001","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2025,11,19]]},"DOI":"10.1145\/3719027.3744811","type":"proceedings-article","created":{"date-parts":[[2025,11,22]],"date-time":"2025-11-22T23:32:38Z","timestamp":1763854358000},"page":"813-826","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":4,"title":["SyzSpec: Specification Generation for Linux Kernel Fuzzing via Under-Constrained Symbolic Execution"],"prefix":"10.1145","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-3944-3162","authenticated-orcid":false,"given":"Yu","family":"Hao","sequence":"first","affiliation":[{"name":"University of California, Riverside, Riverside, USA"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0009-0001-9344-799X","authenticated-orcid":false,"given":"Juefei","family":"Pu","sequence":"additional","affiliation":[{"name":"University of California, Riverside, Riverside, USA"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0009-0007-1445-4993","authenticated-orcid":false,"given":"Xingyu","family":"Li","sequence":"additional","affiliation":[{"name":"University of California, Riverside, Riverside, USA"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-1506-2522","authenticated-orcid":false,"given":"Zhiyun","family":"Qian","sequence":"additional","affiliation":[{"name":"University of California, Riverside, Riverside, USA"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-0130-587X","authenticated-orcid":false,"given":"Ardalan Amiri","family":"Sani","sequence":"additional","affiliation":[{"name":"University of California, Irvine, Irvine, USA"}],"role":[{"vocabulary":"crossref","role":"author"}]}],"member":"320","published-online":{"date-parts":[[2025,11,22]]},"reference":[{"key":"e_1_3_2_1_1_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICSE43902.2021.00071"},{"key":"e_1_3_2_1_2_1","first-page":"199","volume-title":"Sys: A Static\/Symbolic Tool for Finding Good Bugs in Good (Browser) Code. In 29th USENIX Security Symposium, USENIX Security 2020","author":"Brown Fraser","year":"2020","unstructured":"Fraser Brown, Deian Stefan, and Dawson R. Engler. 2020. Sys: A Static\/Symbolic Tool for Finding Good Bugs in Good (Browser) Code. In 29th USENIX Security Symposium, USENIX Security 2020, August 12-14, 2020, Srdjan Capkun and Franziska Roesner (Eds.). USENIX Association, 199-216. https:\/\/www.usenix.org\/conference\/usenixsecurity20\/presentation\/brown"},{"key":"e_1_3_2_1_3_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2023.24688"},{"key":"e_1_3_2_1_4_1","volume-title":"Engler","author":"Cadar Cristian","year":"2008","unstructured":"Cristian Cadar, Daniel Dunbar, and Dawson R. Engler. 2008. KLEE: Unassisted and Automatic Generation of High-Coverage Tests for Complex Systems Programs. In 8th USENIX Symposium on Operating Systems Design and Implementation, OSDI 2008, December 8-10, 2008, San Diego, California, USA, Proceedings, Richard Draves and Robbert van Renesse (Eds.). USENIX Association, 209-224. http:\/\/www.usenix.org\/events\/osdi08\/tech\/full_papers\/cadar\/cadar.pdf"},{"key":"e_1_3_2_1_5_1","volume-title":"SyzGen: Dependency Inference for Augmenting Kernel Driver Fuzzing. In IEEE Symposium on Security and Privacy.","author":"Chen Weiteng","year":"2024","unstructured":"Weiteng Chen, Yu Hao, Zheng Zhang, Xiaochen Zou, Dhilung Kirat, Shachee Mishra, Douglas Schales, Jiyong Jang, and Zhiyun Qian. 2024. SyzGen: Dependency Inference for Augmenting Kernel Driver Fuzzing. In IEEE Symposium on Security and Privacy."},{"key":"e_1_3_2_1_6_1","doi-asserted-by":"publisher","DOI":"10.1109\/ASE.2017.8115671"},{"key":"e_1_3_2_1_7_1","doi-asserted-by":"publisher","DOI":"10.1145\/3133956.3134069"},{"key":"e_1_3_2_1_8_1","doi-asserted-by":"publisher","DOI":"10.1145\/277650.277670"},{"key":"e_1_3_2_1_9_1","unstructured":"Galois. 2024. Under-Constrained Symbolic Execution with Crucible. https:\/\/galois.com\/blog\/2021\/10\/under-constrained-symbolic-execution-with-crucible\/. https:\/\/galois.com\/blog\/2021\/10\/under-constrained-symbolic-execution-with-crucible\/"},{"key":"e_1_3_2_1_10_1","unstructured":"Google. 2024a. Syzbot. https:\/\/syzkaller.appspot.com\/upstream. https:\/\/syzkaller.appspot.com\/upstream"},{"key":"e_1_3_2_1_11_1","unstructured":"Google. 2024b. syzkaller. https:\/\/github.com\/google\/syzkaller. https:\/\/github.com\/google\/syzkaller"},{"key":"e_1_3_2_1_12_1","unstructured":"Google. 2024c. Syzlang. https:\/\/github.com\/google\/syzkaller\/blob\/master\/docs\/syscall_descriptions.md. https:\/\/github.com\/google\/syzkaller\/blob\/master\/docs\/syscall_descriptions.md"},{"key":"e_1_3_2_1_13_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP46215.2023.10179298"},{"key":"e_1_3_2_1_14_1","first-page":"1","volume-title":"Demystifying the Dependency Challenge in Kernel Fuzzing. In 44rd IEEE\/ACM International Conference on Software Engineering, ICSE 2022","author":"Hao Yu","year":"2022","unstructured":"Yu Hao, Hang Zhang, Guoren Li, Xingyun Du, Zhiyun Qian, and Ardalan Sani. 2022. Demystifying the Dependency Challenge in Kernel Fuzzing. In 44rd IEEE\/ACM International Conference on Software Engineering, ICSE 2022, Pittsburgh, PA, USA, 22-27 May 2022. IEEE, 1-11."},{"key":"e_1_3_2_1_15_1","doi-asserted-by":"publisher","DOI":"10.1145\/3460120.3484813"},{"key":"e_1_3_2_1_16_1","doi-asserted-by":"publisher","DOI":"10.1145\/3338906.3338936"},{"key":"e_1_3_2_1_17_1","unstructured":"The kernel development community. 2024. KCOV: code coverage for fuzzing. https:\/\/www.kernel.org\/doc\/html\/v6.6\/dev-tools\/kcov.html."},{"key":"e_1_3_2_1_18_1","volume-title":"HFL: Hybrid Fuzzing on the Linux Kernel. In 27th Annual Network and Distributed System Security Symposium, NDSS 2020","author":"Kim Kyungtae","year":"2020","unstructured":"Kyungtae Kim, Dae R. Jeong, Chung Hwan Kim, Yeongjin Jang, Insik Shin, and Byoungyoung Lee. 2020. HFL: Hybrid Fuzzing on the Linux Kernel. In 27th Annual Network and Distributed System Security Symposium, NDSS 2020, San Diego, California, USA, February 23-26, 2020. The Internet Society. https:\/\/www.ndss-symposium.org\/ndss-paper\/hfl-hybrid-fuzzing-on-the-linux-kernel\/"},{"key":"e_1_3_2_1_19_1","doi-asserted-by":"publisher","DOI":"10.1109\/CGO.2004.1281665"},{"key":"e_1_3_2_1_20_1","unstructured":"Linux. 2024. Building Linux with Clang\/LLVM. https:\/\/www.kernel.org\/doc\/html\/latest\/kbuild\/llvm.html. https:\/\/www.kernel.org\/doc\/html\/latest\/kbuild\/llvm.html"},{"key":"e_1_3_2_1_21_1","volume-title":"31st USENIX Security Symposium, USENIX Security 2022","author":"Liu Jian","year":"2022","unstructured":"Jian Liu, Lin Yi, Weiteng Chen, Chengyu Song, Zhiyun Qian, and Qiuping Yi. 2022. LinKRID: Vetting Imbalance Reference Counting in Linux kernel with Symbolic Execution. In 31st USENIX Security Symposium, USENIX Security 2022, Boston, MA, USA, August 10-12, 2022, Kevin R. B. Butler and Kurt Thomas (Eds.). USENIX Association, 125-142. https:\/\/www.usenix.org\/conference\/usenixsecurity22\/presentation\/liu-jian"},{"key":"e_1_3_2_1_22_1","unstructured":"LLVM. 2024a. Callbr Instruction. https:\/\/llvm.org\/docs\/LangRef.html#callbr-instruction. https:\/\/llvm.org\/docs\/LangRef.html#callbr-instruction"},{"key":"e_1_3_2_1_23_1","unstructured":"LLVM. 2024b. Inline Assembler Expressions. https:\/\/llvm.org\/docs\/LangRef.html#inline-assembler-expressions. https:\/\/llvm.org\/docs\/LangRef.html#inline-assembler-expressions"},{"key":"e_1_3_2_1_24_1","unstructured":"LLVM. 2024c. The Often Misunderstood GEP Instruction. https:\/\/llvm.org\/docs\/GetElementPtr.html. https:\/\/llvm.org\/docs\/GetElementPtr.html"},{"key":"e_1_3_2_1_25_1","doi-asserted-by":"publisher","DOI":"10.1145\/3319535.3354244"},{"key":"e_1_3_2_1_26_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2021.24118"},{"key":"e_1_3_2_1_27_1","volume-title":"Under-Constrained Symbolic Execution: Correctness Checking for Real Code. In 24th USENIX Security Symposium, USENIX Security 15","author":"David","year":"2015","unstructured":"David A. Ramos and Dawson R. Engler. 2015. Under-Constrained Symbolic Execution: Correctness Checking for Real Code. In 24th USENIX Security Symposium, USENIX Security 15, Washington, D.C., USA, August 12-14, 2015, Jaeyeon Jung and Thorsten Holz (Eds.). USENIX Association, 49-64. https:\/\/www.usenix.org\/conference\/usenixsecurity15\/technical-sessions\/presentation\/ramos"},{"key":"e_1_3_2_1_28_1","doi-asserted-by":"publisher","DOI":"10.1145\/2786805.2786830"},{"key":"e_1_3_2_1_29_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2016.17"},{"key":"e_1_3_2_1_30_1","first-page":"351","volume-title":"Proceedings of the 2022 USENIX Annual Technical Conference, USENIX ATC 2022","author":"Sun Hao","year":"2022","unstructured":"Hao Sun, Yuheng Shen, Jianzhong Liu, Yiru Xu, and Yu Jiang. 2022. KSG: Augmenting Kernel Fuzzing with System Call Specification Generation. In Proceedings of the 2022 USENIX Annual Technical Conference, USENIX ATC 2022, Carlsbad, CA, USA, July 11-13, 2022, Jiri Schindler and Noa Zilberman (Eds.). USENIX Association, 351-366. https:\/\/www.usenix.org\/conference\/atc22\/presentation\/sun"},{"key":"e_1_3_2_1_31_1","doi-asserted-by":"publisher","DOI":"10.1145\/3477132.3483547"},{"key":"e_1_3_2_1_32_1","volume-title":"Charm: Facilitating Dynamic Analysis of Device Drivers of Mobile Systems. In 27th USENIX Security Symposium, USENIX Security 2018","author":"Seyed Talebi Seyed Mohammadjavad","year":"2018","unstructured":"Seyed Mohammadjavad Seyed Talebi, Hamid Tavakoli, Hang Zhang, Zheng Zhang, Ardalan Amiri Sani, and Zhiyun Qian. 2018. Charm: Facilitating Dynamic Analysis of Device Drivers of Mobile Systems. In 27th USENIX Security Symposium, USENIX Security 2018, Baltimore, MD, USA, August 15-17, 2018, William Enck and Adrienne Porter Felt (Eds.). USENIX Association, 291-307. https:\/\/www.usenix.org\/conference\/usenixsecurity18\/presentation\/talebi"},{"key":"e_1_3_2_1_33_1","doi-asserted-by":"publisher","DOI":"10.1145\/3368089.3409698"},{"key":"e_1_3_2_1_34_1","doi-asserted-by":"publisher","DOI":"10.1145\/3180155.3180251"},{"key":"e_1_3_2_1_35_1","doi-asserted-by":"publisher","DOI":"10.1145\/3395363.3397363"},{"key":"e_1_3_2_1_36_1","doi-asserted-by":"publisher","DOI":"10.1145\/3540250.3558919"},{"key":"e_1_3_2_1_37_1","doi-asserted-by":"publisher","DOI":"10.1145\/3368089.3409686"},{"key":"e_1_3_2_1_38_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2022.24380"}],"event":{"name":"CCS '25: ACM SIGSAC Conference on Computer and Communications Security","location":"Taipei Taiwan","acronym":"CCS '25","sponsor":["SIGSAC ACM Special Interest Group on Security, Audit, and Control"]},"container-title":["Proceedings of the 2025 ACM SIGSAC Conference on Computer and Communications Security"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3719027.3744811","content-type":"application\/pdf","content-version":"vor","intended-application":"syndication"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3719027.3744811","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,12,22]],"date-time":"2025-12-22T22:08:14Z","timestamp":1766441294000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3719027.3744811"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025,11,19]]},"references-count":38,"alternative-id":["10.1145\/3719027.3744811","10.1145\/3719027"],"URL":"https:\/\/doi.org\/10.1145\/3719027.3744811","relation":{},"subject":[],"published":{"date-parts":[[2025,11,19]]},"assertion":[{"value":"2025-11-22","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}