{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,12,22]],"date-time":"2025-12-22T22:32:15Z","timestamp":1766442735592,"version":"3.48.0"},"publisher-location":"New York, NY, USA","reference-count":51,"publisher":"ACM","funder":[{"DOI":"10.13039\/501100001809","name":"National Natural Science Foundation of China","doi-asserted-by":"publisher","award":["62172251"],"award-info":[{"award-number":["62172251"]}],"id":[{"id":"10.13039\/501100001809","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2025,11,19]]},"DOI":"10.1145\/3719027.3765035","type":"proceedings-article","created":{"date-parts":[[2025,11,22]],"date-time":"2025-11-22T23:42:02Z","timestamp":1763854922000},"page":"2549-2563","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":0,"title":["ZVDetector: State-Guided Vulnerability Detection System for Zigbee Devices"],"prefix":"10.1145","author":[{"ORCID":"https:\/\/orcid.org\/0000-0001-9428-7644","authenticated-orcid":false,"given":"Hai","family":"Lin","sequence":"first","affiliation":[{"name":"Tsinghua University, Beijing, Beijing, China"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-4300-678X","authenticated-orcid":false,"given":"Chenglong","family":"Li","sequence":"additional","affiliation":[{"name":"Tsinghua University, Beijing, Beijing, China"}],"role":[{"role":"author","vocabulary":"crossref"}]},
{"ORCID":"https:\/\/orcid.org\/0000-0001-6109-6737","authenticated-orcid":false,"given":"Jiahai","family":"Yang","sequence":"additional","affiliation":[{"name":"Tsinghua University, Beijing, Beijing, China"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-6587-820X","authenticated-orcid":false,"given":"Zhiliang","family":"Wang","sequence":"additional","affiliation":[{"name":"Tsinghua University, Beijing, Beijing, China"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0009-0003-9792-3556","authenticated-orcid":false,"given":"Jiaqi","family":"Bai","sequence":"additional","affiliation":[{"name":"Tsinghua University, Beijing, Beijing, China"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"320","published-online":{"date-parts":[[2025,11,22]]},"reference":[{"key":"e_1_3_2_1_1_1","unstructured":"2023. CVE-2023--24678: Centralite Pearl Thermostat denial-of-service vulnerability. https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2024--8231."},{"key":"e_1_3_2_1_2_1","unstructured":"2023. CVE-2023--29779: Sengled Dimmer Switch V0.0.9 denial-of-service vulnerability. https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2024--8231."},{"key":"e_1_3_2_1_3_1","first-page":"00","article-title":"CVE-2023--29780","volume":"1","year":"2023","unstructured":"2023. CVE-2023--29780: Third Reality Smart Blind 1.00.54 denial-of-service vulnerability. https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2024--8231.","journal-title":"Third Reality Smart Blind"},{"key":"e_1_3_2_1_4_1","unstructured":"2024. Android BLE Library. https:\/\/github.com\/NordicSemiconductor\/Android- BLE-Library."},{"key":"e_1_3_2_1_5_1","unstructured":"2024. CNNVD vulnerability database. https:\/\/www.cnnvd.org.cn\/home\/loophole."},{"key":"e_1_3_2_1_6_1","unstructured":"2024. Eclipse Mosquitto Library. https:\/\/github.com\/eclipse-mosquitto\/ mosquitto\/tree\/master."},{"key":"e_1_3_2_1_7_1","unstructured":"2024. Eclipse Paho MQTT Python Client Library. https:\/\/github.com\/eclipsepaho\/ paho.mqtt.python\/tree\/master\/src\/paho\/mqtt."},
{"key":"e_1_3_2_1_8_1","unstructured":"2024. IEEE 802.15.4--2003 IEEE Standard for Information technology. https: \/\/user.engineering.uiowa.edu\/~mcover\/lab4\/802.15.4--2003.pdf."},{"key":"e_1_3_2_1_9_1","unstructured":"2024. LearnLib: An open framework for automata learning. https:\/\/learnlib.de\/."},{"key":"e_1_3_2_1_10_1","unstructured":"2024. MITRE CVE vulnerability database. https:\/\/cve.mitre.org\/cve\/search_cve_ list.html."},{"key":"e_1_3_2_1_11_1","unstructured":"2024. NVD vulnerability database. https:\/\/nvd.nist.gov\/vuln\/search."},{"key":"e_1_3_2_1_12_1","unstructured":"2024. TLS-Attacker: A Java-based framework for analyzing TLS libraries. https: \/\/github.com\/tls-attacker\/TLS-Attacker."},{"key":"e_1_3_2_1_13_1","unstructured":"2024. Zibgee Cluster Library User Guide. https:\/\/www.nxp.com\/docs\/en\/userguide\/ JN-UG-3115.pdf."},{"volume-title":"Zigbee Market Size Share Analysis- Growth Trends Forecasts(2024 -","year":"2029","key":"e_1_3_2_1_14_1","unstructured":"2024. Zigbee Market Size Share Analysis- Growth Trends Forecasts(2024 - 2029). https:\/\/www.mordorintelligence.com\/industry-reports\/zigbee-market."},{"key":"e_1_3_2_1_15_1","unstructured":"2024. ZigBee Specification. https:\/\/csa-iot.org\/wp-content\/uploads\/2023\/04\/05- 3474--23-csg-zigbee-specification-compressed.pdf."},{"key":"e_1_3_2_1_16_1","unstructured":"2024. Zigbee Traffic Dump Tool: TiWsPc). https:\/\/www.ti.com\/tool\/TIMAC."},{"key":"e_1_3_2_1_17_1","unstructured":"2024. ZigBee Zigpy Library Implementation. https:\/\/github.com\/zigpy\/zigpy\/ tree\/dev."},{"key":"e_1_3_2_1_18_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICCWS48432.2020.9292382"},
{"key":"e_1_3_2_1_19_1","first-page":"1","article-title":"Towards automated dynamic analysis for linux-based embedded firmware","volume":"1","author":"Chen Daming D","year":"2016","unstructured":"Daming D Chen, Maverick Woo, David Brumley, and Manuel Egele. 2016. Towards automated dynamic analysis for linux-based embedded firmware.. In NDSS, Vol. 1. 1--1.","journal-title":"NDSS"},{"key":"e_1_3_2_1_20_1","volume-title":"Menghan Sun, Ronghai Yang, and Kehuan Zhang.","author":"Chen Jiongyi","year":"2018","unstructured":"Jiongyi Chen, Wenrui Diao, Qingchuan Zhao, Chaoshun Zuo, Zhiqiang Lin, XiaoFeng Wang, Wing Cheong Lau, Menghan Sun, Ronghai Yang, and Kehuan Zhang. 2018. IoTFuzzer: Discovering Memory Corruptions in IoT Through Appbased Fuzzing.. In NDSS."},{"key":"e_1_3_2_1_21_1","doi-asserted-by":"publisher","DOI":"10.1145\/3338502.3359762"},{"key":"e_1_3_2_1_22_1","doi-asserted-by":"publisher","DOI":"10.1109\/DSN.2018.00052"},{"key":"e_1_3_2_1_23_1","doi-asserted-by":"publisher","DOI":"10.1109\/EuroSPW.2018.00009"},{"key":"e_1_3_2_1_24_1","volume-title":"22nd USENIX Security Symposium (USENIX Security 13)","author":"Davidson Drew","year":"2013","unstructured":"Drew Davidson, Benjamin Moench, Thomas Ristenpart, and Somesh Jha. 2013. {FIE} on firmware: Finding vulnerabilities in embedded systems using symbolic execution. In 22nd USENIX Security Symposium (USENIX Security 13). 463--478."},{"key":"e_1_3_2_1_25_1","volume-title":"24th USENIX Security Symposium (USENIX Security 15)","author":"Ruiter Joeri De","year":"2015","unstructured":"Joeri De Ruiter and Erik Poll. 2015. Protocol state fuzzing of {TLS} implementations. In 24th USENIX Security Symposium (USENIX Security 15). 193--206."},{"key":"e_1_3_2_1_26_1","doi-asserted-by":"publisher","DOI":"10.1109\/SUTC.2010.15"},{"key":"e_1_3_2_1_27_1","doi-asserted-by":"publisher","DOI":"10.1145\/3460120.3484543"},
{"key":"e_1_3_2_1_28_1","volume-title":"29th USENIX Security Symposium (USENIX Security. 2523--2540","author":"Fiterau-Brostean Paul","year":"2020","unstructured":"Paul Fiterau-Brostean, Bengt Jonsson, Robert Merget, Joeri De Ruiter, Konstantinos Sagonas, and Juraj Somorovsky. 2020. Analysis of {DTLS} implementations using protocol state fuzzing. In 29th USENIX Security Symposium (USENIX Security. 2523--2540."},{"key":"e_1_3_2_1_29_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICST53961.2022.00051"},{"key":"e_1_3_2_1_30_1","doi-asserted-by":"crossref","unstructured":"Paul Fiterau-Brostean Bengt Jonsson Konstantinos Sagonas and Fredrik T\u00e5quist. 2023. Automata-Based Automated Detection of State Machine Bugs in Protocol Implementations.. In NDSS.","DOI":"10.14722\/ndss.2023.23068"},{"key":"e_1_3_2_1_31_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-28865-9_18"},{"key":"e_1_3_2_1_32_1","doi-asserted-by":"publisher","DOI":"10.1145\/3133956.3134050"},{"key":"e_1_3_2_1_33_1","doi-asserted-by":"publisher","DOI":"10.1145\/3427228.3427294"},{"key":"e_1_3_2_1_34_1","doi-asserted-by":"publisher","DOI":"10.1145\/3658644.3670342"},{"key":"e_1_3_2_1_35_1","doi-asserted-by":"publisher","DOI":"10.1145\/3581791.3596857"},{"key":"e_1_3_2_1_36_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2024.24556"},{"key":"e_1_3_2_1_37_1","doi-asserted-by":"publisher","DOI":"10.1145\/3098243.3098254"},{"key":"e_1_3_2_1_38_1","doi-asserted-by":"publisher","DOI":"10.1109\/EuroSPW.2019.00011"},{"key":"e_1_3_2_1_39_1","doi-asserted-by":"publisher","DOI":"10.1007\/s10664-022-10233-3"},{"key":"e_1_3_2_1_40_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP40001.2021.00066"},{"key":"e_1_3_2_1_41_1","doi-asserted-by":"publisher","DOI":"10.1145\/3448300.3468296"},{"key":"e_1_3_2_1_42_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2017.14"},{"key":"e_1_3_2_1_43_1","doi-asserted-by":"publisher","DOI":"10.1145\/3341105.3373930"},{"key":"e_1_3_2_1_44_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-031-09234-3_6"},{"key":"e_1_3_2_1_45_1","doi-asserted-by":"publisher","DOI":"10.1109\/ACCESS.2019.2895025"},{"key":"e_1_3_2_1_46_1","doi-asserted-by":"publisher","DOI":"10.1109\/CCNC49032.2021.9369606"},{"key":"e_1_3_2_1_47_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP54263.2024.00211"},
{"key":"e_1_3_2_1_48_1","doi-asserted-by":"publisher","DOI":"10.1145\/3548606.3560703"},{"key":"e_1_3_2_1_49_1","volume-title":"28th USENIX Security Symposium (USENIX Security 19)","author":"Zheng Yaowen","year":"2019","unstructured":"Yaowen Zheng, Ali Davanian, Heng Yin, Chengyu Song, Hongsong Zhu, and Limin Sun. 2019. {FIRM-AFL}:{High-Throughput} greybox fuzzing of {IoT} firmware via augmented process emulation. In 28th USENIX Security Symposium (USENIX Security 19). 1099--1114."},{"key":"e_1_3_2_1_50_1","doi-asserted-by":"publisher","DOI":"10.1145\/3548606.3559386"},{"key":"e_1_3_2_1_51_1","unstructured":"Tobias Zillner and Sebastian Strobl. 2015. ZigBee exploited: The good the bad and the ugly. Black Hat--2015. Available online: https:\/\/www. blackhat. com\/docs\/us-15\/materials\/us-15-Zillner-ZigBee-Exploited-The-Good-The-Bad-And-The-Ugly.pdf (accessed on 21 March 2018) (2015)."}],"event":{"name":"CCS '25: ACM SIGSAC Conference on Computer and Communications Security","sponsor":["SIGSAC ACM Special Interest Group on Security, Audit, and Control"],"location":"Taipei Taiwan","acronym":"CCS '25"},"container-title":["Proceedings of the 2025 ACM SIGSAC Conference on Computer and Communications Security"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3719027.3765035","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,12,22]],"date-time":"2025-12-22T22:29:16Z","timestamp":1766442556000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3719027.3765035"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025,11,19]]},"references-count":51,"alternative-id":["10.1145\/3719027.3765035","10.1145\/3719027"],"URL":"https:\/\/doi.org\/10.1145\/3719027.3765035","relation":{},"subject":[],"published":{"date-parts":[[2025,11,19]]},"assertion":[{"value":"2025-11-22","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}