{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,3,7]],"date-time":"2026-03-07T01:00:48Z","timestamp":1772845248932,"version":"3.50.1"},"reference-count":55,"publisher":"MDPI AG","issue":"15","license":[{"start":{"date-parts":[[2019,7,31]],"date-time":"2019-07-31T00:00:00Z","timestamp":1564531200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"funder":[{"name":"Guangdong Province Key Research and Development Plan","award":["2019B010137004"],"award-info":[{"award-number":["2019B010137004"]}]}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["Sensors"],"abstract":"<jats:p>Recently, automated software vulnerability detection and exploitation in Internet of Things (IoT) has attracted more and more attention, due to IoT\u2019s fast adoption and high social impact. However, the task is challenging and the solutions are non-trivial: the existing methods have limited effectiveness at discovering vulnerabilities capable of compromising IoT systems. To address this, we propose an Automated Vulnerability Discovery and Exploitation framework with a Scheduling strategy, AutoDES that aims to improve the efficiency and effectiveness of vulnerability discovery and exploitation. In the vulnerability discovery stage, we use our Anti-Driller technique to mitigate the \u201cpath explosion\u201d problem. This approach first generates a specific input proceeding from symbolic execution based on a Control Flow Graph (CFG). It then leverages a mutation-based fuzzer to find vulnerabilities while avoiding invalid mutations. In the vulnerability exploitation stage, we analyze the characteristics of vulnerabilities and then propose to generate exploits, via the use of several proposed attack techniques that can produce a shell based on the detected vulnerabilities. We also propose a genetic algorithm (GA)-based scheduling strategy (AutoS) that helps with assigning the computing resources dynamically and efficiently. The extensive experimental results on the RHG 2018 challenge dataset and the BCTF-RHG 2019 challenge dataset clearly demonstrate the effectiveness and efficiency of the proposed framework.<\/jats:p>","DOI":"10.3390\/s19153362","type":"journal-article","created":{"date-parts":[[2019,7,31]],"date-time":"2019-07-31T11:37:07Z","timestamp":1564573027000},"page":"3362","update-policy":"https:\/\/doi.org\/10.3390\/mdpi_crossmark_policy","source":"Crossref","is-referenced-by-count":10,"title":["Automated Vulnerability Discovery and Exploitation in the Internet of Things"],"prefix":"10.3390","volume":"19","author":[{"given":"Zhongru","family":"Wang","sequence":"first","affiliation":[{"name":"Key Laboratory of Trustworthy Distributed Computing and Service (Beijing University of Posts and Telecommunications), Ministry of Education, Beijing 100876, China"}]},{"given":"Yuntao","family":"Zhang","sequence":"additional","affiliation":[{"name":"Key Laboratory of Trustworthy Distributed Computing and Service (Beijing University of Posts and Telecommunications), Ministry of Education, Beijing 100876, China"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-9409-5359","authenticated-orcid":false,"given":"Zhihong","family":"Tian","sequence":"additional","affiliation":[{"name":"Cyberspace Institute of Advanced Technology, Guangzhou University, Guangzhou 510006, China"}]},{"given":"Qiang","family":"Ruan","sequence":"additional","affiliation":[{"name":"Beijing DigApis Technology Co., Ltd, Beijing 100081, China"}]},{"given":"Tong","family":"Liu","sequence":"additional","affiliation":[{"name":"Key Laboratory of Trustworthy Distributed Computing and Service (Beijing University of Posts and Telecommunications), Ministry of Education, Beijing 100876, China"}]},{"given":"Haichen","family":"Wang","sequence":"additional","affiliation":[{"name":"Key Laboratory of Trustworthy Distributed Computing and Service (Beijing University of Posts and Telecommunications), Ministry of Education, Beijing 100876, China"}]},{"given":"Zhehui","family":"Liu","sequence":"additional","affiliation":[{"name":"Key Laboratory of Trustworthy Distributed Computing and Service (Beijing University of Posts and Telecommunications), Ministry of Education, Beijing 100876, China"}]},{"given":"Jiayi","family":"Lin","sequence":"additional","affiliation":[{"name":"Key Laboratory of Trustworthy Distributed Computing and Service (Beijing University of Posts and Telecommunications), Ministry of Education, Beijing 100876, China"}]},{"given":"Binxing","family":"Fang","sequence":"additional","affiliation":[{"name":"Key Laboratory of Trustworthy Distributed Computing and Service (Beijing University of Posts and Telecommunications), Ministry of Education, Beijing 100876, China"},{"name":"Cyberspace Institute of Advanced Technology, Guangzhou University, Guangzhou 510006, China"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-3071-8350","authenticated-orcid":false,"given":"Wei","family":"Shi","sequence":"additional","affiliation":[{"name":"School of Information Technology, Carleton University, Ottawa, ON K1S 5B6, Canada"}]}],"member":"1968","published-online":{"date-parts":[[2019,7,31]]},"reference":[{"key":"ref_1","doi-asserted-by":"crossref","first-page":"24","DOI":"10.1016\/j.adhoc.2006.05.012","article-title":"An effective key management scheme for heterogeneous sensor networks","volume":"5","author":"Du","year":"2007","journal-title":"Ad Hoc Netw."},{"key":"ref_2","doi-asserted-by":"crossref","first-page":"4285","DOI":"10.1109\/TII.2019.2907754","article-title":"Real Time Lateral Movement Detection based on Evidence Reasoning Network for Edge Computing Environment","volume":"15","author":"Tian","year":"2019","journal-title":"IEEE Trans. Ind. Inform."},{"key":"ref_3","doi-asserted-by":"crossref","unstructured":"Sadeghi, A.R., Wachsmann, C., and Waidner, M. (2015, January 8\u201312). Security and privacy challenges in industrial internet of things. Proceedings of the 2015 52nd ACM\/EDAC\/IEEE Design Automation Conference (DAC), San Francisco, CA, USA.","DOI":"10.1145\/2744769.2747942"},{"key":"ref_4","doi-asserted-by":"crossref","unstructured":"Zhang, Z.K., Cho, M.C.Y., Wang, C.W., Hsu, C.W., Chen, C.K., and Shieh, S. (2014, January 17\u201319). IoT security: Ongoing challenges and research opportunities. Proceedings of the 2014 IEEE 7th International Conference on Service-Oriented Computing and Applications, Matsue, Japan.","DOI":"10.1109\/SOCA.2014.58"},{"key":"ref_5","doi-asserted-by":"crossref","first-page":"5971","DOI":"10.1109\/TVT.2019.2910217","article-title":"Evaluating Reputation Management Schemes of Internet of Vehicles based on Evolutionary Game Theory","volume":"68","author":"Tian","year":"2019","journal-title":"IEEE Trans. Veh. Technol."},{"key":"ref_6","doi-asserted-by":"crossref","first-page":"1584","DOI":"10.1109\/JIOT.2018.2846624","article-title":"Towards a comprehensive insight into the eclipse attacks of tor hidden services","volume":"6","author":"Tan","year":"2019","journal-title":"IEEE Internet Things J."},{"key":"ref_7","doi-asserted-by":"crossref","first-page":"12","DOI":"10.1109\/MSP.2018.1870858","article-title":"Mechanical Phish: Resilient Autonomous Hacking","volume":"16","author":"Shoshitaishvili","year":"2018","journal-title":"IEEE Secur. Priv."},{"key":"ref_8","doi-asserted-by":"crossref","unstructured":"Xie, W., Jiang, Y., Tang, Y., Ding, N., and Gao, Y. (2017, January 15\u201317). Vulnerability detection in iot firmware: A survey. Proceedings of the 2017 IEEE 23rd International Conference on Parallel and Distributed Systems (ICPADS), Shenzhen, China.","DOI":"10.1109\/ICPADS.2017.00104"},{"key":"ref_9","unstructured":"Newsome, J., and Song, D.X. (2005, January 7\u20139). Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software. Proceedings of the 12th Annual Network and Distributed System Security Symposium, Seattle, WA, USA."},{"key":"ref_10","doi-asserted-by":"crossref","first-page":"82","DOI":"10.1145\/2408776.2408795","article-title":"Symbolic execution for software testing: Three decades later","volume":"56","author":"Cadar","year":"2013","journal-title":"CACM"},{"key":"ref_11","doi-asserted-by":"crossref","unstructured":"Stephens, N., Grosen, J., Salls, C., Dutcher, A., Wang, R., Corbetta, J., Shoshitaishvili, Y., Kruegel, C., and Vigna, G. (2016, January 21\u201324). Driller: Augmenting Fuzzing Through Selective Symbolic Execution. Proceedings of the Network and Distributed System Security Symposium, San Diego, CA, USA.","DOI":"10.14722\/ndss.2016.23368"},{"key":"ref_12","first-page":"211","article-title":"Statically detecting use after free on binary code","volume":"10","author":"Feist","year":"2014","journal-title":"JICV"},{"key":"ref_13","unstructured":"Zalewski, M. (2017, August 31). American Fuzzy Lop. Available online: http:\/\/lcamtuf.coredump.cx\/afl."},{"key":"ref_14","doi-asserted-by":"crossref","first-page":"10","DOI":"10.1145\/1455518.1455522","article-title":"EXE: Automatically generating inputs of death","volume":"12","author":"Cadar","year":"2008","journal-title":"TISSEC"},{"key":"ref_15","unstructured":"Cadar, C., Dunbar, D., and Engler, D.R. (2008, January 8\u201310). KLEE: Unassisted and Automatic Generation of High-Coverage Tests for Complex Systems Programs. Proceedings of the 8th USENIX Symposium on Operating Systems Design and Implementation, San Diego, CA, USA."},{"key":"ref_16","unstructured":"Avgerinos, T., Cha, S.K., Hao, B.L.T., and Brumley, D. (2011, January 6\u20139). AEG: Automatic exploit generation. Proceedings of the NDSS 2011: 18th Network & Distributed System Security Symposium, San Diego, CA, USA."},{"key":"ref_17","first-page":"14","article-title":"Smashing the stack for fun and profit","volume":"7","author":"One","year":"1996","journal-title":"Phrack Mag."},{"key":"ref_18","doi-asserted-by":"crossref","unstructured":"Shacham, H. (2007, January 28\u201331). The geometry of innocent flesh on the bone: Return-into-libc without function calls (on the x86). Proceedings of the 2007 ACM Conference on Computer and Communications Security, Alexandria, VA, USA.","DOI":"10.1145\/1315245.1315313"},{"key":"ref_19","doi-asserted-by":"crossref","unstructured":"Sun, H.M., Lin, Y.H., and Wu, M.F. (2006, January 3\u20135). API monitoring system for defeating worms and exploits in MS-Windows system. Proceedings of the 11th Australasian Conference on Information Security and Privacy, Melbourne, Australia.","DOI":"10.1007\/11780656_14"},{"key":"ref_20","unstructured":"Xiao, F., Sha, L.T., Yuan, Z.P., and Wang, R.C. (2017). VulHunter: A Discovery for unknown Bugs based on Analysis for known patches in Industry Internet of Things. IEEE Trans. Emerg. Top. Comput."},{"key":"ref_21","doi-asserted-by":"crossref","unstructured":"Chen, J., Diao, W., Zhao, Q., Zuo, C., Lin, Z., Wang, X., Lau, W.C., Sun, M., Yang, R., and Zhang, K. (2018, January 18\u201321). IoTFuzzer: Discovering Memory Corruptions in IoT Through App-based Fuzzing. Proceedings of the Network and Distributed System Security Symposium, San Diego, CA, USA.","DOI":"10.14722\/ndss.2018.23159"},{"key":"ref_22","first-page":"1989","article-title":"RPFuzzer: A Framework for Discovering Router Protocols Vulnerabilities Based on Fuzzing","volume":"7","author":"Wang","year":"2013","journal-title":"KSII Trans. Internet Inf. Syst."},{"key":"ref_23","doi-asserted-by":"crossref","unstructured":"Pustogarov, I., Ristenpart, T., and Shmatikov, V. (2017, January 2\u20136). Using program analysis to synthesize sensor spoofing attacks. Proceedings of the 2017 ACM on Asia Conference on Computer and Communications Security, New York, NY, USA.","DOI":"10.1145\/3052973.3053038"},{"key":"ref_24","doi-asserted-by":"crossref","first-page":"60","DOI":"10.1109\/MWC.2008.4599222","article-title":"Security in wireless sensor networks","volume":"15","author":"Du","year":"2008","journal-title":"IEEE Wirel. Commun."},{"key":"ref_25","doi-asserted-by":"crossref","first-page":"2314","DOI":"10.1016\/j.comcom.2007.04.009","article-title":"A survey of key management schemes in wireless sensor networks","volume":"30","author":"Xiao","year":"2007","journal-title":"Comput. Commun."},{"key":"ref_26","doi-asserted-by":"crossref","first-page":"126","DOI":"10.1109\/MCOM.2007.4378332","article-title":"Internet Protocol Television (IPTV): The Killer Application for the Next,-Generation Internet","volume":"45","author":"Xiao","year":"2007","journal-title":"IEEE Commun. Mag."},{"key":"ref_27","doi-asserted-by":"crossref","first-page":"1223","DOI":"10.1109\/TWC.2009.060598","article-title":"A routing-driven Elliptic Curve Cryptography based Key management scheme for Heterogeneous Sensor Networks","volume":"8","author":"Du","year":"2009","journal-title":"IEEE Trans. Wirel. Commun."},{"key":"ref_28","doi-asserted-by":"crossref","first-page":"212","DOI":"10.1016\/j.future.2018.12.054","article-title":"A data-driven method for future Internet route decision modeling","volume":"95","author":"Tian","year":"2019","journal-title":"Future Gener. Comput. Syst."},{"key":"ref_29","doi-asserted-by":"crossref","unstructured":"B\u00f6hme, M., Pham, V.T., and Roychoudhury, A. (2016, January 24\u201328). Coverage-based Greybox Fuzzing as Markov Chain. Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, Vienna, Austria.","DOI":"10.1145\/2976749.2978428"},{"key":"ref_30","doi-asserted-by":"crossref","unstructured":"B\u00f6hme, M., Pham, V.T., Nguyen, M.D., and Roychoudhury, A. (November, January 30). Directed greybox fuzzing. Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, Dallas, TX, USA.","DOI":"10.1145\/3133956.3134020"},{"key":"ref_31","doi-asserted-by":"crossref","unstructured":"Li, Y., Chen, B., Chandramohan, M., Lin, S.W., Liu, Y., and Tiu, A. (2017, January 4\u20138). Steelix: Program-state based binary fuzzing. Proceedings of the 2017 11th Joint Meeting on Foundations of Software Engineering, Paderborn, Germany.","DOI":"10.1145\/3106237.3106295"},{"key":"ref_32","doi-asserted-by":"crossref","unstructured":"Peng, H., Shoshitaishvili, Y., and Payer, M. (2018, January 20\u201324). T-Fuzz: Fuzzing by program transformation. Proceedings of the 2018 IEEE Symposium on Security and Privacy (SP), San Francisco, CA, USA.","DOI":"10.1109\/SP.2018.00056"},{"key":"ref_33","doi-asserted-by":"crossref","first-page":"40","DOI":"10.1145\/2093548.2093564","article-title":"SAGE: Whitebox fuzzing for security testing","volume":"55","author":"Godefroid","year":"2012","journal-title":"CACM"},{"key":"ref_34","doi-asserted-by":"crossref","unstructured":"Godefroid, P., Klarlund, N., and Sen, K. (2005, January 12\u201315). DART: Directed automated random testing. Proceedings of the 2005 ACM SIGPLAN conference on Programming language design and implementation, Chicago, IL, USA.","DOI":"10.1145\/1065010.1065036"},{"key":"ref_35","doi-asserted-by":"crossref","unstructured":"Sen, K., Marinov, D., and Agha, G. (2005, January 5\u20139). CUTE: A concolic unit testing engine for C. Proceedings of the 10th European Software Engineering Conference Held Jointly with 13th ACM SIGSOFT International Symposium on Foundations of Software Engineering, Lisbon, Portugal.","DOI":"10.1145\/1081706.1081750"},{"key":"ref_36","doi-asserted-by":"crossref","unstructured":"Cha, S.K., Woo, M., and Brumley, D. (2015, January 17\u201321). Program-adaptive mutational fuzzing. Proceedings of the 2015 IEEE Symposium on Security and Privacy, San Jose, CA, USA.","DOI":"10.1109\/SP.2015.50"},{"key":"ref_37","doi-asserted-by":"crossref","unstructured":"Brumley, D., Poosankam, P., Song, D., and Zheng, J. (2008, January 18\u201321). Automatic patch-based exploit generation is possible: Techniques and implications. Proceedings of the 2008 IEEE Symposium on Security and Privacy SP, Washington, DC, USA.","DOI":"10.1109\/SP.2008.17"},{"key":"ref_38","doi-asserted-by":"crossref","first-page":"617","DOI":"10.1016\/j.ejor.2007.05.046","article-title":"Round robin scheduling\u2014A survey","volume":"188","author":"Rasmussen","year":"2008","journal-title":"Eur. J. Oper. Res."},{"key":"ref_39","doi-asserted-by":"crossref","first-page":"32","DOI":"10.1145\/96267.96279","article-title":"An empirical study of the reliability of UNIX utilities","volume":"33","author":"Miller","year":"1990","journal-title":"CACM"},{"key":"ref_40","doi-asserted-by":"crossref","first-page":"107","DOI":"10.1006\/jpdc.1999.1581","article-title":"Dynamic mapping of a class of independent tasks onto heterogeneous computing systems","volume":"59","author":"Maheswaran","year":"1999","journal-title":"J. Parallel Distrib. Comput."},{"key":"ref_41","unstructured":"Freund, R.F., Gherrity, M., Ambrosius, S., Campbell, M., Halderman, M., Hensgen, D., Keith, E., Kidd, T., Kussow, M., and Lima, J.D. (1998, January 30). Scheduling resources in multi-user, heterogeneous, computing environments with SmartNet. Proceedings of the Seventh Heterogeneous Computing Workshop (HCW\u201998), Orlando, FL, USA."},{"key":"ref_42","unstructured":"Davis, L. (1991). Handbook of Genetic Algorithms, Van Nostrand Reinhold."},{"key":"ref_43","first-page":"108","article-title":"A comparative study of artificial bee colony algorithm","volume":"214","author":"Karaboga","year":"2009","journal-title":"Appl. Math. Comput."},{"key":"ref_44","doi-asserted-by":"crossref","unstructured":"Van Laarhoven, P.J., and Aarts, E.H. (1987). Simulated annealing. Simulated Annealing: Theory and Applications, Springer.","DOI":"10.1007\/978-94-015-7744-1"},{"key":"ref_45","doi-asserted-by":"crossref","first-page":"35355","DOI":"10.1109\/ACCESS.2018.2846590","article-title":"A real-time correlation of host-level events in cyber range service for smart campus","volume":"6","author":"Tian","year":"2018","journal-title":"IEEE Access"},{"key":"ref_46","doi-asserted-by":"crossref","first-page":"151","DOI":"10.1016\/j.ins.2019.04.011","article-title":"Block-DEF: A secure digital evidence framework using blockchain","volume":"491","author":"Tian","year":"2019","journal-title":"Inf. Sci."},{"key":"ref_47","unstructured":"Costin, A., Zarras, A., and Francillon, A. (June, January 30). Automated dynamic firmware analysis at scale: A case study on embedded web interfaces. Proceedings of the 11th ACM on Asia Conference on Computer and Communications Security, Xi\u2019an, China."},{"key":"ref_48","doi-asserted-by":"crossref","unstructured":"Chen, D.D., Woo, M., Brumley, D., and Egele, M. (2016, January 21\u201324). Towards Automated Dynamic Analysis for Linux-based Embedded Firmware. Proceedings of the Network and Distributed System Security Symposium, San Diego, CA, USA.","DOI":"10.14722\/ndss.2016.23415"},{"key":"ref_49","doi-asserted-by":"crossref","unstructured":"Zaddach, J., Bruno, L., Francillon, A., and Balzarotti, D. (2014, January 23\u201326). AVATAR: A Framework to Support Dynamic Security Analysis of Embedded Systems\u2019 Firmwares. Proceedings of the Network and Distributed System Security Symposium, San Diego, CA, USA.","DOI":"10.14722\/ndss.2014.23229"},{"key":"ref_50","doi-asserted-by":"crossref","first-page":"262","DOI":"10.1145\/321941.321946","article-title":"A space-economical suffix tree construction algorithm","volume":"23","author":"McCreight","year":"1976","journal-title":"JACM"},{"key":"ref_51","doi-asserted-by":"crossref","unstructured":"Buchanan, E., Roemer, R., Shacham, H., and Savage, S. (2008, January 27\u201331). When good instructions go bad: Generalizing return-oriented programming to RISC. Proceedings of the 2008 ACM Conference on Computer and Communications Security, Alexandria, VA, USA.","DOI":"10.1145\/1455770.1455776"},{"key":"ref_52","unstructured":"RHG2018 (2018, September 21). Robot Hacking Game. Available online: https:\/\/www.xctf.org.cn\/ctfs\/detail\/117\/."},{"key":"ref_53","unstructured":"BCTF-RHG2019 (2019, January 20). Blue-Lotus International CTF Competition. Available online: https:\/\/bbs.ichunqiu.com\/thread-49547-1-1.html."},{"key":"ref_54","doi-asserted-by":"crossref","unstructured":"Shoshitaishvili, Y., Wang, R., Salls, C., Stephens, N., Polino, M., Dutcher, A., Grosen, J., Feng, S., Hauser, C., and Kruegel, C. (2016, January 22\u201326). Sok:(state of) the art of war: Offensive techniques in binary analysis. Proceedings of the 2016 IEEE Symposium on Security and Privacy (SP), San Jose, CA, USA.","DOI":"10.1109\/SP.2016.17"},{"key":"ref_55","unstructured":"Talos, C. (2018, May 25). Mutiny Fuzzer. Available online: https:\/\/github.com\/Cisco-Talos\/mutiny-fuzzer."}],"container-title":["Sensors"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.mdpi.com\/1424-8220\/19\/15\/3362\/pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,10,11]],"date-time":"2025-10-11T13:11:31Z","timestamp":1760188291000},"score":1,"resource":{"primary":{"URL":"https:\/\/www.mdpi.com\/1424-8220\/19\/15\/3362"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2019,7,31]]},"references-count":55,"journal-issue":{"issue":"15","published-online":{"date-parts":[[2019,8]]}},"alternative-id":["s19153362"],"URL":"https:\/\/doi.org\/10.3390\/s19153362","relation":{},"ISSN":["1424-8220"],"issn-type":[{"value":"1424-8220","type":"electronic"}],"subject":[],"published":{"date-parts":[[2019,7,31]]}}}