Journal on Communications, 2026, Vol. 47, Issue (1): 91-105, 15. DOI: 10.11959/j.issn.1000-436x.2026018
CIDefuse: a command injection vulnerability detection system via data-flow analysis and semantic embedding
Abstract
To address the critical security threats of command injection vulnerabilities in IoT devices, where high false-positive rates were exhibited by traditional static analysis, false negatives were caused by insufficient path coverage in dynamic analysis, and cross-function vulnerabilities were not handled effectively by code similarity-based approaches, CIDefuse was proposed as a vulnerability detection system fusing data-flow analysis with semantic embedding. Firstly, a lightweight backward reaching definition analysis was employed to rapidly prune and precisely extract cross-function candidate vulnerability paths from firmware binaries. Subsequently, a hierarchical graph embedding network was utilized to capture the deep structural and semantic information of the code, enabling accurate vulnerability identification. It is demonstrated by experimental results that an area under the curve (AUC) of 0.93, a precision of 93.75%, and an F1-score of 90.91% are achieved by CIDefuse, and mainstream methods are significantly outperformed. Moreover, three unknown vulnerabilities are successfully discovered by CIDefuse, and all of them are officially acknowledged by the China National Vulnerability Database (CNVD). This achievement underscores the system's effectiveness and practical value in real-world scenarios.
Key words
IoT security/command injection/data-flow analysis/semantic embedding/binary analysis
Classification
Information technology and security science
Cite this article
陈霄, 沙乐天, 潘家晔, 孙瑞, 董建阔, 肖甫. CIDefuse: a command injection vulnerability detection system via data-flow analysis and semantic embedding [J]. Journal on Communications, 2026, 47(1): 91-105, 15.
Funding
The National Natural Science Foundation of China (No.62572255, No.62302238), The 2024 Frontier Technology Research and Development Program of Jiangsu (No.BF2024071)