From Constraints to Cracks: Constraint Semantic Inconsistencies as Vulnerability Beacons for Embedded Systems

Jiaxu Zhao

34th USENIX Security Symposium (USENIX Security '25) · Day 1 · System Security 1: Threat Detection, Exploitation, and Adaptive Defenses

In the rapidly expanding landscape of connected devices, embedded systems form the backbone of countless IoT and network infrastructures. However, as these systems grow in complexity, the prevalence of vulnerabilities has surged, leading to critical risks such as data leaks, unauthorized device control, and service disruptions. This talk, presented by Jiaxu Zhao from the Institute of Information Engineering, Chinese Academy of Sciences, introduces a novel approach to addressing this escalating security challenge: identifying **constraint semantic inconsistencies** as reliable beacons for vulnerabilities in embedded systems.

AI review

Solid, original research that formalizes a real and underexplored vulnerability class — constraint semantic inconsistencies — and backs it with a working tool, 88 CVEs, and benchmark comparisons against state-of-the-art static analyzers. The function summary-based binary analysis and ICFG-based constraint representation are technically credible contributions, not repackaged ideas. Minor reservations around evaluation transparency and the write-up's tendency toward self-congratulation, but the underlying work earns its place at USENIX.
