
arxiv: 2606.25863 · v1 · pith:RGRMK2YInew · submitted 2026-06-24 · 💻 cs.SE · cs.CR

Automated Detection of Configuration-Specific Security Vulnerabilities via Patch Analysis

Pith reviewed 2026-06-25 20:00 UTC · model grok-4.3

classification 💻 cs.SE cs.CR
keywords: vulnerability impact condition · security patches · configurable systems · static analysis · patch analysis · Linux kernel · CVE enrichment

The pith

PatchLens recovers precise, human-readable predicates describing exactly which system configurations were vulnerable before each security patch.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper formalizes the Vulnerability Impact Condition as a Boolean predicate over configuration options that identifies all variants containing a given flaw. It presents PatchLens, a static method that extracts these predicates by matching patch changes to presence conditions in the code and performing a lightweight analysis of the build system. Evaluation on thousands of patches from Linux, FFmpeg, and PHP shows that the predicates are short and that most vulnerabilities affect only specific configurations rather than the entire system. This matters because current CVE descriptions almost never list the relevant options, so automated recovery can improve triage, testing, and risk assessment in configurable software without building every variant.

Core claim

PatchLens recovers VICs by aligning AST-level patch hunks with source-level presence conditions and resolving file inclusion via lightweight build system analysis. On 1,192 Linux kernel, 289 FFmpeg, and 100 PHP patches, it computes compact predicates (averaging under 4 variables) without compiling any variant, revealing that few vulnerabilities are system-wide and that CVE texts encode the necessary configuration options with only about 1% recall.

What carries the argument

PatchLens, a purely static technique that aligns AST-level patch hunks with source-level presence conditions and resolves inclusions through lightweight build system analysis to compute Vulnerability Impact Conditions.
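The alignment step described above, as an added Python example that is not PatchLens's own code: a lightweight scanner assigns each line of a constructed C file its presence condition (the #ifdef literals enclosing it), a unified-diff parser recovers which old-file lines the constructed patch removes, and the VIC is the disjunction of those lines' presence conditions, with absorbed terms dropped and shared literals factored out into a readable predicate. The sample source, patch and CONFIG_* names are constructed; only #ifdef/#ifndef/#else/#endif are handled, and build-system inclusion conditions are out of scope here.

```python
import re

# Constructed inputs (not from the paper): a C file and a unified diff against it.
OLD_SOURCE = """\
int ok(void) { return 0; }
#ifdef CONFIG_NET
#ifdef CONFIG_IPV6
int parse6(char *b, int n) { char buf[16]; memcpy(buf, b, n); return 0; }
#endif
#ifndef CONFIG_NET_NOFRAG
int frag(int n) { return n; }
#endif
#endif
"""
PATCH = """\
@@ -3,2 +3,2 @@
 #ifdef CONFIG_IPV6
-int parse6(char *b, int n) { char buf[16]; memcpy(buf, b, n); return 0; }
+int parse6(char *b, int n) { char buf[16]; if (n > 16) return -1; memcpy(buf, b, n); return 0; }
@@ -7,1 +7,1 @@
-int frag(int n) { return n; }
+int frag(int n) { return n < 0 ? 0 : n; }
"""
DIRECTIVE = re.compile(r"#\s*(ifdef|ifndef|if|elif|else|endif)\b\s*(.*)")
HUNK = re.compile(r"^@@ -(\d+)(?:,\d+)? \+\d+(?:,\d+)? @@")

def presence_conditions(source: str) -> dict[int, frozenset]:
    """Map each 1-based line to its presence condition: a frozenset of literals such as
    "CONFIG_NET" or "!CONFIG_NET" (a conjunction). Handles #ifdef/#ifndef/#else/#endif only."""
    conds, stack = {}, []                     # stack: one literal per open block
    for no, raw in enumerate(source.splitlines(), 1):
        m = DIRECTIVE.match(raw.strip())
        if m:
            kind, macro = m.group(1), m.group(2).strip()
            if kind in ("ifdef", "ifndef"):
                stack.append(macro if kind == "ifdef" else "!" + macro)
            elif kind == "else":              # negate the literal of the open block
                top = stack.pop()
                stack.append(top[1:] if top.startswith("!") else "!" + top)
            elif kind == "endif":
                stack.pop()
            else:
                raise ValueError(f"line {no}: #{kind} expressions are not handled")
        conds[no] = frozenset(stack)
    return conds

def removed_old_lines(patch: str) -> list[int]:
    """Old-file line numbers the diff deletes or replaces (the code that held the flaw)."""
    removed, old_no, in_hunk = [], 0, False
    for line in patch.splitlines():
        m = HUNK.match(line)
        if m:
            old_no, in_hunk = int(m.group(1)), True
        elif in_hunk and not line.startswith("+"):   # '+' lines have no old position
            if line.startswith("-"):
                removed.append(old_no)
            old_no += 1                       # context and '-' lines advance the old file
    return removed

def impact_condition(source: str, patch: str) -> list[frozenset]:
    """VIC in DNF: the disjunction of the presence conditions of every removed line,
    minus terms absorbed by a strictly weaker term (A && B is absorbed by A)."""
    conds = presence_conditions(source)
    terms = {conds[n] for n in removed_old_lines(patch)}
    return sorted((t for t in terms if not any(o < t for o in terms)), key=sorted)

def render(vic: list[frozenset]) -> str:
    """Human-readable VIC; literals shared by every term are factored out in front."""
    conj = lambda t: " && ".join(sorted(t)) or "true"
    if len(vic) < 2:                          # [] -> nothing removed; [{}] -> system-wide
        return conj(vic[0]) if vic else "false"
    common = frozenset.intersection(*vic)
    inner = " || ".join(conj(t - common) for t in vic)
    return f"{conj(common)} && ({inner})" if common else inner
```

For the constructed inputs, `render(impact_condition(OLD_SOURCE, PATCH))` yields `CONFIG_NET && (!CONFIG_NET_NOFRAG || CONFIG_IPV6)`, while a patch touching only top-level code yields `true` (a system-wide flaw).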

If this is right

  • Variant-aware triage and test selection become possible in continuous integration pipelines.
  • Targeted sampling and fuzzing can focus on the configurations that were actually vulnerable.
  • Feature risk scoring can incorporate the fraction of variants affected by each vulnerability.
  • CVEs can be automatically enriched with the missing configuration details.
  • Scalable assessment of vulnerabilities in highly configurable systems is enabled without variant compilation.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • Developers could integrate VIC computation into patch submission workflows to document impacts upfront.
  • Security scanners might use these predicates to flag issues only in affected configurations rather than all builds.
  • Similar techniques could apply to non-security patches or other configurable languages beyond C/C++.
  • The approach might extend to dynamic configuration options if presence conditions can be modeled similarly.

Load-bearing premise

The alignment of AST-level patch hunks with source-level presence conditions combined with lightweight build system analysis accurately recovers the full VIC predicates for the evaluated patches.

What would settle it

A counterexample where the VIC computed by PatchLens for a patch does not correctly identify the configurations that contained the flaw, as verified by manual inspection or by building and testing the variants.

Figures

Figures reproduced from arXiv: 2606.25863 by Daniel Sadoc Menasche, Eduardo Santana de Almeida, Felipe de Sant'Anna Paixão, Gustavo Bittencourt Figueiredo, Joanna C. S. Santos, Paulo Anselmo da Mota Silveira Neto.

Figure 1: Example of a CVE Entry in the National Vulnerability Database.
Figure 2: Steps taken to generate the dataset with patches and their impact condition.
Figure 3: Illustrative example of how PatchLens calculates the impact condition of a patch from the affected nodes in the AST. (Body text extracted alongside this figure: "[28]; however, because PatchLens does not require a complete variability-aware AST to determine presence conditions, a lightweight parser is sufficient in our setting. This strategy reduces parser complexity and, in turn, decreases the likelihood of failures compared to full-featured parsers …")
Figure 4: Distribution of number of configuration variables per patch by system.
Figure 5: Example of a CVE Entry with additional configuration requirements generated by

Original abstract

We study how security patches in highly configurable C/C++ systems map onto the space of compile-time variants. We formalize the Vulnerability Impact Condition (VIC) - a Boolean predicate over configuration options that denotes all variants that contained the original flaw - and introduce PatchLens, a purely static technique that recovers VICs by aligning AST-level patch hunks with source-level presence conditions and resolving file inclusion via lightweight build system analysis. Evaluating PatchLens on 1,192 Linux kernel, 289 FFmpeg, and 100 PHP patches, we compute precise, human-readable VICs without the need to compile any system variant. The resulting predicates are compact (avg. 1.84 variables for Linux, 3.23 for FFmpeg, 1.04 for PHP) and show that only a small fraction of vulnerabilities are system-wide, which carry higher CVSS scores; meanwhile, CVE texts almost never encode the required options ($\approx$ 1% average recall), motivating automated enrichment of CVE descriptions with VICs. PatchLens and the accompanying dataset enable immediate applications in CI (variant-aware triage and test selection), targeted sampling and fuzzing, and feature risk scoring, offering a scalable, explainable path to vulnerability assessment in highly configurable software.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 1 minor

Summary. The paper formalizes the Vulnerability Impact Condition (VIC) as a Boolean predicate over configuration options that identifies all compile-time variants containing a given security flaw. It introduces PatchLens, a static technique that recovers VICs by aligning AST-level patch hunks with source-level presence conditions and resolving inclusions via lightweight build-system analysis. On 1,192 Linux kernel, 289 FFmpeg, and 100 PHP patches, the method produces compact VICs (averages 1.84, 3.23, and 1.04 variables) without any compilation, shows that system-wide vulnerabilities are rare and higher-CVSS, and finds that CVE texts encode the required options in only ~1% of cases on average.

Significance. If the recovered VICs are accurate, the work supplies a scalable, non-compilation route to configuration-aware vulnerability triage, test selection, and CVE enrichment for large configurable systems. The scale of the empirical evaluation on real patches from three major projects is a clear strength and supports the practicality claim.

major comments (2)
  1. [Evaluation] Evaluation section: the central claim that PatchLens recovers 'precise' VICs rests on the unvalidated assumption that AST hunk alignment plus lightweight build analysis yields complete and correct predicates; no ground-truth comparison against compiled variants, manual configuration enumeration, or independent oracle is reported for any of the 1,581 patches.
  2. [Method] Method description: the paper states that file-inclusion effects are resolved via lightweight build-system analysis, yet provides no discussion or measurement of cases where macro expansion, conditional compilation, or cross-file presence conditions cannot be recovered statically without full preprocessing.
minor comments (1)
  1. [Abstract] The abstract and results claim 'precise' VICs but the manuscript does not define a quantitative precision metric or report any error-rate measurement for the alignment step.

Simulated Author's Rebuttal

2 responses · 0 unresolved

We thank the referee for the constructive comments. We address each major comment below and note planned revisions where appropriate.

Point-by-point responses
  1. Referee: [Evaluation] Evaluation section: the central claim that PatchLens recovers 'precise' VICs rests on the unvalidated assumption that AST hunk alignment plus lightweight build analysis yields complete and correct predicates; no ground-truth comparison against compiled variants, manual configuration enumeration, or independent oracle is reported for any of the 1,581 patches.

    Authors: We agree that the evaluation does not report a ground-truth comparison against compiled variants or an independent oracle. The technique is intentionally static to enable analysis at this scale without compilation. We will revise the evaluation section to explicitly acknowledge this limitation, clarify the soundness assumptions of the AST alignment and build analysis, and discuss why exhaustive validation is impractical for 1,581 patches. revision: yes

  2. Referee: [Method] Method description: the paper states that file-inclusion effects are resolved via lightweight build-system analysis, yet provides no discussion or measurement of cases where macro expansion, conditional compilation, or cross-file presence conditions cannot be recovered statically without full preprocessing.

    Authors: The manuscript currently provides no discussion or measurement of cases where the lightweight build-system analysis may fail to recover presence conditions due to macro expansion or complex conditional compilation. We will revise the method section to add a limitations discussion addressing these scenarios and when full preprocessing might be required. revision: yes

Circularity Check

0 steps flagged

No circularity; empirical evaluation on external patch datasets

Full rationale

The paper introduces PatchLens as a static analysis technique to recover VICs from security patches and evaluates it directly on external datasets (1,192 Linux kernel patches, 289 FFmpeg patches, 100 PHP patches). The core claims consist of empirical measurements of predicate compactness and CVE recall, with no mathematical derivation, parameter fitting, or uniqueness theorem that reduces to the paper's own inputs or self-citations. The alignment of AST hunks with presence conditions is presented as an implemented method whose output is measured against the input patches, not defined in terms of those outputs. This is a standard self-contained empirical study with no load-bearing circular steps.

Axiom & Free-Parameter Ledger

0 free parameters · 2 axioms · 1 invented entity

The approach introduces a new predicate (VIC) and depends on domain assumptions about the sufficiency of AST matching and build analysis for accurate recovery.

axioms (2)
  • domain assumption: AST-level patch hunks can be aligned with source-level presence conditions to recover VICs.
    Core mechanism of PatchLens as described.
  • domain assumption: Lightweight build system analysis resolves file inclusions sufficiently for the predicate recovery.
    Explicitly part of the PatchLens technique.
invented entities (1)
  • Vulnerability Impact Condition (VIC): no independent evidence.
    purpose: Boolean predicate over configuration options denoting all variants containing the original flaw.
    Newly formalized concept in the paper.

pith-pipeline@v0.9.1-grok · 5784 in / 1260 out tokens · 38278 ms · 2026-06-25T20:00:50.384260+00:00 · methodology


Reference graph

Works this paper leans on

57 extracted references · 25 canonical work pages

  1. [1]

    Iago Abal, Claus Brabrand, and Andrzej Wasowski. 2014. 42 variability bugs in the Linux Kernel: a qualitative analysis. In Proc. of the 29th ACM/IEEE Intl. Conf. on Automated Software Engineering (ASE). 421–432. doi:10.1145/2642937.2642990

  2. [2]

    Jafar M. Al-Kofahi, Suresh Kothari, and Christian Kästner. 2017. Four languages and lots of macros: analyzing autotools build systems. SIGPLAN Not. 52, 12 (Oct. 2017), 176–186. doi:10.1145/3170492.3136051

  3. [3]

    Sven Apel, Alexander von Rhein, Philipp Wendler, Armin Größlinger, and Dirk Beyer. 2013. Strategies for Product-Line Verification: Case Studies and Experiments. ICSE ’13. (2013)

  4. [4]

    Lingfeng Bao, Xin Xia, Ahmed E. Hassan, and Xiaohu Yang. 2022. V-SZZ: Automatic Identification of Version Ranges Affected by CVE Vulnerabilities. In 2022 IEEE/ACM 44th Intl. Conf. on Software Eng. (ICSE). 2352–2364. doi:10.1145/3510003.3510113

  5. [5]

    Don Batory. 2005. Feature Models, Grammars, and Propositional Formulas. In Software Product Lines, Henk Obbink and Klaus Pohl (Eds.). Springer Berlin Heidelberg, 7–20

  6. [6]

    David Benavides, Sergio Segura, and Antonio Ruiz-Cortés. 2010. Automated analysis of feature models 20 years later: A literature review. Information Systems 35, 6 (2010), 615–636. doi:10.1016/j.is.2010.01.001

  7. [7]

    Thorsten Berger and Steven She. 2012. Google Code Project: various variability extraction and analysis tools. http://code.google.com/p/variability/ Visited on 2025-06-12

  8. [8]

    Harold Booth. 2015. National Vulnerability Database. https://nvd.nist.gov/ Accessed: 2025-06-30

  9. [9]

    David Buchfuhrer and Christopher Umans. 2011. The complexity of Boolean formula minimization. J. Comput. System Sci. 77, 1 (2011), 142–153. doi:10.1016/j.jcss.2010.06.011 Celebrating Karp’s Kyoto Prize

  10. [10]

    The Kernel Development Community. 2018. KConfig Language. https://www.kernel.org/doc/html/latest/kbuild/kconfig-language.html. Accessed: 2024-01-30

  11. [11]

    Leonardo de Moura and Nikolaj Bjørner. 2008. Z3: An Efficient SMT Solver. In Tools and Algorithms for the Construction and Analysis of Systems, C. R. Ramakrishnan and Jakob Rehof (Eds.). Springer Berlin Heidelberg, 337–340

  12. [12]

    Christian Dietrich, Reinhard Tartler, Wolfgang Schröder-Preikschat, and Daniel Lohmann. 2012. A Robust Approach for Variability Extraction from the Linux Build System. SPLC ’12. (2012). doi:10.1145/2362536.2362544

  13. [13]

    Durumeric, Zakir et al. 2014. The Matter of Heartbleed. In Proc. 2014 Conference on Internet Measurement Conference (Vancouver, BC, Canada) (IMC ’14). ACM, New York, NY, USA, 475–488

  14. [14]

    Michael D. Ernst, Greg J. Badros, and David Notkin. 2002. An Empirical Analysis of C Preprocessor Use. IEEE Transactions on Software Engineering 28, 12 (2002), 1146–1170

  15. [15]

    Alejandra Garrido and Ralph Johnson. 2005. Analyzing Multiple Configurations of a C Program. ICSM ’05. (2005)

  16. [16]

    Brady J. Garvin and Myra B. Cohen. 2011. Feature Interaction Faults Revisited: An Exploratory Study. ISSRE ’11. (2011)

  17. [17]

    Paul Gazzillo. 2017. Kmax: finding all configurations of Kbuild makefiles statically. In Proc. 2017 11th Joint Meeting on Foundations of Software Engineering (Paderborn, Germany) (ESEC/FSE 2017). ACM, New York, NY, USA, 279–290. doi:10.1145/3106237.3106283

  18. [18]

    Paul Gazzillo and Robert Grimm. 2012. SuperC: Parsing All of C by Taming the Preprocessor. PLDI’12. (2012)

  19. [19]

    Paul Gazzillo, Ugur Koc, ThanhVu Nguyen, and Shiyi Wei. 2018. Localizing configurations in highly-configurable systems. In Proc. 22nd International Systems and Software Product Line Conference - Volume 1 (Gothenburg, Sweden) (SPLC ’18). ACM, New York, NY, USA, 269–273. doi:10.1145/3233027.3236404

  20. [20]

    GNU Project. 2017. M4 Macro Language. https://www.gnu.org/software/m4/m4.html Accessed: 2025-07-15

  21. [21]

    GNU Project. 2025. Unified Diff Format. GNU Diffutils Manual, version 3.12, section 2.2.2. https://www.gnu.org/software/diffutils/manual/html_node/Unified-Format.html Accessed: 2025-07-15

  22. [22]

    Lukas Güthing, Mathis Weiß, Ina Schaefer, and Malte Lochau. 2024. Sampling Cardinality-Based Feature Models. In Proc. 18th International Working Conference on Variability Modelling of Software-Intensive Systems (Bern, Switzerland) (VaMoS ’24). ACM, New York, NY, USA, 46–55

  23. [23]

    Edith Hemaspaandra and Henning Schnoor. 2011. Minimization for Generalized Boolean Formulas. IJCAI International Joint Conference on Artificial Intelligence (04 2011). doi:10.5591/978-1-57735-516-8/IJCAI11-102

  24. [24]

    Muhui Jiang, Jinan Jiang, Tao Wu, Zuchao Ma, Xiapu Luo, and Yajin Zhou. 2024. Understanding Vulnerability Inducing Commits of the Linux Kernel. ACM Transactions on Software Engineering and Methodology 33, 7 (2024), 170:1–170:31

  25. [25]

    Martin Fagereng Johansen, Øystein Haugen, and Franck Fleurey. 2012. An algorithm for generating t-wise covering arrays from large feature models. In Proc. 16th International Software Product Line Conference-Volume 1 . 46–55

  26. [26]

    Kyo Kang, Sholom Cohen, James Hess, William Novak, and A. Peterson. 1990. Feature-Oriented Domain Analysis (FODA) feasibility study. (01 1990)

  27. [27]

    Christian Kästner, Paolo G. Giarrusso, Tillmann Rendel, Sebastian Erdweg, Klaus Ostermann, and Thorsten Berger. 2011.

  28. [28]

    Variability-aware parsing in the presence of lexical macros and conditional compilation. In Proc. 2011 ACM International Conference on Object Oriented Programming Systems Languages and Applications (Portland, Oregon, USA) (OOPSLA ’11). ACM, New York, NY, USA, 805–824. doi:10.1145/2048066.2048128

  29. [29]

    Andy Kenner, Christian Kästner, Steffen Haase, and Thomas Leich. 2010. TypeChef: toward type checking #ifdef variability in C. In FOSD (Eindhoven, The Netherlands). ACM, New York, NY, USA, 25–32

  30. [30]

    Kocher, Paul et al. 2019. Spectre Attacks: Exploiting Speculative Execution. In 2019 IEEE Symposium on Security and Privacy (SP). 1–19. doi:10.1109/SP.2019.00002

  31. [31]

    Kuiter, Elias et al. 2018. PClocator: a tool suite to automatically identify configurations for code locations. In Proc. 22nd International Systems and Software Product Line Conference - Volume 1 (Gothenburg, Sweden) (SPLC ’18). ACM, New York, NY, USA, 284–288. doi:10.1145/3233027.3236399

  32. [32]

    Christian Kästner, Thomas Thüm, Gunter Saake, Janet Feigenspan, Thomas Leich, Fabian Wielgorz, and Sven Apel

  33. [33]

    FeatureIDE: A Tool Framework for Feature-Oriented Software Development. SPLC ’09. (2009)

  34. [34]

    Tobias Landsberg, Christian Dietrich, and Daniel Lohmann. 2024. Should I Bother? Fast Patch Filtering for Statically-Configured Software Variants. SPLC ’24. (2024). doi:10.1145/3646548.3672585

  35. [35]

    Afshan Latif, Farooque Azam, Muhammad Waseem Anwar, and Amina Zafar. 2023. Comparison of Leading Language Parsers – ANTLR, JavaCC, SableCC, Tree-sitter, Yacc, Bison. In 2023 13th International Conference on Software Technology and Engineering (ICSTE). 7–13. doi:10.1109/ICSTE61649.2023.00009

  36. [36]

    Jörg Liebig, Sven Apel, Christian Lengauer, Christian Kästner, and Michael Schulze. 2010. An analysis of the variability in forty preprocessor-based software product lines. In Proc. 32nd ACM/IEEE International Conference on Software Engineering - Volume 1 (Cape Town, South Africa) (ICSE ’10). ACM, New York, NY, USA, 105–114. doi:10.1145/1806799.1806819

  37. [37]

    Jörg Liebig, Christian Kästner, and Sven Apel. 2011. Analyzing the Discipline of Preprocessor Annotations in 30 Million Lines of C Code. AOSD’11. (2011). doi:10.1145/1960275.1960299

  38. [38]

    Jörg Liebig, Alexander von Rhein, Christian Kästner, Sven Apel, Jens Dörre, and Christian Lengauer. 2013. Scalable Analysis of Variable Software. ESEC/FSE ’13. (2013). doi:10.1145/2491411.2491437

  39. [39]

    Flávio Medeiros, Christian Kästner, Márcio Ribeiro, Rohit Gheyi, and Sven Apel. 2016. A Comparison of 10 Sampling Algorithms for Configurable Systems. ICSE ’16. (2016)

  40. [40]

    Flávio Medeiros, Christian Kästner, Márcio Ribeiro, Sarah Nadi, and Rohit Gheyi. 2015. The Love/Hate Relationship with the C Preprocessor: An Interview Study. ECOOP’15. (2015)

  41. [41]

    Flávio Medeiros, Márcio Ribeiro, et al. 2013. Investigating Preprocessor-Based Syntax Errors. GPCE ’13. (2013)

  42. [42]

    Meinicke, Jens et al. 2016. On essential configuration complexity: measuring interactions in highly-configurable systems. In Proc. 31st IEEE/ACM International Conference on Automated Software Engineering (Singapore, Singapore) (ASE ’16). ACM, New York, NY, USA, 483–494. doi:10.1145/2970276.2970322

  43. [43]

    Marcílio Mendonça, Andrzej Wasowski, and Krzysztof Czarnecki. 2009. SAT-based analysis of feature models is easy. SPLC, 231–240

  44. [44]

    NIST. 2015. Official Common Platform Enumeration Dictionary. https://nvd.nist.gov/products/cpe

  45. [45]

    Felipe Paixão. n.d. Patchlens Repository. https://github.com/fleap-dev/patchlens

  46. [46]

    Felipe Paixão. 2026. Patchlens Artifacts. doi:10.5281/zenodo.19560745

  47. [47]

    Gilles Perrouin, Sagar Sen, Jacques Klein, Benoit Baudry, and Yves le Traon. 2010. Automated and Scalable T-wise Test Case Generation Strategies for Software Product Lines. In 2010 Third International Conference on Software Testing, Verification and Validation. 459–468. doi:10.1109/ICST.2010.43

  48. [48]

    Matthew Prince. 2014. The Hidden Costs of Heartbleed. https://blog.cloudflare.com/the-hard-costs-of-heartbleed/

  49. [49]

    Bissyandé, Naouel Moha, and Jacques Klein

    Timothé Riom, Arthur Sawadogo, Kevin Allix, Tegawendé F. Bissyandé, Naouel Moha, and Jacques Klein. 2021. Revisiting the VCCFinder approach for the identification of vulnerability-contributing commits. Empirical Software Engineering 26, 3 (29 Mar 2021), 46. doi:10.1007/s10664-021-09944-w

  50. [50]

    Rothermel and M.J

    G. Rothermel and M.J. Harrold. 1996. Analyzing regression test selection techniques. IEEE Transactions on Software Engineering 22, 8 (1996), 529–551. doi:10.1109/32.536955

  51. [51]

    Reinhard Tartler et al. 2011. Feature consistency in compile-time-configurable system software: facing the Linux 10,000 feature problem. In Conf. on Computer Systems (EuroSys ’11). ACM, 47–60. doi:10.1145/1966445.1966451

  52. [52]

    Reinhard Tartler, Christian Dietrich, Julio Sincero, Wolfgang Schröder-Preikschat, and Daniel Lohmann. 2014. Static Analysis of Variability in System Software: The 90,000 #ifdefs Issue. USENIX ATC ’14. (2014)

  53. [53]

    Reinhard Tartler, Daniel Lohmann, Christian Dietrich, Christoph Egger, and Julio Sincero. 2011. Configuration Coverage in the Analysis of Large-Scale System Software. PLOS ’11. (2011). doi:10.1145/2039239.2039242

  54. [54]

    Von Rhein, Alexander et al. 2015. Presence-Condition Simplification in Highly Configurable Systems. In 2015 IEEE/ACM 37th IEEE International Conference on Software Engineering, Vol. 1. 178–188. doi:10.1109/ICSE.2015.39

  55. [55]

    Xinda Wang, Shu Wang, Pengbin Feng, Kun Sun, and Sushil Jajodia. 2021. Patchdb: A large-scale security patch dataset. In 2021 51st Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN). IEEE, 149–160

  56. [56]

    Yıldıran, Necip Fazıl et al. 2024. Maximizing Patch Coverage for Testing of Highly-Configurable Software without Exploding Build Times. Proc. ACM Softw. Eng. 1, FSE, Article 20 (July 2024)

  57. [57]

    Scott Yilek, Eric Rescorla, Hovav Shacham, Brandon Enright, and Stefan Savage. 2009. When private keys are public: results from the 2008 Debian OpenSSL vulnerability. In IMC ’09. ACM, 15–27. doi:10.1145/1644893.1644896

Received 2026-02-24; accepted 2026-03-24. Proc. ACM Softw. Eng., Vol. 3, No. FSE, Article FSE119. Publication date: July 2026.