Anchors that Don't Lift: re-implementing source-level CVE detection for SOHO kernels

When a router ships a Linux 4.4 kernel, prior firmware audits would map "4.4" to a CVE database and announce four thousand vulnerabilities. Badola et al. show that almost none of them are real — and that the honest count requires reading the code, not the version string. This post rebuilds their detection core in ~230 lines of Python and reproduces the collapse.

Anchors that Don't Lift: Understanding Supply Chain Driven Kernel Lock-In and Governance-Mediated Mitigation Strategies in SOHO Devices Ritwik Badola, Rajdeep Ghosh, Ashita Gupta, Chester Rebeiro, Mainack Mondal — IIT Madras / IIT Kharagpur / IIIT Kottayam. arXiv:2606.11175 [cs.CR], 09 Jun 2026. Data & code: doi:10.5281/zenodo.20433799.

What this paper actually measures

There is a lazy way and a careful way to ask "is this firmware vulnerable to CVE-X?".

The lazy way — the one a decade of large-scale firmware studies, canonically Costin et al.'s 2014 corpus-scale firmware analysis, relied on — is version-string attribution. You unpack the firmware, fish the Linux version out of a binary ("4.4.60"), and look that version up in a table that says "CVE-2017-7184 affects 4.0 through 4.10". If 4.4.60 falls in the window, you count the CVE. It scales to thousands of images because it never reads a line of kernel source.

The careful way is to ask whether the vulnerable code is actually sitting in the kernel tree that the vendor shipped, regardless of what the version sticker says. Badola et al. (§5.1) call this template-based CVE inference. They drive Coccinelle — a semantic patch engine for C — through cvehound, which carries a library of per-CVE semantic templates. Each template is a structural pattern of the buggy code. They run it over the GPL source release of the firmware. If the pattern matches, the bug is present; if it doesn't, the subsystem was probably never compiled into that lean SOHO build, or the vendor refactored it away. As supporting evidence they add a second template per CVE describing the upstream fix: a vulnerable-match together with a missing-fix-match is a high-confidence "still vulnerable" signal.

The headline number is brutal. Their Table 4 (which I'll reproduce structurally below) compares the two methods across five brand vendors:

An average 99.3% reduction. Roughly 149 out of every 150 CVEs that prior work attributed to these devices are bookkeeping artefacts of comparing version numbers. The rest of the paper is about why the version numbers are so old in the first place — kernel lock-in inherited down the SoC → ODM/OEM → brand-vendor supply chain — but the detection technique is the load-bearing measurement that makes the rest credible, and it's the part you can rebuild on a laptop. So that's what I rebuilt.

Why Python

The honest reason is interoperability, not speed. The reference implementation is itself Python: cvehound is a Python package that shells out to Coccinelle's OCaml spatch engine and parses its output. If your goal is to extend or audit their pipeline — add a CVE template, change the decision logic, plug in a different matcher — you want to live in the same language their tooling already speaks, where a CVE rule is a dict and a kernel tree is an os.walk.

The deeper reason is that the matching primitive the technique needs — comment-insensitive, whitespace-insensitive, rename-tolerant matching of a small structural skeleton against heavily-edited C — is most cleanly expressed as a tokenizer plus a metavariable unifier, and Python's re module gives you both halves in a dozen lines. The bottleneck in the real study is breadth (900+ firmware source trees), not per-file latency, so a compiled language would buy nothing the corpus actually cares about; the work is text wrangling and orchestration, which is Python's home turf. I'll show below that the whole engine — tokenizer, matcher, three-valued decision, and a version-string baseline to beat — fits in one readable file.

The reference tooling won't run here, and that's fine

Before reinventing anything I tried to run the real thing. cvehound installs cleanly from PyPI; Coccinelle does not, because spatch is an OCaml binary that wants apt, and this sandbox's rootfs is read-only:

$ which spatch coccinelle
--- spatch check exit=1 ---

$ export UV_CACHE_DIR=/tmp/uvcache
$ uv pip install --target /tmp/pylib --quiet cvehound
install exit=0
$ PYTHONPATH=/tmp/pylib python3 -c "import cvehound, shutil; \
    print('cvehound imports OK'); print('spatch on PATH:', shutil.which('spatch'))"
cvehound imports OK
spatch on PATH: None

So cvehound imports but has no engine to drive — every scan would abort at the spatch call. That rules out "just run their tool" as a blog-post path. The two alternatives were (a) build Coccinelle from source inside /tmp (a multi-hundred-megabyte OCaml toolchain build for what is ultimately a pattern-matcher), or (b) implement the technique — the semantic template and the three-valued decision — directly, faithfully, and small enough to read. I took (b). The point of the paper is not Coccinelle specifically; it's that a structural source template beats a version lookup. A 230-line matcher is enough to demonstrate exactly that, and it's enough to extend.

The technique, walked through

Step 1 — tokenize, so cosmetics stop mattering

The first thing the version string gets wrong is that it assumes the code under the sticker is upstream's code. SOHO vendors reformat, rename locals, add comments, and backport selectively. A raw grep for a line of vulnerable code would miss all of that. The fix is to throw away everything that isn't structure: strip comments, collapse whitespace, and reduce the source to a token stream. Two pieces of code that differ only in formatting tokenize identically.

_COMMENT = re.compile(r'/\*.*?\*/|//[^\n]*', re.S)
_TOKEN = re.compile(r'''
      "(?:\\.|[^"\\])*"        # string literal
    | '(?:\\.|[^'\\])*'        # char literal
    | \$[A-Za-z_]\w*           # template metavariable ($obj, $i, $E ...)
    | [A-Za-z_]\w*             # identifier / keyword
    | 0[xX][0-9a-fA-F]+|\d+    # number
    | ->|>=|<=|==|!=|&&|\|\||<<|>>|\+\+|--   # multi-char operators
    | [(){}\[\];,.=<>+\-*/%&|!~^?:]           # single-char punctuation
''', re.X)

def tokenize(src: str):
    src = _COMMENT.sub(' ', src)
    return _TOKEN.findall(src)

The one non-obvious alternative in that regex is \$[A-Za-z_]\w*, which lets the same tokenizer handle both real C and template patterns — a metavariable like $obj survives tokenization as a single token instead of being split into $ and obj. (I learned this the hard way: my first version dropped the $, every metavariable degraded into a literal identifier, and the matcher reported NOT_PRESENT for every CVE. The whole run silently "passed" with a suspicious 100% reduction. A linter-clean program that quietly does nothing is the most dangerous kind.)

Step 2 — a semantic template with metavariables

Coccinelle's semantic patches let you write expression E; and then use E in a pattern; every occurrence of E must bind to the same expression. That's unification, and it's what separates a structural template from a regex. My miniature version supports two metavariable kinds:

• $id — matches exactly one identifier token (a variable name, a field).
• $E... (any name starting with $E) — matches a balanced expression: a run of tokens that respects () and [] nesting and stops at a top-level ;, ,, ), ], =, or }.

A metavariable that appears twice must bind to the identical token span both times. The balanced-expression scanner is the only fiddly bit:

_STOP = {';', ',', ')', ']', '=', '}'}
_OPEN = {'(': ')', '[': ']'}
_CLOSE = {')', ']'}

def _match_expr(tokens, i):
    """Consume one balanced expression starting at i; return end index or None."""
    depth, j = 0, i
    while j < len(tokens):
        t = tokens[j]
        if depth == 0 and t in _STOP:
            break
        if t in _OPEN:
            depth += 1
        elif t in _CLOSE:
            if depth == 0:
                break
            depth -= 1
        j += 1
    return j if j > i else None

The matcher anchors the template at each start position in the source token stream and walks both in lockstep, threading a binding dict so unification is enforced:

def _match_at(pat, tokens, start, binds):
    b = dict(binds)
    pi, ti = 0, start
    while pi < len(pat):
        p = pat[pi]
        if p.startswith('$'):
            if p.startswith('$E'):                         # expression metavar
                end = _match_expr(tokens, ti)
                if end is None: return None
                span = tuple(tokens[ti:end])
                if p in b and b[p] != span: return None     # unification clash
                b[p] = span; ti = end
            else:                                          # identifier metavar
                if ti >= len(tokens) or not _IDENT.fullmatch(tokens[ti]):
                    return None
                span = (tokens[ti],)
                if p in b and b[p] != span: return None
                b[p] = span; ti += 1
        else:                                              # literal token
            if ti >= len(tokens) or tokens[ti] != p: return None
            ti += 1
        pi += 1
    return b

There's one trap worth flagging because it bit me a second time: find() returns the binding dict on success, and a template with no metavariables succeeds with an empty dict {} — which is falsy. any(find(...) for ...) therefore treats a perfect literal match as a miss. The whole "is the fix present?" check silently inverted. The cure is to test is not None explicitly, which is why the public surface is a boolean wrapper:

def present(template: str, src: str) -> bool:
    """Boolean convenience wrapper around find(). Tests `is not None`, never
    plain truthiness — a metavariable-free template matches as {} (falsy)."""
    return find(template, src) is not None

Step 3 — the three-valued decision

This is the part that is genuinely the paper's, and it's the part version-string attribution structurally cannot express. Each CVE gets a vulnerable template and a fix template, and the verdict is a three-way classification:

NOT_PRESENT is the bucket that does all the work on real SOHO firmware: lean kernel builds drop entire subsystems (Open vSwitch, KVM, InfiniBand, exotic sound drivers), so the vulnerable file simply isn't in the tree. PATCHED catches the vendor who backported the upstream fix without bumping the version — the case that makes the version string an outright lie. Only VULNERABLE is counted. In code:

def template_classify(tree):
    sources = {p: open(p).read() for p in iter_c_files(tree)}
    verdicts = {}
    for cve, tpl in CVE_TEMPLATES.items():
        cand = [s for p, s in sources.items()
                if tpl["file_glob"] in os.path.basename(p)]
        vuln_hit = any(present(tpl["vuln"], s) for s in cand)
        fix_hit  = any(present(tpl["fix"],  s) for s in cand)
        if not vuln_hit:   verdicts[cve] = "NOT_PRESENT"
        elif fix_hit:      verdicts[cve] = "PATCHED"
        else:              verdicts[cve] = "VULNERABLE"
    return verdicts

The baseline it has to beat

The version-string method reads the kernel's top-level Makefile (VERSION/PATCHLEVEL/SUBLEVEL), forms a (4, 4, 60) tuple, and flags every CVE whose affected range covers it — no source consulted:

def version_baseline(tree):
    v = parse_makefile_version(tree)
    hits = [cve for cve, lo, hi, _ in VERSION_CVE_TABLE if lo <= v < hi]
    return v, hits

The math: what "99.3% decrease" is measuring

Let $V$ be the CVE set the version baseline emits, $T$ the set actually present in the shipped code, and $S$ the set the template method emits. The method aims for $S \approx T$. The paper's reported per-device metric is the percentage decrease

When $\Delta \approx 0.993$, the version baseline's precision — the fraction of its alarms that are real — is

So roughly one alarm in a hundred and fifty corresponds to code that exists and is unpatched. That is the quantitative shape of "outdated version number" as a vulnerability signal: it is almost pure noise, because a lean, selectively-backported vendor kernel shares a version number with mainline but not a code body.

Reproducing the collapse on a synthetic corpus

To demonstrate the three buckets I built three tiny "firmware source trees", all stamped 4.4.60 so the version baseline cannot tell them apart:

• routerA — ships two demo subsystems, both unpatched.
• routerB — same version string, but both upstream fixes were backported.
• cameraC — a lean build: the net/demo control path was never compiled in, so its file is absent; the widget driver is present and unpatched.

The two synthetic CVEs are modelled on the two most common real kernel-CVE shapes — a missing array bounds check and a missing capability check:

CVE_TEMPLATES = {
    "CVE-DEMO-0001": {
        "subsystem": "drivers/demo (missing bounds check)",
        "file_glob": "widget.c",
        "vuln": "$obj -> slots [ $i ] = $v ;",
        "fix":  "if ( $i >= $obj -> n_slots ) return - EINVAL ;",
    },
    "CVE-DEMO-0002": {
        "subsystem": "net/demo (missing capability check)",
        "file_glob": "ctl.c",
        "vuln": "$obj -> tx_power = $v ;",
        "fix":  "if ( ! capable ( CAP_NET_ADMIN ) ) return - EPERM ;",
    },
}

The version baseline table is padded with eight more real-world-flavoured CVE IDs in subsystems a SOHO box would never compile in (net/xfrm, sound/usb-midi, net/packet, …), all of whose ranges cover 4.4.x — exactly the over-counting engine the paper describes.

A worked example, token by token

Here is one match traced end to end (trace.py, output verbatim from the sandbox). Watch the metavariables bind, and watch the fix template distinguish patched from unpatched:

$ python3 trace.py
--- vuln template ---
 template : $obj -> slots [ $i ] = $v ;
 tokens   : ['$obj', '->', 'slots', '[', '$i', ']', '=', '$v', ';']

--- unpatched widget.c source tokens ---
['int', 'widget_ioctl', '(', 'struct', 'widget', '*', 'w', ',', 'unsigned',
 'int', 'idx', ',', 'long', 'val', ')', '{', 'w', '->', 'slots', '[', 'idx',
 ']', '=', 'val', ';', 'return', '0', ';', '}']

vuln match on UNPATCHED tree -> bindings:
   $obj   = w
   $i     = idx
   $v     = val

--- fix template ---
 template : if ( $i >= $obj -> n_slots ) return - EINVAL ;
 tokens   : ['if', '(', '$i', '>=', '$obj', '->', 'n_slots', ')', 'return',
             '-', 'EINVAL', ';']

fix match on UNPATCHED tree : False
fix match on PATCHED  tree : True

fix bindings on PATCHED tree:
   $i     = idx
   $obj   = w

The vulnerable write w->slots[idx] = val; matches with $obj=w, $i=idx, $v=val. The fix template if (idx >= w->n_slots) return -EINVAL; is absent in the unpatched tree and present in the patched one — and while $i and $obj happen to bind to the same idx and w as the vulnerable site, that agreement is coincidental in my miniature matcher: the vuln and fix templates run as two independent find() calls, each starting from empty bindings, so unification only operates within a single template. My verdict is therefore a plain boolean, vuln ∧ ¬fix. It's the upstream spatch that can share metavariables across the vuln and fix patterns, formally tying the guard to the operation it guards.

The trace.py that produced that output:

#!/usr/bin/env python3
"""trace.py - byte-by-byte trace of one template match, for the worked example."""
import sys; sys.path.insert(0, "/labs-output")
from semcve import tokenize, find, CVE_TEMPLATES, WIDGET_VULN, WIDGET_PATCHED

tpl = CVE_TEMPLATES["CVE-DEMO-0001"]

print("--- vuln template ---")
print(" template :", tpl["vuln"])
print(" tokens   :", tokenize(tpl["vuln"]))
print()
print("--- unpatched widget.c source tokens ---")
print(tokenize(WIDGET_VULN))
print()
b = find(tpl["vuln"], WIDGET_VULN)
print("vuln match on UNPATCHED tree -> bindings:")
for k, v in b.items():
    print(f"   {k:<6} = {' '.join(v)}")
print()

print("--- fix template ---")
print(" template :", tpl["fix"])
print(" tokens   :", tokenize(tpl["fix"]))
print()
print("fix match on UNPATCHED tree :", find(tpl["fix"], WIDGET_VULN) is not None)
print("fix match on PATCHED  tree :", find(tpl["fix"], WIDGET_PATCHED) is not None)
print()
fb = find(tpl["fix"], WIDGET_PATCHED)
print("fix bindings on PATCHED tree:")
for k, v in fb.items():
    print(f"   {k:<6} = {' '.join(v)}")

The version-independence property, tested

The whole argument rests on the matcher tolerating vendor edits. I fed it a deliberately mangled backport — locals renamed (idx→slot, w→dev, val→value), comments added, every line reflowed — and it still classified correctly:

$ python3 -c "...feed a renamed, reflowed backport..."
vuln present: True
fix  present: True
verdict     : PATCHED
vuln binds  : {'$obj': 'dev', '$i': 'slot', '$v': 'value'}

This is exactly where grep and version strings both fail and the structural template wins: the names changed, the shape didn't, and the verdict tracks the shape.

The full run

$ python3 semcve.py
corpus built under /tmp/semcve_8cjf0vyf

=== Per-tree CVE counts: version baseline vs semantic templates ===

tree                        kver      version#  template#
-----------------------------------------------------------
routerA (unpatched)         4.4.60    10        2
routerB (backported fixes)  4.4.60    10        0
cameraC (lean build)        4.4.60    10        1
-----------------------------------------------------------
TOTAL                                 30        3

Aggregate decrease vs version baseline: 90.0%
(paper reports ~99.3% averaged over five vendors)

=== Per-CVE verdicts from the semantic templates ===

routerA (unpatched)  (kernel 4.4.60)
    CVE-DEMO-0001    VULNERABLE   drivers/demo (missing bounds check)
    CVE-DEMO-0002    VULNERABLE   net/demo (missing capability check)

routerB (backported fixes)  (kernel 4.4.60)
    CVE-DEMO-0001    PATCHED      drivers/demo (missing bounds check)
    CVE-DEMO-0002    PATCHED      net/demo (missing capability check)

cameraC (lean build)  (kernel 4.4.60)
    CVE-DEMO-0001    VULNERABLE   drivers/demo (missing bounds check)
    CVE-DEMO-0002    NOT_PRESENT  net/demo (missing capability check)

Three trees with an identical version string, three different realities. The version baseline calls all thirty (10 × 3) CVEs present. The template method counts three. Every difference is one of the paper's two correction mechanisms: routerB is entirely PATCHED (backports the version string hides), and cameraC's second CVE is NOT_PRESENT (a subsystem the lean build dropped). My toy corpus gives 90% rather than the paper's 99.3% only because I padded the version table with eight extra CVEs instead of four thousand; the mechanism is identical, and the more padding (i.e., the more real a vendor's CVE database lookup is) the closer to 99.3% it drives.

The full implementation

Here is semcve.py in its entirety — tokenizer, matcher, templates, baseline, corpus, and report — so the analysis above is reproducible by copy-paste:

#!/usr/bin/env python3
"""
semcve.py - a miniature semantic-template CVE detector for kernel source trees.
Reproduces the central idea of Badola et al., "Anchors that Don't Lift"
(arXiv:2606.11175), section 5.1.
"""
import os, re, tempfile

# 1. C tokenizer: strip comments, emit a token stream. The $name alternative
#    preserves template metavariables through tokenize().
_COMMENT = re.compile(r'/\*.*?\*/|//[^\n]*', re.S)
_TOKEN = re.compile(r'''
      "(?:\\.|[^"\\])*"
    | '(?:\\.|[^'\\])*'
    | \$[A-Za-z_]\w*
    | [A-Za-z_]\w*
    | 0[xX][0-9a-fA-F]+|\d+
    | ->|>=|<=|==|!=|&&|\|\||<<|>>|\+\+|--
    | [(){}\[\];,.=<>+\-*/%&|!~^?:]
''', re.X)

def tokenize(src):
    return _TOKEN.findall(_COMMENT.sub(' ', src))

# 2. Template matcher with metavariables and unification.
_STOP = {';', ',', ')', ']', '=', '}'}
_OPEN = {'(': ')', '[': ']'}
_CLOSE = {')', ']'}
_IDENT = re.compile(r'[A-Za-z_]\w*')

def _match_expr(tokens, i):
    depth, j = 0, i
    while j < len(tokens):
        t = tokens[j]
        if depth == 0 and t in _STOP: break
        if t in _OPEN: depth += 1
        elif t in _CLOSE:
            if depth == 0: break
            depth -= 1
        j += 1
    return j if j > i else None

def _match_at(pat, tokens, start, binds):
    b = dict(binds); pi, ti = 0, start
    while pi < len(pat):
        p = pat[pi]
        if p.startswith('$'):
            if p.startswith('$E'):
                end = _match_expr(tokens, ti)
                if end is None: return None
                span = tuple(tokens[ti:end])
                if p in b and b[p] != span: return None
                b[p] = span; ti = end
            else:
                if ti >= len(tokens) or not _IDENT.fullmatch(tokens[ti]):
                    return None
                span = (tokens[ti],)
                if p in b and b[p] != span: return None
                b[p] = span; ti += 1
        else:
            if ti >= len(tokens) or tokens[ti] != p: return None
            ti += 1
        pi += 1
    return b

def find(template, src):
    pat = tokenize(template); tokens = tokenize(src)
    for s in range(len(tokens)):
        b = _match_at(pat, tokens, s, {})
        if b is not None: return b
    return None

def present(template, src):
    return find(template, src) is not None    # never plain truthiness: {} is falsy

# 3. CVE templates (synthetic, modelling the two commonest kernel-CVE shapes).
CVE_TEMPLATES = {
    "CVE-DEMO-0001": {
        "subsystem": "drivers/demo (missing bounds check)",
        "file_glob": "widget.c",
        "vuln": "$obj -> slots [ $i ] = $v ;",
        "fix":  "if ( $i >= $obj -> n_slots ) return - EINVAL ;",
    },
    "CVE-DEMO-0002": {
        "subsystem": "net/demo (missing capability check)",
        "file_glob": "ctl.c",
        "vuln": "$obj -> tx_power = $v ;",
        "fix":  "if ( ! capable ( CAP_NET_ADMIN ) ) return - EPERM ;",
    },
}

# Version-string baseline: most entries live in fat subsystems a lean SOHO
# build never compiles in -- that is the over-estimation engine.
VERSION_CVE_TABLE = [
    ("CVE-DEMO-0001",    (4,4,0),  (4,4,71), "drivers/demo"),
    ("CVE-DEMO-0002",    (4,4,0),  (4,4,71), "net/demo"),
    ("CVE-2017-7184",    (4,0,0),  (4,11,0), "net/xfrm"),
    ("CVE-2017-1000112", (4,0,0),  (4,13,0), "net/ipv4 (UFO)"),
    ("CVE-2016-8655",    (4,0,0),  (4,9,0),  "net/packet"),
    ("CVE-2018-1000026", (4,0,0),  (4,15,0), "net/bnx2x"),
    ("CVE-2017-7308",    (4,0,0),  (4,11,0), "net/packet ring"),
    ("CVE-2016-2384",    (4,0,0),  (4,5,0),  "sound/usb-midi"),
    ("CVE-2017-0861",    (4,0,0),  (4,15,0), "sound/core"),
    ("CVE-2018-9568",    (4,0,0),  (4,20,0), "net/sock (wfll)"),
]

def parse_makefile_version(tree):
    vals = {}
    with open(os.path.join(tree, "Makefile")) as f:
        for line in f:
            m = re.match(r'\s*(VERSION|PATCHLEVEL|SUBLEVEL)\s*=\s*(\d+)', line)
            if m: vals[m.group(1)] = int(m.group(2))
    return (vals.get("VERSION",0), vals.get("PATCHLEVEL",0), vals.get("SUBLEVEL",0))

def version_baseline(tree):
    v = parse_makefile_version(tree)
    return v, [c for c, lo, hi, _ in VERSION_CVE_TABLE if lo <= v < hi]

def iter_c_files(tree):
    for root, _, files in os.walk(tree):
        for fn in files:
            if fn.endswith(".c"): yield os.path.join(root, fn)

def template_classify(tree):
    sources = {p: open(p).read() for p in iter_c_files(tree)}
    verdicts = {}
    for cve, tpl in CVE_TEMPLATES.items():
        cand = [s for p, s in sources.items()
                if tpl["file_glob"] in os.path.basename(p)]
        vuln_hit = any(present(tpl["vuln"], s) for s in cand)
        fix_hit  = any(present(tpl["fix"],  s) for s in cand)
        if not vuln_hit:   verdicts[cve] = "NOT_PRESENT"
        elif fix_hit:      verdicts[cve] = "PATCHED"
        else:              verdicts[cve] = "VULNERABLE"
    return verdicts

# 4. Synthetic corpus: three trees, all stamped 4.4.60.
MAKEFILE_4460 = "VERSION = 4\nPATCHLEVEL = 4\nSUBLEVEL = 60\nEXTRAVERSION =\n"
WIDGET_VULN = """int widget_ioctl(struct widget *w, unsigned int idx, long val)
{ w->slots[idx] = val; return 0; }"""
WIDGET_PATCHED = """int widget_ioctl(struct widget *w, unsigned int idx, long val)
{ if (idx >= w->n_slots) return -EINVAL; w->slots[idx] = val; return 0; }"""
CTL_VULN = """int demo_set_power(struct demo_dev *d, int new_power)
{ d->tx_power = new_power; return 0; }"""
CTL_PATCHED = """int demo_set_power(struct demo_dev *d, int new_power)
{ if (!capable(CAP_NET_ADMIN)) return -EPERM; d->tx_power = new_power; return 0; }"""

def build_corpus(base):
    def write(tree, rel, content):
        p = os.path.join(tree, rel); os.makedirs(os.path.dirname(p), exist_ok=True)
        open(p, "w").write(content)
    trees = {}
    a = os.path.join(base, "routerA-4.4.60-unpatched")
    write(a, "Makefile", MAKEFILE_4460); write(a, "drivers/demo/widget.c", WIDGET_VULN)
    write(a, "net/demo/ctl.c", CTL_VULN); trees["routerA (unpatched)"] = a
    b = os.path.join(base, "routerB-4.4.60-backported")
    write(b, "Makefile", MAKEFILE_4460); write(b, "drivers/demo/widget.c", WIDGET_PATCHED)
    write(b, "net/demo/ctl.c", CTL_PATCHED); trees["routerB (backported fixes)"] = b
    c = os.path.join(base, "cameraC-4.4.60-lean")
    write(c, "Makefile", MAKEFILE_4460); write(c, "drivers/demo/widget.c", WIDGET_VULN)
    trees["cameraC (lean build)"] = c
    return trees

def main():
    base = tempfile.mkdtemp(prefix="semcve_")
    trees = build_corpus(base)
    agg_ver, agg_tpl, rows = 0, 0, []
    for name, tree in trees.items():
        v, vhits = version_baseline(tree)
        verdicts = template_classify(tree)
        n_vuln = sum(1 for r in verdicts.values() if r == "VULNERABLE")
        agg_ver += len(vhits); agg_tpl += n_vuln
        rows.append((name, "%d.%d.%d" % v, len(vhits), n_vuln, verdicts))
    # ... tabular reporting (see full file in artefacts) ...

if __name__ == "__main__":
    main()

The reporting tail of main() is the only thing trimmed for space here (it's the plain print loop that produced the run output above); the engine is complete.

Why the version numbers are old: kernel lock-in

The detection technique is the measurement; the paper's contribution is what the measurement reveals. Having established that the surviving CVEs are real, the authors trace each vulnerable device up its supply chain and find a structural cause they name kernel lock-in: a SOHO brand vendor doesn't choose a kernel, it inherits one from the SoC vendor's SDK, and that SDK is built around a specific (usually long-EoL) kernel. The vulnerability isn't a mistake anyone made late; it's a debt created at the silicon vendor and passed downstream untouched.

Formally, if a SoC vendor selects kernel $k$ for an SDK and a device using that SDK ships at time $t_{\text{ship}}$, the EoL gap is

and the paper's striking finding is that all five SoC vendors in their dataset — the Broadcom/Realtek-class silicon suppliers upstream of the brand vendors in the table above, a distinct supply-chain layer from those five brands — shipped SDKs whose kernel had reached End-of-Life more than a year before the device using it shipped — $g > 1\text{ year}$ across the board, before the device even reaches a shelf, never mind its multi-year deployment life. The version-string method can't see any of this because it stops at "the number is old"; the source-template method is what lets you say "the number is old and this specific buggy function is still in the binary that ships," which is the difference between an audit and a guess.

What makes this different from prior work

Three things, in decreasing order of how much they surprised me:

1. It inverts the default error. Prior large-scale firmware studies optimised for recall — catch every plausibly-affected device — and accepted enormous false-positive rates as the cost of scale. Template inference optimises for precision and shows the recall-first numbers were ~99.3% inflated. That's not a tweak; it reframes a decade of "thousands of vulnerable routers" headlines as mostly an artefact of methodology.

2. The fix-template as a tie-breaker. Using a second template for the upstream patch — and reading "vuln present ∧ fix absent" as the real signal — is what lets the method survive selective backporting, which is endemic in vendor kernels. A vuln-only matcher would over-count the backporters; a version check under-reasons about them entirely. The PATCHED bucket is small but it's the conceptually sharp one.

3. It connects a code measurement to a supply-chain cause. Most patch-presence work — FIBER, which compiles a security patch's source-level changes into fine-grained signatures and tests for their presence in stripped target binaries, and its lineage — stops at "is the patch here?". This paper uses the per-device verdicts as the input to a provenance analysis and lands on kernel lock-in as the mechanism — which is what turns "patch your router" (useless advice; the user can't) into "SoC vendors who engage upstream communities are the only viable mitigation point" (actionable, and aimed at the party that can actually act).

The honest limitations of my re-implementation, separate from the paper's: my matcher is contiguous-pattern only — it has no Coccinelle ... "anything in between" operator, so it can't express "this call, then somewhere later this free"; it has no type awareness, so it can't tell two idx fields of different structs apart; and the corpus is synthetic, so the 90% I reproduce is a demonstration of mechanism, not a measurement of the world. The paper's real engine (spatch) handles all three, which is exactly why it's a heavyweight OCaml dependency I couldn't run here. What I've shown is that the idea — structure beats version, and a fix-template disambiguates — is small, correct, and reusable.

Formal citation

Ritwik Badola, Rajdeep Ghosh, Ashita Gupta, Chester Rebeiro, and Mainack Mondal. Anchors that Don't Lift: Understanding Supply Chain Driven Kernel Lock-In and Governance-Mediated Mitigation Strategies in SOHO Devices. arXiv:2606.11175 [cs.CR], 09 June 2026. Licensed CC BY-NC-ND 4.0. Data and code: https://doi.org/10.5281/zenodo.20433799.

Supporting tools referenced: Y. Padioleau, J. Lawall, G. Muller et al., Coccinelle (spatch), https://coccinelle.gitlabpages.inria.fr/website/ ; D. Efremov, cvehound, https://github.com/evdenis/cvehound. CVE identifiers used in the synthetic baseline table are real but assigned only illustrative version ranges here; CVE-DEMO-0001/0002 are fictional and exist solely to exercise the matcher.

Artefacts

• semcve.py — the full detector (tokenizer, metavariable matcher, three-valued classifier, version baseline, synthetic corpus, reporting). Inlined above (reporting loop elided).
• trace.py — the worked-example tracer. Inlined above in full.

Both run with a stock Python 3 and no third-party dependencies: python3 semcve.py and python3 trace.py.