Note

The sole purpose of this repository is to help me organize recent academic papers related to fuzzing, binary analysis, IoT security, and general exploitation. This is a non-exhausting list, even though I'll try to keep it updated... Feel free to suggest decent papers via a PR.

Read & Tagged

• 2023 - Dissecting American Fuzzy Lop A FuzzBench Evaluation
  • Tags:: AFL, collisions, hitcounts, timeout, novelty search, corpus culling, score calculation, corpus scheduling, splicing
• 2022 - DARWIN: Survival of the Fittest Fuzzing Mutators
  • Tags: mutation scheduling, evolution strategy, AFL, AFL-MOpT, fuzzbench, magma, ecofuzz
• 2022 - Removing Uninteresting Bytes in Software Fuzzing
  • Tags: seed optimization, seed minimization, diar, coverage-guided
• 2021 - An Empirical Study of OSS-Fuzz Bugs
  • Tags: flaky bugs, clusterfuzz, sanitizer, bug detection, bug classification, time-to-fix, time-to-detect
• 2020 - Corpus Distillation for Effective Fuzzing
  • Tags: corpus minimization, afl-cmin, google fuzzer test suite, FTS, minset, AFL
• 2020 - Symbolic execution with SymCC: Don't interpret, compile!
  • Tags: KLEE, QSYM, LLVM, C, C++, compiler, symbolic execution, concolic execution, source code level, IR, angr, Z3, DARPA corpus, AFL
• 2020 - WEIZZ: Automatic Grey-Box Fuzzing for Structured Binary Formats
  • Tags: REDQUEEN, chunk-based formats, AFLSmart, I2S, checksums, magix bytes, QEMU, Eclipser, short fuzzing runs,
• 2020 - Efficient Binary-Level Coverage Analysis
  • Tags: bcov, detour + trampoline, basic block coverage, sliced microexecution, superblocks, strongly connected components, dominator graph, BAP, angr, IDA, DynamoRIO, Intel PI, BAP, angr, IDA, DynamoRIO, Intel PIN
• 2020 - Test-Case Reduction via Test-Case Generation: Insights From the Hypothesis Reducer
  • Tags: Test case reducer, property based testing, CSmith, test case generation, hierachical delta debugging
• 2020 - AFL++: Combining Incremental Steps of Fuzzing Research
  • Tags: AFL++, AFL, MOpt, LAF-Intel, Fuzzbench, Ngram, RedQueen, Unicorn, QBDI, CmpLog, AFLFast
• 2020 - FirmXRay: Detecting Bluetooth Link Layer Vulnerabilities From Bare-Metal Firmware
  • Tags: Ghdira, static analysis, sound disassembly, base address finder, BLE, vulnerability discovery
• 2020 - P2IM: Scalable and Hardware-independent Firmware Testing via Automatic Peripheral Interface Modeling
  • Tags: HALucinator, emulation, firmware, QEMU, AFL, requires source, MCU, peripheral abstraction
• 2020 - What Exactly Determines the Type? Inferring Types with Context
  • Tags: context assisted type inference, stripped binaries, variable and type reconstruction, IDA Pro, Word2Vec, CNN,
• 2020 - Causal Testing: Understanding Defects’ Root Causes
  • Tags: Defects4J, causal relationships, Eclipse plugin, unit test mutation, program trace diffing, static value diffing, user study
• 2020 - AURORA: Statistical Crash Analysis for Automated Root Cause Explanation
  • Tags: RCA, program traces, input diversification, Intel PIN, Rust, CFG,
• 2020 - ParmeSan: Sanitizer-guided Greybox Fuzzing
  • Tags: interprocedural CFG, data flow analysis, directed fuzzing (DGF), disregarding 'hot paths', LAVA-M based primitives, LLVM, Angora, AFLGo, ASAP, santizer dependent
• 2020 - Magma: A Ground-Truth Fuzzing Benchmark
  • Tags: best practices, fuzzer benchmarking, ground truth, Lava-M
• 2020 - Fitness Guided Vulnerability Detection with Greybox Fuzzing
  • Tags: AFL, vuln specific fitness metric (headroom), buffer/integer overflow detection, AFLGo, pointer analysis, CIL, bad benchmarking
• 2020 - GREYONE: Data Flow Sensitive Fuzzing
  • Tags: data-flow fuzzing, taint-guided mutation, input prioritization, constraint conformance, REDQUEEN, good evaluation, VUzzer
• 2020 - FairFuzz-TC: a fuzzer targeting rare branches
  • Tags: AFL, required seeding, branch mask
• 2020 - Fitness Guided Vulnerability Detection with Greybox Fuzzing
  • Tags: AFL, vuln specific fitness metric (headroom), buffer/integer overflow detection, AFLGo, pointer analysis, CIL, bad evaluation
• 2020 - TOFU: Target-Oriented FUzzer
  • Tags: DGF, structured mutations, staged fuzzing/learning of cli args, target fitness, structure aware, Dijkstra for priority, AFLGo, Superion
• 2020 - FuZZan: Efficient Sanitizer Metadata Design for Fuzzing
  • Tags:: sanitizer metadata, optimization, ASAN, MSan, AFL
• 2020 - Boosting Fuzzer Efficiency: An Information Theoretic Perspective
  • Tags:: Shannon entropy, seed power schedule, libfuzzer, active SLAM, DGF, fuzzer efficiency
• 2020 - Learning Input Tokens for Effective Fuzzing
  • Tags: dynamic taint tracking, parser checks, magic bytes, creation of dict inputs for fuzzers
• 2020 - A Review of Memory Errors Exploitation in x86-64
  • Tags: NX, canaries, ASLR, new mitigations, mitigation evaluation, recap on memory issues
• 2020 - SoK: The Progress, Challenges, and Perspectives of Directed Greybox Fuzzing
  • Tags: SoK, directed grey box fuzzing, AFL, AFL mutation operators, DGF vs CGF
• 2020 - MemLock: Memory Usage Guided Fuzzing
  • Tags: memory consumption, AFL, memory leak, uncontrolled-recursion, uncontrolled-memory-allocation, static analysis
• 2019 - Matryoshka: Fuzzing Deeply Nested Branches
  • Tags: AFL, QSYM, Angora, path constraints, nested conditionals, (post) dominator trees, gradient descent, REDQUEEN, LAVA-M
• 2019 - Building Fast Fuzzers
  • Tags: grammar based fuzzing, optimization, bold claims, comparison to badly/non-optimized fuzzers, python, lots of micro-optimizations, nice protocolling of failures, bad ASM optimization
• 2019 - Not All Bugs Are the Same: Understanding, Characterizing, and Classifying the Root Cause of Bugs
  • Tags: RCA via bug reports, classification model, F score,
• 2019 - AntiFuzz: Impeding Fuzzing Audits of Binary Executables
  • Tags: anti fuzzing, prevent crashes, delay executions, obscure coverage information, overload symbolic execution
• 2019 - MOpt: Optimized Mutation Scheduling for Fuzzers
  • Tags: mutation scheduling, particle swarm optimization (PSO), AFL, AFL mutation operators, VUzzer,
• 2019 - FuzzFactory: Domain-Specific Fuzzing with Waypoints
  • Tags: domain-specific fuzzing, AFL, LLVM, solve hard constraints like cmp, find dynamic memory allocations, binary-based
• 2019 - Fuzzing File Systems via Two-Dimensional Input Space Exploration
  • Tags: Ubuntu, file systems, library OS, ext4, brtfs, meta block mutations, edge cases
• 2019 - REDQUEEN: Fuzzing with Input-to-State Correspondence
  • Tags: feedback-driven, AFL, magic-bytes, nested contraints, input-to-state correspondence, I2S
• 2019 - PeriScope: An Effective Probing and Fuzzing Framework for the Hardware-OS Boundary
  • Tags: kernel, android, userland, embedded, hardware, Linux, device driver, WiFi
• 2019 - FirmFuzz: Automated IoT Firmware Introspection and Analysis
  • Tags: emulation, firmadyne, BOF, XSS, CI, NPD, semi-automatic
• 2019 - Firm-AFL: High-Throughput Greybox Fuzzing of IoT Firmware via Augmented Process Emulation
  • Tags: emulation, qemu, afl, full vs user mode, syscall redirect, "augmented process emulation", firmadyne
• 2018 - A Survey of Automated Root Cause Analysisof Software Vulnerability
  • Tags: Exploit mitigations, fuzzing basics, symbolic execution basics, fault localization, high level
• 2018 - PhASAR: An Inter-procedural Static Analysis Framework for C/C++
  • Tags: LLVM, (inter-procedural) data-flow analysis, call-graph, points-to, class hierachy, CFG, IR
• 2018 - INSTRIM: Lightweight Instrumentation for Coverage-guided Fuzzing
  • Tags: LLVM, instrumentation optimization, graph algorithms, selective instrumentation, coverage calculation
• 2018 - What You Corrupt Is Not What You Crash: Challenges in Fuzzing Embedded Devices
  • Tags: embedded, challenges, heuristics, emulation, crash classification, fault detection
• 2018 - Evaluating Fuzz Testing
  • Tags: fuzzing evaluation, good practices, bad practices
• 2017 - Root Cause Analysis of Software Bugs using Machine Learning Techniques
  • Tags: ML, RC prediction for filed bug reports, unsupervised + supervised combination, RC categorisation, F score
• 2017 - kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels
  • Tags: intel PT, kernel, AFL, file systems, Windows, NTFS, Linux, ext, macOS, APFS, driver, feedback-driven
• 2016 - Driller: Argumenting Fuzzing Through Selective Symbolic Execution
  • Tags: DARPA, CGC, concolic execution, hybrid fuzzer, binary based
• 2015 - Challenges with Applying Vulnerability Prediction Models
  • Tags: VPM vs DPM, prediction models on large scale systems, files with frequent changes leave more vulns, older code exhibits more vulns
• 2014 - Optimizing Seed Selection for Fuzzing
  • Tags: BFF, (weighted) minset, peach, cover set problem, seed transferabilty, time minset, size minset, round robin
• 2013 - Automatic Recovery of Root Causes from Bug-Fixing Changes
  • Tags: ML + SCA, F score, AST, PPA, source tree analysis

Unread

Unread papers categorized by a common main theme.

General fuzzing implementations

• 2023 - Large Language Models are Edge-Case Fuzzers: Testing Deep Learning Libraries via FuzzGPT
• 2023 - SBFT Tool Competition 2023 - Fuzzing Track
• 2023 - CarpetFuzz: Automatic Program Option Constraint Extraction from Documentation for Fuzzing
• 2023 - Learning Seed-Adaptive Mutation Strategies for Greybox Fuzzing
• 2023 - Directed Greybox Fuzzing with Stepwise Constraint Focusing
• 2023 - Generation-based fuzzing? Don’t build a new generator, reuse!
• 2023 - RCABench: Open Benchmarking Platform for Root Cause Analysis
• 2023 - Arvin: Greybox Fuzzing Using Approximate Dynamic CFG Analysis
• 2023 - DAISY: Effective Fuzz Driver Synthesis with Object Usage Sequence Analysis
• 2023 - autofz: Automated Fuzzer Composition at Runtime
• 2023 - Towards Hybrid Fuzzing with Multi-level Coverage Tree and Reinforcement Learning in Greybox Fuzzing
• 2023 - Fuzzing, Symbolic Execution, and Expert Guidance for Better Testing
• 2023 - Fuzzing vs SBST: Intersections & Differences
• 2023 - Evaluating the Fork-Awareness of Coverage-Guided Fuzzers
• 2023 - Homo in Machina: Improving Fuzz Testing Coverage via Compartment Analysis
• 2023 - The fun in fuzzing - The debugging techniquie comes into its own
• 2023 - Reachable Coverage: Estimating Saturation in Fuzzing
• 2023 - A Seed Scheduling Method With a Reinforcement Learning for a Coverage Guided Fuzzing
• 2023 - SelectFuzz: Efficient Directed Fuzzing with Selective Path Exploration
• 2022 - Explainable Fuzzer Evaluation
• 2022 - Rare-Seed Generation for Fuzzing
• 2022 - How to Compare Fuzzers
• 2022 - Valkyrie: Improving Fuzzing Performance Through Deterministic Techniques
• 2022 - FUZZING DEEPER LOGIC WITH IMPEDING FUNCTION TRANSFORMATION
• 2022 - Alphuzz: Monte Carlo Search on Seed-Mutation Tree for Coverage-Guided Fuzzing
• 2022 - AutoGenD: fuzz driver generation for binary libraries without header files and symbol information
• 2022 - Mutation Optimization of Directional Fuzzing for Cumulative Defects
• 2022 - IMPROVING AFL++ CMPLOG: TACKLING THE BOTTLENECKS
• 2022 - One Fuzz Doesn’t Fit All: Optimizing Directed Fuzzing via Target-tailored Program State Restriction
• 2022 - POLYFUZZ: Holistic Greybox Fuzzing of Multi-Language Systems
• 2022 - Sydr-Fuzz: Continuous Hybrid Fuzzing and Dynamic Analysis for Security Development Lifecycle
• 2022 - Nimbus: Toward Speed Up Function Signature Recovery via Input Resizing and Multi-Task Learning
• 2022 - So Many Fuzzers, So Little Time
• 2022 - SLOPT: Bandit Optimization Framework for Mutation-Based Fuzzing
• 2022 - DriveFuzz: Discovering Autonomous Driving Bugs through Driving Quality-Guided Fuzzing
• 2022 - UltraFuzz: Towards Resource-saving in Distributed Fuzzing
• 2022 - Snappy: Efficient Fuzzing with Adaptive and Mutable Snapshots
• 2022 - FuzzerAid: Grouping Fuzzed Crashes Based On Fault Signatures
• 2022 - Automatically Seed Corpus and Fuzzing Executables Generation Using Test Framework
• 2022 - CAMFuzz: Explainable Fuzzing with Local Interpretation
• 2022 - Efficient Greybox Fuzzing to Detect Memory Errors
• 2022 - LibAFL: A Framework to Build Modular and Reusable Fuzzers
• 2022 - FishFuzz: Throwing Larger Nets to Catch Deeper Bugs
• 2022 - SYMSAN: Time and Space Efficient Concolic Execution via Dynamic Data-flow Analysis
• 2022 - AMSFuzz: An adaptive mutation schedule for fuzzing
• 2022 - FixReverter: A Realistic Bug Injection Methodology for Benchmarking Fuzz Testing
• 2022 - Multiple Targets Directed Greybox Fuzzing
• 2022 - Combining BMC and Fuzzing Techniques for Finding Software Vulnerabilities in Concurrent Programs
• 2022 - DocTer: Documentation-Guided Fuzzing for Testing Deep Learning API Functions
• 2022 - Obtaining Fuzzing Results with Different Timeouts
• 2022 - FASSFuzzer—An Automated Vulnerability Detection System for Android System Services
• 2022 - WindRanger: A Directed Greybox Fuzzer driven by Deviation Basic Blocks
• 2022 - Drifuzz: Harvesting Bugs in Device Drivers from Golden Seeds
• 2022 - GraphFuzz: Library API Fuzzing with Lifetime-aware Dataflow Graphs
• 2022 - AcoFuzz: Adaptive Energy Allocation for Greybox Fuzzing
• 2022 - TargetFuzz: Using DARTs to Guide Directed Greybox Fuzzers
• 2022 - Fast Fuzzing for Memory Errors
• 2022 - Stateful Greybox Fuzzing
• 2022 - Metamorphic Fuzzing of C++ Libraries
• 2022 - Effective Seed Scheduling for Fuzzing with Graph Centrality Analysis
• 2022 - Comparing Fuzzers on a Level Playing Field with FuzzBench
• 2022 - Vulnerability-oriented directed fuzzing for binary programs
• 2022 - An Improvement of AFL Based On The Function Call Depth
• 2022 - FuzzingDriver: the Missing Dictionary to Increase Code Coverage in Fuzzers
• 2022 - BeDivFuzz: Integrating Behavioral Diversity into Generator-based Fuzzing
• 2022 - One Fuzzing Strategy to Rule Them All
• 2022 - Grammars for Free: Toward Grammar Inference for Ad Hoc Parsers
• 2022 - Fuzzing Class Specifications
• 2022 - Mutation Analysis: Answering the Fuzzing Challenge
• 2022 - Ferry: State-Aware Symbolic Execution for Exploring State-Dependent Program Paths
• 2022 - BEACON : Directed Grey-Box Fuzzing with Provable Path Pruning
• 2022 - MORPHUZZ: Bending (Input) Space to Fuzz Virtual Devices
• 2021 - A parallel fuzzing method based on two-stage mutation
• 2021 - Better Pay Attention Whilst Fuzzing
• 2021 - Diar: Removing Uninteresting Bytes from Seeds in Software Fuzzing
• 2021 - Reducing Time-To-Fix For Fuzzer Bugs
• 2021 - Casr-Cluster: Crash Clustering for Linux Applications
• 2021 - Fuzzm: Finding Memory Bugs through Binary-Only Instrumentation and Fuzzing of WebAssembly
• 2021 - InstruGuard: Find and Fix Instrumentation Errors for Coverage-based Greybox Fuzzing
• 2021 - POSTER: OS Independent Fuzz Testing of I/O Boundary
• 2021 - HDBFuzzer–Target-oriented Hybrid Directed Binary Fuzzer
• 2021 - ovAFLow: Detecting Memory Corruption Bugs with Fuzzing-based Taint Inference
• 2021 - SyzScope: Revealing High-Risk Security Impacts of Fuzzer-Exposed Bugs in Linux kernel
• 2021 - SiliFuzz: Fuzzing CPUs by proxy
• 2021 - Same Coverage, Less Bloat: Accelerating Binary-only Fuzzing with Coverage-preserving Coverage-guided Tracing
• 2021 - Facilitating Parallel Fuzzing with Mutually-exclusive Task Distribution
• 2021 - PATA: Fuzzing with Path Aware Taint Analysis
• 2021 - BSOD: Binary-only Scalable fuzzing Of device Drivers
• 2021 - FuzzBench: An Open Fuzzer Benchmarking Platform and Service
• 2021 - My Fuzzer Beats Them All! Developing a Framework for Fair Evaluation and Comparison of Fuzzers
• 2021 - Scalable Fuzzing of Program Binaries with E9AFL
• 2021 - HyperFuzzer: An Efficient Hybrid Fuzzer for Virtual CPUs
• 2021 - BigMap: Future-proofing Fuzzers with Efficient Large Maps
• 2021 - Token-Level Fuzzing
• 2021 - Hashing Fuzzing: Introducing Input Diversity to Improve Crash Detection
• 2021 - LeanSym: Efficient Hybrid Fuzzing Through Conservative Constraint Debloating
• 2021 - ESRFuzzer: an enhanced fuzzing framework for physical SOHO router devices to discover multi-Type vulnerabilities
• 2021 - KCFuzz: Directed Fuzzing Based on Keypoint Coverage
• 2021 - TCP-Fuzz: Detecting Memory and Semantic Bugs in TCP Stacks with Fuzzing
• 2021 - Fuzzing with optimized grammar-aware mutation strategies
• 2021 - Directed Fuzzing for Use-After-FreeVulnerabilities Detection
• 2021 - DIFUZZRTL: Differential Fuzz Testing to FindCPU Bugs
• 2021 - Z-Fuzzer: device-agnostic fuzzing of Zigbee protocol implementation
• 2021 - Fuzzing with Multi-dimensional Control of Mutation Strategy
• 2021 - Using a Guided Fuzzer and Preconditions to Achieve Branch Coverage with Valid Inputs
• 2021 - RIFF: Reduced Instruction Footprint for Coverage-Guided Fuzzing
• 2021 - CoCoFuzzing: Testing Neural Code Models with Coverage-Guided Fuzzing
• 2021 - Seed Selection for Successful Fuzzing
• 2021 - Gramatron: Effective Grammar-Aware Fuzzing
• 2021 - Hyntrospect: a fuzzer for Hyper-V devices
• 2021 - FUZZOLIC: mixing fuzzing and concolic execution
• 2021 - QFuzz: Quantitative Fuzzing for Side Channels
• 2021 - Revizor: Fuzzing for Leaks in Black-box CPUs
• 2021 - Unleashing Fuzzing Through Comprehensive, Efficient, and Faithful Exploitable-Bug Exposing
• 2021 - Constraint-guided Directed Greybox Fuzzing
• 2021 - Test-Case Reduction and Deduplication Almost forFree with Transformation-Based Compiler Testing
• 2021 - RULF: Rust Library Fuzzing via API Dependency Graph Traversal
• 2021 - STOCHFUZZ: Sound and Cost-effective Fuzzing of Stripped Binaries by Incremental and Stochastic Rewriting
• 2021 - PS-Fuzz: Efficient Graybox Firmware Fuzzing Based on Protocol State
• 2021 - MuDelta: Delta-Oriented Mutation Testing at Commit Time
• 2021 - CollabFuzz: A Framework for Collaborative Fuzzing
• 2021 - MUTAGEN: Faster Mutation-Based Random Testing
• 2021 - Inducing Subtle Mutations with Program Repair
• 2021 - Differential Analysis of X86-64 Instruction Decoders
• 2021 - On Introducing Automatic Test Case Generation in Practice: A Success Story and Lessons Learned
• 2021 - A Priority Based Path Searching Method for Improving Hybrid Fuzzing
• 2021 - IntelliGen: Automatic Driver Synthesis for Fuzz Testing
• 2021 - icLibFuzzer: Isolated-context libFuzzer for Improving Fuzzer Comparability
• 2021 - SN4KE: Practical Mutation Testing at Binary Level
• 2021 - One Engine to Fuzz ’em All: Generic Language Processor Testing with Semantic Validation
• 2021 - Growing A Test Corpus with Bonsai Fuzzing
• 2021 - Fuzzing Symbolic Expressions
• 2021 - JMPscare: Introspection for Binary-Only Fuzzing
• 2021 - An Improved Directed Grey-box Fuzzer
• 2021 - A Binary Protocol Fuzzing Method Based on SeqGAN
• 2021 - Refined Grey-Box Fuzzing with Sivo
• 2021 - PSOFuzzer: A Target-Oriented Software Vulnerability Detection Technology Based on Particle Swarm Optimization
• 2021 - MooFuzz: Many-Objective Optimization Seed Schedule for Fuzzer
• 2021 - CMFuzz: context-aware adaptive mutation for fuzzers
• 2021 - GTFuzz: Guard Token Directed Grey-Box Fuzzing
• 2021 - ProFuzzBench: A Benchmark for Stateful Protocol Fuzzing
• 2021 - SymQEMU:Compilation-based symbolic execution for binaries
• 2021 - CONCOLIC EXECUTION TAILORED FOR HYBRID FUZZING THESIS
• 2021 - Breaking Through Binaries: Compiler-quality Instrumentationfor Better Binary-only Fuzzing
• 2021 - AlphaFuzz: Evolutionary Mutation-based Fuzzing as Monte Carlo Tree Search
• 2020 - Fuzzing with Fast Failure Feedback
• 2020 - LAFuzz: Neural Network for Efficient Fuzzing
• 2020 - MaxAFL: Maximizing Code Coverage with a Gradient-Based Optimization Technique
• 2020 - Program State Abstraction for Feedback-Driven Fuzz Testing using Likely Invariants
• 2020 - PMFuzz: Test Case Generation for Persistent Memory Programs
• 2020 - FuSeBMC: A White-Box Fuzzer for Finding Security Vulnerabilities in C Programs
• 2020 - Integrity: Finding Integer Errors by Targeted Fuzzing
• 2020 - ConFuzz: Coverage-guided Property Fuzzing for Event-driven Programs
• 2020 - AFLTurbo: Speed up Path Discovery for Greybox Fuzzing
• 2020 - Fuzzing Channel-Based Concurrency Runtimes using Types and Effects
• 2020 - DeFuzz: Deep Learning Guided Directed Fuzzing
• 2020 - CrFuzz: Fuzzing Multi-purpose Programs through InputValidation
• 2020 - EPfuzzer: Improving Hybrid Fuzzing with Hardest-to-reach Branch Prioritization
• 2020 - Fuzzing Based on Function Importance by Attributed Call Graph
• 2020 - UNIFUZZ: A Holistic and Pragmatic Metrics-Driven Platform for Evaluating Fuzzers
• 2020 - PathAFL: Path-Coverage Assisted Fuzzing
• 2020 - Path Sensitive Fuzzing for Native Applications
• 2020 - UniFuzz: Optimizing Distributed Fuzzing via Dynamic Centralized Task Scheduling
• 2020 - Fuzzing Error Handling Code using Context-Sensitive Software Fault Injection
• 2020 - SpecFuzz: Bringing Spectre-type vulnerabilities to the surface
• 2020 - Zeror: Speed Up Fuzzing with Coverage-sensitive Tracing and Scheduling
• 2020 - MUZZ: Thread-aware Grey-box Fuzzing for Effective Bug Hunting in Multithreaded Programs
• 2020 - Evolutionary Grammar-Based Fuzzing
• 2020 - AFLpro: Direction sensitive fuzzing
• 2020 - CSI-Fuzz: Full-speed Edge Tracing Using Coverage Sensitive Instrumentation
• 2020 - Scalable Greybox Fuzzing for Effective Vulnerability Management DISS
• 2020 - HotFuzz Discovering Algorithmic Denial-of-Service Vulnerabilities through Guided Micro-Fuzzing
• 2020 - Fuzzing Binaries for Memory Safety Errors with QASan
• 2020 - Suzzer: A Vulnerability-Guided Fuzzer Based on Deep Learning
• 2020 - IJON: Exploring Deep State Spaces via Fuzzing
• 2020 - Binary-level Directed Fuzzing for Use-After-Free Vulnerabilities
• 2020 - PANGOLIN: Incremental Hybrid Fuzzing with Polyhedral Path Abstraction
• 2020 - UEFI Firmware Fuzzing with Simics Virtual Platform
• 2020 - Typestate-Guided Fuzzer for Discovering Use-after-Free Vulnerabilities
• 2020 - FuzzGuard: Filtering out Unreachable Inputs in Directed Grey-box Fuzzing through Deep Learning
• 2020 - HyDiff: Hybrid Differential Software Analysis
• 2019 - Engineering a Better Fuzzer with SynergicallyIntegrated Optimizations
• 2019 - Superion: Grammar-Aware Greybox Fuzzing
• 2019 - ProFuzzer: On-the-fly Input Type Probing for Better Zero-day Vulnerability Discovery
• 2019 - Grimoire: Synthesizing Structure while Fuzzing
• 2019 - Ptrix: Efficient Hardware-Assisted Fuzzing for COTS Binary
• 2019 - SAVIOR: Towards Bug-Driven Hybrid Testing
• 2019 - FUDGE: Fuzz Driver Generation at Scale
• 2019 - NAUTILUS: Fishing for Deep Bugs with Grammars
• 2019 - Send Hardest Problems My Way: Probabilistic Path Prioritization for Hybrid Fuzzing
• 2019 - EnFuzz: Ensemble Fuzzing with Seed Synchronization among Diverse Fuzzers
• 2018 - Fuzz Testing in Practice: Obstacles and Solutions
• 2018 - PAFL: Extend Fuzzing Optimizations of Single Mode to Industrial Parallel Mode
• 2018 - PTfuzz: Guided Fuzzing with Processor Trace Feedback
• 2018 - Angora: Efficient Fuzzing by Principled Search
• 2018 - FairFuzz: A Targeted Mutation Strategy for Increasing Greybox Fuzz Testing Coverage
• 2018 - NEUZZ: Efficient Fuzzing with Neural Program Smoothing
• 2018 - CollAFL: path Sensitive Fuzzing
• 2018 - Full-speed Fuzzing: Reducing Fuzzing Overhead through Coverage-guided Tracing
• 2018 - QSYM: A Practical Concolic Execution Engine Tailored for Hybrid Fuzzing
• 2018 - Coverage-based Greybox Fuzzing as Markov Chain
• 2018 - MoonShine: Optimizing OS Fuzzer Seed Selection with Trace Distillation
• 2018 - Singularity: Pattern Fuzzing for Worst Case Complexity
• 2018 - Smart Greybox Fuzzing
• 2018 - Hawkeye: Towards a Desired Directed Grey-box Fuzzer
• 2018 - PerfFuzz: Automatically Generating Pathological Inputs
• 2018 - FairFuzz: A Targeted Mutation Strategy for Increasing Greybox Fuzz Testing Coverage
• 2018 - Enhancing Memory Error Detection forLarge-Scale Applications and Fuzz Testing
• 2018 - T-Fuzz: fuzzing by program transformation
• 2017 - Evaluating and improving fault localization
• 2017 - IMF: Inferred Model-based Fuzzer
• 2017 - Synthesizing Program Input Grammars
• 2017 - Stateful Fuzzing of Wireless Device Drivers in an Emulated Environment
• 2017 - Steelix: Program-State Based Binary Fuzzing
• 2017 - Designing New Operating Primitives to ImproveFuzzing Performance
• 2017 - VUzzer: Application-aware Evolutionary Fuzzing
• 2017 - DIFUZE: Interface Aware Fuzzing for Kernel Drivers
• 2017 - Instruction Punning: Lightweight Instrumentation for x86-64
• 2017 - Designing New Operating Primitives to Improve Fuzzing Performance
• 2014 - A Large-Scale Analysis of the Security of Embedded Firmwares
• 2013 - Scheduling Black-box Mutational Fuzzing
• 2013 - Dowsing for Overflows: A Guided Fuzzer to Find Buffer Boundary Violations
• 2013 - RPFuzzer: A Framework for Discovering Router Protocols Vulnerabilities Based on Fuzzing
• 2011 - Offset-Aware Mutation based Fuzzing for Buffer Overflow Vulnerabilities: Few Preliminary Results
• 2010 - TaintScope: A Checksum-Aware Directed Fuzzing Tool for Automatic Software Vulnerability Detection
• 2009 - Taint-based Directed Whitebox Fuzzing
• 2009 - Dynamic Test Generation To Find Integer Bugs in x86 Binary Linux Programs
• 2008 - Grammar-based Whitebox Fuzzing
• 2008 - Vulnerability Analysis for X86 Executables Using Genetic Algorithm and Fuzzing
• 2008 - Fuzzing Wi-Fi Drivers to Locate Security Vulnerabilities
• 2008 - KLEE: Unassisted and Automatic Generation of High-Coverage Tests for Complex Systems Programs
• 2008 - Automated Whitebox Fuzz Testing
• 2005 - DART: Directed Automated Random Testing
• 1994 - Dominators, Super Blocks, and Program Coverage

IoT fuzzing

• 2023 - Icicle: A Re-Designed Emulator for Grey-Box Firmware Fuzzing
• 2022 - FirmSolo: Enabling dynamic analysis of binary Linux-based IoT kernel modules
• 2022 - FuzzDocs: An Automated Security Evaluation Framework for IoT
• 2022 - AflIot: Fuzzing on linux-based IoT device with binary-level instrumentation
• 2022 - Tardis: Coverage-Guided Embedded Operating System Fuzzing
• 2022 - Efficient greybox fuzzing of applications in Linux-based IoT devices via enhanced user-mode emulation
• 2022 - Trampoline Over the Air: Breaking in IoT Devices Through MQTT Brokers
• 2022 - PDFuzzerGen: Policy-Driven Black-Box Fuzzer Generation for Smart Devices
• 2022 - RW-Fuzzer: A Fuzzing Method for Vulnerability Mining on Router Web Interface
• 2022 - IoTInfer: Automated Blackbox Fuzz Testing of IoT Network Protocols Guided by Finite State Machine Inference
• 2022 - Debugger-driven Embedded Fuzzing
• 2022 - Game of Hide-and-Seek: Exposing Hidden Interfaces in Embedded Web Applications of IoT Devices
• 2022 - 𝜇AFL: Non-intrusive Feedback-driven Fuzzing for Microcontroller Firmware
• 2022 - FirVer: Concolic Testing for Systematic Validation of Firmware Binaries
• 2022 - Fuzzware: Using Precise MMIO Modeling for Effective Firmware Fuzzing
• 2021 - CPscan: Detecting Bugs Caused by Code Pruning in IoT Kernels
• 2021 - An Efficient Feedback-enhanced Fuzzing Scheme for Linux-based IoT Firmwares
• 2021 - A Fuzzing Method for Embedded Software
• 2021 - Large-scale Firmware Vulnerability Analysis Based on Code Similarity
• 2021 - Towards Fast and Scalable Firmware Fuzzing with Dual-Level Peripheral Modeling
• 2021 - Riding the IoT Wave with VFuzz: Discovering Security Flaws in Smart Home
• 2021 - Zero WFuzzer: Target-Oriented Fuzzing for Web Interface of Embedded Devices
• 2021 - StFuzzer: Contribution-Aware Coverage-Guided Fuzzing for Smart Devices
• 2021 - Rtkaller: State-aware Task Generation for RTOS Fuzzing
• 2021 - IFIZZ: Deep-State and Efficient Fault-Scenario Generation to Test IoT Firmware
• 2021 - Automatic Vulnerability Detection in Embedded Devices and Firmware: Survey and Layered Taxonomies
• 2021 - Fuzzing the Internet of Things: A Review on the Techniques and Challenges for Efficient Vulnerability Discovery in Embedded Systems
• 2021 - FIRM-COV: High-Coverage Greybox Fuzzing for IoT Firmware via Optimized Process Emulation
• 2020 - Verification of Embedded Software Binaries using Virtual Prototypes
• 2020 - μSBS: Static Binary Sanitization of Bare-metal Embedded Devices forFault Observability
• 2020 - Device-agnostic Firmware Execution is Possible: A Concolic Execution Approach for Peripheral Emulation
• 2020 - Vulnerability Detection in SIoT Applications: A Fuzzing Method on their Binaries
• 2020 - FirmAE: Towards Large-Scale Emulation of IoT Firmware forDynamic Analysis
• 2020 - FIRMNANO: Toward IoT Firmware Fuzzing Through Augmented Virtual Execution
• 2020 - ARM-AFL: Coverage-Guided Fuzzing Framework for ARM-Based IoT Devices
• 2020 - Bug detection in embedded environments by fuzzing and symbolic execution
• 2020 - FirmXRay: Detecting Bluetooth Link Layer Vulnerabilities From Bare-Metal Firmware
• 2020 - EM-Fuzz: Augmented Firmware Fuzzing via Memory Checking
• 2020 - Verification of Embedded Binaries using Coverage-guided Fuzzing with System C-based Virtual Prototypes
• 2020 - DICE: Automatic Emulation of DMA Input Channels for Dynamic Firmware Analysis
• 2020 - Fw‐fuzz: A code coverage‐guided fuzzing framework for network protocols on firmware
• 2020 - Taint-Driven Firmware Fuzzing of Embedded Systems
• 2020 - A Dynamic Instrumentation Technology for IoT Devices
• 2020 - Vulcan: a state-aware fuzzing tool for wear OS ecosystem
• 2020 - A Novel Concolic Execution Approach on Embedded Device
• 2020 - HFuzz: Towards automatic fuzzing testing of NB-IoT core network protocols implementations
• 2020 - FIRMCORN: Vulnerability-Oriented Fuzzing of IoT Firmware via Optimized Virtual Execution
• 2018 - IoTFuzzer: Discovering Memory Corruptions in IoT Through App-based Fuzzing
• 2017 - Towards Automated Dynamic Analysis for Linux-based Embedded Firmware
• 2016 - Scalable Graph-based Bug Search for Firmware Images
• 2015 - SURROGATES: Enabling Near-Real-Time Dynamic Analyses of Embedded Systems
• 2015 - Firmalice - Automatic Detection of Authentication Bypass Vulnerabilities in Binary Firmware
• 2014 - A Large-Scale Analysis of the Security of Embedded Firmwares
• 2013 - RPFuzzer: A Framework for Discovering Router Protocols Vulnerabilities Based on Fuzzing

Firmware Emulation

• 2022 - What You See is Not What You Get: Revealing Hidden Memory Mapping for Peripheral Modeling
• 2022 - What Your Firmware Tells You Is Not How You Should Emulate It: A Specification-Guided Approach for Firmware Emulation (Extended Version)
• 2022 - BEERR: Bench of Embedded system Experiments for Reproducible Research
• 2022 - FIRMWIRE: Transparent Dynamic Analysis for Cellular Baseband Firmware
• 2022 - An Automated Approach to Re-Hosting Embedded Firmware Through Removing Hardware Dependencies
• 2021 - FIRMGUIDE: Boosting the Capability of Rehosting Embedded Linux Kernels through Model-Guided Kernel Execution
• 2021 - Automatic Firmware Emulation through Invalidity-guided Knowledge Inference(Extended Version)
• 2021 - Firmware Re-hosting Through Static Binary-level Porting
• 2021 - Jetset: Targeted Firmware Rehosting for Embedded Systems
• 2021 - Automatic Firmware Emulation through Invalidity-guided Knowledge Inference

Network fuzzing

• 2023 - INTENDER: Fuzzing Intent-Based Networking with Intent-State Transition Guidance
• 2023 - NSFuzz: Towards Eficient and State-Aware Network Service Fuzzing
• 2022 - FitM: Binary-Only Coverage-Guided Fuzzing for Stateful Network Protocols
• 2022 - WThreadAFL:Deterministic Greybox Fuzzing for Multi-threadNetwork Servers
• 2022 - Model-Based Grey-Box Fuzzing of Network Protocols
• 2022 - Registered Report: NSFuzz: Towards Efficient and State-Aware Network Service Fuzzing
• 2022 - SnapFuzz: An Efficient Fuzzing Framework for Network Applications
• 2022 - REST API Fuzzing by Coverage Level Guided Blackbox Testing
• 2022 - SNPSFuzzer: A Fast Greybox Fuzzer for Stateful Network Protocols using Snapshots
• 2022 - WAFL: Binary-Only WebAssembly Fuzzing with Fast Snapshots
• 2021 - Nyx-Net: Network Fuzzing with Incremental Snapshots
• 2021 - RapidFuzz: Accelerating Fuzzing via Generative Adversarial Networks
• 2021 - StateAFL: Greybox Fuzzing for Stateful Network Servers
• 2020 - AFLNET: A Greybox Fuzzer for Network Protocols
• 2020 - Finding Security Vulnerabilities in Network Protocol Implementations

Kernel fuzzing

• 2023 - KextFuzz: Fuzzing macOS Kernel EXTensions on Apple Silicon via Exploiting Mitigations
• 2023 - BoKASAN: Binary-only Kernel Address Sanitizer for Effective Kernel Fuzzing
• 2023 - DDRace: Finding Concurrency UAF Vulnerabilities in Linux Drivers with Directed Fuzzing
• 2023 - Towards Unveiling Exploitation Potential With Multiple Error Behaviors for Kernel Bugs
• 2023 - No Grammar, No Problem: Towards Fuzzing the Linux Kernel without System-Call Descriptions
• 2022 - PrIntFuzz: fuzzing Linux drivers via automated virtual device simulation
• 2022 - KSG: Augmenting Kernel Fuzzing with System Call Specification Generation
• 2022 - Demystifying the Dependency Challenge in Kernel Fuzzing
• 2022 - Midas: Systematic Kernel TOCTTOU Protection
• 2021 - Evaluating Code Coverage for Kernel Fuzzers via Function Call Graph
• 2021 - ACHyb: a hybrid analysis approach to detect kernel access control vulnerabilities
• 2021 - CVFuzz: Detecting complexity vulnerabilities in OpenCL kernels via automated pathological input generation
• 2021 - HEALER: Relation Learning Guided Kernel Fuzzing
• 2021 - SyzVegas: Beating Kernel Fuzzing Odds with Reinforcement Learning
• 2021 - NTFUZZ: Enabling Type-Aware Kernel Fuzzing on Windows with Static Binary Analysis
• 2021 - Undo Workarounds for Kernel Bugs
• 2020 - A Hybrid Interface Recovery Method for Android Kernels Fuzzing
• 2020 - FINDING RACE CONDITIONS IN KERNELS:FROM FUZZING TO SYMBOLIC EXECUTION - THESIS
• 2020 - Agamotto: Accelerating Kernel Driver Fuzzing with Lightweight Virtual Machine Checkpoints
• 2020 - X-AFL: a kernel fuzzer combining passive and active fuzzing
• 2020 - Identification of Kernel Memory Corruption Using Kernel Memory Secret Observation Mechanism
• 2020 - HFL: Hybrid Fuzzing on the Linux Kernel
• 2020 - Realistic Error Injection for System Calls
• 2020 - KRACE: Data Race Fuzzing for Kernel File Systems
• 2020 - USBFuzz: A Framework for Fuzzing USB Drivers by Device Emulation
• 2019 - Fuzzing File Systems via Two-Dimensional Input Space Exploration
• 2019 - Razzer: Finding Kernel Race Bugs through Fuzzing
• 2019 - Unicorefuzz: On the Viability of Emulation for Kernel space Fuzzing
• 2017 - Stateful Fuzzing of Wireless Device Drivers in an Emulated Environment
• 2017 - DIFUZE: Interface Aware Fuzzing for Kernel Drivers
• 2008 - Fuzzing Wi-Fi Drivers to Locate Security Vulnerabilities

Format specific fuzzing

• 2023 - MorFuzz: Fuzzing Processor via Runtime Instruction Morphing enhanced Synchronizable Co-simulation
• 2023 - EFCF: High Performance Smart Contract Fuzzing for Exploit Generation
• 2023 - ODDFUZZ: Discovering Java Deserialization Vulnerabilities via Structure-Aware Directed Greybox Fuzzing
• 2023 - VIDEZZO: Dependency-aware Virtual Device Fuzzing
• 2023 - HyPFuzz: Formal-Assisted Processor Fuzzing
• 2023 - FUZZILLI: Fuzzing for JavaScript JIT Compiler Vulnerabilities
• 2022 - SFuzz: Slice-based Fuzzing for Real-Time Operating Systems
• 2022 - LFUZZ: Exploiting Locality for File-system Fuzzing
• 2022 - MUNDOFUZZ: Hypervisor Fuzzing with Statistical Coverage Testing and Grammar Inference
• 2022 - DTLS-Fuzzer: A DTLS Protocol State Fuzzer
• 2022 - FuzzUSB: Hybrid Stateful Fuzzing of USB Gadget Stacks
• 2022 - TheHuzz: Instruction Fuzzing of Processors Using Golden-Reference Models for Finding Software-Exploitable Vulnerabilities
• 2021 - V-Shuttle: Scalable and Semantics-Aware Hypervisor Virtual Device Fuzzing
• 2021 - FormatFuzzer: Effective Fuzzing of Binary File Formats
• 2020 - NYX: Greybox Hypervisor Fuzzing using Fast Snapshots and Affine Types
• 2020 - Tree2tree Structural Language Modeling for Compiler Fuzzing
• 2020 - Detecting Critical Bugs in SMT Solvers Using Blackbox Mutational Fuzzing
• 2020 - JS Engine - Montage: A Neural Network Language Model-Guided JavaScript Engine Fuzzer
• 2020 - JS Engine - Fuzzing JavaScript Engines with Aspect-preserving Mutation
• 2020 - CUDA Compiler - CUDAsmith: A Fuzzer for CUDA Compilers
• 2020 - Smart Contracts - sFuzz: An Efficient Adaptive Fuzzer for Solidity Smart Contracts
• 2019 - Compiler Fuzzing: How Much Does It Matter?
• 2019 - Smart Contracts - Harvey: A Greybox Fuzzer for Smart Contracts
• 2017 - XML - Skyfire: Data-Driven Seed Generation for Fuzzing

Exploitation

• 2023 - Automated Exploitable Heap Layout Generation for Heap Overflows Through Manipulation Distance-Guided Fuzzing
• 2023 - The Most Dangerous Codec in the World: Finding and Exploiting Vulnerabilities in H.264 Decoders
• 2023 - Detecting Exploit Primitives Automatically for Heap Vulnerabilities on Binary Programs
• 2022 - RiscyROP: Automated Return-Oriented Programming Attacks on RISC-V and ARM64
• 2022 - Automatic Permission Check Analysis for Linux Kernel
• 2022 - OS-Aware Vulnerability Prioritization via Differential Severity Analysis
• 2022 - Arbiter: Bridging the Static and Dynamic Divide in Vulnerability Discovery on Binary Programs
• 2022 - KASPER: Scanning for Generalized Transient Execution Gadgets in the Linux Kernel
• 2022 - MaMaDroid 2.0 - The Holes of control flow graphs
• 2022 -ShadowHeap: Memory Safety through Efficient Heap Metadata Validation
• 2022 - MACH2: System for Root Cause Analysis of Kernel Vulnerabilities [THESIS]
• 2021 - Automated Bug Hunting With Data-Driven Symbolic Root Cause Analysis
• 2021 - MAJORCA: Multi-Architecture JOP and ROP Chain Assembler
• 2021 - A Novel Method for the Automatic Generation of JOP Chain Exploits
• 2021 - V0Finder: Discovering the Correct Origin of Publicly Reported Software Vulnerabilities
• 2021 - Identifying Valuable Pointers in Heap Data
• 2021 - OCTOPOCS: Automatic Verification of Propagated Vulnerable Code Using Reformed Proofs of Concept
• 2021 - Characterizing Vulnerabilities in a Major Linux Distribution
• 2021 - MAZE: Towards Automated Heap Feng Shui
• 2021 - Vulnerability Detection in C/C++ Source Code With Graph Representation Learning
• 2021 - mallotROPism: a metamorphic engine for malicious software variation development
• 2020 - Automatic Techniques to Systematically Discover New Heap Exploitation Primitives
• 2020 - Shadow-Heap: Preventing Heap-based Memory Corruptions by Metadata Validation
• 2020 - Practical Fine-Grained Binary Code Randomization
• 2020 - Tiny-CFA: Minimalistic Control-Flow Attestation UsingVerified Proofs of Execution
• 2020 - Greybox Automatic Exploit Generation for Heap Overflows in Language Interpreters - PHD THESIS
• 2020 - ABCFI: Fast and Lightweight Fine-Grained Hardware-Assisted Control-Flow Integrity
• 2020 - HeapExpo: Pinpointing Promoted Pointers to Prevent Use-After-Free Vulnerabilities
• 2020 - Localizing Patch Points From One Exploit
• 2020 - Speculative Dereferencing of Registers: Reviving Foreshadow
• 2020 - HAEPG: An Automatic Multi-hop Exploitation Generation Framework
• 2020 - Exploiting More Binaries by Using Planning to Assemble ROP Exploiting More Binaries by Using Planning to Assemble ROP Attacks Attacks
• 2020 - ROPminer: Learning-Based Static Detection of ROP Chain Considering Linkability of ROP Gadgets
• 2020 - KOOBE: Towards Facilitating Exploit Generation of Kernel Out-Of-Bounds Write Vulnerabilities
• 2020 - Preventing Return Oriented Programming Attacks By Preventing Return Instruction Pointer Overwrites
• 2020 - KASLR: Break It, Fix It, Repeat
• 2020 - ShadowGuard : Optimizing the Policy and Mechanism of Shadow Stack Instrumentation using Binary Static Analysis
• 2020 - VulHunter: An Automated Vulnerability Detection System Based on Deep Learning and Bytecode
• 2020 - Analysis and Evaluation of ROPInjector
• 2020 - API Misuse Detection in C Programs: Practice on SSL APIs
• 2020 - KOOBE: Towards Facilitating Exploit Generation of Kernel Out-Of-Bounds Write Vulnerabilities
• 2020 - Egalito: Layout-Agnostic Binary Recompilation
• 2020 - Verifying Software Vulnerabilities in IoT Cryptographic Protocols
• 2020 - μRAI: Securing Embedded Systems with Return Address Integrity
• 2020 - Preventing Return Oriented Programming Attacks By Preventing Return Instruction Pointer Overwrites
• 2019 - Kernel Protection Against Just-In-Time Code Reuse
• 2019 - Kernel Exploitation Via Uninitialized Stack
• 2019 - KEPLER: Facilitating Control-flow Hijacking Primitive Evaluation for Linux Kernel Vulnerabilities
• 2019 - SLAKE: Facilitating Slab Manipulation for Exploiting Vulnerabilities in the Linux Kernel
• 2018 - HeapHopper: Bringing Bounded Model Checkingto Heap Implementation Security
• 2018 - K-Miner: Uncovering Memory Corruption in Linux
• 2017 - HAIT: Heap Analyzer with Input Tracing
• 2017 - DROP THE ROP: Fine-grained Control-flow Integrity for the Linux Kernel
• 2017 - kR^X: Comprehensive Kernel Protection against Just-In-Time Code Reuse
• 2017 - Unleashing Use-Before-Initialization Vulnerabilities in the Linux Kernel Using Targeted Stack Spraying
• 2017 - Towards Automated Dynamic Analysis for Linux-based Embedded Firmware
• 2016 - Scalable Graph-based Bug Search for Firmware Images
• 2015 - Cross-Architecture Bug Search in Binary Executables
• 2015 - SURROGATES: Enabling Near-Real-Time Dynamic Analyses of Embedded Systems
• 2015 - From Collision To Exploitation: Unleashing Use-After-Free Vulnerabilities in Linux Kernel
• 2015 - PIE: Parser Identification in Embedded Systems
• 2014 - ret2dir: Rethinking Kernel Isolation
• 2014 - Make It Work, Make It Right, Make It Fast: Building a Platform-Neutral Whole-System Dynamic Binary Analysis Platform
• 2012 - Anatomy of a Remote Kernel Exploit
• 2012 - A Heap of Trouble: Breaking the LinuxKernel SLOB Allocator
• 2011 - Linux kernel vulnerabilities: state-of-the-art defenses and open problems
• 2011 - Protecting the Core: Kernel Exploitation Mitigations
• 2015 - From Collision To Exploitation: Unleashing Use-After-Free Vulnerabilities in Linux Kernel
• 2014 - ret2dir: Rethinking Kernel Isolation
• 2012 - Anatomy of a Remote Kernel Exploit
• 2012 - A Heap of Trouble: Breaking the Linux Kernel SLOB Allocator
• 2011 - Linux kernel vulnerabilities: state-of-the-art defenses and open problems
• 2011 - Protecting the Core: Kernel Exploitation Mitigations

Static Binary Analysis

• 2021 - ICALLEE: Recovering Call Graphs for Binaries
• 2021 - EnBinDiff: Identifying Data-only Patches for Binaries
• 2021 - VIVA: Binary Level Vulnerability Identification via Partial Signature
• 2021 - Overview of the advantages and disadvantages of static code analysis tools
• 2021 - Multi-Level Cross-Architecture Binary Code Similarity Metric
• 2020 - VulDetector: Detecting Vulnerabilities using Weighted Feature Graph Comparison
• 2020 - DEEPBINDIFF: Learning Program-Wide Code Representations for Binary Diffing
• 2020 - BinDeep: A Deep Learning Approach to Binary Code Similarity Detection
• 2020 - Revisiting Binary Code Similarity Analysis using Interpretable Feature Engineering and Lessons Learned
• 2020 - iDEA: Static Analysis on the Security of Apple Kernel Drivers
• 2020 - HART: Hardware-Assisted Kernel Module Tracing on Arm
• 2020 - AN APPROACH TO COMPARING CONTROL FLOW GRAPHS BASED ON BASIC BLOCK MATCHING
• 2020 - How Far We Have Come: Testing Decompilation Correctness of C Decompilers
• 2020 - Dynamic Binary Lifting and Recompilation DISS
• 2020 - Similarity Based Binary Backdoor Detection via Attributed Control Flow Graph
• 2020 - IoTSIT: A Static Instrumentation Tool for IoT Devices
• 2019 - Code Similarity Detection using AST and Textual Information
• 2018 - CodEX: Source Code Plagiarism DetectionBased on Abstract Syntax Trees
• 2017 - rev.ng: a unified binary analysis framework to recover CFGs and function boundaries
• 2017 - Angr: The Next Generation of Binary Analysis
• 2016 - Binary code is not easy
• 2015 - Cross-Architecture Bug Search in Binary Executables
• 2014 - A platform for secure static binary instrumentation
• 2013 - MIL: A language to build program analysis tools through static binary instrumentation
• 2013 - Binary Code Analysis
• 2013 - A compiler-level intermediate representation based binary analysis and rewriting system
• 2013 - Protocol reverse engineering through dynamic and static binary analysis
• 2013 - BinaryPig: Scalable Static Binary Analysis Over Hadoop
• 2011 - BAP: A Binary Analysis Platform
• 2009 - Syntax tree fingerprinting for source code similarity detection
• 2008 - BitBlaze: A New Approach to Computer Security via Binary Analysis
• 2005 - Practical analysis of stripped binary code
• 2004 - Detecting kernel-level rootkits through binary analysis

Misc

• 2023 - MTSan: A Feasible and Practical Memory Sanitizer for Fuzzing COTS Binaries
• 2023 - ARMore: Pushing Love Back Into Binaries
• 2023 - gMutant: A gCov based Mutation Testing Analyser
• 2022 - Auto Off-Target: Enabling Thorough and Scalable Testing for Complex Software Systems
• 2022 - GRIN: Make Rewriting More Precise
• 2022 - CFINSIGHT: A Comprehensive Metric for CFI Policies
• 2022 - Odin: On-Demand Instrumentation with On-the-Fly Recompilation
• 2022 - Debloating Address Sanitizer
• 2021 - FMViz: Visualizing Tests Generated by AFL at the Byte-level
• 2021 - Raising MIPS Binaries to LLVM IR
• 2021 - yzGen: Automated Generation of Syscall Specification of Closed-Source macOS Drivers
• 2021 - Igor: Crash Deduplication Through Root-Cause Clustering
• 2021 - UAFSan: an object-identifier-based dynamic approach for detecting use-after-free vulnerabilities
• 2021 - SyML: Guiding Symbolic Execution Toward Vulnerable States Through Pattern Learning
• 2021 - LLSC: A Parallel Symbolic Execution Compiler for LLVM IR
• 2021 - FuzzSplore: Visualizing Feedback-Driven Fuzzing Techniques
• 2020 - Memory Error Detection Based on Dynamic Binary Translation
• 2020 - Sydr: Cutting Edge Dynamic Symbolic Execution
• 2020 - DrPin: A dynamic binary instumentator for multiple processor architectures
• 2020 - MVP: Detecting Vulnerabilities using Patch-Enhanced Vulnerability Signatures
• 2020 - Collecting Vulnerable Source Code from Open-Source Repositories for Dataset Generation
• 2020 - LEOPARD: Identifying Vulnerable Code for Vulnerability Assessment through Program Metrics
• 2020 - Dynamic Program Analysis Tools in GCC and CLANG Compilers
• 2020 - On Using k-means Clustering for Test Suite Reduction
• 2020 - Optimizing the Parameters of an Evolutionary Algorithm for Fuzzing and Test Data Generation
• 2020 - Inputs from Hell: Learning Input Distributions for Grammar-Based Test Generation
• 2020 - IdSan: An identity-based memory sanitizer for fuzzing binaries
• 2020 - An experimental study oncombining automated andstochastic test data generation - MASTER THESIS
• 2020 - FuzzGen: Automatic Fuzzer Generation
• 2020 - Fuzzing: On the Exponential Cost of Vulnerability Discovery
• 2020 - Poster: Debugging Inputs
• 2020 - API Misuse Detection in C Programs: Practice on SSL APIs
• 2020 - Egalito: Layout-Agnostic Binary Recompilation
• 2020 - Verifying Software Vulnerabilities in IoT Cryptographic Protocols
• 2020 - μRAI: Securing Embedded Systems with Return Address Integrity
• 2020 - Fast Bit-Vector Satisfiability
• 2020 - MARDU: Efficient and Scalable Code Re-randomization
• 2020 - Towards formal verification of IoT protocols: A Review
• 2020 - Automating the fuzzing triage process
• 2020 - COMPARING AFL SCALABILITY IN VIRTUAL-AND NATIVE ENVIRONMENT
• 2020 - SYMBION: Interleaving Symbolic with Concrete Execution
• 2020 - Not All Coverage Measurements Are Equal: Fuzzing by Coverage Accounting for Input Prioritization
• 2019 - Toward the Analysis of Embedded Firmware through Automated Re-hosting
• 2019 - FUZZIFICATION: Anti-Fuzzing Techniques
• 2018 - VulinOSS: A Dataset of Security Vulnerabilities in Open-source Systems
• 2018 - HDDr: A Recursive Variantof the Hierarchical Delta Debugging Algorithm
• 2017 - Coarse Hierarchical Delta Debugging
• 2017 - VUDDY: A Scalable Approach for Vulnerable CodeClone Discovery
• 2017 - Postmortem Program Analysis with Hardware-Enhanced Post-Crash Artifacts
• 2017 - Synthesizing Program Input Grammars
• 2017 - Designing New Operating Primitives to Improve Fuzzing Performance
• 2017 - Instruction Punning: Lightweight Instrumentation for x86-64
• 2016 - Modernizing Hierarchical Delta Debugging
• 2016 - VulPecker: An Automated Vulnerability Detection SystemBased on Code Similarity Analysis
• 2016 - CREDAL: Towards Locating a Memory Corruption Vulnerability with Your Core Dump
• 2016 - RETracer: Triaging Crashes by Reverse Execution fromPartial Memory Dumps
• 2015 - PIE: Parser Identification in Embedded Systems
• 2010 - Iterative Delta Debugging
• 2009 - Dynamic Test Generation To Find Integer Bugs in x86 Binary Linux Programs
• 2006 - HDD: Hierarchical Delta Debugging

Surveys, SoKs, and Studies

• 2023 - Fuzzing the Latest NTFS in Linux with Papora: An Empirical Study
• 2023 - Fuzzing REST APIs for Bugs: An Empirical Analysis
• 2023 - Automated Binary Analysis: A Survey
• 2023 - Fuzzers for stateful systems: Survey and Research Directions
• 2022 - Detecting Vulnerability on IoT Device Firmware: A Survey
• 2022 - Fuzzing of Embedded Systems: A Survey
• 2022 - Embedded Fuzzing: a Review of Challenges, Tools, and Solutions
• 2022 - An empirical study of vulnerability discovery methods over the past ten years
• 2022 - Fuzzing vulnerability discovery techniques: Survey, challenges and future directions
• 2022 - Fuzzing: A Survey for Roadmap
• 2022 - How Long Do Vulnerabilities Live in the Code? A Large-Scale Empirical Measurement Study on FOSS Vulnerability Lifetimes
• 2021 - Protocol Reverse-Engineering Methods and Tools: A Survey
• 2021 - Exploratory Review of Hybrid Fuzzing for Automated Vulnerability Detection
• 2021 - A Systematic Review of Network Protocol Fuzzing Techniques
• 2021 - Vulnerability Detection is Just the Beginning
• 2021 - Evaluating Synthetic Bugs
• 2020 - A Practical, Principled Measure of Fuzzer Appeal:A Preliminary Study
• 2020 - A Systemic Review of Kernel Fuzzing
• 2020 - A Survey of Hybrid Fuzzing based on Symbolic Execution
• 2020 - A Study on Using Code Coverage Information Extracted from Binary to Guide Fuzzing
• 2020 - Study of Security Flaws in the Linux Kernel by Fuzzing
• 2020 - Dynamic vulnerability detection approaches and tools: State of the Art
• 2020 - Fuzzing: Challenges and Reflections
• 2020 - The Relevance of Classic Fuzz Testing: Have We Solved This One?
• 2020 - A Practical, Principled Measure of Fuzzer Appeal:A Preliminary Study
• 2020 - SoK: All You Ever Wanted to Know About x86/x64 Binary Disassembly But Were Afraid to Ask
• 2020 - A Quantitative Comparison of Coverage-Based Greybox Fuzzers
• 2020 - A Survey of Security Vulnerability Analysis, Discovery, Detection, and Mitigation on IoT Devices
• 2020 - A systematic review of fuzzing based on machine learning techniques
• 2019 - A Survey of Binary Code Similarity
• 2019 - The Art, Science, and Engineering of Fuzzing: A Survey
• 2012 - Regression testingminimization, selection and prioritization: a survey