Software security paper list

This repository contains a curated list of papers relevant to:

• software security;
• program analysis; and
• systems security.

The list is divided into further sub-topics and include a sub-topic called "General" for papers that either have not been sorted into a sub-topic yet or do not fit into any sub-topics.

This list is maintained by:

• David Korczynski; and
• Adam Korczynski

PRs are very welcome.

Download all automatically

The auto_download.py script can be used to download either all of the papers or the papers for a given subtopic.

auto_download.py will create a directory out in the current working directory if it does not already exist. Then it will create another folder in out with the name of the sub-topic you are choosing to download or All in case you download all papers.

Example uses:

# Download all papers
python ./auto_download.py All

# Download all papers related to Fuzzing
python ./auto_download.py Fuzzing

# Download all papers related to Malware
python ./auto_download.py Malware

Other paper lists

• Awesome fuzzing
• Recent Papers Related To Fuzzing
• Awesome Virtualization

Papers

Table of contents:

• General
• Android
• Control-flow integrity
• Cyber-physical
• Symbolic execution
• Virtualisation
• Fuzzing
• Malware
• Binary analysis

General

• A Randomized Dynamic Program Analysis Technique for Detecting Real Deadlocks
• Randomized Active Atomicity Violation Detection in Concurrent Programs
• Privacy Oracle: a System for Finding Application Leaks with Black Box Differential Testing
• TypeSan: Practical Type Confusion Detection
• HexType: Efficient Detection of Type Confusion Errors for C++
• Dynamic Test Generation To Find Integer Bugs in x86 Binary Linux Programs
• Vulcan Binary transformation in a distributed environment
• Automated Detection, Exploitation, and Elimination of Double-Fetch Bugs using Modern CPU Features
• Path-Exploration Lifting: Hi-Fi Tests for Lo-Fi Emulators
• Robust Signatures for Kernel Data Structures
• DELTA: A Security Assessment Framework for Software-Defined Networks
• Simplifying and Isolating Failure-Inducing Input
• Fitness-Guided Path Exploration in Dynamic Symbolic Execution
• Enforceable Security Policies
• Enemy of the State: A State-Aware Black-Box Web Vulnerability Scanner
• Feedback-directed Random Test Generation
• Probability-Based Parameter Selection for Black-Box Fuzz Testing
• FLAX: Systematic Discovery of Client-side Validation Vulnerabilities in Rich Web Applications
• Representation Dependence Testing using Program Inversion
• Deriving Input Syntactic Structure From Execution
• SoftBound: Highly Compatible and Complete Spatial Memory Safety for C
• CodeAlchemist: Semantics-Aware Code Generation to Find Vulnerabilities in JavaScript Engines
• CETS: Compiler-Enforced Temporal Safety for C
• Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software
• NEZHA: Efficient Domain-Independent Differential Testing
• Prospex: Protocol Specification Extraction
• Understanding Integer Overflow in C/C++
• Polyglot: Automatic Extraction of Protocol Message Format using Dynamic Binary Analysis
• QTEP: Quality-Aware Test Case Prioritization
• Race Directed Random Testing of Concurrent Programs
• Type Casting Verification: Stopping an Emerging Attack Vector
• Towards Optimization-Safe Systems: Analyzing the Impact of Undefined Behavior
• Disco: Running commodity operating systems on scalable multiprocessors
• Jump-Oriented Programming: A New Class of Code-Reuse Attack
• Can DREs Provide Long-Lasting Security? The Case of Return-Oriented Programming and the AVC Advantage
• Decoupling dynamic program analysis from execution in virtual environments
• Understanding data lifetime via whole system simulation.
• Minos: Control Data Attack Prevention Orthogonal to Memory Model
• Tainting is Not Pointless
• Size Does Matter: Why Using Gadget-Chain Length to Prevent Code-Reuse Attacks is Hard
• ROPMEMU: A Framework for the Analysis of Complex Code-Reuse Attacks
• A virtual machine based information flow control system for policy enforcement
• The geometry of innocent flesh on the bone: Return-into-libc without function calls (on the x86)
• SPIDER: Enabling Fast Patch Propagation In Related Software Repositories
• HALucinator: Firmware Re-hosting Through Abstraction Layer Emulation
• PhishTime: Continuous Longitudinal Measurement of the Effectiveness of Anti-phishing Blacklists
• Exploiting Uses of Uninitialized Stack Variables in Linux Kernels to Leak Kernel Pointers
• Sleak: automating address space layout derandomization
• Matched and Mismatched SOCs: A Qualitative Study on Security Operations Center Issues
• GuardION: Practical Mitigation of DMA-Based Rowhammer Attacks on ARM
• Measuring E-mail header injections on the world wide web
• Detecting Deceptive Reviews Using Generative Adversarial Networks
• HeapHopper: Bringing Bounded Model Checking to Heap Implementation Security
• Rampart: Protecting Web Applications from CPU-Exhaustion Denial-of-Service Attacks
• Exploitation and Mitigation of Authentication Schemes Based on Device-Public Information
• Piston: Uncooperative Remote Runtime Patching
• Rise of the HaCRS: Augmenting Autonomous Cyber Reasoning Systems with Human Assistance
• Gossip: Automatically Identifying Malicious Domains from Mailing List Discussions
• POISED: Spotting Twitter Spam Off the Beaten Paths
• How Shall We Play a Game?: A Game-theoretical Model for Cyber-warfare Games
• Obfuscation-Resilient Privacy Leak Detection for Mobile Apps Through Differential Analysis
• BOOMERANG: Exploiting the Semantic Gap in Trusted Execution Environments
• Something from Nothing (There): Collecting Global IPv6 Datasets from DNS
• BootStomp: On the Security of Bootloaders in Mobile Devices
• DR. CHECKER: A Soundy Analysis for Linux Kernel Drivers
• Taming Transactions: Towards Hardware-Assisted Control Flow Integrity Using Transactional Memory
• SOK: (State of) The Art of War: Offensive Techniques in Binary Analysis
• Quickly generating diverse valid test inputs with reinforcement learning
• Mining Temporal Properties of Data Invariants
• General LTL Specification Mining
• Investigating Program BehaviorUsing the Texada LTL Specifications Miner
• Know Your Achilles' Heel: Automatic Detection of Network Critical Services
• Firmalice - Automatic Detection of Authentication Bypass Vulnerabilities in Binary Firmware
• EVILCOHORT: Detecting Communities of Malicious Accounts on Online Services
• Meerkat: Detecting Website Defacements through Image-based Object Recognition
• How the ELF Ruined Christmas
• ZigZag: Automatically Hardening Web Applications Against Client-side Validation Vulnerabilities
• Framing Dependencies Introduced by Underground Commoditization
• The harvester, the botmaster, and the spammer: on the relations between the different actors in the spam landscape
• PExy: The Other Side of Exploit Kits
• The Dark Alleys of Madison Avenue: Understanding Malicious Advertisements
• Rippler: Delay injection for service dependency detection
• Eyes of a Human, Eyes of a Program: Leveraging Different Views of the Web for Analysis and Detection
• Extracting probable command and control signatures for detecting botnets
• Stranger danger: exploring the ecosystem of ad-based URL shortening services
• Relevant change detection: a framework for the precise extraction of modified and novel web-based content as a filtering technique for analysis engines
• Message in a bottle: sailing past censorship
• deDacota: toward preventing server-side XSS via automatic code and data separation
• Follow the green: growth and dynamics in twitter follower markets
• COMPA: Detecting Compromised Accounts on Social Networks
• Clickonomics: Determining the Effect of Anti-Piracy Measures for One-Click Hosting
• Practical Attacks against the I2P Network
• EARs in the wild: large-scale analysis of execution after redirect vulnerabilities
• Cookieless Monster: Exploring the Ecosystem of Web-Based Device Fingerprinting
• Revolver: An Automated Approach to the Detection of Evasive Web-based Malware
• Steal This Movie: Automatically Bypassing DRM Protection in Streaming Media Services
• Two years of short URLs internet measurement: security threats and countermeasures
• PeerPress: utilizing enemies' P2P strength against them
• You are what you include: large-scale evaluation of remote javascript inclusions
• Tracking Memory Writes for Malware Classification and Code Reuse Identification
• ViewPoints: differential string analysis for discovering client- and server-side input validation inconsistencies
• A quantitative study of accuracy in system call-based malware detection
• Enforcing dynamic spectrum access with spectrum permits
• Detecting social cliques for automated privacy control in online social networks
• B@bel: Leveraging Email Delivery for Spam Mitigation
• PUBCRAWL: Protecting Users and Businesses from CRAWLers
• Poultry markets: on the underground economy of twitter followers
• Past-sensitive pointer analysis for symbolic execution
• MVEDSUA: Higher Availability Dynamic Software Updates via Multi-Version Execution
• Computing summaries of string loops in C for better testing and refactoring
• A segmented memory model for symbolic execution
• FreeDA: deploying incompatible stock dynamic analyses in production via multi-version execution
• RetroWrite: Statically Instrumenting COTS Binaries for Fuzzing and Sanitization
• BLESA: Spoofing Attacks against Reconnections in Bluetooth Low Energy
• SMoTherSpectre: Exploiting Speculative Execution through Port Contention
• PoLPer: Process-Aware Restriction of Over-Privileged Setuid Calls in Legacy Applications
• BenchIoT: A Security Benchmark for the Internet of Things
• Butterfly Attack: Adversarial Manipulation of Temporal Properties of Cyber-Physical Systems
• SoK: Shining Light on Shadow Stacks
• Pythia: Remote Oracles for the Masses
• CUP: Comprehensive User-Space Protection for C/C++
• Milkomeda: Safeguarding the Mobile GPU Interface Using WebGL Security Checks
• Block Oriented Programming: Automating Data-Only Attacks
• CFIXX: Object Type Integrity for C++
• ACES: Automatic Compartments for Embedded Systems
• Memory Safety for Embedded Devices with nesCheck
• DataShield: Configurable Data Confidentiality and Integrity
• Protecting Bare-Metal Embedded Systems with Privilege Overlays
• Venerable Variadic Vulnerabilities Vanquished
• One Process to Reap Them All: Garbage Collection as-a-Service
• Enforcing Least Privilege Memory Views for Multithreaded Applications
• Forgery-Resistant Touch-based Authentication on Mobile Devices
• VTrust: Regaining Trust on Virtual Calls
• PSHAPE: Automatically Combining Gadgets for Arbitrary Method Execution
• Klotski: Efficient Obfuscated Execution against Controlled-Channel Attacks
• PatchScope: Memory Object Centric Patch Diffing
• Chaser: An Enhanced Fault Injection Tool for Tracing Soft Errors in MPI Applications
• ChaffyScript: Vulnerability-Agnostic Defense of JavaScript Exploits via Memory Perturbation
• Extracting Conditional Formulas for Cross-Platform Bug Search
• Neural Network-based Graph Embedding for Cross-Platform Binary Code Similarity Detection
• SoK: Cyber Insurance - Technical Challenges and a System Security Roadmap
• BakingTimer: privacy analysis of server-side request processing time
• Data-Confined HTML5 Applications
• SoK: Eternal War in Memory
• High System-Code Security with Low Overhead
• Code-Pointer Integrity
• -OVERIFY: Optimizing Programs for Fast Verification

Android

• Android Permissions Demystified
• IntelliDroid: A Targeted Input Generator for the Dynamic Analysis of Android Malware
• PScout: Analyzing the Android Permission Specification
• Broken Fingers: On the Usage of the Fingerprint API in Android
• Going Native: Using a Large-Scale Analysis of Android Apps to Create a Practical Native-Code Sandboxing Policy
• TriggerScope: Towards Detecting Logic Bombs in Android Applications
• BareDroid: Large-Scale Analysis of Android Apps on Real Devices
• Grab 'n Run: Secure and Practical Dynamic Code Loading for Android Applications
• NJAS: Sandboxing Unmodified Applications in non-rooted Devices Running stock Android
• On the Security and Engineering Implications of Finer-Grained Access Controls for Android Developers and Users
• EdgeMiner: Automatically Detecting Implicit Control Flow Transitions through the Android Framework
• CLAPP: characterizing loops in Android applications
• What the App is That? Deception and Countermeasures in the Android User Interface
• Execute This! Analyzing Unsafe and Malicious Dynamic Code Loading in Android Applications
• An empirical study of cryptographic misuse in android applications
• Automatic Generation of Non-intrusive Updates for Third-Party Libraries in Android Applications
• Parallel Space Traveling: A Security Analysis of App-Level Virtualization in Android

Control-flow integrity

• Fine-Grained Control-Flow Integrity for Kernel Software
• Stitching the Gadgets: On the Ineffectiveness of Coarse-Grained Control-Flow Integrity Protection
• Enforcing Forward-Edge Control-Flow Integrity in GCC & LLVM

Cyber-physical

• TRUST.IO: Protecting Physical Interfaces on Cyber-physical Systems

Symbolic execution

• Symbolic Execution and Program Testing
• DART: Directed Automated Random Testing
• Directed Greybox Fuzzing
• The s2e platform: Design, implementation, and applications
• S2E: A Platform for In-Vivo Multi-Path Analysis of Software Systems
• Klee: Unassisted and automatic generation of high-coverage tests for complex systems programs
• Exe: automatically generating inputs of death
• CUTE: A Concolic Unit Testing Engine for C
• Qsym : A Practical Concolic Execution Engine Tailored for Hybrid Fuzzing
• All You Ever Wanted to Know About Dynamic Taint Analysis and Forward Symbolic Execution (but might have been afraid to ask)
• CAB-Fuzz: Practical Concolic Testing Techniques for COTS Operating Systems
• Driller: Augmenting Fuzzing Through Selective Symbolic Execution
• Enhancing Symbolic Execution with Veritesting
• SYMBION: Interleaving Symbolic with Concrete Execution
• AutoPandas: Neural-Backed Generators for ProgramSynthesis
• Chopped symbolic execution
• PARTI: a multi-interval theory solver for symbolic execution
• Accelerating array constraints in symbolic execution
• Automatic testing of symbolic execution engines via program generation and differential testing
• Floating-point symbolic execution: a case study in n-version programming
• A DSL Approach to Reconcile Equivalent Divergent Program Executions
• Analysing the program analyser
• Shadow of a doubt: testing for divergences between software versions
• Symbooglix: A Symbolic Execution Engine for Boogie Programs
• VARAN the Unbelievable: An Efficient N-version Execution Framework
• Targeted program transformations for symbolic execution
• Shadow symbolic execution for better testing of evolving software
• Covrig: a framework for the analysis of code, test, and coverage evolution in real software
• Multi-solver Support in Symbolic Execution
• Efficient State Merging in Symbolic Execution
• Testing Closed-Source Binary Device Drivers with DDT
• Running symbolic execution forever

Program instrumentation

• Valgrind: A framework for heavyweight dynamic binary instrumentation
• Pin: Building Customized Program Analysis Tools with Dynamic Instrumentation
• Llvm: A compilation framework for lifelong program analysis & transformation
• PEBIL: Efficient Static Binary Instrumentation for Linux
• DECAF++: Elastic Whole-System Dynamic Taint Analysis
• Make It Work, Make It Right, Make It Fast: Building a Platform-Neutral Whole-System Dynamic Binary Analysis Platform
• Repeateable Reverse Engineering for the Greater Good with PANDA

Sanitizer

• AddressSanitizer: A Fast Address Sanity Checker
• MemorySanitizer: fast detector of uninitialized memory use in C++
• ThreadSanitizer – data race detection in practice
• FuZZan: Efficient Sanitizer Metadata Design for Fuzzing

Virtualisation

• Xen and the Art of Virtualization
• QEMU, a Fast and Portable Dynamic Translator
• Kvm: the linux virtual machine monitor
• Virtualization without direct execution or jitting: Designing a portable virtual machine infrastructure.
• Argos: an emulator for fingerprinting zero-day attacks
• Digtool: A Virtualization-Based Framework for Detecting Kernel Vulnerabilities

Fuzzing

• USBFuzz: A Framework for Fuzzing USB Drivers by Device Emulation
• FirmFuzz: Automated IoT Firmware Introspection and Analysis
• Evaluating Fuzz Testing
• Billions and Billions of Constraints: Whitebox Fuzz Testing in Production
• Fuzzing: The State of the Art
• Automated Test Input Generation for Android: Are We There Yet?
• Send Hardest Problems My Way: Probabilistic Path Prioritization for Hybrid Fuzzing
• Scheduling Black-box Mutational Fuzzing
• T-Fuzz: Fuzzing by Program Transformation
• Hawkeye: Towards a Desired Directed Grey-box Fuzzer
• Taint-based Directed Whitebox Fuzzing
• Detecting Atomic-Set Serializability Violations in Multithreaded Programs through Active Randomized Testing
• Statically-Directed Dynamic Automated Test Generation
• Systematic Fuzzing and Testing of TLS Libraries
• STADS: Software Testing as Species Discovery
• PeriScope: An Effective Probing and Fuzzing Framework for the Hardware-OS Boundary
• Random Testing for Security: Blackbox vs. Whitebox Fuzzing
• perf fuzzer: Targeted Fuzzing of the perf event open() System Call
• PULSAR: Stateful Black-Box Fuzzing of Proprietary Network Protocols
• Learn&Fuzz: Machine Learning for Input Fuzzing
• Model-Based Whitebox Fuzzing for Program Binaries
• FairFuzz: A Targeted Mutation Strategy for Increasing Greybox Fuzz Testing Coverage
• LZfuzz: a fast compression-based fuzzer for poorly documented protocols
• jFuzz: A Concolic Whitebox Fuzzer for Java
• T-Fuzz: Model-Based Fuzzing for Robustness Testing of Telecommunication Protocols
• VUzzer: Application-aware Evolutionary Fuzzing
• MoonShine: Optimizing OS Fuzzer Seed Selection with Trace Distillation
• Automated Whitebox Fuzz Testing
• KameleonFuzz: Evolutionary Fuzzing for Black-Box XSS Detection
• Grammar-based Whitebox Fuzzing
• Skyfire: Data-Driven Seed Generation for Fuzzing
• CollAFL: Path Sensitive Fuzzing
• PerfFuzz: Automatically Generating Pathological Inputs
• Pex–White Box Test Generation for .NET
• IMF: Inferred Model-based Fuzzer
• Many-Core Compiler Fuzzing
• QuickFuzz: An Automatic Random Fuzzer for Common File Formats
• Steelix: program-state based binary fuzzing
• kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels
• Fuzzing with Code Fragments
• Optimizing Seed Selection for Fuzzing
• Protocol State Fuzzing of TLS Implementations
• Checksum-Aware Fuzzing Combined with Dynamic Taint Analysis and Symbolic Execution
• A Framework for File Format Fuzzing with Genetic Algorithms
• Differential Testing for Software
• Effective Random Testing of Concurrent Programs
• HFL: Hybrid Fuzzing on the Linux Kernel
• HotFuzz: Discovering Algorithmic Denial-of-Service Vulnerabilities Through Guided Micro-Fuzzing
• HYPER-CUBE: High-Dimensional Hypervisor Fuzzing
• Not All Coverage Measurements Are Equal: Fuzzing by Coverage Accounting for Input Prioritization
• REDQUEEN: Fuzzing with Input-to-State Correspondence
• Life after Speech Recognition: Fuzzing Semantic Misinterpretation for Voice Assistant Applications
• INSTRIM: Lightweight Instrumentation for Coverage-guided Fuzzing
• IoTFuzzer: Discovering Memory Corruptions in IoT Through App-based Fuzzing
• What You Corrupt Is Not What You Crash: Challenges in Fuzzing Embedded Devices
• Fuzzing JavaScript Engines with Aspect-preserving Mutation
• IJON: Exploring Deep State Spaces via Fuzzing
• Krace: Data Race Fuzzing for Kernel File Systems
• Pangolin:Incremental Hybrid Fuzzing with Polyhedral Path Abstraction
• Full-speed Fuzzing: Reducing Fuzzing Overhead through Coverage-guided Tracing
• Fuzzing File Systems via Two-Dimensional Input Space Exploration
• NEUZZ: Efficient Fuzzing with Neural Program Smoothing
• Razzer: Finding Kernel Race Bugs through Fuzzing
• Program-Adaptive Mutational Fuzzing
• TaintScope: A checksum-aware directed fuzzing tool for automatic software vulnerability detection
• FANS: Fuzzing Android Native System Services via Automated Interface Analysis
• Analysis of DTLS Implementations Using Protocol State Fuzzing
• EcoFuzz: Adaptive Energy-Saving Greybox Fuzzing as a Variant of the Adversarial Multi-Armed Bandit
• Fuzzing Error Handling Code using Context-Sensitive Software Fault Injection
• FuzzGen: Automatic Fuzzer Generation
• ParmeSan: Sanitizer-guided Greybox Fuzzing
• SpecFuzz: Bringing Spectre-type vulnerabilities to the surface
• FuzzGuard: Filtering out Unreachable Inputs in Directed Grey-box Fuzzing through Deep Learning
• Montage: A Neural Network Language Model-Guided JavaScript Engine Fuzzer
• GREYONE: Data Flow Sensitive Fuzzing
• Fuzzification: Anti-Fuzzing Techniques
• AntiFuzz: Impeding Fuzzing Audits of Binary Executables
• Charm: Facilitating Dynamic Analysis of Device Drivers of Mobile Systems
• OSS-Fuzz - Google's continuous fuzzing service for open source software
• Intriguer: Field-Level Constraint Solving for Hybrid Fuzzing
• Learning to Fuzz from Symbolic Execution with Application to Smart Contracts
• Matryoshka: fuzzing deeply nested branches
• SemFuzz: Semantics-based Automatic Generation of Proof-of-Concept Exploits
• AFL-based Fuzzing for Java with Kelinci
• SlowFuzz: Automated Domain-Independent Detection of Algorithmic Complexity Vulnerabilities
• DIFUZE: Interface Aware Fuzzing for Kernel Drivers
• Coverage-based Greybox Fuzzing as Markov Chain
• eFuzz: A Fuzzer for DLMS/COSEM Electricity Meters
• Taming compiler fuzzers
• SAGE: whitebox fuzzing for security testing
• Synthesizing Racy Tests
• Coverage-Directed Differential Testing of JVM Implementations
• Synthesizing Program Input Grammars
• Angora: Efficient Fuzzing by Principled Search
• Well There’s Your Problem: Isolating the Crash-Inducing Bits in a Fuzzed File
• IFuzzer: An Evolutionary Interpreter Fuzzer using Genetic Programming
• Designing New Operating Primitives to Improve Fuzzing Performance
• Dowsing for Overflows: A Guided Fuzzer to Find Buffer Boundary Violations
• Automated Testing for SQL Injection Vulnerabilities: An Input Mutation Approach
• Turning Programs against Each Other: High Coverage Fuzz-Testing using Binary-Code Mutation and Dynamic Slicing
• KiF: A stateful SIP Fuzzer
• GRT: Program-Analysis-Guided Random Testing
• Autodafe: an Act of Software Torture
• Singularity: Pattern Fuzzing for Worst Case Complexity
• Exploring Abstraction Functions in Fuzzing
• FuzzFactory: domain-specific fuzzing with waypoints
• Zest: Validity Fuzzing and Parametric Generators for Effective Random Testing
• Semantic fuzzing with zest
• JQF: coverage-guided property-based testing in Java
• FUDGE: fuzz driver generation at scale
• FairFuzz: Targeting Rare Branches to Rapidly Increase Greybox Fuzz Testing Coverage
• FIRM-AFL: High-Throughput Greybox Fuzzing of IoT Firmware via Augmented Process Emulation
• Be Sensitive and Collaborative: Analyzing Impact of Coverage Metrics in Greybox Fuzzing
• Enhancing Memory Error Detection for Large-Scale Applications and Fuzz Testing

Malware

• An Abstract Theory of Computer Viruses
• Precise system-wide concatic malware unpacking
• A characterisation of system-wide propagation in the malware landscape
• Capturing Malware Propagations with Code Injections and Code-Reuse Attacks
• System-level support for intrusion recovery
• Repeconstruct: reconstructing binaries with self-modifying code and import address table destruction
• Automated classification and analysis of internet malware
• WYSINWYX: What You See Is Not What You eXecute
• Quincy: Detecting Host-Based Code Injection Attacks in Memory Dumps
• Bee master: Detecting host-based code injection attacks
• Host-based code injection attacks: A popular technique used by malware
• Scalable, Behavior-Based Malware Clustering
• A View on Current Malware Behaviors
• Dynamic analysis of malicious code
• Behavior abstraction in malware analysis.
• Detecting Hardware-Assisted Virtualization
• BitScope: Automatically Dissecting Malicious Binaries
• On the Limits of Information Flow Techniques for Malware Analysis and Containment
• Understanding Linux Malware
• Ether: Malware Analysis via Hardware Virtualization Extensions
• Dynamic Spyware Analysis
• A Survey on Automated Dynamic Malware Analysis Techniques and Tools
• CodeXt: Automatic Extraction of Obfuscated Attack Code from Memory Dump
• A Survey of Mobile Malware in the Wild
• Attacks on More Virtual Machine Emulators
• Malware as interaction machines: A new framework for behavior modelling
• Malware dynamic recompilation
• Secure and advanced unpacking using computer emulation.
• Renovo: A Hidden Code Extractor for Packed Executables
• Emulating Emulation-Resistant Malware
• Backtracking intrusions
• Counteracting Data-Only Malware with Code Pointer Examination
• The power of procrastination: Detection and mitigation of execution-stalling malicious code
• Polymorphic worm detection using structural information of executables.
• Static disassembly of obfuscated binaries
• Testing closedsource binary device drivers with ddt
• The dropper effect: Insights into malware distribution with downloader graph analytics
• Exploiting diverse observation perspectives to get insights on the malware landscape
• Scalability, fidelity and stealth in the drakvuf dynamic malware analysis system
• Graph matching networks for learning the similarity of graph structured objects
• Detecting environment-sensitive malware
• Omniunpack: Fast, generic, and safe unpacking of malware
• Exploring multiple execution paths for malware analysis
• Malpedia: A collaborative effort to inventorize the malware landscape
• Rop payload detection using speculative code execution
• Sweetbait: Zero-hour worm detection and containment using low- and high-interaction honeypots
• Paranoid android: Versatile protection for smartphones
• Detecting system emulators
• Large-scale analysis of malware downloaders
• Prudent practices for designing malware experiments: Status quo and outlook
• Polyunpack: Automating the hidden-code extraction of unpack-executing malware
• AVCLASS: A Tool for Massive Malware Labeling
• A fast automaton-based method for detecting anomalous program behaviors
• Malrec: Compact fulltrace malware recording for retrospective deep analysis
• Eureka: A framework for enabling static malware analysis
• Pointless tainting?: Evaluating the practicality of pointer tainting
• Deepmem: Learning graph neural network models for fast and robust memory forensic analysis
• Sok: Deep packer inspection: A longitudinal study of the complexity of run-time packers
• Evading android runtime analysis via sandbox detection
• Persistent data-only malware: Function hooks without code
• Deep ground truth analysis of current android malware
• Mose: Live migration based on-the-fly software emulation
• Toward automated dynamic malware analysis using cwsandbox
• Cxpinspector: Hypervisorbased, hardware-assisted system monitoring
• A generic approach to automatic deobfuscation of executable code
• Symbolic execution of obfuscated code
• V2e: Combining hardware virtualization and software emulation for transparent and extensible malware analysis
• Droidscope: Seamlessly reconstructing the os and dalvik semantic views for dynamic android malware analysis
• Panorama: Capturing system-wide information flow for malware detection and analysis
• Dissecting android malware: Characterization and Evolution
• Abusing File Processing in Malware Detectors for Fun and Profit
• Input Generation via Decomposition and Re-Stitching: Finding Bugs in Malware
• Hulk: Eliciting Malicious Behavior in Browser Extensions
• Mining specifications of malicious behavior
• When Malware is Packin' Heat; Limits of Machine Learning Classifiers Based on Static Analysis Features
• Neurlux: dynamic malware analysis without feature engineering
• Using Loops For Malware Classification Resilient to Feature-unaware Perturbations
• Cloud Strife: Mitigating the Security Risks of Domain-Validated Certificates
• MineSweeper: An In-depth Look into Drive-by Cryptocurrency Mining and Its Defense
• Dark Hazard: Learning-based, Large-Scale Discovery of Hidden Sensitive Operations in Android Apps
• JSForce: A Forced Execution Engine for Malicious JavaScript Detection
• Things You May Not Know About Android (Un)Packers: A Systematic Study based on Whole-System Emulation
• Measuring and Disrupting Anti-Adblockers Using Differential Execution Analysis
• malWASH: Washing Malware to Evade Dynamic Analysis
• Jarhead analysis and detection of malicious Java applets
• Blacksheep: detecting compromised hosts in homogeneous crowds
• BareCloud: Bare-metal Analysis-based Evasive Malware Detection
• Making Malory Behave Maliciously: Targeted Fuzzing of Android Execution Environments
• A Static, Packer-Agnostic Filter to Detect Similar Malware Samples
• FlashDetect: ActionScript 3 Malware Detection

Binary analysis

• ByteWeight: Learning to Recognize Functions in Binary Code
• CoDisasm: Medium Scale Concatic Disassembly of Self-Modifying Binaries with Overlapping Instructions
• Minemu: The World’s Fastest Taint Tracker
• When good instructions go bad: Generalizing return-oriented programming to risc.
• An API for Runtime Code Patching
• Reverse Engineering of Binary Device Drivers with RevNIC
• https://apps.dtic.mil/sti/pdfs/AD1034415.pdf
• Graph-based comparison of executable objects
• TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones
• Structural Comparison of Executable Objects
• Labeling library functions in stripped binaries
• Jakstab: A static analysis platform for binaries
• Learning to Analyze Binary Computer Code
• Architecture-independent dynamic information flow tracking
• Decompilation of binary programs.
• A Platform for Secure Static Binary Instrumentation
• Tupni: Automatic Reverse Engineering of Input Formats
• RETracer: Triaging Crashes by Reverse Execution from Partial Memory Dumps
• Cryptographic Function Detection in Obfuscated Binaries via Bit-precise Symbolic Loop Mapping
• Karonte: Detecting Insecure Multi-binary Interactions in Embedded Firmware
• BootKeeper: Validating Software Integrity Properties on Boot Firmware Images
• BinTrimmer: Towards Static Binary Debloating Through Abstract Interpretation
• Ramblr: Making Reassembly Great Again
• rev.ng: a unified binary analysis framework to recover CFGs and function boundaries
• Enabling sophisticated analyses of ×86 binaries with RevGen
• HI-CFG: Construction by Binary Analysis and Application to Attack Polymorphism
• DeepBinDiff: Learning Program-Wide Code Representations for Binary Diffing