From 0a28d36522901bf1e65182bdc215330b8d03d1ec Mon Sep 17 00:00:00 2001 From: sam bacha Date: Wed, 1 Sep 2021 00:35:14 -0700 Subject: [PATCH] docs(list): fuzzing --- | 505 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 505 insertions(+) diff --git a/ b/ index 6e39073..87304c1 100644 --- a/ +++ b/ 
@@ -205,3 +205,508 @@ speed up pull | 154 | | 0 | Comparison Between Bitcoin and Quarkchain | | Full paper not accessible | | | | | | | 155 | | 0 | Projektbericht für die QS Qualität und Sicherheit GmbH, Bonn | | Not in english | | | | | | | | 3 | 45 | | | | | | | | | + + + +## Fuzzing + +> [author: @0xricksanchez, source commit]( + +### Note + +The sole purpose of this repository is to help me organize recent academic papers related to *fuzzing*, *binary analysis*, *IoT security*, and *general exploitation*. This is a non-exhausting list, even though I'll try to keep it updated... +Feel free to suggest decent papers via a PR. + +## Papers and Links + + +* [2021 - An Empirical Study of OSS-Fuzz Bugs]( + * **Tags:** flaky bugs, clusterfuzz, sanitizer, bug detection, bug classification, time-to-fix, time-to-detect +* [2020 - Corpus Distillation for Effective Fuzzing]( + * **Tags:** corpus minimization, afl-cmin, google fuzzer test suite, FTS, minset, AFL +* [2020 - Symbolic execution with SymCC: Don't interpret, compile!]( + * **Tags:** KLEE, QSYM, LLVM, C, C++, compiler, symbolic execution, concolic execution, source code level, IR, angr, Z3, DARPA corpus, AFL +* [2020 - WEIZZ: Automatic Grey-Box Fuzzing for Structured Binary Formats]( + * **Tags:** REDQUEEN, chunk-based formats, AFLSmart, I2S, checksums, magix bytes, QEMU, Eclipser, short fuzzing runs, +* [2020 - Efficient Binary-Level Coverage Analysis]( + * **Tags:** bcov, detour + trampoline, basic block coverage, sliced microexecution, superblocks, strongly connected components, dominator graph, BAP, angr, IDA, DynamoRIO, Intel PI, BAP, angr, IDA, DynamoRIO, Intel PIN +* [2020 - Test-Case Reduction via Test-Case Generation: Insights From the Hypothesis Reducer]( + * **Tags:** Test case reducer, property based testing, CSmith, test case generation, hierachical delta debugging +* [2020 - AFL++: Combining Incremental Steps of Fuzzing Research]( + * **Tags:** AFL++, AFL, MOpt, LAF-Intel, Fuzzbench, Ngram, RedQueen, 
Unicorn, QBDI, CmpLog, AFLFast +* [2020 - FirmXRay: Detecting Bluetooth Link Layer Vulnerabilities From Bare-Metal Firmware]( + * **Tags:** Ghdira, static analysis, sound disassembly, base address finder, BLE, vulnerability discovery +* [2020 - P2IM: Scalable and Hardware-independent Firmware Testing via Automatic Peripheral Interface Modeling]( + * **Tags:** HALucinator, emulation, firmware, QEMU, AFL, requires source, MCU, peripheral abstraction +* [2020 - What Exactly Determines the Type? Inferring Types with Context]( + * **Tags:** context assisted type inference, stripped binaries, variable and type reconstruction, IDA Pro, Word2Vec, CNN, +* [2020 - Causal Testing: Understanding Defects’ Root Causes]( + * **Tags:** Defects4J, causal relationships, Eclipse plugin, unit test mutation, program trace diffing, static value diffing, user study +* [2020 - AURORA: Statistical Crash Analysis for Automated Root Cause Explanation]( + * **Tags:** RCA, program traces, input diversification, Intel PIN, Rust, CFG, +* [2020 - ParmeSan: Sanitizer-guided Greybox Fuzzing]( + * Tags: interprocedural CFG, data flow analysis, directed fuzzing (DGF), disregarding 'hot paths', LAVA-M based primitives, LLVM, Angora, AFLGo, ASAP, santizer dependent +* [2020 - Magma: A Ground-Truth Fuzzing Benchmark]( + * **Tags:** best practices, fuzzer benchmarking, ground truth, Lava-M +* [2020 - Fitness Guided Vulnerability Detection with Greybox Fuzzing]( + * **Tags:** AFL, vuln specific fitness metric (headroom), buffer/integer overflow detection, AFLGo, pointer analysis, CIL, bad benchmarking +* [2020 - GREYONE: Data Flow Sensitive Fuzzing]( + * **Tags:** data-flow fuzzing, taint-guided mutation, input prioritization, *constraint conformance*, REDQUEEN, good evaluation, VUzzer +* [2020 - FairFuzz-TC: a fuzzer targeting rare branches]( + * **Tags:** AFL, required seeding, *branch mask* +* [2020 - Fitness Guided Vulnerability Detection with Greybox Fuzzing]( + * **Tags:** AFL, vuln specific fitness 
metric (headroom), buffer/integer overflow detection, AFLGo, pointer analysis, CIL, bad evaluation +* [2020 - TOFU: Target-Oriented FUzzer]( + * **Tags:** DGF, structured mutations, staged fuzzing/learning of cli args, target fitness, structure aware, Dijkstra for priority, AFLGo, Superion +* [2020 - FuZZan: Efficient Sanitizer Metadata Design for Fuzzing]( + * **Tags:**: sanitizer metadata, optimization, ASAN, MSan, AFL +* [2020 - Boosting Fuzzer Efficiency: An Information Theoretic Perspective]( + * **Tags:**: Shannon entropy, seed power schedule, libfuzzer, active SLAM, DGF, fuzzer efficiency +* [2020 - Learning Input Tokens for Effective Fuzzing]( + * **Tags:** dynamic taint tracking, parser checks, magic bytes, creation of dict inputs for fuzzers +* [2020 - A Review of Memory Errors Exploitation in x86-64]( + * **Tags:** NX, canaries, ASLR, new mitigations, mitigation evaluation, recap on memory issues +* [2020 - SoK: The Progress, Challenges, and Perspectives of Directed Greybox Fuzzing]( + * **Tags:** SoK, directed grey box fuzzing, AFL, AFL mutation operators, DGF vs CGF +* [2020 - MemLock: Memory Usage Guided Fuzzing]( + * **Tags:** memory consumption, AFL, memory leak, uncontrolled-recursion, uncontrolled-memory-allocation, static analysis +* [2019 - Matryoshka: Fuzzing Deeply Nested Branches]( + * **Tags:** AFL, QSYM, Angora, path constraints, nested conditionals, (post) dominator trees, gradient descent, REDQUEEN, LAVA-M +* [2019 - Building Fast Fuzzers]( + * **Tags:** grammar based fuzzing, optimization, bold claims, comparison to badly/non-optimized fuzzers, python, lots of micro-optimizations, nice protocolling of failures, bad ASM optimization +* [2019 - Not All Bugs Are the Same: Understanding, Characterizing, and Classifying the Root Cause of Bugs]( + * **Tags:** RCA via bug reports, classification model, F score, +* [2019 - AntiFuzz: Impeding Fuzzing Audits of Binary Executables]( + * **Tags:** anti fuzzing, prevent crashes, delay executions, 
obscure coverage information, overload symbolic execution +* [2019 - MOpt: Optimized Mutation Scheduling for Fuzzers]( + * **Tags:** mutation scheduling, particle swarm optimization (PSO), AFL, AFL mutation operators, VUzzer, +* [2019 - FuzzFactory: Domain-Specific Fuzzing with Waypoints]( + * **Tags:** domain-specific fuzzing, AFL, LLVM, solve hard constraints like cmp, find dynamic memory allocations, binary-based +* [2019 - Fuzzing File Systems via Two-Dimensional Input Space Exploration]( + * **Tags:** Ubuntu, file systems, library OS, ext4, brtfs, meta block mutations, edge cases +* [2019 - REDQUEEN: Fuzzing with Input-to-State Correspondence]( + * **Tags:** feedback-driven, AFL, magic-bytes, nested contraints, input-to-state correspondence, I2S +* [2019 - PeriScope: An Effective Probing and Fuzzing Framework for the Hardware-OS Boundary]( + * **Tags:** kernel, android, userland, embedded, hardware, Linux, device driver, WiFi +* [2019 - FirmFuzz: Automated IoT Firmware Introspection and Analysis]( + * **Tags:** emulation, firmadyne, BOF, XSS, CI, NPD, semi-automatic +* [2019 - Firm-AFL: High-Throughput Greybox Fuzzing of IoT Firmware via Augmented Process Emulation]( + * **Tags:** emulation, qemu, afl, full vs user mode, syscall redirect, "augmented process emulation", firmadyne +* [2018 - A Survey of Automated Root Cause Analysisof Software Vulnerability]( + * **Tags:** Exploit mitigations, fuzzing basics, symbolic execution basics, fault localization, high level +* [2018 - PhASAR: An Inter-procedural Static Analysis Framework for C/C++]( + * **Tags:** LLVM, (inter-procedural) data-flow analysis, call-graph, points-to, class hierachy, CFG, IR +* [2018 - INSTRIM: Lightweight Instrumentation for Coverage-guided Fuzzing]( + * **Tags:** LLVM, instrumentation optimization, graph algorithms, selective instrumentation, coverage calculation +* [2018 - What You Corrupt Is Not What You Crash: Challenges in Fuzzing Embedded Devices]( + * **Tags:** embedded, challenges, 
heuristics, emulation, crash classification, fault detection +* [2018 - Evaluating Fuzz Testing]( + * **Tags:** fuzzing evaluation, good practices, bad practices +* [2017 - Root Cause Analysis of Software Bugs using Machine Learning Techniques]( + * **Tags:** ML, RC prediction for filed bug reports, unsupervised + supervised combination, RC categorisation, F score +* [2017 - kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels]( + * **Tags:** intel PT, kernel, AFL, file systems, Windows, NTFS, Linux, ext, macOS, APFS, driver, feedback-driven +* [2016 - Driller: Argumenting Fuzzing Through Selective Symbolic Execution]( + * **Tags:** DARPA, CGC, concolic execution, hybrid fuzzer, binary based +* [2015 - Challenges with Applying Vulnerability Prediction Models]( + * **Tags:** VPM vs DPM, prediction models on large scale systems, files with frequent changes leave more vulns, older code exhibits more vulns +* [2014 - Optimizing Seed Selection for Fuzzing]( + * **Tags:** BFF, (weighted) minset, peach, cover set problem, seed transferabilty, time minset, size minset, round robin +* [2013 - Automatic Recovery of Root Causes from Bug-Fixing Changes]( + * **Tags:** ML + SCA, F score, AST, PPA, source tree analysis + +### General fuzzing implementations + +* [2021 - Scalable Fuzzing of Program Binaries with E9AFL]( +* [2021 - BigMap: Future-proofing Fuzzers with Efficient Large Maps]( +* [2021 - Token-Level Fuzzing]( +* [2021 - Hashing Fuzzing: Introducing Input Diversity to Improve Crash Detection]( +* [2021 - LeanSym: Efficient Hybrid Fuzzing Through Conservative Constraint Debloating]( +* [2021 - ESRFuzzer: an enhanced fuzzing framework for physical SOHO router devices to discover multi-Type vulnerabilities]( +* [2021 - FIRM-COV: High-Coverage Greybox Fuzzing for IoT Firmware via Optimized Process Emulation]( +* [2021 - KCFuzz: Directed Fuzzing Based on Keypoint Coverage]( +* [2021 - TCP-Fuzz: Detecting Memory and Semantic Bugs in TCP Stacks with Fuzzing]( +* [2021 - 
Fuzzing with optimized grammar-aware mutation strategies]( +* [2021 - Directed Fuzzing for Use-After-FreeVulnerabilities Detection]( +* [2021 - RapidFuzz: Accelerating Fuzzing via Generative Adversarial Networks]( +* [2021 - DIFUZZRTL: Differential Fuzz Testing to FindCPU Bugs]( +* [2021 - Z-Fuzzer: device-agnostic fuzzing of Zigbee protocol implementation]( +* [2021 - Fuzzing with Multi-dimensional Control of Mutation Strategy]( +* [2021 - Using a Guided Fuzzer and Preconditions to Achieve Branch Coverage with Valid Inputs]( +* [2021 - RIFF: Reduced Instruction Footprint for Coverage-Guided Fuzzing]( +* [2021 - CoCoFuzzing: Testing Neural Code Models with Coverage-Guided Fuzzing]( +* [2021 - Seed Selection for Successful Fuzzing]( +* [2021 - Gramatron: Effective Grammar-Aware Fuzzing]( +* [2021 - Hyntrospect: a fuzzer for Hyper-V devices]( +* [2021 - FUZZOLIC: mixing fuzzing and concolic execution]( +* [2021 - QFuzz: Quantitative Fuzzing for Side Channels]( +* [2021 - Revizor: Fuzzing for Leaks in Black-box CPUs]( +* [2021 - Unleashing Fuzzing Through Comprehensive, Efficient, and Faithful Exploitable-Bug Exposing]( +* [2021 - Constraint-guided Directed Greybox Fuzzing]( +* [2021 - Test-Case Reduction and Deduplication Almost forFree with Transformation-Based Compiler Testing]( +* [2021 - RULF: Rust Library Fuzzing via API Dependency Graph Traversal]( +* [2021 - STOCHFUZZ: Sound and Cost-effective Fuzzing of Stripped Binaries by Incremental and Stochastic Rewriting]( +* [2021 - PS-Fuzz: Efficient Graybox Firmware Fuzzing Based on Protocol State]( +* [2021 - MuDelta: Delta-Oriented Mutation Testing at Commit Time]( +* [2021 - CollabFuzz: A Framework for Collaborative Fuzzing]( +* [2021 - MUTAGEN: Faster Mutation-Based Random Testing]( +* [2021 - Inducing Subtle Mutations with Program Repair]( +* [2021 - Differential Analysis of X86-64 Instruction Decoders]( +* [2021 - On Introducing Automatic Test Case Generation in Practice: A Success Story and Lessons Learned]( 
+* [2021 - A Priority Based Path Searching Method for Improving Hybrid Fuzzing]( +* [2021 - IntelliGen: Automatic Driver Synthesis for Fuzz Testing]( +* [2021 - icLibFuzzer: Isolated-context libFuzzer for Improving Fuzzer Comparability]( +* [2021 - SN4KE: Practical Mutation Testing at Binary Level]( +* [2021 - One Engine to Fuzz ’em All: Generic Language Processor Testing with Semantic Validation]( +* [2021 - Growing A Test Corpus with Bonsai Fuzzing]( +* [2021 - Fuzzing Symbolic Expressions]( +* [2021 - JMPscare: Introspection for Binary-Only Fuzzing]( +* [2021 - An Improved Directed Grey-box Fuzzer]( +* [2021 - A Binary Protocol Fuzzing Method Based on SeqGAN]( +* [2021 - Refined Grey-Box Fuzzing with Sivo]( +* [2021 - PSOFuzzer: A Target-Oriented Software Vulnerability Detection Technology Based on Particle Swarm Optimization]( +* [2021 - MooFuzz: Many-Objective Optimization Seed Schedule for Fuzzer]( +* [2021 - CMFuzz: context-aware adaptive mutation for fuzzers]( +* [2021 - GTFuzz: Guard Token Directed Grey-Box Fuzzing]( +* [2021 - ProFuzzBench: A Benchmark for Stateful Protocol Fuzzing]( +* [2021 - SymQEMU:Compilation-based symbolic execution for binaries]( +* [2021 - CONCOLIC EXECUTION TAILORED FOR HYBRID FUZZING THESIS]( +* [2021 - Breaking Through Binaries: Compiler-quality Instrumentationfor Better Binary-only Fuzzing]( +* [2021 - AlphaFuzz: Evolutionary Mutation-based Fuzzing as Monte Carlo Tree Search]( +* [2020 - Fuzzing with Fast Failure Feedback]( +* [2020 - LAFuzz: Neural Network for Efficient Fuzzing]( +* [2020 - MaxAFL: Maximizing Code Coverage with a Gradient-Based Optimization Technique]( +* [2020 - Program State Abstraction for Feedback-Driven Fuzz Testing using Likely Invariants]( +* [2020 - PMFuzz: Test Case Generation for Persistent Memory Programs]( +* [2020 - FuSeBMC: A White-Box Fuzzer for Finding Security Vulnerabilities in C Programs]( +* [2020 - Integrity: Finding Integer Errors by Targeted Fuzzing]( +* [2020 - ConFuzz: Coverage-guided 
Property Fuzzing for Event-driven Programs]( +* [2020 - AFLTurbo: Speed up Path Discovery for Greybox Fuzzing]( +* [2020 - Fuzzing Channel-Based Concurrency Runtimes using Types and Effects]( +* [2020 - DeFuzz: Deep Learning Guided Directed Fuzzing]( +* [2020 - CrFuzz: Fuzzing Multi-purpose Programs through InputValidation]( +* [2020 - EPfuzzer: Improving Hybrid Fuzzing with Hardest-to-reach Branch Prioritization]( +* [2020 - Fuzzing Based on Function Importance by Attributed Call Graph]( +* [2020 - UNIFUZZ: A Holistic and Pragmatic Metrics-Driven Platform for Evaluating Fuzzers]( +* [2020 - PathAFL: Path-Coverage Assisted Fuzzing]( +* [2020 - Path Sensitive Fuzzing for Native Applications]( +* [2020 - UniFuzz: Optimizing Distributed Fuzzing via Dynamic Centralized Task Scheduling]( +* [2020 - Fuzzing Error Handling Code using Context-Sensitive Software Fault Injection]( +* [2020 - SpecFuzz: Bringing Spectre-type vulnerabilities to the surface]( +* [2020 - Zeror: Speed Up Fuzzing with Coverage-sensitive Tracing and Scheduling]( +* [2020 - MUZZ: Thread-aware Grey-box Fuzzing for Effective Bug Hunting in Multithreaded Programs]( +* [2020 - Evolutionary Grammar-Based Fuzzing]( +* [2020 - AFLpro: Direction sensitive fuzzing]( +* [2020 - CSI-Fuzz: Full-speed Edge Tracing Using Coverage Sensitive Instrumentation]( +* [2020 - Scalable Greybox Fuzzing for Effective Vulnerability Management DISS]( +* [2020 - HotFuzz Discovering Algorithmic Denial-of-Service Vulnerabilities through Guided Micro-Fuzzing]( +* [2020 - Fuzzing Binaries for Memory Safety Errors with QASan]( +* [2020 - Suzzer: A Vulnerability-Guided Fuzzer Based on Deep Learning]( +* [2020 - IJON: Exploring Deep State Spaces via Fuzzing]( +* [2020 - Binary-level Directed Fuzzing for Use-After-Free Vulnerabilities]( +* [2020 - AFLNET: A Greybox Fuzzer for Network Protocols]( +* [2020 - PANGOLIN: Incremental Hybrid Fuzzing with Polyhedral Path Abstraction]( +* [2020 - UEFI Firmware Fuzzing with Simics Virtual 
Platform]( +* [2020 - Finding Security Vulnerabilities in Network Protocol Implementations]( +* [2020 - Typestate-Guided Fuzzer for Discovering Use-after-Free Vulnerabilities]( +* [2020 - FuzzGuard: Filtering out Unreachable Inputs in Directed Grey-box Fuzzing through Deep Learning]( +* [2020 - HyDiff: Hybrid Differential Software Analysis]( +* [2019 - Engineering a Better Fuzzer with SynergicallyIntegrated Optimizations]( +* [2019 - Superion: Grammar-Aware Greybox Fuzzing]( +* [2019 - ProFuzzer: On-the-fly Input Type Probing for Better Zero-day Vulnerability Discovery]( +* [2019 - Grimoire: Synthesizing Structure while Fuzzing]( +* [2019 - Ptrix: Efficient Hardware-Assisted Fuzzing for COTS Binary]( +* [2019 - SAVIOR: Towards Bug-Driven Hybrid Testing]( +* [2019 - FUDGE: Fuzz Driver Generation at Scale]( +* [2019 - NAUTILUS: Fishing for Deep Bugs with Grammars]( +* [2019 - Send Hardest Problems My Way: Probabilistic Path Prioritization for Hybrid Fuzzing]( +* [2019 - EnFuzz: Ensemble Fuzzing with Seed Synchronization among Diverse Fuzzers]( +* [2018 - Fuzz Testing in Practice: Obstacles and Solutions]( +* [2018 - PAFL: Extend Fuzzing Optimizations of Single Mode to Industrial Parallel Mode]( +* [2018 - PTfuzz: Guided Fuzzing with Processor Trace Feedback]( +* [2018 - Angora: Efficient Fuzzing by Principled Search]( +* [2018 - FairFuzz: A Targeted Mutation Strategy for Increasing Greybox Fuzz Testing Coverage]( +* [2018 - NEUZZ: Efficient Fuzzing with Neural Program Smoothing]( +* [2018 - CollAFL: path Sensitive Fuzzing]( +* [2018 - Full-speed Fuzzing: Reducing Fuzzing Overhead through Coverage-guided Tracing]( +* [2018 - QSYM: A Practical Concolic Execution Engine Tailored for Hybrid Fuzzing]( +* [2018 - Coverage-based Greybox Fuzzing as Markov Chain]( +* [2018 - MoonShine: Optimizing OS Fuzzer Seed Selection with Trace Distillation]( +* [2018 - Singularity: Pattern Fuzzing for Worst Case Complexity]( +* [2018 - Smart Greybox Fuzzing]( +* [2018 - Hawkeye: Towards 
a Desired Directed Grey-box Fuzzer]( +* [2018 - PerfFuzz: Automatically Generating Pathological Inputs]( +* [2018 - FairFuzz: A Targeted Mutation Strategy for Increasing Greybox Fuzz Testing Coverage]( +* [2018 - Enhancing Memory Error Detection forLarge-Scale Applications and Fuzz Testing]( +* [2018 - T-Fuzz: fuzzing by program transformation]( +* [2017 - Evaluating and improving fault localization]( +* [2017 - IMF: Inferred Model-based Fuzzer]( +* [2017 - Synthesizing Program Input Grammars]( +* [2017 - Stateful Fuzzing of Wireless Device Drivers in an Emulated Environment]( +* [2017 - Steelix: Program-State Based Binary Fuzzing]( +* [2017 - Designing New Operating Primitives to ImproveFuzzing Performance]( +* [2017 - VUzzer: Application-aware Evolutionary Fuzzing]( +* [2017 - DIFUZE: Interface Aware Fuzzing for Kernel Drivers]( +* [2017 - Instruction Punning: Lightweight Instrumentation for x86-64]( +* [2017 - Designing New Operating Primitives to Improve Fuzzing Performance]( +* [2014 - A Large-Scale Analysis of the Security of Embedded Firmwares]( +* [2013 - Scheduling Black-box Mutational Fuzzing]( +* [2013 - Dowsing for Overflows: A Guided Fuzzer to Find Buffer Boundary Violations]( +* [2013 - RPFuzzer: A Framework for Discovering Router Protocols Vulnerabilities Based on Fuzzing]( +* [2011 - Offset-Aware Mutation based Fuzzing for Buffer Overflow Vulnerabilities: Few Preliminary Results]( +* [2010 - TaintScope: A Checksum-Aware Directed Fuzzing Tool for Automatic Software Vulnerability Detection]( +* [2009 - Taint-based Directed Whitebox Fuzzing]( +* [2009 - Dynamic Test Generation To Find Integer Bugs in x86 Binary Linux Programs]( +* [2008 - Grammar-based Whitebox Fuzzing]( +* [2008 - Vulnerability Analysis for X86 Executables Using Genetic Algorithm and Fuzzing]( +* [2008 - Fuzzing Wi-Fi Drivers to Locate Security Vulnerabilities]( +* [2008 - KLEE: Unassisted and Automatic Generation of High-Coverage Tests for Complex Systems Programs]( +* [2008 - 
Automated Whitebox Fuzz Testing]( +* [2005 - DART: Directed Automated Random Testing]( +* [1994 - Dominators, Super Blocks, and Program Coverage]( + +### IoT fuzzing + +* [2021 - Automatic Vulnerability Detection in Embedded Devices and Firmware: Survey and Layered Taxonomies]( +* [2021 - Fuzzing the Internet of Things: A Review on the Techniques and Challenges for Efficient Vulnerability Discovery in Embedded Systems]( +* [2020 - Verification of Embedded Software Binaries using Virtual Prototypes]( +* [2020 - μSBS: Static Binary Sanitization of Bare-metal Embedded Devices forFault Observability]( +* [2020 - Device-agnostic Firmware Execution is Possible: A Concolic Execution Approach for Peripheral Emulation]( +* [2020 - Vulnerability Detection in SIoT Applications: A Fuzzing Method on their Binaries]( +* [2020 - FirmAE: Towards Large-Scale Emulation of IoT Firmware forDynamic Analysis]( +* [2020 - FIRMNANO: Toward IoT Firmware Fuzzing Through Augmented Virtual Execution]( +* [2020 - ARM-AFL: Coverage-Guided Fuzzing Framework for ARM-Based IoT Devices]( +* [2020 - Bug detection in embedded environments by fuzzing and symbolic execution]( +* [2020 - FirmXRay: Detecting Bluetooth Link Layer Vulnerabilities From Bare-Metal Firmware]( +* [2020 - EM-Fuzz: Augmented Firmware Fuzzing via Memory Checking]( +* [2020 - Verification of Embedded Binaries using Coverage-guided Fuzzing with System C-based Virtual Prototypes]( +* [2020 - DICE: Automatic Emulation of DMA Input Channels for Dynamic Firmware Analysis]( +* [2020 - Fw‐fuzz: A code coverage‐guided fuzzing framework for network protocols on firmware]( +* [2020 - TAINT-DRIVEN FIRMWARE FUZZING OF EMBEDDED SYSTEMS THESIS]( +* [2020 - A Dynamic Instrumentation Technology for IoT Devices]( +* [2020 - Vulcan: a state-aware fuzzing tool for wear OS ecosystem]( +* [2020 - A Novel Concolic Execution Approach on Embedded Device]( +* [2020 - HFuzz: Towards automatic fuzzing testing of NB-IoT core network protocols 
implementations]( +* [2020 - FIRMCORN: Vulnerability-Oriented Fuzzing of IoT Firmware via Optimized Virtual Execution]( +* [2018 - IoTFuzzer: Discovering Memory Corruptions in IoT Through App-based Fuzzing]( +* [2017 - Towards Automated Dynamic Analysis for Linux-based Embedded Firmware]( +* [2016 - Scalable Graph-based Bug Search for Firmware Images]( +* [2015 - SURROGATES: Enabling Near-Real-Time Dynamic Analyses of Embedded Systems]( +* [2015 - Firmalice - Automatic Detection of Authentication Bypass Vulnerabilities in Binary Firmware]( +* [2014 - A Large-Scale Analysis of the Security of Embedded Firmwares]( +* [2013 - RPFuzzer: A Framework for Discovering Router Protocols Vulnerabilities Based on Fuzzing]( + +#### Emulation + +* [2021 - Automatic Firmware Emulation through Invalidity-guided Knowledge Inference(Extended Version)]( +* [2021 - Firmware Re-hosting Through Static Binary-level Porting]( +* [2021 - Jetset: Targeted Firmware Rehosting for Embedded Systems]( +* [2021 - Automatic Firmware Emulation through Invalidity-guided Knowledge Inference]( + + +#### Kernel fuzzing + +* [2021 - SyzVegas: Beating Kernel Fuzzing Odds with Reinforcement Learning]( +* [2021 - NTFUZZ: Enabling Type-Aware Kernel Fuzzing on Windows with Static Binary Analysis]( +* [2021 - Undo Workarounds for Kernel Bugs]( +* [2020 - A Hybrid Interface Recovery Method for Android Kernels Fuzzing]( +* [2020 - FINDING RACE CONDITIONS IN KERNELS:FROM FUZZING TO SYMBOLIC EXECUTION - THESIS]( +* [2020 - Agamotto: Accelerating Kernel Driver Fuzzing with Lightweight Virtual Machine Checkpoints]( +* [2020 - X-AFL: a kernel fuzzer combining passive and active fuzzing]( +* [2020 - Identification of Kernel Memory Corruption Using Kernel Memory Secret Observation Mechanism]( +* [2020 - HFL: Hybrid Fuzzing on the Linux Kernel]( +* [2020 - Realistic Error Injection for System Calls]( +* [2020 - KRACE: Data Race Fuzzing for Kernel File Systems]( +* [2020 - USBFuzz: A Framework for Fuzzing USB Drivers by 
Device Emulation]( +* [2019 - Fuzzing File Systems via Two-Dimensional Input Space Exploration]( +* [2019 - Razzer: Finding Kernel Race Bugs through Fuzzing]( +* [2019 - Unicorefuzz: On the Viability of Emulation for Kernel space Fuzzing]( +* [2017 - Stateful Fuzzing of Wireless Device Drivers in an Emulated Environment]( +* [2017 - DIFUZE: Interface Aware Fuzzing for Kernel Drivers]( +* [2008 - Fuzzing Wi-Fi Drivers to Locate Security Vulnerabilities]( + + +#### Format specific fuzzing + +* [2020 - NYX: Greybox Hypervisor Fuzzing using Fast Snapshots and Affine Types]( +* [2020 - Tree2tree Structural Language Modeling for Compiler Fuzzing]( +* [2020 - Detecting Critical Bugs in SMT Solvers Using Blackbox Mutational Fuzzing]( +* [2020 - JS Engine - Montage: A Neural Network Language Model-Guided JavaScript Engine Fuzzer]( +* [2020 - JS Engine - Fuzzing JavaScript Engines with Aspect-preserving Mutation]( +* [2020 - CUDA Compiler - CUDAsmith: A Fuzzer for CUDA Compilers]( +* [2020 - Smart Contracts - sFuzz: An Efficient Adaptive Fuzzer for Solidity Smart Contracts]( +* [2019 - Compiler Fuzzing: How Much Does It Matter?]( +* [2019 - Smart Contracts - Harvey: A Greybox Fuzzer for Smart Contracts]( +* [2017 - XML - Skyfire: Data-Driven Seed Generation for Fuzzing]( + + +#### Exploitation + +* [2021 - V0Finder: Discovering the Correct Origin of Publicly Reported Software Vulnerabilities]( +* [2021 - Identifying Valuable Pointers in Heap Data]( +* [2021 - OCTOPOCS: Automatic Verification of Propagated Vulnerable Code Using Reformed Proofs of Concept]( +* [2021 - Characterizing Vulnerabilities in a Major Linux Distribution]( +* [2021 - MAZE: Towards Automated Heap Feng Shui]( +* [2021 - Vulnerability Detection in C/C++ Source Code With Graph Representation Learning]( +* [2021 - mallotROPism: a metamorphic engine for malicious software variation development]( +* [2020 - Automatic Techniques to Systematically Discover New Heap Exploitation Primitives]( +* [2020 - 
Shadow-Heap: Preventing Heap-based Memory Corruptions by Metadata Validation]( +* [2020 - Practical Fine-Grained Binary Code Randomization]( +* [2020 - Tiny-CFA: Minimalistic Control-Flow Attestation UsingVerified Proofs of Execution]( +* [2020 - Greybox Automatic Exploit Generation for Heap Overflows in Language Interpreters - PHD THESIS]( +* [2020 - ABCFI: Fast and Lightweight Fine-Grained Hardware-Assisted Control-Flow Integrity]( +* [2020 - HeapExpo: Pinpointing Promoted Pointers to Prevent Use-After-Free Vulnerabilities]( +* [2020 - Localizing Patch Points From One Exploit]( +* [2020 - Speculative Dereferencing of Registers: Reviving Foreshadow]( +* [2020 - HAEPG: An Automatic Multi-hop Exploitation Generation Framework]( +* [2020 - Exploiting More Binaries by Using Planning to Assemble ROP Exploiting More Binaries by Using Planning to Assemble ROP Attacks Attacks]( +* [2020 - ROPminer: Learning-Based Static Detection of ROP Chain Considering Linkability of ROP Gadgets]( +* [2020 - KOOBE: Towards Facilitating Exploit Generation of Kernel Out-Of-Bounds Write Vulnerabilities]( +* [2020 - Preventing Return Oriented Programming Attacks By Preventing Return Instruction Pointer Overwrites]( +* [2020 - KASLR: Break It, Fix It, Repeat]( +* [2020 - ShadowGuard : Optimizing the Policy and Mechanism of Shadow Stack Instrumentation using Binary Static Analysis]( +* [2020 - VulHunter: An Automated Vulnerability Detection System Based on Deep Learning and Bytecode]( +* [2020 - Analysis and Evaluation of ROPInjector]( +* [2020 - API Misuse Detection in C Programs: Practice on SSL APIs]( +* [2020 - KOOBE: Towards Facilitating Exploit Generation of Kernel Out-Of-Bounds Write Vulnerabilities]( +* [2020 - Egalito: Layout-Agnostic Binary Recompilation]( +* [2020 - Verifying Software Vulnerabilities in IoT Cryptographic Protocols]( +* [2020 - μRAI: Securing Embedded Systems with Return Address Integrity]( +* [2020 - Preventing Return Oriented Programming Attacks By Preventing 
Return Instruction Pointer Overwrites]( +* [2019 - Kernel Protection Against Just-In-Time Code Reuse]( +* [2019 - Kernel Exploitation Via Uninitialized Stack]( +* [2019 - KEPLER: Facilitating Control-flow Hijacking Primitive Evaluation for Linux Kernel Vulnerabilities]( +* [2019 - SLAKE: Facilitating Slab Manipulation for Exploiting Vulnerabilities in the Linux Kernel]( +* [2018 - HeapHopper: Bringing Bounded Model Checkingto Heap Implementation Security]( +* [2018 - K-Miner: Uncovering Memory Corruption in Linux]( +* [2017 - HAIT: Heap Analyzer with Input Tracing]( +* [2017 - DROP THE ROP: Fine-grained Control-flow Integrity for the Linux Kernel]( +* [2017 - kR^X: Comprehensive Kernel Protection against Just-In-Time Code Reuse]( +* [2017 - Unleashing Use-Before-Initialization Vulnerabilities in the Linux Kernel Using Targeted Stack Spraying]( +* [2017 - Towards Automated Dynamic Analysis for Linux-based Embedded Firmware]( +* [2016 - Scalable Graph-based Bug Search for Firmware Images]( +* [2015 - Cross-Architecture Bug Search in Binary Executables]( +* [2015 - SURROGATES: Enabling Near-Real-Time Dynamic Analyses of Embedded Systems]( +* [2015 - From Collision To Exploitation: Unleashing Use-After-Free Vulnerabilities in Linux Kernel]( +* [2015 - PIE: Parser Identification in Embedded Systems]( +* [2014 - ret2dir: Rethinking Kernel Isolation]( +* [2014 - Make It Work, Make It Right, Make It Fast: Building a Platform-Neutral Whole-System Dynamic Binary Analysis Platform]( +* [2012 - Anatomy of a Remote Kernel Exploit]( +* [2012 - A Heap of Trouble: Breaking the LinuxKernel SLOB Allocator]( +* [2011 - Linux kernel vulnerabilities: state-of-the-art defenses and open problems]( +* [2011 - Protecting the Core: Kernel Exploitation Mitigations]( +* [2015 - From Collision To Exploitation: Unleashing Use-After-Free Vulnerabilities in Linux Kernel]( +* [2014 - ret2dir: Rethinking Kernel Isolation]( +* [2012 - Anatomy of a Remote Kernel Exploit]( +* [2012 - A Heap of 
Trouble: Breaking the Linux Kernel SLOB Allocator]( +* [2011 - Linux kernel vulnerabilities: state-of-the-art defenses and open problems]( +* [2011 - Protecting the Core: Kernel Exploitation Mitigations]( + + +#### Static Binary Analysis + +* [2021 - VIVA: Binary Level Vulnerability Identification via Partial Signature]( +* [2021 - Overview of the advantages and disadvantages of static code analysis tools]( +* [2021 - Multi-Level Cross-Architecture Binary Code Similarity Metric]( +* [2020 - VulDetector: Detecting Vulnerabilities using Weighted Feature Graph Comparison]( +* [2020 - DEEPBINDIFF: Learning Program-Wide Code Representations for Binary Diffing]( +* [2020 - BinDeep: A Deep Learning Approach to Binary Code Similarity Detection]( +* [2020 - Revisiting Binary Code Similarity Analysis using Interpretable Feature Engineering and Lessons Learned]( +* [2020 - iDEA: Static Analysis on the Security of Apple Kernel Drivers]( +* [2020 - HART: Hardware-Assisted Kernel Module Tracing on Arm]( +* [2020 - AN APPROACH TO COMPARING CONTROL FLOW GRAPHS BASED ON BASIC BLOCK MATCHING]( +* [2020 - How Far We Have Come: Testing Decompilation Correctness of C Decompilers]( +* [2020 - Dynamic Binary Lifting and Recompilation DISS]( +* [2020 - Similarity Based Binary Backdoor Detection via Attributed Control Flow Graph]( +* [2020 - IoTSIT: A Static Instrumentation Tool for IoT Devices]( +* [2019 - Code Similarity Detection using AST and Textual Information]( +* [2018 - CodEX: Source Code Plagiarism DetectionBased on Abstract Syntax Trees]( +* [2017 - a unified binary analysis framework to recover CFGs and function boundaries]( +* [2017 - Angr: The Next Generation of Binary Analysis]( +* [2016 - Binary code is not easy]( +* [2015 - Cross-Architecture Bug Search in Binary Executables]( +* [2014 - A platform for secure static binary instrumentation]( +* [2013 - MIL: A language to build program analysis tools through static binary instrumentation]( +* [2013 - Binary Code Analysis]( 
+* [2013 - A compiler-level intermediate representation based binary analysis and rewriting system]( +* [2013 - Protocol reverse engineering through dynamic and static binary analysis]( +* [2013 - BinaryPig: Scalable Static Binary Analysis Over Hadoop]( +* [2011 - BAP: A Binary Analysis Platform]( +* [2009 - Syntax tree fingerprinting for source code similarity detection]( +* [2008 - BitBlaze: A New Approach to Computer Security via Binary Analysis]( +* [2005 - Practical analysis of stripped binary code]( +* [2004 - Detecting kernel-level rootkits through binary analysis]( + + +#### Misc + +* [2021 - UAFSan: an object-identifier-based dynamic approach for detecting use-after-free vulnerabilities]( +* [2021 - SyML: Guiding Symbolic Execution Toward Vulnerable States Through Pattern Learning]( +* [2021 - LLSC: A Parallel Symbolic Execution Compiler for LLVM IR]( +* [2021 - FuzzSplore: Visualizing Feedback-Driven Fuzzing Techniques]( +* [2020 - Memory Error Detection Based on Dynamic Binary Translation]( +* [2020 - Sydr: Cutting Edge Dynamic Symbolic Execution]( +* [2020 - DrPin: A dynamic binary instumentator for multiple processor architectures]( +* [2020 - MVP: Detecting Vulnerabilities using Patch-Enhanced Vulnerability Signatures]( +* [2020 - Collecting Vulnerable Source Code from Open-Source Repositories for Dataset Generation]( +* [2020 - LEOPARD: Identifying Vulnerable Code for Vulnerability Assessment through Program Metrics]( +* [2020 - Dynamic Program Analysis Tools in GCC and CLANG Compilers]( +* [2020 - On Using k-means Clustering for Test Suite Reduction]( +* [2020 - Optimizing the Parameters of an Evolutionary Algorithm for Fuzzing and Test Data Generation]( +* [2020 - Inputs from Hell: Learning Input Distributions for Grammar-Based Test Generation]( +* [2020 - IdSan: An identity-based memory sanitizer for fuzzing binaries]( +* [2020 - An experimental study oncombining automated andstochastic test data generation - MASTER THESIS]( +* [2020 - FuzzGen: 
Automatic Fuzzer Generation]( +* [2020 - Fuzzing: On the Exponential Cost of Vulnerability Discovery]( +* [2020 - Poster: Debugging Inputs]( +* [2020 - API Misuse Detection in C Programs: Practice on SSL APIs]( +* [2020 - Egalito: Layout-Agnostic Binary Recompilation]( +* [2020 - Verifying Software Vulnerabilities in IoT Cryptographic Protocols]( +* [2020 - μRAI: Securing Embedded Systems with Return Address Integrity]( +* [2020 - Fast Bit-Vector Satisfiability]( +* [2020 - MARDU: Efficient and Scalable Code Re-randomization]( +* [2020 - Towards formal verification of IoT protocols: A Review]( +* [2020 - Automating the fuzzing triage process]( +* [2020 - COMPARING AFL SCALABILITY IN VIRTUAL-AND NATIVE ENVIRONMENT]( +* [2020 - SYMBION: Interleaving Symbolic with Concrete Execution]( +* [2020 - Not All Coverage Measurements Are Equal: Fuzzing by Coverage Accounting for Input Prioritization]( +* [2019 - Toward the Analysis of Embedded Firmware through Automated Re-hosting]( +* [2019 - FUZZIFICATION: Anti-Fuzzing Techniques]( +* [2018 - VulinOSS: A Dataset of Security Vulnerabilities in Open-source Systems]( +* [2018 - HDDr: A Recursive Variantof the Hierarchical Delta Debugging Algorithm]( +* [2017 - Coarse Hierarchical Delta Debugging]( +* [2017 - VUDDY: A Scalable Approach for Vulnerable CodeClone Discovery]( +* [2017 - Postmortem Program Analysis with Hardware-Enhanced Post-Crash Artifacts]( +* [2017 - Synthesizing Program Input Grammars]( +* [2017 - Designing New Operating Primitives to Improve Fuzzing Performance]( +* [2017 - Instruction Punning: Lightweight Instrumentation for x86-64]( +* [2016 - Modernizing Hierarchical Delta Debugging]( +* [2016 - VulPecker: An Automated Vulnerability Detection SystemBased on Code Similarity Analysis]( +* [2016 - CREDAL: Towards Locating a Memory Corruption Vulnerability with Your Core Dump]( +* [2016 - RETracer: Triaging Crashes by Reverse Execution fromPartial Memory Dumps]( +* [2015 - PIE: Parser Identification in Embedded 
Systems]( +* [2010 - Iterative Delta Debugging]( +* [2009 - Dynamic Test Generation To Find Integer Bugs in x86 Binary Linux Programs]( +* [2006 - HDD: Hierarchical Delta Debugging]( + +### Surveys, SoKs, and Studies + +* [2021 - A Systematic Review of Network Protocol Fuzzing Techniques]( +* [2021 - Vulnerability Detection is Just the Beginning]( +* [2021 - Evaluating Synthetic Bugs]( +* [2020 - A Practical, Principled Measure of Fuzzer Appeal:A Preliminary Study]( +* [2020 - A Systemic Review of Kernel Fuzzing]( +* [2020 - A Survey of Hybrid Fuzzing based on Symbolic Execution]( +* [2020 - A Study on Using Code Coverage Information Extracted from Binary to Guide Fuzzing]( +* [2020 - Study of Security Flaws in the Linux Kernel by Fuzzing]( +* [2020 - Dynamic vulnerability detection approaches and tools: State of the Art]( +* [2020 - Fuzzing: Challenges and Reflections]( +* [2020 - The Relevance of Classic Fuzz Testing: Have We Solved This One?]( +* [2020 - A Practical, Principled Measure of Fuzzer Appeal:A Preliminary Study]( +* [2020 - SoK: All You Ever Wanted to Know About x86/x64 Binary Disassembly But Were Afraid to Ask]( +* [2020 - A Quantitative Comparison of Coverage-Based Greybox Fuzzers]( +* [2020 - A Survey of Security Vulnerability Analysis, Discovery, Detection, and Mitigation on IoT Devices]( +* [2020 - A systematic review of fuzzing based on machine learning techniques]( +* [2019 - A Survey of Binary Code Similarity]( +* [2019 - The Art, Science, and Engineering of Fuzzing: A Survey]( +* [2012 - Regression testingminimization, selection and prioritization: a survey](
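Review bot: the kernel-exploitation list in this hunk repeats six entries verbatim, so the block starting at the second "2015 - From Collision To Exploitation: Unleashing Use-After-Free Vulnerabilities in Linux Kernel" (through the second "2011 - Protecting the Core: Kernel Exploitation Mitigations") should be dropped; the "Surveys, SoKs, and Studies" list likewise lists "2020 - A Practical, Principled Measure of Fuzzer Appeal:A Preliminary Study" twice, and "2015 - Cross-Architecture Bug Search in Binary Executables" and "2015 - PIE: Parser Identification in Embedded Systems" each appear in two sublists, which should be a deliberate cross-listing or reduced to one. Several titles carry run-together words from the copy (e.g. "HeapHopper: Bringing Bounded Model Checkingto Heap Implementation Security", "RETracer: Triaging Crashes by Reverse Execution fromPartial Memory Dumps", "Regression testingminimization, selection and prioritization", "An experimental study oncombining automated andstochastic test data generation", "DrPin: A dynamic binary instumentator") and "A Systemic Review of Kernel Fuzzing" reads as a typo for "Systematic"; these should match the papers' actual titles so the entries stay searchable. Every link in the hunk is rendered here with an empty target (`](`), so please confirm the URLs survived the copy from the upstream list before merging. Finally, the annotation style is inconsistent ("Dynamic Binary Lifting and Recompilation DISS" vs "... - MASTER THESIS"); pick one convention for thesis/dissertation markers.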