# software-security-paper-list

**Repository Path**: haidragon/software-security-paper-list

## Basic Information

- **Project Name**: software-security-paper-list
- **Description**: No description available
- **Primary Language**: Unknown
- **License**: MIT
- **Default Branch**: main
- **Homepage**: None
- **GVP Project**: No

## Statistics

- **Stars**: 0
- **Forks**: 0
- **Created**: 2021-01-03
- **Last Updated**: 2021-01-03

## Categories & Tags

**Categories**: Uncategorized

**Tags**: None

## README

# Software security paper list


This repository contains a curated list of papers relevant to:
* software security;
* program analysis; and
* systems security.

The list is divided into further sub-topics and include a sub-topic called "General" for papers that either have not been sorted into a sub-topic yet or do not fit into any sub-topics.


This list is maintained by:
* [David Korczynski](https://twitter.com/Davkorcz); and
* [Adam Korczynski](https://twitter.com/AdamKorcz4)

PRs are very welcome.

### Download all automatically
The `auto_download.py` script can be used to download either all of the papers or the papers for a given subtopic.

`auto_download.py` will create a directory `out` in the current working directory if it does not already exist. Then it will create another folder in `out` with the name of the sub-topic you are choosing to download or `All` in case you download all papers.

Example uses:
```
# Download all papers
python ./auto_download.py All

# Download all papers related to Fuzzing
python ./auto_download.py Fuzzing

# Download all papers related to Malware
python ./auto_download.py Malware
```

### Other paper lists
* [Awesome fuzzing](https://github.com/cpuu/awesome-fuzzing)
* [Recent Papers Related To Fuzzing](https://github.com/wcventure/FuzzingPaper)
* [Awesome Virtualization](https://github.com/Wenzel/awesome-virtualization)


# Papers
Table of contents:
* [General](#General)
* [Android](#Android)
* [Control-flow integrity](#control-flow-integrity)
* [Cyber-physical](#Cyber-physical)
* [Symbolic execution](#Symbolic-execution)
* [Virtualisation](#Virtualisation)
* [Fuzzing](#Fuzzing)
* [Malware](#Malware)
* [Binary analysis](#binary-analysis)

## General
- [A Randomized Dynamic Program Analysis Technique for Detecting Real Deadlocks](https://www.cis.upenn.edu/~mhnaik/papers/pldi09b.pdf)
- [Randomized Active Atomicity Violation Detection in Concurrent Programs](https://parlab.eecs.berkeley.edu/sites/all/parlab/files/Randomized%20Active%20Atomicity%20Violation%20Detection%20in%20Concurrent%20Programs.pdf)
- [Privacy Oracle: a System for Finding Application Leaks with Black Box Differential Testing](https://homes.cs.washington.edu/~yoshi/papers/PrivacyOracle/privacyoracle-ccs2008.pdf)
- [TypeSan: Practical Type Confusion Detection](https://nebelwelt.net/publications/files/16CCS2.pdf)
- [HexType: Efficient Detection of Type Confusion Errors for C++](https://nebelwelt.net/files/17CCS.pdf)
- [Dynamic Test Generation To Find Integer Bugs in x86 Binary Linux Programs](https://people.eecs.berkeley.edu/~daw/papers/smartfuzz-use09.pdf)
- [Vulcan Binary transformation in a distributed environment](https://www.microsoft.com/en-us/research/wp-content/uploads/2016/02/tr-2001-50.pdf)
- [Automated Detection, Exploitation, and Elimination of Double-Fetch Bugs using Modern CPU Features](https://arxiv.org/pdf/1711.01254.pdf)
- [Path-Exploration Lifting: Hi-Fi Tests for Lo-Fi Emulators](https://people.eecs.berkeley.edu/~dawnsong/papers/2012%20Path%20Exploration%20Lifting%20Hi%20Fi%20Tests%20for%20Lo%20Fi%20Emulators.pdf)
- [Robust Signatures for Kernel Data Structures](https://www.cc.gatech.edu/~brendan/ccs09_siggen.pdf)
- [DELTA: A Security Assessment Framework for Software-Defined Networks](https://pdfs.semanticscholar.org/ad1d/64e9e431681a088db680adcf1cb479fc22fc.pdf)
- [Simplifying and Isolating Failure-Inducing Input](https://www.cs.purdue.edu/homes/xyzhang/fall07/Papers/delta-debugging.pdf)
- [Fitness-Guided Path Exploration in Dynamic Symbolic Execution](https://www.microsoft.com/en-us/research/wp-content/uploads/2009/06/dsn09-fitnex1.pdf)
- [Enforceable Security Policies](https://www.cs.cornell.edu/fbs/publications/EnfSecPols.pdf)
- [Enemy of the State: A State-Aware Black-Box Web Vulnerability Scanner](https://www.usenix.org/system/files/conference/usenixsecurity12/sec12-final225.pdf)
- [Feedback-directed Random Test Generation](https://homes.cs.washington.edu/~mernst/pubs/feedback-testgen-icse2007.pdf)
- [Probability-Based Parameter Selection for Black-Box Fuzz Testing](http://webblaze.cs.berkeley.edu/papers/FLAX.pdf)
- [FLAX: Systematic Discovery of Client-side Validation Vulnerabilities in Rich Web Applications]()
- [Representation Dependence Testing using Program Inversion](https://core.ac.uk/download/pdf/207770249.pdf)
- [Deriving Input Syntactic Structure From Execution](https://www.cs.purdue.edu/homes/xyzhang/Comp/fse08.pdf)
- [SoftBound: Highly Compatible and Complete Spatial Memory Safety for C](https://www.cs.rutgers.edu/~santosh.nagarakatte/papers/pldi09_softbound.pdf)
- [CodeAlchemist: Semantics-Aware Code Generation to Find Vulnerabilities in JavaScript Engines](https://www.ndss-symposium.org/wp-content/uploads/2019/02/ndss2019_05A-5_Han_paper.pdf)
- [CETS: Compiler-Enforced Temporal Safety for C](https://www.cs.rutgers.edu/~santosh.nagarakatte/papers/ismm10-cets.pdf)
- [Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software](http://bitblaze.cs.berkeley.edu/papers/taintcheck-full.pdf)
- [NEZHA: Efficient Domain-Independent Differential Testing](https://www.cs.columbia.edu/~suman/docs/nezha.pdf)
- [Prospex: Protocol Specification Extraction](https://sites.cs.ucsb.edu/~chris/research/doc/oakland09_prospex.pdf)
- [Understanding Integer Overflow in C/C++](https://www.cs.utah.edu/~regehr/papers/overflow12.pdf)
- [Polyglot: Automatic Extraction of Protocol Message Format using Dynamic Binary Analysis](http://bitblaze.cs.berkeley.edu/papers/polyglot_ccs07_av.pdf)
- [QTEP: Quality-Aware Test Case Prioritization](http://asset.uwaterloo.ca/qtep/qtep.pdf)
- [Race Directed Random Testing of Concurrent Programs](https://www.cs.columbia.edu/~junfeng/09fa-e6998/papers/racefuzz.pdf)
- [Type Casting Verification: Stopping an Emerging Attack Vector](https://www.usenix.org/system/files/conference/usenixsecurity15/sec15-paper-lee.pdf)
- [Towards Optimization-Safe Systems: Analyzing the Impact of Undefined Behavior](https://people.csail.mit.edu/nickolai/papers/wang-stack.pdf)
- [Disco: Running commodity operating systems on scalable multiprocessors](http://www.cs.cornell.edu/courses/cs6411/2018sp/papers/bugnion97disco.pdf)
- [Jump-Oriented Programming: A New Class of Code-Reuse Attack](https://people.engr.ncsu.edu/tkbletsc/pubs/JOP.pdf)
- [Can DREs Provide Long-Lasting Security? The Case of Return-Oriented Programming and the AVC Advantage](https://www.usenix.org/legacy/events/evtwote09/tech/full_papers/checkoway.pdf)
- [Decoupling dynamic program analysis from execution in virtual environments](https://www.usenix.org/legacy/event/usenix08/tech/full_papers/chow/chow.pdf)
- [Understanding data lifetime via whole system simulation.](https://benpfaff.org/papers/taint.pdf)
- [Minos: Control Data Attack Prevention Orthogonal to Memory Model](http://people.cs.uchicago.edu/~ftchong/papers/micro2004.pdf)
- [Tainting is Not Pointless](https://web.stanford.edu/group/mast/cgi-bin/drupal/system/files/2010.taintingpoint.osr_.pdf)
- [Size Does Matter: Why Using Gadget-Chain Length to Prevent Code-Reuse Attacks is Hard](http://www.syssec-project.eu/m/page-media/3/sec14-paper-goktas.pdf)
- [ROPMEMU: A Framework for the Analysis of Complex Code-Reuse Attacks](http://www.s3.eurecom.fr/docs/asiaccs16_graziano.pdf)
- [A virtual machine based information flow control system for policy enforcement](https://www.cs.vu.nl/~ast/Publications/Papers/entcs-2008.pdf)
- [The geometry of innocent flesh on the bone: Return-into-libc without function calls (on the x86)](https://hovav.net/ucsd/dist/geometry.pdf)
- [SPIDER: Enabling Fast Patch Propagation In Related Software Repositories](https://seclab.cs.ucsb.edu/files/publications/machiry2020_spider.pdf)
- [HALucinator: Firmware Re-hosting Through Abstraction Layer Emulation](https://seclab.cs.ucsb.edu/files/publications/gustafson2020_halucinator.pdf)
- [PhishTime: Continuous Longitudinal Measurement of the Effectiveness of Anti-phishing Blacklists](https://www.usenix.org/system/files/sec20-oest-phishtime.pdf)
- [Exploiting Uses of Uninitialized Stack Variables in Linux Kernels to Leak Kernel Pointers](https://www.usenix.org/system/files/woot20-paper-cho.pdf)
- [Sleak: automating address space layout derandomization](https://sites.cs.ucsb.edu/~vigna/publications/2019_ACSAC_Sleak.pdf)
- [Matched and Mismatched SOCs: A Qualitative Study on Security Operations Center Issues](https://adamdoupe.com/publications/matched-and-mismatched-socs-ccs2019.pdf)
- [GuardION: Practical Mitigation of DMA-Based Rowhammer Attacks on ARM](https://research.vu.nl/files/75478203/Veen2018_Chapter_GuardIONPracticalMitigationOfD.pdf)
- [Measuring E-mail header injections on the world wide web](https://sites.cs.ucsb.edu/~chris/research/doc/sac18_email.pdf)
- [Detecting Deceptive Reviews Using Generative Adversarial Networks](https://arxiv.org/pdf/1805.10364.pdf)
- [HeapHopper: Bringing Bounded Model Checking to Heap Implementation Security](https://www.usenix.org/system/files/conference/usenixsecurity18/sec18-eckert.pdf)
- [Rampart: Protecting Web Applications from CPU-Exhaustion Denial-of-Service Attacks](https://www.usenix.org/system/files/conference/usenixsecurity18/sec18-meng.pdf)
- [Exploitation and Mitigation of Authentication Schemes Based on Device-Public Information](https://dl.acm.org/doi/pdf/10.1145/3134600.3134615)
- [Piston: Uncooperative Remote Runtime Patching](https://sites.cs.ucsb.edu/~chris/research/doc/acsac17_piston.pdf)
- [Rise of the HaCRS: Augmenting Autonomous Cyber Reasoning Systems with Human Assistance](https://acmccs.github.io/papers/p347-shoshitaishviliA.pdf)
- [Gossip: Automatically Identifying Malicious Domains from Mailing List Discussions](https://sites.cs.ucsb.edu/~vigna/publications/2017_AsiaCCS_gossip.pdf)
- [POISED: Spotting Twitter Spam Off the Beaten Paths](https://arxiv.org/pdf/1708.09058.pdf)
- [How Shall We Play a Game?: A Game-theoretical Model for Cyber-warfare Games](https://users.ece.cmu.edu/~youzhib/paper/bao2017csf.pdf)
- [Obfuscation-Resilient Privacy Leak Detection for Mobile Apps Through Differential Analysis](https://reyammer.io/publications/2017_ndss_agrigento.pdf)
- [BOOMERANG: Exploiting the Semantic Gap in Trusted Execution Environments](https://sites.cs.ucsb.edu/~cspensky/pdfs/ndss17-final227.pdf)
- [Something from Nothing (There): Collecting Global IPv6 Datasets from DNS](https://sites.cs.ucsb.edu/~vigna/publications/2017_PAM_CollectingIPv6.pdf)
- [BootStomp: On the Security of Bootloaders in Mobile Devices](https://www.usenix.org/system/files/conference/usenixsecurity17/sec17-redini.pdf)
- [DR. CHECKER: A Soundy Analysis for Linux Kernel Drivers](https://www.usenix.org/system/files/conference/usenixsecurity17/sec17-machiry.pdf)
- [Taming Transactions: Towards Hardware-Assisted Control Flow Integrity Using Transactional Memory](https://sites.cs.ucsb.edu/~vigna/publications/2016_RAID_Transactional.pdf)
- [SOK: (State of) The Art of War: Offensive Techniques in Binary Analysis](https://sites.cs.ucsb.edu/~vigna/publications/2016_SP_angrSoK.pdf)
- [Quickly generating diverse valid test inputs with reinforcement learning](https://people.eecs.berkeley.edu/~rohanpadhye/files/rlcheck-icse20.pdf)
- [Mining Temporal Properties of Data Invariants](https://www.carolemieux.com/icse15-quarry-src-abstract.pdf)
- [General LTL Specification Mining](https://www.cs.ubc.ca/~bestchai/papers/texada-ase15_final.pdf)
- [Investigating Program BehaviorUsing the Texada LTL Specifications Miner](https://www.carolemieux.com/texada_ase15_demos_final.pdf)
- [Know Your Achilles' Heel: Automatic Detection of Network Critical Services](https://sites.cs.ucsb.edu/~vigna/publications/2015_ACSAC_Achilles.pdf)
- [Firmalice - Automatic Detection of Authentication Bypass Vulnerabilities in Binary Firmware](https://www.ndss-symposium.org/wp-content/uploads/2017/09/11_1_2.pdf)
- [EVILCOHORT: Detecting Communities of Malicious Accounts on Online Services](https://www.usenix.org/system/files/conference/usenixsecurity15/sec15-paper-stringhini.pdf)
- [Meerkat: Detecting Website Defacements through Image-based Object Recognition](https://sites.cs.ucsb.edu/~chris/research/doc/usenix15_meerkat.pdf)
- [How the ELF Ruined Christmas](https://sites.cs.ucsb.edu/~chris/research/doc/usenix15_elf.pdf)
- [ZigZag: Automatically Hardening Web Applications Against Client-side Validation Vulnerabilities](https://www.usenix.org/system/files/conference/usenixsecurity15/sec15-paper-weissbacher.pdf)
- [Framing Dependencies Introduced by Underground Commoditization](https://cseweb.ucsd.edu/~savage/papers/WEIS15.pdf)
- [The harvester, the botmaster, and the spammer: on the relations between the different actors in the spam landscape](https://www.ucl.ac.uk/jill-dando-institute/sites/jill-dando-institute/files/harvesters-asiaccs2014.pdf)
- [PExy: The Other Side of Exploit Kits](https://kapravelos.com/publications/pexy-DIMVA14.pdf)
- [The Dark Alleys of Madison Avenue: Understanding Malicious Advertisements](https://www.kapravelos.com/publications/malvertisments-IMC14.pdf)
- [Rippler: Delay injection for service dependency detection](https://sites.cs.ucsb.edu/~chris/research/doc/infocom14_rippler.pdf)
- [Eyes of a Human, Eyes of a Program: Leveraging Different Views of the Web for Analysis and Detection](https://sites.cs.ucsb.edu/~vigna/publications/2014_RAID_EagleEye.pdf)
- [Extracting probable command and control signatures for detecting botnets](https://sites.cs.ucsb.edu/~chris/research/doc/sac14_botnetcnc.pdf)
- [Stranger danger: exploring the ecosystem of ad-based URL shortening services](https://core.ac.uk/download/pdf/34593962.pdf)
- [Relevant change detection: a framework for the precise extraction of modified and novel web-based content as a filtering technique for analysis engines](https://seclab.cs.ucsb.edu/files/publications/Borgolte2014Relevant_Change.pdf)
- [Message in a bottle: sailing past censorship](https://sites.cs.ucsb.edu/~chris/research/doc/acsac13_message.pdf)
- [deDacota: toward preventing server-side XSS via automatic code and data separation](https://sites.cs.ucsb.edu/~vigna/publications/2013_CCS_deDacota.pdf)
- [Follow the green: growth and dynamics in twitter follower markets](https://seclab.bu.edu/papers/follower_markets-imc2013.pdf)
- [COMPA: Detecting Compromised Accounts on Social Networks](https://www.ucl.ac.uk/jill-dando-institute/sites/jill-dando-institute/files/compa-full-paper.pdf)
- [Clickonomics: Determining the Effect of Anti-Piracy Measures for One-Click Hosting](https://sites.cs.ucsb.edu/~chris/research/doc/ndss13_clickonomics.pdf)
- [Practical Attacks against the I2P Network](https://sites.cs.ucsb.edu/~chris/research/doc/raid13_i2p.pdf)
- [EARs in the wild: large-scale analysis of execution after redirect vulnerabilities](https://sefcom.asu.edu/publications/ears-in-the-wild-sac2013.pdf)
- [Cookieless Monster: Exploring the Ecosystem of Web-Based Device Fingerprinting](https://seclab.cs.ucsb.edu/files/publications/Nikiforakis2013Cookieless_monster.pdf)
- [Revolver: An Automated Approach to the Detection of Evasive Web-based Malware](https://www.yancomm.net/papers/2013%20-%20USENIX%20Security%20-%20Revolver.pdf)
- [Steal This Movie: Automatically Bypassing DRM Protection in Streaming Media Services](https://www.usenix.org/system/files/conference/usenixsecurity13/sec13-paper_wang_3.pdf)
- [Two years of short URLs internet measurement: security threats and countermeasures](https://seclab.cs.ucsb.edu/files/publications/Maggi2013Two_years.pdf)
- [PeerPress: utilizing enemies' P2P strength against them](https://people.engr.tamu.edu/guofei/paper/PeerPress-CCS12.pdf)
- [You are what you include: large-scale evaluation of remote javascript inclusions](https://www.kapravelos.com/publications/jsinclusions-CCS12.pdf)
- [Tracking Memory Writes for Malware Classification and Code Reuse Identification](https://sites.cs.ucsb.edu/~vigna/publications/2012_DIMVA_memwrite.pdf)
- [ViewPoints: differential string analysis for discovering client- and server-side input validation inconsistencies](https://sites.cs.ucsb.edu/~bultan/publications/issta12.pdf)
- [A quantitative study of accuracy in system call-based malware detection](https://sites.cs.ucsb.edu/~chris/research/doc/issta12_malmodels.pdf)
- [Enforcing dynamic spectrum access with spectrum permits](https://sites.cs.ucsb.edu/~chris/research/doc/mobihoc12_gelato.pdf)
- [Detecting social cliques for automated privacy control in online social networks](https://www.cse.usf.edu/dsg/data/publications/papers/privacy_survey_imrul.pdf)
- [B@bel: Leveraging Email Delivery for Spam Mitigation](https://www.usenix.org/system/files/conference/usenixsecurity12/sec12-final59.pdf)
- [PUBCRAWL: Protecting Users and Businesses from CRAWLers](https://sites.cs.ucsb.edu/~vigna/publications/2012_USENIX_pubcrawl.pdf)
- [Poultry markets: on the underground economy of twitter followers](https://seclab.bu.edu/people/gianluca/papers/poultry-WOSN12.pdf)
- [Past-sensitive pointer analysis for symbolic execution](https://srg.doc.ic.ac.uk/files/papers/pastsensitive-fse-20.pdf)
- [MVEDSUA: Higher Availability Dynamic Software Updates via Multi-Version Execution](http://www.cs.umd.edu/~mwh/papers/mvedsua.pdf)
- [Computing summaries of string loops in C for better testing and refactoring](https://srg.doc.ic.ac.uk/files/papers/loops-pldi-19.pdf)
- [A segmented memory model for symbolic execution](https://srg.doc.ic.ac.uk/files/papers/segmem-esecfse-19.pdf)
- [FreeDA: deploying incompatible stock dynamic analyses in production via multi-version execution](https://srg.doc.ic.ac.uk/files/papers/freeda-cf-18.pdf)
- [RetroWrite: Statically Instrumenting COTS Binaries for Fuzzing and Sanitization](https://hexhive.epfl.ch/publications/files/20Oakland.pdf)
- [BLESA: Spoofing Attacks against Reconnections in Bluetooth Low Energy](https://www.usenix.org/system/files/woot20-paper-wu.pdf)
- [SMoTherSpectre: Exploiting Speculative Execution through Port Contention](https://arxiv.org/pdf/1903.01843.pdf)
- [PoLPer: Process-Aware Restriction of Over-Privileged Setuid Calls in Legacy Applications](https://chungkim.io/doc/codaspy19-polper.pdf)
- [BenchIoT: A Security Benchmark for the Internet of Things](https://hexhive.epfl.ch/publications/files/19DSN.pdf)
- [Butterfly Attack: Adversarial Manipulation of Temporal Properties of Cyber-Physical Systems](https://nebelwelt.net/files/19RTSS.pdf)
- [SoK: Shining Light on Shadow Stacks](https://hexhive.epfl.ch/publications/files/19Oakland.pdf)
- [Pythia: Remote Oracles for the Masses](https://www.usenix.org/system/files/sec19-tsai.pdf)
- [CUP: Comprehensive User-Space Protection for C/C++](https://nebelwelt.net/publications/files/18AsiaCCS.pdf)
- [Milkomeda: Safeguarding the Mobile GPU Interface Using WebGL Security Checks](https://nebelwelt.net/files/18CCS2.pdf)
- [Block Oriented Programming: Automating Data-Only Attacks](https://arxiv.org/pdf/1805.04767.pdf)
- [CFIXX: Object Type Integrity for C++](https://hexhive.epfl.ch/publications/files/18NDSS.pdf)
- [ACES: Automatic Compartments for Embedded Systems](https://engineering.purdue.edu/dcsl/publications/papers/2018/aces_usenixsec18_revision.pdf)
- [Memory Safety for Embedded Devices with nesCheck](https://hexhive.epfl.ch/publications/files/17AsiaCCS2.pdf)
- [DataShield: Configurable Data Confidentiality and Integrity](https://hexhive.epfl.ch/publications/files/17AsiaCCS.pdf)
- [Protecting Bare-Metal Embedded Systems with Privilege Overlays](https://nebelwelt.net/files/17Oakland.pdf)
- [Venerable Variadic Vulnerabilities Vanquished](https://www.usenix.org/system/files/conference/usenixsecurity17/sec17-biswas.pdf)
- [One Process to Reap Them All: Garbage Collection as-a-Service](https://nebelwelt.net/files/17VEE.pdf)
- [Enforcing Least Privilege Memory Views for Multithreaded Applications](https://www.cs.purdue.edu/homes/hsu62/ccs16_smv.pdf)
- [Forgery-Resistant Touch-based Authentication on Mobile Devices](http://www.mariofrank.net/paper/2016_AsiaCCS_ForgeryResistantTouchAuth.pdf)
- [VTrust: Regaining Trust on Virtual Calls](https://dingelish.com/vtrust.pdf)
- [PSHAPE: Automatically Combining Gadgets for Arbitrary Method Execution](http://bodden.de/pubs/fbt+16pshape.pdf)
- [Klotski: Efficient Obfuscated Execution against Controlled-Channel Attacks](https://www.cs.ucr.edu/~csong/asplos20-klotski.pdf)
- [PatchScope: Memory Object Centric Patch Diffing](https://www.cs.ucr.edu/~heng/pubs/PatchScope_ccs20.pdf)
- [Chaser: An Enhanced Fault Injection Tool for Tracing Soft Errors in MPI Applications](https://www.cs.ucr.edu/~heng/pubs/Chaser.pdf)
- [ChaffyScript: Vulnerability-Agnostic Defense of JavaScript Exploits via Memory Perturbation](https://www.cs.ucr.edu/~heng/pubs/ChaffyScript_securecomm2019.pdf)
- [Extracting Conditional Formulas for Cross-Platform Bug Search](https://www.cs.ucr.edu/~heng/pubs/asiaccs2017.pdf)
- [Neural Network-based Graph Embedding for Cross-Platform Binary Code Similarity Detection](https://arxiv.org/pdf/1708.06525.pdf)
- [SoK: Cyber Insurance - Technical Challenges and a System Security Roadmap](https://oaklandsok.github.io/papers/dambra2020.pdf)
- [BakingTimer: privacy analysis of server-side request processing time](https://igor-santos.net/papers/2019/2019-sanchez-rola-acsac-bakingtimer.pdf)
- [Data-Confined HTML5 Applications](https://devd.me/papers/dcs-esorics.pdf)
- [SoK: Eternal War in Memory](https://people.eecs.berkeley.edu/~dawnsong/papers/Oakland13-SoK-CR.pdf)
- [High System-Code Security with Low Overhead](https://pure.royalholloway.ac.uk/portal/files/25073434/oakland15.pdf)
- [Code-Pointer Integrity](https://www.usenix.org/system/files/conference/osdi14/osdi14-paper-kuznetsov.pdf)
- [-OVERIFY: Optimizing Programs for Fast Verification](https://www.usenix.org/system/files/conference/hotos13/hotos13-final69.pdf)


## Android
- [Android Permissions Demystified](https://people.eecs.berkeley.edu/~dawnsong/papers/2011%20Android%20permissions%20demystified.pdf)
- [IntelliDroid: A Targeted Input Generator for the Dynamic Analysis of Android Malware](https://security.csl.toronto.edu/papers/mwong_ndss2016.pdf)
- [PScout: Analyzing the Android Permission Specification](https://security.csl.toronto.edu/papers/PScout-CCS2012-web.pdf)
- [Broken Fingers: On the Usage of the Fingerprint API in Android](https://reyammer.io/publications/2018_ndss_fingerprint.pdf)
- [Going Native: Using a Large-Scale Analysis of Android Apps to Create a Practical Native-Code Sandboxing Policy](https://www.lasca.ic.unicamp.br/paulo/papers/2016-NDSS-vitor.afonso-going.native.android.pdf)
- [TriggerScope: Towards Detecting Logic Bombs in Android Applications](https://sites.cs.ucsb.edu/~vigna/publications/2016_SP_Triggerscope.pdf)
- [BareDroid: Large-Scale Analysis of Android Apps on Real Devices](https://sites.cs.ucsb.edu/~vigna/publications/2015_ACSAC_Baredroid.pdf)
- [Grab 'n Run: Secure and Practical Dynamic Code Loading for Android Applications](https://reyammer.io/publications/2015_acsac_grabandrun.pdf)
- [NJAS: Sandboxing Unmodified Applications in non-rooted Devices Running stock Android](https://dl.acm.org/doi/pdf/10.1145/2808117.2808122)
- [On the Security and Engineering Implications of Finer-Grained Access Controls for Android Developers and Users](https://reyammer.io/publications/2015_dimva_permissions.pdf)
- [EdgeMiner: Automatically Detecting Implicit Control Flow Transitions through the Android Framework](https://sites.cs.ucsb.edu/~chris/research/doc/ndss15_edgeminer.pdf)
- [CLAPP: characterizing loops in Android applications](https://reyammer.io/publications/2015_fse_clapp.pdf)
- [What the App is That? Deception and Countermeasures in the Android User Interface](https://sites.cs.ucsb.edu/~chris/research/doc/oakland15_uideception.pdf)
- [Execute This! Analyzing Unsafe and Malicious Dynamic Code Loading in Android Applications](https://reyammer.io/publications/2014_ndss_android-remote-code-execution.pdf)
- [An empirical study of cryptographic misuse in android applications](https://www.cs.umd.edu/class/fall2017/cmsc818O/papers/crypto-misuse-android.pdf)
- [Automatic Generation of Non-intrusive Updates for Third-Party Libraries in Android Applications](https://www.usenix.org/system/files/raid2019-duan.pdf)
- [Parallel Space Traveling: A Security Analysis of App-Level Virtualization in Android](https://www.cs.ucr.edu/~heng/pubs/sacmat2020.pdf)


## Control-flow integrity
- [Fine-Grained Control-Flow Integrity for Kernel Software](https://nebelwelt.net/files/16EUROSP.pdf)
- [Stitching the Gadgets: On the Ineffectiveness of Coarse-Grained Control-Flow Integrity Protection](https://www.usenix.org/system/files/conference/usenixsecurity14/sec14-paper-davi.pdf)
- [Enforcing Forward-Edge Control-Flow Integrity in GCC & LLVM](https://static.googleusercontent.com/media/research.google.com/en//pubs/archive/42808.pdf)


## Cyber-physical
- [TRUST.IO: Protecting Physical Interfaces on Cyber-physical Systems](https://seclab.cs.ucsb.edu/files/publications/Spensky2020_Trust.pdf)

## Symbolic execution
- [Symbolic Execution and Program Testing](https://www.cs.umd.edu/class/fall2014/cmsc631/papers/king-symbolic-execution.pdf)
- [DART: Directed Automated Random Testing](https://web.eecs.umich.edu/~weimerw/2014-6610/reading/p213-godefroid.pdf)
- [Directed Greybox Fuzzing](https://acmccs.github.io/papers/p2329-bohmeAemb.pdf)
- [The s2e platform: Design, implementation, and applications](https://dslab.epfl.ch/pubs/s2e-tocs.pdf)
- [S2E: A Platform for In-Vivo Multi-Path Analysis of Software Systems](https://cseweb.ucsd.edu/~dstefan/cse291-fall16/papers/s2e.pdf)
- [Klee: Unassisted and automatic generation of high-coverage tests for complex systems programs](https://hci.stanford.edu/cstr/reports/2008-03.pdf)
- [Exe: automatically generating inputs of death](https://web.stanford.edu/~engler/exe-ccs-06.pdf)
- [CUTE: A Concolic Unit Testing Engine for C](http://mir.cs.illinois.edu/marinov/publications/SenETAL05CUTE.pdf)
- [Qsym : A Practical Concolic Execution Engine Tailored for Hybrid Fuzzing](https://www.usenix.org/system/files/conference/usenixsecurity18/sec18-yun.pdf)
- [All You Ever Wanted to Know About Dynamic Taint Analysis and Forward Symbolic Execution (but might have been afraid to ask)](https://users.ece.cmu.edu/~aavgerin/papers/Oakland10.pdf)
- [CAB-Fuzz: Practical Concolic Testing Techniques for COTS Operating Systems](https://www.usenix.org/system/files/conference/atc17/atc17-kim.pdf)
- [Driller: Augmenting Fuzzing Through Selective Symbolic Execution](https://sites.cs.ucsb.edu/~vigna/publications/2016_NDSS_Driller.pdf)
- [Enhancing Symbolic Execution with Veritesting](https://users.ece.cmu.edu/~aavgerin/papers/veritesting-icse-2014.pdf)
- [SYMBION: Interleaving Symbolic with Concrete Execution](https://seclab.cs.ucsb.edu/files/publications/gritti2020_symbion.pdf)
- [AutoPandas: Neural-Backed Generators for ProgramSynthesis](https://people.eecs.berkeley.edu/~ksen/papers/autopandas2.pdf)
- [Chopped symbolic execution](https://srg.doc.ic.ac.uk/files/papers/chopper-icse-18.pdf)
- [PARTI: a multi-interval theory solver for symbolic execution](https://srg.doc.ic.ac.uk/files/papers/parti-ase-18.pdf)
- [Accelerating array constraints in symbolic execution](https://srg.doc.ic.ac.uk/files/papers/klee-array-17.pdf)
- [Automatic testing of symbolic execution engines via program generation and differential testing](https://srg.doc.ic.ac.uk/files/papers/symex-engine-tester-ase-17.pdf)
- [Floating-point symbolic execution: a case study in n-version programming](https://srg.doc.ic.ac.uk/files/papers/klee-n-version-fp-ase-17.pdf)
- [A DSL Approach to Reconcile Equivalent Divergent Program Executions](https://srg.doc.ic.ac.uk/files/papers/varan-dsl-atc-17.pdf)
- [Analysing the program analyser](https://spiral.imperial.ac.uk/bitstream/10044/1/29767/8/16-analysers-v2025.pdf)
- [Shadow of a doubt: testing for divergences between software versions](https://srg.doc.ic.ac.uk/files/papers/shadow-icse-16.pdf)
- [Symbooglix: A Symbolic Execution Engine for Boogie Programs](https://www.doc.ic.ac.uk/~afd/homepages/papers/pdfs/2016/ICST.pdf)
- [VARAN the Unbelievable: An Efficient N-version Execution Framework](https://srg.doc.ic.ac.uk/files/papers/varan-asplos-15.pdf)
- [Targeted program transformations for symbolic execution](https://www.doc.ic.ac.uk/~cristic/papers/symex-transf-fse-ni-15.pdf)
- [Shadow symbolic execution for better testing of evolving software](https://srg.doc.ic.ac.uk/files/papers/shadow-icse-nier-14.pdf)
- [Covrig: a framework for the analysis of code, test, and coverage evolution in real software](https://spiral.imperial.ac.uk/bitstream/10044/1/23359/2/covrig-issta-14.pdf)
- [Multi-solver Support in Symbolic Execution](https://srg.doc.ic.ac.uk/files/papers/klee-multisolver-cav-13.pdf)
- [Efficient State Merging in Symbolic Execution](https://www.unibw.de/patch/papers/pldi12.pdf/@@download/file/pldi12.pdf)
- [Testing Closed-Source Binary Device Drivers with DDT](https://www.usenix.org/legacy/events/atc10/tech/full_papers/Kuznetsov.pdf)
- [Running symbolic execution forever](https://srg.doc.ic.ac.uk/files/papers/moklee-issta-20.pdf)


## Program instrumentation
- [Valgrind: A framework for heavyweight dynamic binary instrumentation](https://www.cs.columbia.edu/~junfeng/09fa-e6998/papers/valgrind.pdf)
- [Pin: Building Customized Program Analysis Tools with Dynamic Instrumentation](https://www.cs.ucr.edu/~heng/teaching/cs260-winter2017/luk05pin.pdf)
- [Llvm: A compilation framework for lifelong program analysis & transformation](https://llvm.org/pubs/2003-09-30-LifelongOptimizationTR.pdf)
- [PEBIL: Efficient Static Binary Instrumentation for Linux](http://users.sdsc.edu/~lcarring/Papers/2010_ISPASS.pdf)
- [DECAF++: Elastic Whole-System Dynamic Taint Analysis](https://www.cs.ucr.edu/~heng/pubs/DECAF++.pdf)
- [Make It Work, Make It Right, Make It Fast: Building a Platform-Neutral Whole-System Dynamic Binary Analysis Platform](https://www.cs.ucr.edu/~heng/pubs/issta14.pdf)
- [Repeateable Reverse Engineering for the Greater Good with PANDA](https://mice.cs.columbia.edu/getTechreport.php?techreportID=1588&disposition=inline&format=pdf)


## Sanitizer
- [AddressSanitizer: A Fast Address Sanity Checker](https://www.usenix.org/system/files/conference/atc12/atc12-final39.pdf)
- [MemorySanitizer: fast detector of uninitialized memory use in C++](https://static.googleusercontent.com/media/research.google.com/en//pubs/archive/43308.pdf)
- [ThreadSanitizer – data race detection in practice](https://static.googleusercontent.com/media/research.google.com/en//pubs/archive/35604.pdf)
- [FuZZan: Efficient Sanitizer Metadata Design for Fuzzing](https://www.usenix.org/system/files/atc20-jeon.pdf)

## Virtualisation
- [Xen and the Art of Virtualization](https://www.cl.cam.ac.uk/research/srg/netos/papers/2003-xensosp.pdf)
- [QEMU, a Fast and Portable Dynamic Translator](https://www.usenix.org/legacy/publications/library/proceedings/usenix05/tech/freenix/full_papers/bellard/bellard.pdf)
- [Kvm: the linux virtual machine monitor](https://www.kernel.org/doc/ols/2007/ols2007v1-pages-225-230.pdf)
- [Virtualization without direct execution or jitting: Designing a portable virtual machine infrastructure.](http://bochs.sourceforge.net/Virtualization_Without_Hardware_Final.pdf)
- [Argos: an emulator for fingerprinting zero-day attacks](https://www.few.vu.nl/argos/papers/argos_eurosys06.pdf)
- [Digtool: A Virtualization-Based Framework for Detecting Kernel Vulnerabilities](https://www.usenix.org/system/files/conference/usenixsecurity17/sec17-pan.pdf)





## Fuzzing
- [USBFuzz: A Framework for Fuzzing USB Drivers by Device Emulation](https://www.usenix.org/system/files/sec20-peng_0.pdf)
- [FirmFuzz: Automated IoT Firmware Introspection and Analysis](http://web.mit.edu/ha22286/www/papers/IoTS&P19.pdf)
- [Evaluating Fuzz Testing](https://arxiv.org/pdf/1808.09700.pdf)
- [Billions and Billions of Constraints: Whitebox Fuzz Testing in Production](https://www.microsoft.com/en-us/research/wp-content/uploads/2016/02/main-may10.pdf)
- [Fuzzing: The State of the Art](https://fuzzinginfo.files.wordpress.com/2012/05/dsto-tn-1043-pr.pdf)
- [Automated Test Input Generation for Android: Are We There Yet?](https://arxiv.org/pdf/1503.07217.pdf)
- [Send Hardest Problems My Way: Probabilistic Path Prioritization for Hybrid Fuzzing](https://www.cs.ucr.edu/~heng/pubs/digfuzz_ndss19.pdf)
- [Scheduling Black-box Mutational Fuzzing](https://users.ece.cmu.edu/~sangkilc/papers/ccs13-woo.pdf)
- [T-Fuzz: Fuzzing by Program Transformation](https://www.yancomm.net/papers/2018%20-%20SP%20-%20T-Fuzz.pdf)
- [Hawkeye: Towards a Desired Directed Grey-box Fuzzer](https://chenbihuan.github.io/paper/ccs18-chen-hawkeye.pdf)
- [Taint-based Directed Whitebox Fuzzing](https://people.csail.mit.edu/rinard/paper/icse09.pdf)
- [Detecting Atomic-Set Serializability Violations in Multithreaded Programs through Active Randomized Testing](https://www.cs.cityu.edu.hk/~wkchan/papers/icse10-lai+cheung+chan.pdf)
- [Statically-Directed Dynamic Automated Test Generation](https://www.domagoj-babic.com/uploads/Pubs/ISSTA11sandwich/issta11sandwich.pdf)
- [Systematic Fuzzing and Testing of TLS Libraries](https://www.nds.ruhr-uni-bochum.de/media/nds/veroeffentlichungen/2016/10/19/tls-attacker-ccs16.pdf)
- [STADS: Software Testing as Species Discovery](https://arxiv.org/pdf/1803.02130.pdf)
- [PeriScope: An Effective Probing and Fuzzing Framework for the Hardware-OS Boundary](https://www.ndss-symposium.org/wp-content/uploads/2019/02/ndss2019_04A-1_Song_paper.pdf)
- [Random Testing for Security: Blackbox vs. Whitebox Fuzzing](https://patricegodefroid.github.io/public_psfiles/abstract-rt2007.pdf)
- [perf fuzzer: Targeted Fuzzing of the perf event open() System Call](http://web.eece.maine.edu/~vweaver/projects/perf_events/fuzzer/2015_perf_fuzzer_tr.pdf)
- [PULSAR: Stateful Black-Box Fuzzing of Proprietary Network Protocols](https://hugogascon.com/publications/2015-securecomm.pdf)
- [Learn&Fuzz: Machine Learning for Input Fuzzing](https://arxiv.org/pdf/1701.07232.pdf)
- [Model-Based Whitebox Fuzzing for Program Binaries](https://mboehme.github.io/paper/ASE16.pdf)
- [FairFuzz: A Targeted Mutation Strategy for Increasing Greybox Fuzz Testing Coverage](https://www.carolemieux.com/fairfuzz-ase18.pdf)
- [LZfuzz: a fast compression-based fuzzer for poorly documented protocols](https://digitalcommons.dartmouth.edu/cgi/viewcontent.cgi?article=1318&context=cs_tr)
- [jFuzz: A Concolic Whitebox Fuzzer for Java](https://ece.uwaterloo.ca/~vganesh/Publications_files/vg-NFM2009-jFuzz.pdf)
- [T-Fuzz: Model-Based Fuzzing for Robustness Testing of Telecommunication Protocols](https://core.ac.uk/download/pdf/187598761.pdf)
- [VUzzer: Application-aware Evolutionary Fuzzing](https://download.vusec.net/papers/vuzzer_ndss17.pdf)
- [MoonShine: Optimizing OS Fuzzer Seed Selection with Trace Distillation](https://www.cs.columbia.edu/~suman/docs/moonshine.pdf)
- [Automated Whitebox Fuzz Testing](https://patricegodefroid.github.io/public_psfiles/ndss2008.pdf)
- [KameleonFuzz: Evolutionary Fuzzing for Black-Box XSS Detection](https://www.cs.huji.ac.il/~ai/projects/2014/EvolutionaryXSSDetector/files/original_article.pdf)
- [Grammar-based Whitebox Fuzzing](https://people.csail.mit.edu/akiezun/pldi-kiezun.pdf)
- [Skyfire: Data-Driven Seed Generation for Fuzzing](https://www.ieee-security.org/TC/SP2017/papers/42.pdf)
- [CollAFL: Path Sensitive Fuzzing](http://barbie.uta.edu/~xlren/Fuzzing/path-sensitive-fuzzing.pdf)
- [PerfFuzz: Automatically Generating Pathological Inputs](https://www.carolemieux.com/perffuzz-issta2018.pdf)
- [Pex–White Box Test Generation for .NET](https://web.eecs.umich.edu/~weimerw/2014-6610/reading/pex.pdf)
- [IMF: Inferred Model-based Fuzzer](https://acmccs.github.io/papers/p2345-hanA.pdf)
- [Many-Core Compiler Fuzzing](http://multicore.doc.ic.ac.uk/tools/CLsmith/PLDI15/paper.pdf)
- [QuickFuzz: An Automatic Random Fuzzer for Common File Formats](https://people.kth.se/~buiras/publications/QFHaskell2016.pdf)
- [Steelix: program-state based binary fuzzing](https://people.engr.tamu.edu/guofei/paper/Wang_TISSEC11_TaintScope.pdf)
- [kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels](https://www.usenix.org/system/files/conference/usenixsecurity17/sec17-schumilo.pdf)
- [Fuzzing with Code Fragments](https://www.usenix.org/system/files/conference/usenixsecurity12/sec12-final73.pdf)
- [Optimizing Seed Selection for Fuzzing](https://www.usenix.org/system/files/conference/usenixsecurity14/sec14-paper-rebert.pdf)
- [Protocol State Fuzzing of TLS Implementations](https://www.usenix.org/system/files/conference/usenixsecurity15/sec15-paper-de-ruiter.pdf)
- [Checksum-Aware Fuzzing Combined with Dynamic Taint Analysis and Symbolic Execution]()
- [A Framework for File Format Fuzzing with Genetic Algorithms](https://trace.tennessee.edu/cgi/viewcontent.cgi?article=2402&context=utk_graddiss)
- [Differential Testing for Software](https://www.hpl.hp.com/hpjournal/dtj/vol10num1/vol10num1art9.pdf)
- [Effective Random Testing of Concurrent Programs](https://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.73.876&rep=rep1&type=pdf)
- [HFL: Hybrid Fuzzing on the Linux Kernel](https://www.unexploitable.systems/publication/kimhfl/)
- [HotFuzz: Discovering Algorithmic Denial-of-Service Vulnerabilities Through Guided Micro-Fuzzing](https://www.researchgate.net/publication/339164746_HotFuzz_Discovering_Algorithmic_Denial-of-Service_Vulnerabilities_Through_Guided_Micro-Fuzzing)
- [HYPER-CUBE: High-Dimensional Hypervisor Fuzzing](https://www.syssec.ruhr-uni-bochum.de/media/emma/veroeffentlichungen/2020/02/07/Hyper-Cube-NDSS20.pdf)
- [Not All Coverage Measurements Are Equal: Fuzzing by Coverage Accounting for Input Prioritization](https://www.ndss-symposium.org/wp-content/uploads/2020/02/24422.pdf)
- [REDQUEEN: Fuzzing with Input-to-State Correspondence](https://www.syssec.ruhr-uni-bochum.de/media/emma/veroeffentlichungen/2018/12/17/NDSS19-Redqueen.pdf)
- [Life after Speech Recognition: Fuzzing Semantic Misinterpretation for Voice Assistant Applications](https://www.ndss-symposium.org/wp-content/uploads/2019/02/ndss2019_08-4_Zhang_paper.pdf)
- [INSTRIM: Lightweight Instrumentation for Coverage-guided Fuzzing](https://www.ndss-symposium.org/wp-content/uploads/2018/07/bar2018_14_Hsu_paper.pdf)
- [IoTFuzzer: Discovering Memory Corruptions in IoT Through App-based Fuzzing](http://wp.internetsociety.org/ndss/wp-content/uploads/sites/25/2018/02/ndss2018_01A-1_Chen_paper.pdf)
- [What You Corrupt Is Not What You Crash: Challenges in Fuzzing Embedded Devices](http://s3.eurecom.fr/docs/ndss18_muench.pdf)
- [Fuzzing JavaScript Engines with Aspect-preserving Mutation](https://jakkdu.github.io/pubs/2020/park:die.pdf)
- [IJON: Exploring Deep State Spaces via Fuzzing](https://www.syssec.ruhr-uni-bochum.de/media/emma/veroeffentlichungen/2020/02/27/IJON-Oakland20.pdf)
- [Krace: Data Race Fuzzing for Kernel File Systems](https://www.cc.gatech.edu/~mxu80/pubs/xu:krace.pdf)
- [Pangolin:Incremental Hybrid Fuzzing with Polyhedral Path Abstraction](https://qingkaishi.github.io/public_pdfs/SP2020.pdf)
- [Full-speed Fuzzing: Reducing Fuzzing Overhead through Coverage-guided Tracing](https://www.computer.org/csdl/proceedings-article/sp/2019/666000b122/19skgbGVFEQ)
- [Fuzzing File Systems via Two-Dimensional Input Space Exploration](https://www.computer.org/csdl/proceedings-article/sp/2019/666000a594/19skfLYOpaw)
- [NEUZZ: Efficient Fuzzing with Neural Program Smoothing](https://www.computer.org/csdl/proceedings-article/sp/2019/666000a900/19skg5XghG0)
- [Razzer: Finding Kernel Race Bugs through Fuzzing](https://www.computer.org/csdl/proceedings-article/sp/2019/666000a296/19skfwZLirm)
- [Program-Adaptive Mutational Fuzzing](https://softsec.kaist.ac.kr/~sangkilc/papers/cha-oakland15.pdf)
- [TaintScope: A checksum-aware directed fuzzing tool for automatic software vulnerability detection](https://ieeexplore.ieee.org/abstract/document/5504701)
- [FANS: Fuzzing Android Native System Services via Automated Interface Analysis](https://www.usenix.org/conference/usenixsecurity20/presentation/liu)
- [Analysis of DTLS Implementations Using Protocol State Fuzzing](https://www.usenix.org/conference/usenixsecurity20/presentation/fiterau-brostean)
- [EcoFuzz: Adaptive Energy-Saving Greybox Fuzzing as a Variant of the Adversarial Multi-Armed Bandit](https://www.usenix.org/conference/usenixsecurity20/presentation/yue)
- [Fuzzing Error Handling Code using Context-Sensitive Software Fault Injection](https://www.usenix.org/conference/usenixsecurity20/presentation/jiang)
- [FuzzGen: Automatic Fuzzer Generation](https://www.usenix.org/conference/usenixsecurity20/presentation/ispoglou)
- [ParmeSan: Sanitizer-guided Greybox Fuzzing](https://www.usenix.org/conference/usenixsecurity20/presentation/osterlund)
- [SpecFuzz: Bringing Spectre-type vulnerabilities to the surface](https://www.usenix.org/conference/usenixsecurity20/presentation/oleksenko)
- [FuzzGuard: Filtering out Unreachable Inputs in Directed Grey-box Fuzzing through Deep Learning](https://www.usenix.org/conference/usenixsecurity20/presentation/zong)
- [Montage: A Neural Network Language Model-Guided JavaScript Engine Fuzzer](https://www.usenix.org/conference/usenixsecurity20/presentation/lee-suyoung)
- [GREYONE: Data Flow Sensitive Fuzzing](https://www.usenix.org/conference/usenixsecurity20/presentation/gan)
- [Fuzzification: Anti-Fuzzing Techniques](https://www.usenix.org/conference/usenixsecurity19/presentation/jung)
- [AntiFuzz: Impeding Fuzzing Audits of Binary Executables](https://www.usenix.org/conference/usenixsecurity19/presentation/guler)
- [Charm: Facilitating Dynamic Analysis of Device Drivers of Mobile Systems](https://www.usenix.org/conference/usenixsecurity18/presentation/talebi)
- [OSS-Fuzz - Google's continuous fuzzing service for open source software](https://www.usenix.org/conference/usenixsecurity17/technical-sessions/presentation/serebryany)
- [Intriguer: Field-Level Constraint Solving for Hybrid Fuzzing](https://dl.acm.org/citation.cfm?id=3354249)
- [Learning to Fuzz from Symbolic Execution with Application to Smart Contracts](https://files.sri.inf.ethz.ch/website/papers/ccs19-ilf.pdf)
- [Matryoshka: fuzzing deeply nested branches](https://web.cs.ucdavis.edu/~hchen/paper/chen2019matryoshka.pdf)
- [SemFuzz: Semantics-based Automatic Generation of Proof-of-Concept Exploits](https://www.informatics.indiana.edu/xw7/papers/p2139-you.pdf)
- [AFL-based Fuzzing for Java with Kelinci](https://dl.acm.org/citation.cfm?id=3138820)
- [SlowFuzz: Automated Domain-Independent Detection of Algorithmic Complexity Vulnerabilities](https://arxiv.org/pdf/1708.08437.pdf)
- [DIFUZE: Interface Aware Fuzzing for Kernel Drivers](https://acmccs.github.io/papers/p2123-corinaA.pdf)
- [Coverage-based Greybox Fuzzing as Markov Chain](https://ieeexplore.ieee.org/abstract/document/8233151)
- [eFuzz: A Fuzzer for DLMS/COSEM Electricity Meters](http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.817.5616&rep=rep1&type=pdf)
- [Taming compiler fuzzers](https://www.cs.utah.edu/~regehr/papers/pldi13.pdf)
- [SAGE: whitebox fuzzing for security testing](https://dl.acm.org/citation.cfm?id=2094081)
- [Synthesizing Racy Tests](https://www.cs.purdue.edu/homes/suresh/papers/pldi15a.pdf)
- [Coverage-Directed Differential Testing of JVM Implementations](https://chengniansun.bitbucket.io/papers/pldi16.pdf)
- [Synthesizing Program Input Grammars](https://arxiv.org/pdf/1608.01723.pdf)
- [Angora: Efficient Fuzzing by Principled Search](https://web.cs.ucdavis.edu/~hchen/paper/chen2018angora.pdf)
- [Well There’s Your Problem: Isolating the Crash-Inducing Bits in a Fuzzed File](https://resources.sei.cmu.edu/asset_files/TechnicalNote/2012_004_001_28149.pdf)
- [IFuzzer: An Evolutionary Interpreter Fuzzer using Genetic Programming](https://download.vusec.net/papers/ifuzzer-esorics16.pdf)
- [Designing New Operating Primitives to Improve Fuzzing Performance](https://multics69.github.io/pages/pubs/fuzzing-xu-ccs17.pdf)
- [Dowsing for Overflows: A Guided Fuzzer to Find Buffer Boundary Violations](https://www.cs.vu.nl/~herbertb/papers/dowser_usenixsec13.pdf)
- [Automated Testing for SQL Injection Vulnerabilities: An Input Mutation Approach](https://www.researchgate.net/profile/Cu_Nguyen/publication/262048518_Automated_Testing_for_SQL_Injection_Vulnerabilities_An_Input_Mutation_Approach/links/00b495367f13ad00a5000000/Automated-Testing-for-SQL-Injection-Vulnerabilities-An-Input-Mutation-Approach.pdf)
- [Turning Programs against Each Other: High Coverage Fuzz-Testing using Binary-Code Mutation and Dynamic Slicing](https://www.ida.liu.se/~ulfka17/papers/FSE2015.pdf)
- [KiF: A stateful SIP Fuzzer](https://hal.inria.fr/inria-00166947/PDF/Kif_A_stateful_SIP_Fuzzer.pdf)
- [GRT: Program-Analysis-Guided Random Testing](https://people.kth.se/~artho/papers/lei-ase2015.pdf)
- [Autodafe: an Act of Software Torture](https://infoscience.epfl.ch/record/140525/files/Vuagnoux05.pdf)
- [Singularity: Pattern Fuzzing for Worst Case Complexity](https://www.cs.utexas.edu/users/isil/fse18.pdf)
- [Exploring Abstraction Functions in Fuzzing](https://sites.cs.ucsb.edu/~vigna/publications/2020_CNS_FuzzSense.pdf)
- [FuzzFactory: domain-specific fuzzing with waypoints](https://dl.acm.org/doi/pdf/10.1145/3360600)
- [Zest: Validity Fuzzing and Parametric Generators for Effective Random Testing](https://www.researchgate.net/profile/Koushik_Sen8/publication/329388154_Zest_Validity_Fuzzing_and_Parametric_Generators_for_Effective_Random_Testing/links/5c45bb0a299bf12be3d7f286/Zest-Validity-Fuzzing-and-Parametric-Generators-for-Effective-Random-Testing.pdf)
- [Semantic fuzzing with zest](https://arxiv.org/pdf/1812.00078.pdf)
- [JQF: coverage-guided property-based testing in Java](https://people.eecs.berkeley.edu/~rohanpadhye/files/jqf-issta19.pdf)
- [FUDGE: fuzz driver generation at scale](https://storage.googleapis.com/pub-tools-public-publication-data/pdf/df9df05d2f5bfe279dc1c0ce6cf51072d5ee1feb.pdf)
- [FairFuzz: Targeting Rare Branches to Rapidly Increase Greybox Fuzz Testing Coverage](https://arxiv.org/pdf/1709.07101.pdf)
- [FIRM-AFL: High-Throughput Greybox Fuzzing of IoT Firmware via Augmented Process Emulation](https://www.cs.ucr.edu/~heng/pubs/FirmAFL.pdf)
- [Be Sensitive and Collaborative: Analyzing Impact of Coverage Metrics in Greybox Fuzzing](https://www.usenix.org/system/files/raid2019-wang-jinghan.pdf)
- [Enhancing Memory Error Detection for Large-Scale Applications and Fuzz Testing](http://cps.kaist.ac.kr/papers/18-MEDS-han.pdf)


## Malware
- [An Abstract Theory of Computer Viruses](https://www.cin.ufpe.br/~ruy/crypto/virus/ala01.pdf)
- [Precise system-wide concatic malware unpacking](https://arxiv.org/pdf/1908.09204.pdf)
- [A characterisation of system-wide propagation in the malware landscape](https://arxiv.org/pdf/1908.10167.pdf)
- [Capturing Malware Propagations with Code Injections and Code-Reuse Attacks](https://acmccs.github.io/papers/p1691-korczynskiA.pdf)
- [System-level support for intrusion recovery](http://www.syssec-project.eu/m/page-media/3/diskduster-dimva12.pdf)
- [Repeconstruct: reconstructing binaries with self-modifying code and import address table destruction](https://www.semanticscholar.org/paper/RePEconstruct%3A-reconstructing-binaries-with-code-Korczynski/28d1465ed7e378d4cf778f58fe4c4eaf33652251)
- [Automated classification and analysis of internet malware](https://jon.oberheide.org/files/raid07-malware.pdf)
- [WYSINWYX: What You See Is Not What You eXecute](https://research.cs.wisc.edu/wpis/papers/wysinwyx.final.pdf)
- [Quincy: Detecting Host-Based Code Injection Attacks in Memory Dumps](https://net.cs.uni-bonn.de/fileadmin/ag/martini/Staff/barabosch_quincy_dimva2017.pdf)
- [Bee master: Detecting host-based code injection attacks](https://net.cs.uni-bonn.de/fileadmin/ag/martini/Staff/barabosch_bee_master_dimva_2014.pdf)
- [Host-based code injection attacks: A popular technique used by malware](https://net.cs.uni-bonn.de/fileadmin/ag/martini/Staff/barabosch_HBCIAs_MALCON_2014.pdf)
- [Scalable, Behavior-Based Malware Clustering](https://sites.cs.ucsb.edu/~chris/research/doc/ndss09_cluster.pdf)
- [A View on Current Malware Behaviors](https://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.448.3918&rep=rep1&type=pdf)
- [Dynamic analysis of malicious code](https://sites.cs.ucsb.edu/~chris/research/doc/virology06_dynamic.pdf)
- [Behavior abstraction in malware analysis.](https://hal.inria.fr/inria-00536500/file/RV-preprint.pdf)
- [Detecting Hardware-Assisted Virtualization](https://christian-rossow.de/publications/detectvt-dimva2016.pdf)
- [BitScope: Automatically Dissecting Malicious Binaries](http://bitblaze.cs.berkeley.edu/papers/bitscope_tr_2007.pdf)
- [On the Limits of Information Flow Techniques for Malware Analysis and Containment](https://www.comp.nus.edu.sg/~prateeks/papers/saxena-dimva08.pdf)
- [Understanding Linux Malware](https://reyammer.io/publications/2018_oakland_linuxmalware.pdf)
- [Ether: Malware Analysis via Hardware Virtualization Extensions](http://ether.gtisc.gatech.edu/ether_ccs_2008.pdf)
- [Dynamic Spyware Analysis](http://bitblaze.cs.berkeley.edu/papers/usenix07.pdf)
- [A Survey on Automated Dynamic Malware Analysis Techniques and Tools](https://publications.sba-research.org/publications/malware_survey.pdf)
- [CodeXt: Automatic Extraction of Obfuscated Attack Code from Memory Dump](https://cs.gmu.edu/~xwangc/Publications/ISC2014-AttackCodeExtraction-final.pdf)
- [A Survey of Mobile Malware in the Wild](https://www.cs.odu.edu/~cs441/Papers/sec-011.pdf)
- [Attacks on More Virtual Machine Emulators](http://pferrie.tripod.com/papers/attacks2.pdf)
- [Malware as interaction machines: A new framework for behavior modelling](https://www.researchgate.net/profile/Herve_Debar/publication/220673358_Malware_as_interaction_machines_A_new_framework_for_behavior_modelling/links/0fcfd5087b15854379000000/Malware-as-interaction-machines-A-new-framework-for-behavior-modelling.pdf)
- [Malware dynamic recompilation](https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6759227)
- [Secure and advanced unpacking using computer emulation.](https://link.springer.com/article/10.1007/s11416-007-0046-0)
- [Renovo: A Hidden Code Extractor for Packed Executables](http://bitblaze.cs.berkeley.edu/papers/renovo.pdf)
- [Emulating Emulation-Resistant Malware](http://bitblaze.cs.berkeley.edu/papers/VMSec02-kang.pdf)
- [Backtracking intrusions](https://www2.cs.duke.edu/courses/cps210/spring06/papers/p190-king.pdf)
- [Counteracting Data-Only Malware with Code Pointer Examination](https://www.sec.in.tum.de/i20/publications/counteracting-data-only-malware-with-code-pointer-examination/@@download/file/kittelraid2015.pdf)
- [The power of procrastination: Detection and mitigation of execution-stalling malicious code](https://publik.tuwien.ac.at/files/PubDat_204777.pdf)
- [Polymorphic worm detection using structural information of executables.](https://www.auto.tuwien.ac.at/~chris/research/doc/raid05_polyworm.pdf)
- [Static disassembly of obfuscated binaries](https://sites.cs.ucsb.edu/~chris/research/doc/usenix04_disasm.pdf)
- [Testing closedsource binary device drivers with ddt](https://dslab.epfl.ch/pubs/ddt.pdf)
- [The dropper effect: Insights into malware distribution with downloader graph analytics](http://users.umiacs.umd.edu/~tdumitra/papers/CCS-2015.pdf)
- [Exploiting diverse observation perspectives to get insights on the malware landscape](https://ieeexplore.ieee.org/document/5544291)
- [Scalability, fidelity and stealth in the drakvuf dynamic malware analysis system](https://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.684.5968&rep=rep1&type=pdf)
- [Graph matching networks for learning the similarity of graph structured objects](https://arxiv.org/pdf/1904.12787.pdf)
- [Detecting environment-sensitive malware](http://www.syssec-project.eu/m/page-media/3/disarm-raid11.pdf)
- [Omniunpack: Fast, generic, and safe unpacking of malware](https://wiki.smu.edu.sg/flyer/images/2/26/OmniUnpack.pdf)
- [Exploring multiple execution paths for malware analysis](https://sites.cs.ucsb.edu/~chris/research/doc/oakland07_explore.pdf)
- [Malpedia: A collaborative effort to inventorize the malware landscape](https://journal.cecyf.fr/ojs/index.php/cybin/article/download/17/20)
- [Rop payload detection using speculative code execution](https://www3.cs.stonybrook.edu/~mikepo/papers/ropscan.malware11.pdf)
- [Sweetbait: Zero-hour worm detection and containment using low- and high-interaction honeypots](https://www.portokalidis.net/files/sweetbait_tr05.pdf)
- [Paranoid android: Versatile protection for smartphones](http://www.syssec-project.eu/m/page-media/3/paranoid-android-acsac10.pdf)
- [Detecting system emulators](https://publik.tuwien.ac.at/files/pub-inf_5317.pdf)
- [Large-scale analysis of malware downloaders](https://chrisdietri.ch/files/downloaders-dimva12.pdf)
- [Prudent practices for designing malware experiments: Status quo and outlook](https://oaklandsok.github.io/papers/rossow2012.pdf)
- [Polyunpack: Automating the hidden-code extraction of unpack-executing malware](https://www.acsac.org/2006/papers/122.pdf)
- [AVCLASS: A Tool for Massive Malware Labeling](http://software.imdea.org/~juanca/papers/avclass_raid16.pdf)
- [A fast automaton-based method for detecting anomalous program behaviors](http://seclab.cs.sunysb.edu/seclab/pubs/ieee01.pdf)
- [Malrec: Compact fulltrace malware recording for retrospective deep analysis](https://par.nsf.gov/servlets/purl/10084747)
- [Eureka: A framework for enabling static malware analysis](http://www.csl.sri.com/users/vinod/papers/Eureka.pdf)
- [Pointless tainting?: Evaluating the practicality of pointer tainting](https://www.cs.vu.nl/~herbertb/papers/pointless_eurosys09.pdf)
- [Deepmem: Learning graph neural network models for fast and robust memory forensic analysis](https://www.cs.ucr.edu/~heng/pubs/deepmem_ccs18.pdf)
- [Sok: Deep packer inspection: A longitudinal study of the complexity of run-time packers](http://s3.eurecom.fr/docs/oakland15_packing.pdf)
- [Evading android runtime analysis via sandbox detection](https://users.ece.cmu.edu/~tvidas/papers/ASIACCS14.pdf)
- [Persistent data-only malware: Function hooks without code](https://www.ndss-symposium.org/wp-content/uploads/2017/09/11_2_1.pdf)
- [Deep ground truth analysis of current android malware](https://www.cs.bgsu.edu/sanroy/Files/papers/amd2017.pdf)
- [Mose: Live migration based on-the-fly software emulation](http://web.eng.fiu.edu/aperezpo/CAE_R/OSPapers/Analysis-2.pdf)
- [Toward automated dynamic malware analysis using cwsandbox](https://www.ei.ruhr-uni-bochum.de/media/nds/veroeffentlichungen/2011/08/17/j2holz.pdf)
- [Cxpinspector: Hypervisorbased, hardware-assisted system monitoring](https://www.syssec.ruhr-uni-bochum.de/media/emma/veroeffentlichungen/2012/11/26/TR-HGI-2012-002.pdf)
- [A generic approach to automatic deobfuscation of executable code](https://www.sysnet.ucsd.edu/~bjohanne/assets/papers/2015oakland.pdf)
- [Symbolic execution of obfuscated code](https://www2.cs.arizona.edu/people/debray/Publications/ccs2015-symbolic.pdf)
- [V2e: Combining hardware virtualization and software emulation for transparent and extensible malware analysis](https://www.cs.ucr.edu/~heng/pubs/v2e.pdf)
- [Droidscope: Seamlessly reconstructing the os and dalvik semantic views for dynamic android malware analysis](https://www.usenix.org/system/files/conference/usenixsecurity12/sec12-final107.pdf)
- [Panorama: Capturing system-wide information flow for malware detection and analysis](http://bitblaze.cs.berkeley.edu/papers/panorama.pdf)
- [Dissecting android malware: Characterization and Evolution](https://www.csc2.ncsu.edu/faculty/xjiang4/pubs/OAKLAND12.pdf)
- [Abusing File Processing in Malware Detectors for Fun and Profit](https://www.cs.cornell.edu/~shmat/shmat_oak12av.pdf)
- [Input Generation via Decomposition and Re-Stitching: Finding Bugs in Malware](http://bitblaze.cs.berkeley.edu/papers/restitching.pdf)
- [Hulk: Eliciting Malicious Behavior in Browser Extensions](https://www.usenix.org/system/files/conference/usenixsecurity14/sec14-paper-kapravelos.pdf)
- [Mining specifications of malicious behavior](https://publik.tuwien.ac.at/files/pub-inf_5316.pdf)
- [When Malware is Packin' Heat; Limits of Machine Learning Classifiers Based on Static Analysis Features](https://www.ndss-symposium.org/wp-content/uploads/2020/02/24310-paper.pdf)
- [Neurlux: dynamic malware analysis without feature engineering](https://arxiv.org/pdf/1910.11376.pdf)
- [Using Loops For Malware Classification Resilient to Feature-unaware Perturbations](https://sites.cs.ucsb.edu/~chris/research/doc/acsac18_loops.pdf)
- [Cloud Strife: Mitigating the Security Risks of Domain-Validated Certificates](https://sites.cs.ucsb.edu/~vigna/publications/2018_NDSS_CloudStrife.pdf)
- [MineSweeper: An In-depth Look into Drive-by Cryptocurrency Mining and Its Defense](https://download.vusec.net/papers/minesweeper_ccs18.pdf)
- [Dark Hazard: Learning-based, Large-Scale Discovery of Hidden Sensitive Operations in Android Apps](https://www.cs.ucr.edu/~heng/pubs/ndss2017.pdf)
- [JSForce: A Forced Execution Engine for Malicious JavaScript Detection](https://arxiv.org/pdf/1701.07860.pdf)
- [Things You May Not Know About Android (Un)Packers: A Systematic Study based on Whole-System Emulation](https://homes.luddy.indiana.edu/xw7/papers/duan2018ndss.pdf)
- [Measuring and Disrupting Anti-Adblockers Using Differential Execution Analysis](https://homepage.divms.uiowa.edu/~mshafiq/files/adblock-ndss2018.pdf)
- [malWASH: Washing Malware to Evade Dynamic Analysis](https://www.usenix.org/system/files/conference/woot16/woot16-paper-ispoglou.pdf)
- [Jarhead analysis and detection of malicious Java applets](https://publications.sba-research.org/publications/acsac12_jarhead.pdf)
- [Blacksheep: detecting compromised hosts in homogeneous crowds](https://www.yancomm.net/papers/2012%20-%20CCS%20-%20Blacksheep.pdf)
- [BareCloud: Bare-metal Analysis-based Evasive Malware Detection](https://sites.cs.ucsb.edu/~chris/research/doc/usenix14_barecloud.pdf)
- [Making Malory Behave Maliciously: Targeted Fuzzing of Android Execution Environments](https://www.software-lab.org/publications/icse2017-fuzzdroid.pdf)
- [A Static, Packer-Agnostic Filter to Detect Similar Malware Samples](https://sites.cs.ucsb.edu/~chris/research/doc/dimva12_unpacked.pdf)
- [FlashDetect: ActionScript 3 Malware Detection](https://sites.cs.ucsb.edu/~chris/research/doc/raid12_flash.pdf)


## Binary analysis
- [ByteWeight: Learning to Recognize Functions in Binary Code](https://www.usenix.org/system/files/conference/usenixsecurity14/sec14-paper-bao.pdf)
- [CoDisasm: Medium Scale Concatic Disassembly of Self-Modifying Binaries with Overlapping Instructions](https://hal.inria.fr/hal-01257908/document)
- [Minemu: The World’s Fastest Taint Tracker](http://www.few.vu.nl/~herbertb/papers/minemu_raid11.pdf)
- [When good instructions go bad: Generalizing return-oriented programming to risc.](https://sjmulder.nl/dl/pdf/unsorted/2008%20-%20Bachanan%20et%20al%20-%20When%20Good%20Instructions%20Go%20Bad.pdf)
- [An API for Runtime Code Patching](http://www.cs.umd.edu/~hollings/papers/apijournal.pdf)
- [Reverse Engineering of Binary Device Drivers with RevNIC](https://dslab.epfl.ch/pubs/revnic.pdf)
- [https://apps.dtic.mil/sti/pdfs/AD1034415.pdf](https://apps.dtic.mil/sti/pdfs/AD1034415.pdf)
- [Graph-based comparison of executable objects](https://static.googleusercontent.com/media/www.zynamics.com/en//downloads/bindiffsstic05-1.pdf)
- [TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones](https://static.usenix.org/event/osdi10/tech/full_papers/Enck.pdf)
- [Structural Comparison of Executable Objects](https://static.googleusercontent.com/media/www.zynamics.com/en//downloads/dimva_paper2.pdf)
- [ Labeling library functions in stripped binaries](https://ftp.cs.wisc.edu/par-distr-sys/papers/Jacobson11Unstrip.pdf)
- [Jakstab: A static analysis platform for binaries](https://www.cs.rhul.ac.uk/home/uaac003/papers/cav08.pdf)
- [Learning to Analyze Binary Computer Code](https://www.aaai.org/Papers/AAAI/2008/AAAI08-127.pdf)
- [Architecture-independent dynamic information flow tracking](https://repository.library.northeastern.edu/files/neu:1345/fulltext.pdf)
- [Decompilation of binary programs.](https://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.14.8073&rep=rep1&type=pdf)
- [A Platform for Secure Static Binary Instrumentation](http://seclab.cs.sunysb.edu/seclab/pubs/vee14.pdf)
- [Tupni: Automatic Reverse Engineering of Input Formats](https://www.microsoft.com/en-us/research/wp-content/uploads/2016/02/tupni-ccs08.pdf)
- [RETracer: Triaging Crashes by Reverse Execution from Partial Memory Dumps](https://softsec.kaist.ac.kr/~sangkilc/papers/cui-icse16.pdf)
- [Cryptographic Function Detection in Obfuscated Binaries via Bit-precise Symbolic Loop Mapping](https://faculty.ist.psu.edu/wu/papers/CryptoHunt.pdf)
- [Karonte: Detecting Insecure Multi-binary Interactions in Embedded Firmware](https://sefcom.asu.edu/publications/karonte-oakland2020.pdf)
- [BootKeeper: Validating Software Integrity Properties on Boot Firmware Images](https://arxiv.org/pdf/1903.12505.pdf)
- [BinTrimmer: Towards Static Binary Debloating Through Abstract Interpretation](https://sites.cs.ucsb.edu/~chris/research/doc/dimva19_bintrimmer.pdf)
- [Ramblr: Making Reassembly Great Again](https://www.ndss-symposium.org/wp-content/uploads/2017/09/ndss2017_10-5_Wang_paper_0.pdf)
- [rev.ng: a unified binary analysis framework to recover CFGs and function boundaries](https://hexhive.epfl.ch/publications/files/17CC.pdf)
- [Enabling sophisticated analyses of ×86 binaries with RevGen](https://dslab.epfl.ch/pubs/revgen.pdf)
- [HI-CFG: Construction by Binary Analysis and Application to Attack Polymorphism](https://core.ac.uk/download/pdf/189202772.pdf)
- [DeepBinDiff: Learning Program-Wide Code Representations for Binary Diffing](https://www.ndss-symposium.org/wp-content/uploads/2020/02/24311-paper.pdf)