Ecosyste.ms: Awesome

https://github.com/0xricksanchez/paper_collection

Academic papers related to fuzzing, binary analysis, and exploit dev, which I want to read or have already read

directed-fuzzing embedded exploitation fuzzing fuzzing-binaries guided-fuzzing hybrid-fuzzing iot kernel linux linux-kernel mitigations paper rca root-cause sanitizer vulnerability-detection

# Note

The sole purpose of this repository is to help me organize recent academic papers related to _fuzzing_, _binary analysis_, _IoT security_, and _general exploitation_. This is a non-exhaustive list, even though I'll try to keep it updated...
Feel free to suggest decent papers via a PR.

## Table of Contents

* [Note](#note)
* [Table of Contents](#table-of-contents)
* [Read & Tagged](#read--tagged)
* [Unread](#unread)
* [General fuzzing implementations](#general-fuzzing-implementations)
* [AI/LLM](#aillm)
* [IoT fuzzing](#iot-fuzzing)
* [Firmware Emulation](#firmware-emulation)
* [Network fuzzing](#network-fuzzing)
* [Kernel fuzzing](#kernel-fuzzing)
* [Format specific fuzzing](#format-specific-fuzzing)
* [Exploitation](#exploitation)
* [Static Binary Analysis](#static-binary-analysis)
* [Misc](#misc)
* [Surveys, SoKs, and Studies](#surveys-soks-and-studies)

## Read & Tagged

* [2023 - Dissecting American Fuzzy Lop A FuzzBench Evaluation](https://www.ndss-symposium.org/wp-content/uploads/fuzzing2022_23004_paper.pdf)
* **Tags:** AFL, collisions, hitcounts, timeout, novelty search, corpus culling, score calculation, corpus scheduling, splicing
* [2022 - DARWIN: Survival of the Fittest Fuzzing Mutators](https://arxiv.org/pdf/2210.11783.pdf)
* **Tags:** mutation scheduling, evolution strategy, AFL, AFL-MOpT, fuzzbench, magma, ecofuzz
* [2022 - Removing Uninteresting Bytes in Software Fuzzing](https://ieeexplore.ieee.org/abstract/document/9787966)
* **Tags:** seed optimization, seed minimization, diar, coverage-guided
* [2021 - An Empirical Study of OSS-Fuzz Bugs](https://arxiv.org/pdf/2103.11518.pdf)
* **Tags:** flaky bugs, clusterfuzz, sanitizer, bug detection, bug classification, time-to-fix, time-to-detect
* [2020 - Corpus Distillation for Effective Fuzzing](https://arxiv.org/pdf/1905.13055.pdf)
* **Tags:** corpus minimization, afl-cmin, google fuzzer test suite, FTS, minset, AFL
* [2020 - Symbolic execution with SymCC: Don't interpret, compile!](https://www.usenix.org/system/files/sec20-poeplau.pdf)
* **Tags:** KLEE, QSYM, LLVM, C, C++, compiler, symbolic execution, concolic execution, source code level, IR, angr, Z3, DARPA corpus, AFL
* [2020 - WEIZZ: Automatic Grey-Box Fuzzing for Structured Binary Formats](https://andreafioraldi.github.io/assets/weizz-issta2020.pdf)
* **Tags:** REDQUEEN, chunk-based formats, AFLSmart, I2S, checksums, magic bytes, QEMU, Eclipser, short fuzzing runs
* [2020 - Efficient Binary-Level Coverage Analysis](https://ui.adsabs.harvard.edu/abs/2020arXiv200414191A/abstract)
* **Tags:** bcov, detour + trampoline, basic block coverage, sliced microexecution, superblocks, strongly connected components, dominator graph, BAP, angr, IDA, DynamoRIO, Intel PIN
* [2020 - Test-Case Reduction via Test-Case Generation: Insights From the Hypothesis Reducer](https://drmaciver.github.io/papers/reduction-via-generation-preview.pdf)
* **Tags:** test case reducer, property based testing, CSmith, test case generation, hierarchical delta debugging
* [2020 - AFL++: Combining Incremental Steps of Fuzzing Research](https://aflplus.plus//papers/aflpp-woot2020.pdf)
* **Tags:** AFL++, AFL, MOpt, LAF-Intel, Fuzzbench, Ngram, RedQueen, Unicorn, QBDI, CmpLog, AFLFast
* [2020 - FirmXRay: Detecting Bluetooth Link Layer Vulnerabilities From Bare-Metal Firmware](http://web.cse.ohio-state.edu/~lin.3021/file/CCS20.pdf)
* **Tags:** Ghidra, static analysis, sound disassembly, base address finder, BLE, vulnerability discovery
* [2020 - P2IM: Scalable and Hardware-independent Firmware Testing via Automatic Peripheral Interface Modeling](https://www.usenix.org/system/files/sec20spring_feng_prepub_0.pdf)
* **Tags:** HALucinator, emulation, firmware, QEMU, AFL, requires source, MCU, peripheral abstraction
* [2020 - What Exactly Determines the Type? Inferring Types with Context](https://sci-hub.tw/https://ieeexplore.ieee.org/document/9159142)
* **Tags:** context assisted type inference, stripped binaries, variable and type reconstruction, IDA Pro, Word2Vec, CNN
* [2020 - Causal Testing: Understanding Defects’ Root Causes](https://arxiv.org/pdf/1809.06991.pdf)
* **Tags:** Defects4J, causal relationships, Eclipse plugin, unit test mutation, program trace diffing, static value diffing, user study
* [2020 - AURORA: Statistical Crash Analysis for Automated Root Cause Explanation](https://www.syssec.ruhr-uni-bochum.de/media/emma/veroeffentlichungen/2020/04/01/aurora.pdf)
* **Tags:** RCA, program traces, input diversification, Intel PIN, Rust, CFG
* [2020 - ParmeSan: Sanitizer-guided Greybox Fuzzing](https://download.vusec.net/papers/parmesan_sec20.pdf)
* **Tags:** interprocedural CFG, data flow analysis, directed fuzzing (DGF), disregarding 'hot paths', LAVA-M based primitives, LLVM, Angora, AFLGo, ASAP, sanitizer dependent
* [2020 - Magma: A Ground-Truth Fuzzing Benchmark](https://hexhive.epfl.ch/magma/docs/preprint.pdf)
* **Tags:** best practices, fuzzer benchmarking, ground truth, Lava-M
* [2020 - Fitness Guided Vulnerability Detection with Greybox Fuzzing](https://www.csa.iisc.ac.in/~raghavan/ReadingMaterial/sbst20.pdf)
* **Tags:** AFL, vuln specific fitness metric (headroom), buffer/integer overflow detection, AFLGo, pointer analysis, CIL, bad benchmarking
* [2020 - GREYONE: Data Flow Sensitive Fuzzing](https://www.usenix.org/system/files/sec20spring_gan_prepub.pdf)
* **Tags:** data-flow fuzzing, taint-guided mutation, input prioritization, _constraint conformance_, REDQUEEN, good evaluation, VUzzer
* [2020 - FairFuzz-TC: a fuzzer targeting rare branches](https://sci-hub.tw/https://link.springer.com/article/10.1007/s10009-020-00569-w)
* **Tags:** AFL, required seeding, _branch mask_
* [2020 - TOFU: Target-Oriented FUzzer](https://arxiv.org/pdf/2004.14375.pdf)
* **Tags:** DGF, structured mutations, staged fuzzing/learning of cli args, target fitness, structure aware, Dijkstra for priority, AFLGo, Superion
* [2020 - FuZZan: Efficient Sanitizer Metadata Design for Fuzzing](https://nebelwelt.net/files/20ATC.pdf)
* **Tags:** sanitizer metadata, optimization, ASan, MSan, AFL
* [2020 - Boosting Fuzzer Efficiency: An Information Theoretic Perspective](https://mboehme.github.io/paper/FSE20.Entropy.pdf)
* **Tags:** Shannon entropy, seed power schedule, libFuzzer, active SLAM, DGF, fuzzer efficiency
* [2020 - Learning Input Tokens for Effective Fuzzing](https://publications.cispa.saarland/3098/1/lFuzzer-preprint.pdf)
* **Tags:** dynamic taint tracking, parser checks, magic bytes, creation of dict inputs for fuzzers
* [2020 - A Review of Memory Errors Exploitation in x86-64](https://www.mdpi.com/2073-431X/9/2/48/htm)
* **Tags:** NX, canaries, ASLR, new mitigations, mitigation evaluation, recap on memory issues
* [2020 - SoK: The Progress, Challenges, and Perspectives of Directed Greybox Fuzzing](https://arxiv.org/pdf/2005.11907.pdf)
* **Tags:** SoK, directed grey box fuzzing, AFL, AFL mutation operators, DGF vs CGF
* [2020 - MemLock: Memory Usage Guided Fuzzing](https://wcventure.github.io/pdf/ICSE2020_MemLock.pdf)
* **Tags:** memory consumption, AFL, memory leak, uncontrolled-recursion, uncontrolled-memory-allocation, static analysis
* [2019 - Matryoshka: Fuzzing Deeply Nested Branches](https://arxiv.org/pdf/1905.12228.pdf)
* **Tags:** AFL, QSYM, Angora, path constraints, nested conditionals, (post) dominator trees, gradient descent, REDQUEEN, LAVA-M
* [2019 - Building Fast Fuzzers](https://arxiv.org/pdf/1911.07707.pdf)
* **Tags:** grammar based fuzzing, optimization, bold claims, comparison to badly/non-optimized fuzzers, python, lots of micro-optimizations, nice protocolling of failures, bad ASM optimization
* [2019 - Not All Bugs Are the Same: Understanding, Characterizing, and Classifying the Root Cause of Bugs](https://arxiv.org/pdf/1907.11031.pdf)
* **Tags:** RCA via bug reports, classification model, F score
* [2019 - AntiFuzz: Impeding Fuzzing Audits of Binary Executables](https://www.usenix.org/system/files/sec19-guler.pdf)
* **Tags:** anti fuzzing, prevent crashes, delay executions, obscure coverage information, overload symbolic execution
* [2019 - MOpt: Optimized Mutation Scheduling for Fuzzers](https://www.usenix.org/system/files/sec19-lyu.pdf)
* **Tags:** mutation scheduling, particle swarm optimization (PSO), AFL, AFL mutation operators, VUzzer
* [2019 - FuzzFactory: Domain-Specific Fuzzing with Waypoints](https://dl.acm.org/doi/pdf/10.1145/3360600?download=true)
* **Tags:** domain-specific fuzzing, AFL, LLVM, solve hard constraints like cmp, find dynamic memory allocations, binary-based
* [2019 - Fuzzing File Systems via Two-Dimensional Input Space Exploration](https://taesoo.kim/pubs/2019/xu:janus.pdf)
* **Tags:** Ubuntu, file systems, library OS, ext4, btrfs, meta block mutations, edge cases
* [2019 - REDQUEEN: Fuzzing with Input-to-State Correspondence](https://www.syssec.ruhr-uni-bochum.de/media/emma/veroeffentlichungen/2018/12/17/NDSS19-Redqueen.pdf)
* **Tags:** feedback-driven, AFL, magic bytes, nested constraints, input-to-state correspondence, I2S
* [2019 - PeriScope: An Effective Probing and Fuzzing Framework for the Hardware-OS Boundary](https://www.ndss-symposium.org/wp-content/uploads/2019/02/ndss2019_04A-1_Song_paper.pdf)
* **Tags:** kernel, android, userland, embedded, hardware, Linux, device driver, WiFi
* [2019 - FirmFuzz: Automated IoT Firmware Introspection and Analysis](https://nebelwelt.net/publications/files/19IOTSP.pdf)
* **Tags:** emulation, firmadyne, BOF, XSS, CI, NPD, semi-automatic
* [2019 - Firm-AFL: High-Throughput Greybox Fuzzing of IoT Firmware via Augmented Process Emulation](https://www.usenix.org/system/files/sec19-zheng_0.pdf)
* **Tags:** emulation, qemu, afl, full vs user mode, syscall redirect, "augmented process emulation", firmadyne
* [2018 - A Survey of Automated Root Cause Analysis of Software Vulnerability](https://sci-hub.tw/10.1007/978-3-319-93554-6_74)
* **Tags:** Exploit mitigations, fuzzing basics, symbolic execution basics, fault localization, high level
* [2018 - PhASAR: An Inter-procedural Static Analysis Framework for C/C++](https://link.springer.com/content/pdf/10.1007%2F978-3-030-17465-1_22.pdf)
* **Tags:** LLVM, (inter-procedural) data-flow analysis, call-graph, points-to, class hierarchy, CFG, IR
* [2018 - INSTRIM: Lightweight Instrumentation for Coverage-guided Fuzzing](https://www.csie.ntu.edu.tw/~hchsiao/pub/2018_BAR.pdf)
* **Tags:** LLVM, instrumentation optimization, graph algorithms, selective instrumentation, coverage calculation
* [2018 - What You Corrupt Is Not What You Crash: Challenges in Fuzzing Embedded Devices](http://s3.eurecom.fr/docs/ndss18_muench.pdf)
* **Tags:** embedded, challenges, heuristics, emulation, crash classification, fault detection
* [2018 - Evaluating Fuzz Testing](https://www.cs.umd.edu/~mwh/papers/fuzzeval.pdf)
* **Tags:** fuzzing evaluation, good practices, bad practices
* [2017 - Root Cause Analysis of Software Bugs using Machine Learning Techniques](https://sci-hub.tw/10.1109/CONFLUENCE.2017.7943132)
* **Tags:** ML, RC prediction for filed bug reports, unsupervised + supervised combination, RC categorisation, F score
* [2017 - kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels](https://www.usenix.org/system/files/conference/usenixsecurity17/sec17-schumilo.pdf)
* **Tags:** intel PT, kernel, AFL, file systems, Windows, NTFS, Linux, ext, macOS, APFS, driver, feedback-driven
* [2016 - Driller: Augmenting Fuzzing Through Selective Symbolic Execution](https://sites.cs.ucsb.edu/~vigna/publications/2016_NDSS_Driller.pdf)
* **Tags:** DARPA, CGC, concolic execution, hybrid fuzzer, binary based
* [2015 - Challenges with Applying Vulnerability Prediction Models](https://www.microsoft.com/en-us/research/wp-content/uploads/2015/04/ChallengesVulnerabilityModelsMicrosoft_HotSOS.pdf)
* **Tags:** VPM vs DPM, prediction models on large scale systems, files with frequent changes leave more vulns, older code exhibits more vulns
* [2014 - Optimizing Seed Selection for Fuzzing](https://www.usenix.org/system/files/conference/usenixsecurity14/sec14-paper-rebert.pdf)
* **Tags:** BFF, (weighted) minset, peach, cover set problem, seed transferability, time minset, size minset, round robin
* [2013 - Automatic Recovery of Root Causes from Bug-Fixing Changes](https://soarsmu.github.io/papers/wcre13-rootcause.pdf)
* **Tags:** ML + SCA, F score, AST, PPA, source tree analysis

## Unread

Unread papers categorized by a common main theme.

### General fuzzing implementations

* [2023 - SYNTONY: Potential-Aware Fuzzing with Particle Swarm Optimization](https://www.sciencedirect.com/science/article/abs/pii/S0164121223002753)
* [2023 - Triereme: Speeding up hybrid fuzzing through efficient query scheduling](https://goto.ucsd.edu/~gleissen/papers/triereme.pdf)
* [2023 - Hybrid Testing: Combining Static Analysis and Directed Fuzzing](https://dspace.mit.edu/handle/1721.1/151679)
* [2023 - Titan : Efficient Multi-target Directed Greybox Fuzzing](https://5hadowblad3.github.io/files/Oakland24-Titan.pdf)
* [2023 - SpecFuzzer: A Tool for Inferring Class Specifications via Grammar-based Fuzzing](https://facumolina.github.io/files/specfuzzer-tooldemo-ase2023.pdf)
* [2023 - Hopper: Interpretative Fuzzing for Libraries](https://arxiv.org/pdf/2309.03496.pdf)
* [2023 - Enhancing Coverage-Guided Fuzzing via Phantom Program](https://shadowmydx.github.io/papers/fse2023a.pdf)
* [2023 - Hyperfuzzing: black-box security hypertesting with a grey-box fuzzer](https://arxiv.org/pdf/2308.09081.pdf)
* [2023 - SHAPFUZZ: Efficient Fuzzing via Shapley-Guided Byte Selection](https://arxiv.org/pdf/2308.09239.pdf)
* [2023 - PSOFuzz - Fuzzing Processors with Particle Swarm Optimization](https://arxiv.org/pdf/2307.14480.pdf)
* [2023 - SymRustC: A Hybrid Fuzzer for Rust](https://dl.acm.org/doi/abs/10.1145/3597926.3604927)
* [2023 - Finch: Fuzzing with Quantitative and Adaptive Hot-Bytes Identification](https://arxiv.org/pdf/2307.02289.pdf)
* [2023 - HyperGo: Probability-based Directed Hybrid Fuzzing](https://arxiv.org/pdf/2307.07815.pdf)
* [2023 - CrabSandwich: Fuzzing Rust with Rust](https://dl.acm.org/doi/abs/10.1145/3605157.3605176)
* [2023 - InFuzz: An Interactive Tool for Enhancing Efficiency in Fuzzing through Visual Bottleneck Analysis](https://dl.acm.org/doi/abs/10.1145/3605157.3605847)
* [2023 - Rare Path Guided Fuzzing](https://dl.acm.org/doi/pdf/10.1145/3597926.3598136)
* [2023 - Guiding Greybox Fuzzing with Mutation Testing](https://dl.acm.org/doi/pdf/10.1145/3597926.3598107)
* [2023 - FGo: A Directed Grey-box Fuzzer with Probabilistic Exponential cut-the-loss Strategies](https://arxiv.org/pdf/2307.05961.pdf)
* [2023 - FISHFUZZ: Catch Deeper Bugs by Throwing Larger Nets](https://nebelwelt.net/publications/files/23SEC5.pdf)
* [2023 - PosFuzz: augmenting greybox fuzzing with effective position distribution](https://link.springer.com/article/10.1186/s42400-023-00143-2)
* [2023 - Bottleneck Analysis via Grammar-based Performance Fuzzing](https://ieeexplore.ieee.org/abstract/document/10132229)
* [2023 - What Happens When We Fuzz? Investigating OSS-Fuzz Bug History](https://arxiv.org/pdf/2305.11433.pdf)
* [2023 - Toss a Fault to Your Witcher: Applying Grey-box Coverage-Guided Mutational Fuzzing to Detect SQL and Command Injection Vulnerabilities](https://adamdoupe.com/publications/witcher-oakland2023.pdf)
* [2023 - Large Language Models are Edge-Case Fuzzers: Testing Deep Learning Libraries via FuzzGPT](https://arxiv.org/pdf/2304.02014.pdf)
* [2023 - SBFT Tool Competition 2023 - Fuzzing Track](https://arxiv.org/pdf/2304.10070.pdf)
* [2023 - CarpetFuzz: Automatic Program Option Constraint Extraction from Documentation for Fuzzing](https://www.usenix.org/system/files/sec23fall-prepub-467-wang-dawei.pdf)
* [2023 - Learning Seed-Adaptive Mutation Strategies for Greybox Fuzzing](http://prl.korea.ac.kr/~pronto/home/papers/icse23-seamfuzz.pdf)
* [2023 - Directed Greybox Fuzzing with Stepwise Constraint Focusing](https://arxiv.org/pdf/2303.14895.pdf)
* [2023 - Generation-based fuzzing? Don’t build a new generator, reuse!](https://www.sciencedirect.com/science/article/pii/S0167404823000883)
* [2023 - RCABench: Open Benchmarking Platform for Root Cause Analysis](https://arxiv.org/pdf/2303.05029.pdf)
* [2023 - Arvin: Greybox Fuzzing Using Approximate Dynamic CFG Analysis](https://hexhive.epfl.ch/publications/files/23AsiaCCS.pdf)
* [2023 - DAISY: Effective Fuzz Driver Synthesis with Object Usage Sequence Analysis](http://www.wingtecher.com/themes/WingTecherResearch/assets/papers/ICSE-SEIP23.pdf)
* [2023 - autofz: Automated Fuzzer Composition at Runtime](https://gts3.org/assets/papers/2023/fu:autofz.pdf)
* [2023 - Towards Hybrid Fuzzing with Multi-level Coverage Tree and Reinforcement Learning in Greybox Fuzzing](https://dixiyao.github.io/assets/papers/1776.pdf)
* [2023 - Fuzzing, Symbolic Execution, and Expert Guidance for Better Testing](https://ieeexplore.ieee.org/abstract/document/10021305)
* [2023 - Fuzzing vs SBST: Intersections & Differences](https://dl.acm.org/doi/abs/10.1145/3573074.3573102)
* [2023 - Evaluating the Fork-Awareness of Coverage-Guided Fuzzers](https://arxiv.org/pdf/2301.05060.pdf)
* [2023 - Homo in Machina: Improving Fuzz Testing Coverage via Compartment Analysis](https://arxiv.org/pdf/2212.11162.pdf)
* [2023 - The fun in fuzzing - The debugging technique comes into its own](https://dl.acm.org/doi/pdf/10.1145/3580504)
* [2023 - Reachable Coverage: Estimating Saturation in Fuzzing](https://mboehme.github.io/paper/ICSE23.Effectiveness.pdf)
* [2023 - A Seed Scheduling Method With a Reinforcement Learning for a Coverage Guided Fuzzing](https://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=10005088)
* [2023 - SelectFuzz: Efficient Directed Fuzzing with Selective Path Exploration](https://www.computer.org/csdl/proceedings-article/sp/2023/933600b050/1Js0DBwgpwY)
* [2022 - Explainable Fuzzer Evaluation](https://arxiv.org/pdf/2212.09519.pdf)
* [2022 - Rare-Seed Generation for Fuzzing](https://arxiv.org/pdf/2212.09004.pdf)
* [2022 - How to Compare Fuzzers](https://arxiv.org/pdf/2212.03075.pdf)
* [2022 - Valkyrie: Improving Fuzzing Performance Through Deterministic Techniques](https://www.cs.ucdavis.edu/~hchen/paper/rong2022valkyrie.pdf)
* [2022 - FUZZING DEEPER LOGIC WITH IMPEDING FUNCTION TRANSFORMATION](https://hammer.purdue.edu/articles/thesis/FUZZING_DEEPER_LOGIC_WITH_IMPEDING_FUNCTION_TRANSFORMATION/21663506)
* [2022 - Alphuzz: Monte Carlo Search on Seed-Mutation Tree for Coverage-Guided Fuzzing](https://dl.acm.org/doi/abs/10.1145/3564625.3564660)
* [2022 - AutoGenD: fuzz driver generation for binary libraries without header files and symbol information](https://www.spiedigitallibrary.org/conference-proceedings-of-spie/12503/1250306/AutoGenD--fuzz-driver-generation-for-binary-libraries-without-header/10.1117/12.2657278.short?SSO=1)
* [2022 - Mutation Optimization of Directional Fuzzing for Cumulative Defects](https://www.jos.org.cn/josen/article/abstract/6491)
* [2022 - IMPROVING AFL++ CMPLOG: TACKLING THE BOTTLENECKS](https://arxiv.org/pdf/2211.08357.pdf)
* [2022 - One Fuzz Doesn’t Fit All: Optimizing Directed Fuzzing via Target-tailored Program State Restriction](https://hexhive.epfl.ch/publications/files/22ACSAC2.pdf)
* [2022 - POLYFUZZ: Holistic Greybox Fuzzing of Multi-Language Systems](https://www.usenix.org/system/files/sec23summer_411-li_wen-prepub.pdf)
* [2022 - Sydr-Fuzz: Continuous Hybrid Fuzzing and Dynamic Analysis for Security Development Lifecycle](https://arxiv.org/pdf/2211.11595.pdf)
* [2022 - Nimbus: Toward Speed Up Function Signature Recovery via Input Resizing and Multi-Task Learning](https://arxiv.org/pdf/2211.04219.pdf)
* [2022 - So Many Fuzzers, So Little Time](https://assist-project.github.io/papers/[email protected])
* [2022 - SLOPT: Bandit Optimization Framework for Mutation-Based Fuzzing](https://arxiv.org/pdf/2211.03285.pdf)
* [2022 - DriveFuzz: Discovering Autonomous Driving Bugs through Driving Quality-Guided Fuzzing](https://arxiv.org/pdf/2211.01829.pdf)
* [2022 - UltraFuzz: Towards Resource-saving in Distributed Fuzzing](https://www.computer.org/csdl/journal/ts/5555/01/09939114/1I1KHo9MOPe)
* [2022 - Snappy: Efficient Fuzzing with Adaptive and Mutable Snapshots](https://download.vusec.net/papers/snappy_acsac22.pdf)
* [2022 - FuzzerAid: Grouping Fuzzed Crashes Based On Fault Signatures](https://arxiv.org/pdf/2209.01244.pdf)
* [2022 - Automatically Seed Corpus and Fuzzing Executables Generation Using Test Framework](https://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=9867993)
* [2022 - CAMFuzz: Explainable Fuzzing with Local Interpretation](https://cybersecurity.springeropen.com/articles/10.1186/s42400-022-00116-x)
* [2022 - Efficient Greybox Fuzzing to Detect Memory Errors](https://www.comp.nus.edu.sg/~gregory/papers/rezzan.pdf)
* [2022 - LibAFL: A Framework to Build Modular and Reusable Fuzzers](http://193.55.114.4/docs/ccs22_fioraldi.pdf)
* [2022 - FishFuzz: Throwing Larger Nets to Catch Deeper Bugs](https://arxiv.org/pdf/2207.13393.pdf)
* [2022 - SYMSAN: Time and Space Efficient Concolic Execution via Dynamic Data-flow Analysis](https://www.cs.ucr.edu/~csong/sec22-symsan.pdf)
* [2022 - AMSFuzz: An adaptive mutation schedule for fuzzing](https://www.sciencedirect.com/science/article/abs/pii/S0957417422013203)
* [2022 - FixReverter: A Realistic Bug Injection Methodology for Benchmarking Fuzz Testing](https://www.usenix.org/system/files/sec22-zhang-zenong.pdf)
* [2022 - Multiple Targets Directed Greybox Fuzzing](https://arxiv.org/pdf/2206.14977.pdf)
* [2022 - Combining BMC and Fuzzing Techniques for Finding Software Vulnerabilities in Concurrent Programs](https://arxiv.org/pdf/2206.06043.pdf)
* [2022 - DocTer: Documentation-Guided Fuzzing for Testing Deep Learning API Functions](https://www.cs.purdue.edu/homes/lintan/publications/docter-issta22.pdf)
* [2022 - Obtaining Fuzzing Results with Different Timeouts](https://ieeexplore.ieee.org/abstract/document/9787974)
* [2022 - FASSFuzzer—An Automated Vulnerability Detection System for Android System Services](https://web.archive.org/web/20220501200656id_/http://www.csroc.org.tw/journal/JOC33-2/JOC3302-17.pdf)
* [2022 - WindRanger: A Directed Greybox Fuzzer driven by Deviation Basic Blocks](https://114.212.80.14/paper/ICSE22_windranger.pdf)
* [2022 - Drifuzz: Harvesting Bugs in Device Drivers from Golden Seeds](https://messlab.moyix.net/papers/drifuzz_sec22.pdf)
* [2022 - GraphFuzz: Library API Fuzzing with Lifetime-aware Dataflow Graphs](https://hgarrereyn.github.io/GraphFuzz/research/GraphFuzz_ICSE_2022.pdf)
* [2022 - AcoFuzz: Adaptive Energy Allocation for Greybox Fuzzing](https://ieeexplore.ieee.org/abstract/document/9787956)
* [2022 - TargetFuzz: Using DARTs to Guide Directed Greybox Fuzzers](https://www.honda-ri.de/pubs/pdf/4940.pdf)
* [2022 - Fast Fuzzing for Memory Errors](https://arxiv.org/pdf/2204.02773.pdf)
* [2022 - Stateful Greybox Fuzzing](https://arxiv.org/pdf/2204.02545.pdf)
* [2022 - Metamorphic Fuzzing of C++ Libraries](https://www.doc.ic.ac.uk/~afd/homepages/papers/pdfs/2022/ICST.pdf)
* [2022 - Effective Seed Scheduling for Fuzzing with Graph Centrality Analysis](https://arxiv.org/pdf/2203.12064.pdf)
* [2022 - Comparing Fuzzers on a Level Playing Field with FuzzBench](https://discovery.ucl.ac.uk/id/eprint/10144606/1/Comparing%20Fuzzers%20on%20a%20Level%20Playing%20Field%20with%20FuzzBench.pdf)
* [2022 - Vulnerability-oriented directed fuzzing for binary programs](https://www.nature.com/articles/s41598-022-07355-5)
* [2022 - An Improvement of AFL Based On The Function Call Depth](https://ieeexplore.ieee.org/document/9674138)
* [2022 - FuzzingDriver: the Missing Dictionary to Increase Code Coverage in Fuzzers](https://arxiv.org/pdf/2201.04853.pdf)
* [2022 - BeDivFuzz: Integrating Behavioral Diversity into Generator-based Fuzzing](https://arxiv.org/pdf/2202.13114.pdf)
* [2022 - One Fuzzing Strategy to Rule Them All](https://shadowmydx.github.io/papers/icse22-main-1314.pdf)
* [2022 - Grammars for Free: Toward Grammar Inference for Ad Hoc Parsers](https://arxiv.org/pdf/2202.01021.pdf)
* [2022 - Fuzzing Class Specifications](https://arxiv.org/pdf/2201.10874.pdf)
* [2022 - Mutation Analysis: Answering the Fuzzing Challenge](https://arxiv.org/pdf/2201.11303.pdf)
* [2022 - Ferry: State-Aware Symbolic Execution for Exploring State-Dependent Program Paths](https://yangzhemin.github.io/papers/ferry-security22.pdf)
* [2022 - BEACON : Directed Grey-Box Fuzzing with Provable Path Pruning](https://qingkaishi.github.io/public_pdfs/SP22.pdf)
* [2022 - MORPHUZZ: Bending (Input) Space to Fuzz Virtual Devices](https://www.usenix.org/system/files/sec22summer_bulekov.pdf)
* [2021 - A parallel fuzzing method based on two-stage mutation](https://www.spiedigitallibrary.org/conference-proceedings-of-spie/12085/1208511/A-parallel-fuzzing-method-based-on-two-stage-mutation/10.1117/12.2624946.short)
* [2021 - Better Pay Attention Whilst Fuzzing](https://arxiv.org/pdf/2112.07143.pdf)
* [2021 - Diar: Removing Uninteresting Bytes from Seeds in Software Fuzzing](https://arxiv.org/pdf/2112.13297.pdf)
* [2021 - Reducing Time-To-Fix For Fuzzer Bugs](https://ruimaranhao.com/assets/pdfs/ase2021.pdf)
* [2021 - Casr-Cluster: Crash Clustering for Linux Applications](https://arxiv.org/pdf/2112.13719.pdf)
* [2021 - Fuzzm: Finding Memory Bugs through Binary-Only Instrumentation and Fuzzing of WebAssembly](https://arxiv.org/pdf/2110.15433.pdf)
* [2021 - InstruGuard: Find and Fix Instrumentation Errors for Coverage-based Greybox Fuzzing](https://ajax4sec.github.io/papers/ASE_2021.pdf)
* [2021 - POSTER: OS Independent Fuzz Testing of I/O Boundary](https://dl.acm.org/doi/abs/10.1145/3460120.3485359)
* [2021 - HDBFuzzer–Target-oriented Hybrid Directed Binary Fuzzer](https://dl.acm.org/doi/abs/10.1145/3487075.3487124)
* [2021 - ovAFLow: Detecting Memory Corruption Bugs with Fuzzing-based Taint Inference](https://jcst.ict.ac.cn/EN/10.1007/s11390-021-1600-9)
* [2021 - SyzScope: Revealing High-Risk Security Impacts of Fuzzer-Exposed Bugs in Linux kernel](https://etenal.me/wp-content/uploads/2021/10/SyzScope-final.pdf)
* [2021 - SiliFuzz: Fuzzing CPUs by proxy](https://github.com/google/fuzzing/blob/master/docs/silifuzz.pdf)
* [2021 - Same Coverage, Less Bloat: Accelerating Binary-only Fuzzing with Coverage-preserving Coverage-guided Tracing](https://people.cs.vt.edu/snagy2/papers/21CCS.pdf)
* [2021 - Facilitating Parallel Fuzzing with Mutually-exclusive Task Distribution](https://arxiv.org/pdf/2109.08635.pdf)
* [2021 - PATA: Fuzzing with Path Aware Taint Analysis](http://www.wingtecher.com/themes/WingTecherResearch/assets/papers/sp22.pdf)
* [2021 - BSOD: Binary-only Scalable fuzzing Of device Drivers](https://dmnk.co/raid21-bsod.pdf)
* [2021 - FuzzBench: An Open Fuzzer Benchmarking Platform and Service](https://storage.googleapis.com/pub-tools-public-publication-data/pdf/64574e1a7cfc9456c273ce03574dacfcd6ad9d54.pdf)
* [2021 - My Fuzzer Beats Them All! Developing a Framework for Fair Evaluation and Comparison of Fuzzers](https://arxiv.org/pdf/2108.07076.pdf)
* [2021 - Scalable Fuzzing of Program Binaries with E9AFL](https://www.comp.nus.edu.sg/~abhik/pdf/ASE21.pdf)
* [2021 - HyperFuzzer: An Efficient Hybrid Fuzzer for Virtual CPUs](https://patricegodefroid.github.io/public_psfiles/hyperfuzzer-ccs21.pdf)
* [2021 - BigMap: Future-proofing Fuzzers with Efficient Large Maps](https://ieeexplore.ieee.org/abstract/document/9505052)
* [2021 - Token-Level Fuzzing](https://seclab.cs.ucsb.edu/files/publications/Salls2021Token_Level.pdf)
* [2021 - Hashing Fuzzing: Introducing Input Diversity to Improve Crash Detection](https://eprints.mdx.ac.uk/33682/1/main_TSE.pdf)
* [2021 - LeanSym: Efficient Hybrid Fuzzing Through Conservative Constraint Debloating](https://download.vusec.net/papers/leansym_raid21.pdf)
* [2021 - ESRFuzzer: an enhanced fuzzing framework for physical SOHO router devices to discover multi-Type vulnerabilities](https://cybersecurity.springeropen.com/articles/10.1186/s42400-021-00091-9)
* [2021 - KCFuzz: Directed Fuzzing Based on Keypoint Coverage](https://link.springer.com/chapter/10.1007/978-3-030-78609-0_27)
* [2021 - TCP-Fuzz: Detecting Memory and Semantic Bugs in TCP Stacks with Fuzzing](https://www.usenix.org/conference/atc21/presentation/zou)
* [2021 - Fuzzing with optimized grammar-aware mutation strategies](https://ieeexplore.ieee.org/abstract/document/9469897)
* [2021 - Directed Fuzzing for Use-After-Free Vulnerabilities Detection](http://www.lirmm.fr/afadl2021/papers/afadl2020_paper_4.pdf)
* [2021 - DIFUZZRTL: Differential Fuzz Testing to Find CPU Bugs](https://compsec.snu.ac.kr/papers/hur-difuzzrtl.pdf)
* [2021 - Z-Fuzzer: device-agnostic fuzzing of Zigbee protocol implementation](https://dl.acm.org/doi/abs/10.1145/3448300.3468296)
* [2021 - Fuzzing with Multi-dimensional Control of Mutation Strategy](https://link.springer.com/chapter/10.1007/978-3-030-79728-7_27)
* [2021 - Using a Guided Fuzzer and Preconditions to Achieve Branch Coverage with Valid Inputs](https://link.springer.com/chapter/10.1007/978-3-030-79379-1_5)
* [2021 - RIFF: Reduced Instruction Footprint for Coverage-Guided Fuzzing](http://www.wingtecher.com/themes/WingTecherResearch/assets/papers/atc21.pdf)
* [2021 - CoCoFuzzing: Testing Neural Code Models with Coverage-Guided Fuzzing](https://arxiv.org/pdf/2106.09242.pdf)
* [2021 - Seed Selection for Successful Fuzzing](https://nebelwelt.net/files/21ISSTA2.pdf)
* [2021 - Gramatron: Effective Grammar-Aware Fuzzing](https://nebelwelt.net/files/21ISSTA.pdf)
* [2021 - Hyntrospect: a fuzzer for Hyper-V devices](https://www.sstic.org/media/SSTIC2021/SSTIC-actes/hyntrospect_a_fuzzer_for_hyper-v_devices/SSTIC2021-Article-hyntrospect_a_fuzzer_for_hyper-v_devices-dubois.pdf)
* [2021 - FUZZOLIC: mixing fuzzing and concolic execution](https://www.sciencedirect.com/science/article/pii/S0167404821001929)
* [2021 - QFuzz: Quantitative Fuzzing for Side Channels](https://arxiv.org/pdf/2106.03346.pdf)
* [2021 - Revizor: Fuzzing for Leaks in Black-box CPUs](https://arxiv.org/pdf/2105.06872.pdf)
* [2021 - Unleashing Fuzzing Through Comprehensive, Efficient, and Faithful Exploitable-Bug Exposing](https://ieeexplore.ieee.org/abstract/document/9430753)
* [2021 - Constraint-guided Directed Greybox Fuzzing](https://www.usenix.org/system/files/sec21fall-lee-gwangmu.pdf)
* [2021 - Test-Case Reduction and Deduplication Almost for Free with Transformation-Based Compiler Testing](https://www.doc.ic.ac.uk/~afd/homepages/papers/pdfs/2021/PLDI.pdf)
* [2021 - RULF: Rust Library Fuzzing via API Dependency Graph Traversal](https://arxiv.org/pdf/2104.12064.pdf)
* [2021 - STOCHFUZZ: Sound and Cost-effective Fuzzing of Stripped Binaries by Incremental and Stochastic Rewriting](https://www.cs.purdue.edu/homes/zhan3299/res/SP21b.pdf)
* [2021 - PS-Fuzz: Efficient Graybox Firmware Fuzzing Based on Protocol State](https://search.proquest.com/openview/bd00ff3647f2802721db0e14448f8c2b/1?pq-origsite=gscholar&cbl=4585459)
* [2021 - MuDelta: Delta-Oriented Mutation Testing at Commit Time](https://orbilu.uni.lu/bitstream/10993/46742/1/RelevantMutantPrediction%20%281%29.pdf)
* [2021 - CollabFuzz: A Framework for Collaborative Fuzzing](https://download.vusec.net/papers/collabfuzz_eurosec21.pdf)
* [2021 - MUTAGEN: Faster Mutation-Based Random Testing](http://www.cse.chalmers.se/~mista/assets/pdf/icse21-src.pdf)
* [2021 - Inducing Subtle Mutations with Program Repair](http://rahul.gopinath.org/resources/icstw2021/schwander2021inducing.pdf)
* [2021 - Differential Analysis of X86-64 Instruction Decoders](https://easychair.org/publications/preprint/1LHr)
* [2021 - On Introducing Automatic Test Case Generation in Practice: A Success Story and Lessons Learned](https://arxiv.org/pdf/2103.00465.pdf)
* [2021 - A Priority Based Path Searching Method for Improving Hybrid Fuzzing](https://www.sciencedirect.com/science/article/pii/S0167404821000663)
* [2021 - IntelliGen: Automatic Driver Synthesis for Fuzz Testing](http://www.wingtecher.com/themes/WingTecherResearch/assets/papers/icse_seip_0221.pdf)
* [2021 - icLibFuzzer: Isolated-context libFuzzer for Improving Fuzzer Comparability](https://bar2021.moyix.net/bar2021-preprint13.pdf)
* [2021 - SN4KE: Practical Mutation Testing at Binary Level](https://bar2021.moyix.net/bar2021-preprint17.pdf)
* [2021 - One Engine to Fuzz ’em All: Generic Language Processor Testing with Semantic Validation](https://faculty.ist.psu.edu/wu/papers/polyglot.pdf)
* [2021 - Growing A Test Corpus with Bonsai Fuzzing](https://rohan.padhye.org/files/bonsai-icse21.pdf)
* [2021 - Fuzzing Symbolic Expressions](https://arxiv.org/pdf/2102.06580.pdf)
* [2021 - JMPscare: Introspection for Binary-Only Fuzzing](https://bar2021.moyix.net/bar2021-preprint3.pdf)
* [2021 - An Improved Directed Grey-box Fuzzer](https://ieeexplore.ieee.org/abstract/document/9338761)
* [2021 - A Binary Protocol Fuzzing Method Based on SeqGAN](https://ieeexplore.ieee.org/abstract/document/9339152)
* [2021 - Refined Grey-Box Fuzzing with Sivo](https://arxiv.org/pdf/2102.02394.pdf)
* [2021 - PSOFuzzer: A Target-Oriented Software Vulnerability Detection Technology Based on Particle Swarm Optimization](https://www.mdpi.com/2076-3417/11/3/1095/htm)
* [2021 - MooFuzz: Many-Objective Optimization Seed Schedule for Fuzzer](https://www.mdpi.com/2227-7390/9/3/205/htm)
* [2021 - CMFuzz: context-aware adaptive mutation for fuzzers](https://link.springer.com/article/10.1007/s10664-020-09927-3)
* [2021 - GTFuzz: Guard Token Directed Grey-Box Fuzzing](https://ieeexplore.ieee.org/abstract/document/9320425)
* [2021 - ProFuzzBench: A Benchmark for Stateful Protocol Fuzzing](https://arxiv.org/pdf/2101.05102.pdf)
* [2021 - SymQEMU: Compilation-based symbolic execution for binaries](http://www.s3.eurecom.fr/docs/ndss21_symqemu.pdf)
* [2021 - CONCOLIC EXECUTION TAILORED FOR HYBRID FUZZING THESIS](https://smartech.gatech.edu/bitstream/handle/1853/64153/YUN-DISSERTATION-2020.pdf)
* [2021 - Breaking Through Binaries: Compiler-quality Instrumentation for Better Binary-only Fuzzing](http://static1.1.sqspcdn.com/static/f/543048/28391424/1610229123433/FIBRE_USENIX_21.pdf?token=XvHn0I3h9MvSnRBV%2Fo4dQ675sEA%3D)
* [2021 - AlphaFuzz: Evolutionary Mutation-based Fuzzing as Monte Carlo Tree Search](https://arxiv.org/pdf/2101.00612.pdf)
* [2020 - Fuzzing with Fast Failure Feedback](https://arxiv.org/pdf/2012.13516.pdf)
* [2020 - LAFuzz: Neural Network for Efficient Fuzzing](https://ieeexplore.ieee.org/abstract/document/9288180)
* [2020 - MaxAFL: Maximizing Code Coverage with a Gradient-Based Optimization Technique](https://www.mdpi.com/2079-9292/10/1/11)
* [2020 - Program State Abstraction for Feedback-Driven Fuzz Testing using Likely Invariants](https://arxiv.org/pdf/2012.11182.pdf)
* [2020 - PMFuzz: Test Case Generation for Persistent Memory Programs](https://asplos-conference.org/abstracts/asplos21-paper8-extended_abstract.pdf)
* [2020 - FuSeBMC: A White-Box Fuzzer for Finding Security Vulnerabilities in C Programs](https://arxiv.org/pdf/2012.11223.pdf)
* [2020 - Integrity: Finding Integer Errors by Targeted Fuzzing](https://link.springer.com/chapter/10.1007/978-3-030-63086-7_20)
* [2020 - ConFuzz: Coverage-guided Property Fuzzing for Event-driven Programs](https://kcsrk.info/papers/confuzz_padl21.pdf)
* [2020 - AFLTurbo: Speed up Path Discovery for Greybox Fuzzing](https://ieeexplore.ieee.org/abstract/document/9251057)
* [2020 - Fuzzing Channel-Based Concurrency Runtimes using Types and Effects](http://soft.vub.ac.be/Publications/2020/vub-tr-soft-20-14.pdf)
* [2020 - DeFuzz: Deep Learning Guided Directed Fuzzing](https://arxiv.org/pdf/2010.12149.pdf)
* [2020 - CrFuzz: Fuzzing Multi-purpose Programs through Input Validation](https://www.cs.ucr.edu/~csong/fse20-crfuzz.pdf)
* [2020 - EPfuzzer: Improving Hybrid Fuzzing with Hardest-to-reach Branch Prioritization](http://itiis.org/digital-library/23867)
* [2020 - Fuzzing Based on Function Importance by Attributed Call Graph](https://arxiv.org/pdf/2010.03482.pdf)
* [2020 - UNIFUZZ: A Holistic and Pragmatic Metrics-Driven Platform for Evaluating Fuzzers](https://arxiv.org/pdf/2010.01785.pdf)
* [2020 - PathAFL: Path-Coverage Assisted Fuzzing](https://dl.acm.org/doi/abs/10.1145/3320269.3384736)
* [2020 - Path Sensitive Fuzzing for Native Applications](https://ieeexplore.ieee.org/abstract/document/9208709)
* [2020 - UniFuzz: Optimizing Distributed Fuzzing via Dynamic Centralized Task Scheduling](https://arxiv.org/pdf/2009.06124.pdf)
* [2020 - Fuzzing Error Handling Code using Context-Sensitive Software Fault Injection](https://www.usenix.org/system/files/sec20-jiang.pdf)
* [2020 - SpecFuzz: Bringing Spectre-type vulnerabilities to the surface](https://www.usenix.org/system/files/sec20-oleksenko.pdf)
* [2020 - Zeror: Speed Up Fuzzing with Coverage-sensitive Tracing and Scheduling](http://www.wingtecher.com/themes/WingTecherResearch/assets/papers/ase20.pdf)
* [2020 - MUZZ: Thread-aware Grey-box Fuzzing for Effective Bug Hunting in Multithreaded Programs](https://arxiv.org/pdf/2007.15943.pdf)
* [2020 - Evolutionary Grammar-Based Fuzzing](https://arxiv.org/pdf/2008.01150.pdf)
* [2020 - AFLpro: Direction sensitive fuzzing](https://sci-hub.tw/http://www.sciencedirect.com/science/article/pii/S2214212619305733)
* [2020 - CSI-Fuzz: Full-speed Edge Tracing Using Coverage Sensitive Instrumentation](https://sci-hub.tw/10.1109/TDSC.2020.3008826)
* [2020 - Scalable Greybox Fuzzing for Effective Vulnerability Management DISS](https://mediatum.ub.tum.de/doc/1509837/file.pdf)
* [2020 - HotFuzz Discovering Algorithmic Denial-of-Service Vulnerabilities through Guided Micro-Fuzzing](https://pdfs.semanticscholar.org/6515/a12fc8615a401e3c7a80d5ada59e5d057971.pdf)
* [2020 - Fuzzing Binaries for Memory Safety Errors with QASan](https://www.researchgate.net/publication/342493914_Fuzzing_Binaries_for_Memory_Safety_Errors_with_QASan)
* [2020 - Suzzer: A Vulnerability-Guided Fuzzer Based on Deep Learning](https://link.springer.com/chapter/10.1007%2F978-3-030-42921-8_8)
* [2020 - IJON: Exploring Deep State Spaces via Fuzzing](https://www.syssec.ruhr-uni-bochum.de/media/emma/veroeffentlichungen/2020/02/27/IJON-Oakland20.pdf)
* [2020 - Binary-level Directed Fuzzing for Use-After-Free Vulnerabilities](https://arxiv.org/pdf/2002.10751.pdf)
* [2020 - PANGOLIN: Incremental Hybrid Fuzzing with Polyhedral Path Abstraction](https://qingkaishi.github.io/public_pdfs/SP2020.pdf)
* [2020 - UEFI Firmware Fuzzing with Simics Virtual Platform](http://web.cecs.pdx.edu/~zhenkun/pub/uefi-fuzzing-dac20.pdf)
* [2020 - Typestate-Guided Fuzzer for Discovering Use-after-Free Vulnerabilities](https://yuleisui.github.io/publications/icse20.pdf)
* [2020 - FuzzGuard: Filtering out Unreachable Inputs in Directed Grey-box Fuzzing through Deep Learning](https://www.usenix.org/system/files/sec20summer_zong_prepub.pdf)
* [2020 - HyDiff: Hybrid Differential Software Analysis](https://yannicnoller.github.io/publications/icse2020_noller_hydiff.pdf)
* [2019 - Engineering a Better Fuzzer with Synergically Integrated Optimizations](http://www.wingtecher.com/themes/WingTecherResearch/assets/papers/issre19_betterfuzzer.pdf)
* [2019 - Superion: Grammar-Aware Greybox Fuzzing](https://arxiv.org/pdf/1812.01197.pdf)
* [2019 - ProFuzzer: On-the-fly Input Type Probing for Better Zero-day Vulnerability Discovery](https://www.cs.purdue.edu/homes/ma229/papers/SP19.pdf)
* [2019 - Grimoire: Synthesizing Structure while Fuzzing](https://www.usenix.org/system/files/sec19-blazytko.pdf)
* [2019 - Ptrix: Efficient Hardware-Assisted Fuzzing for COTS Binary](https://arxiv.org/pdf/1905.10499.pdf)
* [2019 - SAVIOR: Towards Bug-Driven Hybrid Testing](https://arxiv.org/pdf/1906.07327.pdf)
* [2019 - FUDGE: Fuzz Driver Generation at Scale](https://www.domagoj-babic.com/uploads/Pubs/Fudge/esecfse19fudge.pdf)
* [2019 - NAUTILUS: Fishing for Deep Bugs with Grammars](https://www.syssec.ruhr-uni-bochum.de/media/emma/veroeffentlichungen/2018/12/17/NDSS19-Nautilus.pdf)
* [2019 - Send Hardest Problems My Way: Probabilistic Path Prioritization for Hybrid Fuzzing](https://www.cs.ucr.edu/~heng/pubs/digfuzz_ndss19.pdf)
* [2019 - EnFuzz: Ensemble Fuzzing with Seed Synchronization among Diverse Fuzzers](https://www.usenix.org/system/files/sec19-chen-yuanliang.pdf)
* [2018 - Fuzz Testing in Practice: Obstacles and Solutions](https://sci-hub.se/10.1109/SANER.2018.8330260)
* [2018 - PAFL: Extend Fuzzing Optimizations of Single Mode to Industrial Parallel Mode](https://sci-hub.se/https://doi.org/10.1145/3236024.3275525)
* [2018 - PTfuzz: Guided Fuzzing with Processor Trace Feedback](https://sci-hub.se/10.1109/ACCESS.2018.2851237)
* [2018 - Angora: Efficient Fuzzing by Principled Search](https://web.cs.ucdavis.edu/~hchen/paper/chen2018angora.pdf)
* [2018 - FairFuzz: A Targeted Mutation Strategy for Increasing Greybox Fuzz Testing Coverage](https://www.carolemieux.com/fairfuzz-ase18.pdf)
* [2018 - NEUZZ: Efficient Fuzzing with Neural Program Smoothing](https://arxiv.org/pdf/1807.05620.pdf)
* [2018 - CollAFL: Path Sensitive Fuzzing](http://chao.100871.net/papers/oakland18.pdf)
* [2018 - Full-speed Fuzzing: Reducing Fuzzing Overhead through Coverage-guided Tracing](https://arxiv.org/pdf/1812.11875.pdf)
* [2018 - QSYM: A Practical Concolic Execution Engine Tailored for Hybrid Fuzzing](https://www.usenix.org/system/files/conference/usenixsecurity18/sec18-yun.pdf)
* [2018 - Coverage-based Greybox Fuzzing as Markov Chain](https://mboehme.github.io/paper/TSE18.pdf)
* [2018 - MoonShine: Optimizing OS Fuzzer Seed Selection with Trace Distillation](http://www.cs.columbia.edu/~suman/docs/moonshine.pdf)
* [2018 - Singularity: Pattern Fuzzing for Worst Case Complexity](https://fredfeng.github.io/papers/fse18.pdf)
* [2018 - Smart Greybox Fuzzing](https://arxiv.org/pdf/1811.09447.pdf)
* [2018 - Hawkeye: Towards a Desired Directed Grey-box Fuzzer](https://chenbihuan.github.io/paper/ccs18-chen-hawkeye.pdf)
* [2018 - PerfFuzz: Automatically Generating Pathological Inputs](https://www.carolemieux.com/perffuzz-issta2018.pdf)
* [2018 - Enhancing Memory Error Detection for Large-Scale Applications and Fuzz Testing](https://lifeasageek.github.io/papers/han:meds.pdf)
* [2018 - T-Fuzz: fuzzing by program transformation](https://nebelwelt.net/publications/files/18Oakland.pdf)
* [2017 - Evaluating and improving fault localization](https://www.sci-hub.ren/10.1109/ICSE.2017.62)
* [2017 - IMF: Inferred Model-based Fuzzer](https://acmccs.github.io/papers/p2345-hanA.pdf)
* [2017 - Synthesizing Program Input Grammars](https://obastani.github.io/docs/pldi17.pdf)
* [2017 - Stateful Fuzzing of Wireless Device Drivers in an Emulated Environment](https://pdfs.semanticscholar.org/26b9/97d7a83ce950db6d311ee65c268e756e0794.pdf)
* [2017 - Steelix: Program-State Based Binary Fuzzing](https://dl.acm.org/doi/pdf/10.1145/3106237.3106295?download=true)
* [2017 - Designing New Operating Primitives to Improve Fuzzing Performance](https://acmccs.github.io/papers/p2313-xuA.pdf)
* [2017 - VUzzer: Application-aware Evolutionary Fuzzing](https://www.cs.vu.nl/~giuffrida/papers/vuzzer-ndss-2017.pdf)
* [2017 - DIFUZE: Interface Aware Fuzzing for Kernel Drivers](https://acmccs.github.io/papers/p2123-corinaA.pdf)
* [2017 - Instruction Punning: Lightweight Instrumentation for x86-64](https://dl.acm.org/doi/pdf/10.1145/3062341.3062344?download=true)
* [2017 - Designing New Operating Primitives to Improve Fuzzing Performance](http://iisp.gatech.edu/sites/default/files/images/designing_new_operating_primitives_to_improve_fuzzing_performance_vt.pdf)
* [2014 - A Large-Scale Analysis of the Security of Embedded Firmwares](https://www.usenix.org/system/files/conference/usenixsecurity14/sec14-paper-costin.pdf)
* [2013 - Scheduling Black-box Mutational Fuzzing](https://dl.acm.org/doi/pdf/10.1145/2508859.2516736?download=true)
* [2013 - Dowsing for Overflows: A Guided Fuzzer to Find Buffer Boundary Violations](https://www.usenix.org/system/files/conference/usenixsecurity13/sec13-paper_haller.pdf)
* [2013 - RPFuzzer: A Framework for Discovering Router Protocols Vulnerabilities Based on Fuzzing](http://www.itiis.org/journals/tiis/digital-library/manuscript/file/20353/14.TIIS-RP-2012-Dec-0966.R1.pdf)
* [2011 - Offset-Aware Mutation based Fuzzing for Buffer Overflow Vulnerabilities: Few Preliminary Results](https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=5954459)
* [2010 - TaintScope: A Checksum-Aware Directed Fuzzing Tool for Automatic Software Vulnerability Detection](https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=5504701)
* [2009 - Taint-based Directed Whitebox Fuzzing](https://ece.uwaterloo.ca/~vganesh/Publications_files/vg-ICSE2009-BuzzFuzz.pdf)
* [2009 - Dynamic Test Generation To Find Integer Bugs in x86 Binary Linux Programs](https://argp.github.io/public/50a11f65857c12c76995f843dbfe6dda.pdf)
* [2008 - Grammar-based Whitebox Fuzzing](https://people.csail.mit.edu/akiezun/pldi-kiezun.pdf)
* [2008 - Vulnerability Analysis for X86 Executables Using Genetic Algorithm and Fuzzing](https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=4682289)
* [2008 - Fuzzing Wi-Fi Drivers to Locate Security Vulnerabilities](https://www.di.fc.ul.pt/~nuno/PAPERS/EDCC08.pdf)
* [2008 - KLEE: Unassisted and Automatic Generation of High-Coverage Tests for Complex Systems Programs](https://hci.stanford.edu/cstr/reports/2008-03.pdf)
* [2008 - Automated Whitebox Fuzz Testing](https://patricegodefroid.github.io/public_psfiles/ndss2008.pdf)
* [2005 - DART: Directed Automated Random Testing](https://web.eecs.umich.edu/~weimerw/2014-6610/reading/p213-godefroid.pdf)
* [1994 - Dominators, Super Blocks, and Program Coverage](https://www.sci-hub.ren/10.1145/174675.175935)

### Harnessing

* [2023 - AFGen: Whole-Function Fuzzing for Applications and Libraries](https://www.computer.org/csdl/proceedings-article/sp/2024/313000a011/1RjE9PjiDss)
* [2023 - NaNofuzz: A Usable Tool for Automatic Test Generation](https://cmumatt.github.io/assets/NaNofuzz_2023.pdf)

### AI/LLM

* [2023 - LLM-Based Code Generation Method for Golang Compiler Testing](https://guqiuhan.github.io/publication/conference-paper/conference-paper.pdf)
* [2023 - Large Language Model guided Protocol Fuzzing](https://mpi-softsec.github.io/papers/NDSS24-chatafl.pdf)
* [2023 - AI-assisted Vulnerability Analysis And Classification Framework for UDS on CAN-bus Fuzzer](https://www.researchgate.net/profile/Golam-Kayas/publication/374415112_AI-assisted_Vulnerability_Analysis_And_Classification_Framework_for_UDS_on_CAN-bus_Fuzzer/links/651c6261b0df2f20a20ae412/AI-assisted-Vulnerability-Analysis-And-Classification-Framework-for-UDS-on-CAN-bus-Fuzzer.pdf)
* [2023 - GPTFUZZER: Red Teaming Large Language Models with Auto-Generated Jailbreak Prompts](https://arxiv.org/pdf/2309.10253.pdf)
* [2023 - FUZZLLM: A NOVEL AND UNIVERSAL FUZZING FRAMEWORK FOR PROACTIVELY DISCOVERING JAILBREAK VULNERABILITIES IN LARGE LANGUAGE MODELS](https://arxiv.org/pdf/2309.05274.pdf)
* [2023 - Universal Fuzzing via Large Language Models](https://arxiv.org/pdf/2308.04748.pdf)
* [2023 - Understanding Large Language Model Based Fuzz Driver Generation](https://arxiv.org/pdf/2307.12469.pdf)
* [2023 - Large Language Models for Fuzzing Parsers](https://dl.acm.org/doi/abs/10.1145/3605157.3605173)
* [2023 - Large Language Models Are Zero-Shot Fuzzers: Fuzzing Deep-Learning Libraries via Large Language Models](https://dl.acm.org/doi/abs/10.1145/3597926.3598067)
* [2023 - Augmenting Greybox Fuzzing with Generative AI](https://arxiv.org/pdf/2306.06782.pdf)
* [2023 - Understanding Programs by Exploiting (Fuzzing) Test Cases](https://arxiv.org/pdf/2305.13592.pdf)

### IoT fuzzing

* [2023 - Fuzzability Testing Framework for Incomplete Firmware Binary](https://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=10189855)
* [2023 - Fuzzing Embedded Systems Using Debug Interfaces](https://publications.cispa.saarland/3950/1/issta23-gdbfuzz.pdf)
* [2023 - Icicle: A Re-Designed Emulator for Grey-Box Firmware Fuzzing](https://arxiv.org/pdf/2301.13346.pdf)
* [2022 - FirmSolo: Enabling dynamic analysis of binary Linux-based IoT kernel modules](https://www.usenix.org/system/files/sec23summer_190-angelakopoulos-prepub.pdf)
* [2022 - FuzzDocs: An Automated Security Evaluation Framework for IoT](https://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=9895405)
* [2022 - AflIot: Fuzzing on linux-based IoT device with binary-level instrumentation](https://www.sciencedirect.com/science/article/pii/S0167404822002838)
* [2022 - Tardis: Coverage-Guided Embedded Operating System Fuzzing](http://www.wingtecher.com/themes/WingTecherResearch/assets/papers/Emsoft22_Tardis.pdf)
* [2022 - Efficient greybox fuzzing of applications in Linux-based IoT devices via enhanced user-mode emulation](https://dl.acm.org/doi/pdf/10.1145/3533767.3534414)
* [2022 - Trampoline Over the Air: Breaking in IoT Devices Through MQTT Brokers](https://ieeexplore.ieee.org/abstract/document/9797386)
* [2022 - PDFuzzerGen: Policy-Driven Black-Box Fuzzer Generation for Smart Devices](https://www.hindawi.com/journals/scn/2022/9788219/)
* [2022 - RW-Fuzzer: A Fuzzing Method for Vulnerability Mining on Router Web Interface](https://www.hindawi.com/journals/wcmc/2022/5311295/)
* [2022 - IoTInfer: Automated Blackbox Fuzz Testing of IoT Network Protocols Guided by Finite State Machine Inference](https://ieeexplore.ieee.org/abstract/document/9794676)
* [2022 - Debugger-driven Embedded Fuzzing](https://ieeexplore.ieee.org/abstract/document/9787842)
* [2022 - Game of Hide-and-Seek: Exposing Hidden Interfaces in Embedded Web Applications of IoT Devices](https://dl.acm.org/doi/abs/10.1145/3485447.3512213)
* [2022 - 𝜇AFL: Non-intrusive Feedback-driven Fuzzing for Microcontroller Firmware](https://arxiv.org/pdf/2202.03013.pdf)
* [2022 - FirVer: Concolic Testing for Systematic Validation of Firmware Binaries](http://sandip.ece.ufl.edu/publications/aspdac22.pdf)
* [2022 - Fuzzware: Using Precise MMIO Modeling for Effective Firmware Fuzzing](https://sites.cs.ucsb.edu/~vigna/publications/2022_USENIXSecurity_Fuzzware.pdf)
* [2021 - CPscan: Detecting Bugs Caused by Code Pruning in IoT Kernels](https://dl.acm.org/doi/abs/10.1145/3460120.3484738)
* [2021 - An Efficient Feedback-enhanced Fuzzing Scheme for Linux-based IoT Firmwares](http://wenku.sougen.cn/static/publications/CT1281.pdf)
* [2021 - A Fuzzing Method for Embedded Software](https://ieeexplore.ieee.org/abstract/document/9587220)
* [2021 - Large-scale Firmware Vulnerability Analysis Based on Code Similarity](https://ieeexplore.ieee.org/abstract/document/9524216/)
* [2021 - Towards Fast and Scalable Firmware Fuzzing with Dual-Level Peripheral Modeling](https://ieeexplore.ieee.org/abstract/document/9564029)
* [2021 - Riding the IoT Wave with VFuzz: Discovering Security Flaws in Smart Home](https://ieeexplore.ieee.org/abstract/document/9663293)
* [2021 - Zero WFuzzer: Target-Oriented Fuzzing for Web Interface of Embedded Devices](https://ieeexplore.ieee.org/abstract/document/9544451)
* [2021 - StFuzzer: Contribution-Aware Coverage-Guided Fuzzing for Smart Devices](https://www.hindawi.com/journals/scn/2021/1987844/)
* [2021 - Rtkaller: State-aware Task Generation for RTOS Fuzzing](http://www.wingtecher.com/themes/WingTecherResearch/assets/papers/emsoft21.pdf)
* [2021 - IFIZZ: Deep-State and Efficient Fault-Scenario Generation to Test IoT Firmware](https://nesa.zju.edu.cn/download/liu_pdf_ifizz.pdf)
* [2021 - Automatic Vulnerability Detection in Embedded Devices and Firmware: Survey and Layered Taxonomies](https://dl.acm.org/doi/abs/10.1145/3432893)
* [2021 - Fuzzing the Internet of Things: A Review on the Techniques and Challenges for Efficient Vulnerability Discovery in Embedded Systems](https://ieeexplore.ieee.org/abstract/document/9344712)
* [2021 - FIRM-COV: High-Coverage Greybox Fuzzing for IoT Firmware via Optimized Process Emulation](https://ieeexplore.ieee.org/abstract/document/9489311)
* [2020 - Verification of Embedded Software Binaries using Virtual Prototypes](https://link.springer.com/chapter/10.1007/978-3-030-54828-5_6)
* [2020 - μSBS: Static Binary Sanitization of Bare-metal Embedded Devices for Fault Observability](https://www.usenix.org/system/files/raid20-salehi.pdf)
* [2020 - Device-agnostic Firmware Execution is Possible: A Concolic Execution Approach for Peripheral Emulation](https://dl.acm.org/doi/abs/10.1145/3427228.3427280)
* [2020 - Vulnerability Detection in SIoT Applications: A Fuzzing Method on their Binaries](https://ieeexplore.ieee.org/abstract/document/9259242)
* [2020 - FirmAE: Towards Large-Scale Emulation of IoT Firmware for Dynamic Analysis](https://syssec.kaist.ac.kr/pub/2020/kim_acsac2020.pdf)
* [2020 - FIRMNANO: Toward IoT Firmware Fuzzing Through Augmented Virtual Execution](https://ieeexplore.ieee.org/abstract/document/9237719)
* [2020 - ARM-AFL: Coverage-Guided Fuzzing Framework for ARM-Based IoT Devices](https://link.springer.com/chapter/10.1007/978-3-030-61638-0_14)
* [2020 - Bug detection in embedded environments by fuzzing and symbolic execution](http://docs.mipro-proceedings.com/iss/04_ISS_5762.pdf)
* [2020 - FirmXRay: Detecting Bluetooth Link Layer Vulnerabilities From Bare-Metal Firmware](http://web.cse.ohio-state.edu/~lin.3021/file/CCS20.pdf)
* [2020 - EM-Fuzz: Augmented Firmware Fuzzing via Memory Checking](http://www.wingtecher.com/themes/WingTecherResearch/assets/papers/EMSOFT20.pdf)
* [2020 - Verification of Embedded Binaries using Coverage-guided Fuzzing with System C-based Virtual Prototypes](http://www.informatik.uni-bremen.de/agra/doc/konf/2020GLSVLSI_Verification-of-Embedded-Binaries-using-Coverage-guided-Fuzzing-with-SystemC-Virtual-Prototypes.pdf)
* [2020 - DICE: Automatic Emulation of DMA Input Channels for Dynamic Firmware Analysis](https://arxiv.org/pdf/2007.01502.pdf)
* [2020 - Fw‐fuzz: A code coverage‐guided fuzzing framework for network protocols on firmware](https://onlinelibrary.wiley.com/doi/full/10.1002/cpe.5756)
* [2020 - Taint-Driven Firmware Fuzzing of Embedded Systems](https://melisasavich.io/pubs/thesis.pdf)
* [2020 - A Dynamic Instrumentation Technology for IoT Devices](https://link.springer.com/chapter/10.1007/978-3-030-50399-4_29)
* [2020 - Vulcan: a state-aware fuzzing tool for wear OS ecosystem](https://dl.acm.org/doi/abs/10.1145/3386901.3397492)
* [2020 - A Novel Concolic Execution Approach on Embedded Device](https://dl.acm.org/doi/abs/10.1145/3377644.3377654)
* [2020 - HFuzz: Towards automatic fuzzing testing of NB-IoT core network protocols implementations](https://www.sciencedirect.com/science/article/pii/S0167739X19324409)
* [2020 - FIRMCORN: Vulnerability-Oriented Fuzzing of IoT Firmware via Optimized Virtual Execution](https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=8990098)
* [2018 - IoTFuzzer: Discovering Memory Corruptions in IoT Through App-based Fuzzing](https://web.cse.ohio-state.edu/~lin.3021/file/NDSS18b.pdf)
* [2017 - Towards Automated Dynamic Analysis for Linux-based Embedded Firmware](https://www.ndss-symposium.org/wp-content/uploads/2017/09/towards-automated-dynamic-analysis-linux-based-embedded-firmware.pdf)
* [2016 - Scalable Graph-based Bug Search for Firmware Images](https://www.cs.ucr.edu/~heng/pubs/genius-ccs16.pdf)
* [2015 - SURROGATES: Enabling Near-Real-Time Dynamic Analyses of Embedded Systems](https://www.usenix.org/system/files/conference/woot15/woot15-paper-koscher.pdf)
* [2015 - Firmalice - Automatic Detection of Authentication Bypass Vulnerabilities in Binary Firmware](https://pdfs.semanticscholar.org/b006/72fc5ff99434bf5347418a2d2762a3bb2639.pdf)
* [2014 - A Large-Scale Analysis of the Security of Embedded Firmwares](https://www.usenix.org/system/files/conference/usenixsecurity14/sec14-paper-costin.pdf)
* [2013 - RPFuzzer: A Framework for Discovering Router Protocols Vulnerabilities Based on Fuzzing](http://www.itiis.org/journals/tiis/digital-library/manuscript/file/20353/14.TIIS-RP-2012-Dec-0966.R1.pdf)

### Firmware Emulation

* [2022 - What You See is Not What You Get: Revealing Hidden Memory Mapping for Peripheral Modeling](https://web.cse.ohio-state.edu/~lin.3021/file/RAID22.pdf)
* [2022 - What Your Firmware Tells You Is Not How You Should Emulate It: A Specification-Guided Approach for Firmware Emulation (Extended Version)](https://arxiv.org/pdf/2208.07833.pdf)
* [2022 - BEERR: Bench of Embedded system Experiments for Reproducible Research](https://www.s3.eurecom.fr/docs/silm22_olivier.pdf)
* [2022 - FIRMWIRE: Transparent Dynamic Analysis for Cellular Baseband Firmware](https://hernan.de/research/papers/firmwire-ndss22-hernandez.pdf)
* [2022 - An Automated Approach to Re-Hosting Embedded Firmware Through Removing Hardware Dependencies](https://hammer.purdue.edu/articles/thesis/An_Automated_Approach_to_Re-Hosting_Embedded_Firmware_Through_Removing_Hardware_Dependencies/17131628)
* [2021 - FIRMGUIDE: Boosting the Capability of Rehosting Embedded Linux Kernels through Model-Guided Kernel Execution](https://yajin.org/papers/ase21_firmguide.pdf)
* [2021 - Automatic Firmware Emulation through Invalidity-guided Knowledge Inference (Extended Version)](https://arxiv.org/pdf/2107.07759.pdf)
* [2021 - Firmware Re-hosting Through Static Binary-level Porting](https://arxiv.org/pdf/2107.09856.pdf)
* [2021 - Jetset: Targeted Firmware Rehosting for Embedded Systems](https://www.usenix.org/system/files/sec21fall-johnson.pdf)
* [2021 - Automatic Firmware Emulation through Invalidity-guided Knowledge Inference](https://www.usenix.org/system/files/sec21fall-zhou.pdf)

### Network fuzzing

* [2023 - NSFuzz: Towards Efficient and State-Aware Network Service Fuzzing - RCR Report](https://dl.acm.org/doi/pdf/10.1145/3580599)
* [2023 - INTENDER: Fuzzing Intent-Based Networking with Intent-State Transition Guidance](https://www.usenix.org/system/files/sec23fall-prepub-285_kim-jiwon.pdf)
* [2023 - NSFuzz: Towards Efficient and State-Aware Network Service Fuzzing](https://dl.acm.org/doi/pdf/10.1145/3580598)
* [2022 - FitM: Binary-Only Coverage-Guided Fuzzing for Stateful Network Protocols](https://www.ndss-symposium.org/wp-content/uploads/bar2022_23008_paper.pdf)
* [2022 - WThreadAFL: Deterministic Greybox Fuzzing for Multi-thread Network Servers](https://conferences.sigcomm.org/events/apnet2022/posters/WThreadAFL.pdf)
* [2022 - Model-Based Grey-Box Fuzzing of Network Protocols](https://www.hindawi.com/journals/scn/2022/6880677/)
* [2022 - Registered Report: NSFuzz: Towards Efficient and State-Aware Network Service Fuzzing](https://www.ndss-symposium.org/wp-content/uploads/fuzzing2022_23006_paper.pdf)
* [2022 - SnapFuzz: An Efficient Fuzzing Framework for Network Applications](https://arxiv.org/pdf/2201.04048.pdf)
* [2022 - REST API Fuzzing by Coverage Level Guided Blackbox Testing](https://arxiv.org/pdf/2112.15485.pdf)
* [2022 - SNPSFuzzer: A Fast Greybox Fuzzer for Stateful Network Protocols using Snapshots](https://arxiv.org/pdf/2202.03643.pdf)
* [2022 - WAFL: Binary-Only WebAssembly Fuzzing with Fast Snapshots](https://dl.acm.org/doi/abs/10.1145/3503921.3503924)
* [2021 - Nyx-Net: Network Fuzzing with Incremental Snapshots](https://arxiv.org/pdf/2111.03013.pdf)
* [2021 - RapidFuzz: Accelerating Fuzzing via Generative Adversarial Networks](https://www.sciencedirect.com/science/article/abs/pii/S0925231221010122)
* [2021 - StateAFL: Greybox Fuzzing for Stateful Network Servers](https://arxiv.org/pdf/2110.06253.pdf)
* [2020 - AFLNET: A Greybox Fuzzer for Network Protocols](https://www.comp.nus.edu.sg/~abhik/pdf/AFLNet-ICST20.pdf)
* [2020 - Finding Security Vulnerabilities in Network Protocol Implementations](https://arxiv.org/pdf/2001.09592.pdf)

### Kernel fuzzing

* [2023 - WinkFuzz: Model-based Script Synthesis for Fuzzing](https://dl.acm.org/doi/abs/10.1145/3591365.3592946)
* [2023 - SyzDescribe: Principled, Automated, Static Generation of Syscall Descriptions for Kernel Drivers](https://www.cs.ucr.edu/~zhiyunq/pub/oakland23_syzdescribe.pdf)
* [2023 - ACTOR: Action-Guided Kernel Fuzzing](https://nebelwelt.net/files/23SEC6.pdf)
* [2023 - KextFuzz: Fuzzing macOS Kernel EXTensions on Apple Silicon via Exploiting Mitigations](https://www.usenix.org/system/files/sec23fall-prepub-425-yin-tingting.pdf)
* [2023 - BoKASAN: Binary-only Kernel Address Sanitizer for Effective Kernel Fuzzing](https://www.usenix.org/system/files/sec23fall-prepub-325-cho-mingi.pdf)
* [2023 - DDRace: Finding Concurrency UAF Vulnerabilities in Linux Drivers with Directed Fuzzing](https://www.usenix.org/system/files/sec23fall-prepub-193-yuan-ming.pdf)
* [2023 - Towards Unveiling Exploitation Potential With Multiple Error Behaviors for Kernel Bugs](https://ieeexplore.ieee.org/abstract/document/10048506)
* [2023 - No Grammar, No Problem: Towards Fuzzing the Linux Kernel without System-Call Descriptions](https://www.ndss-symposium.org/wp-content/uploads/2023/02/ndss2023_f688_paper.pdf)
* [2022 - PrIntFuzz: fuzzing Linux drivers via automated virtual device simulation](https://dl.acm.org/doi/pdf/10.1145/3533767.3534226)
* [2022 - KSG: Augmenting Kernel Fuzzing with System Call Specification Generation](http://www.wingtecher.com/themes/WingTecherResearch/assets/papers/atc22.pdf)
* [2022 - Demystifying the Dependency Challenge in Kernel Fuzzing](https://github.com/ZHYfeng/Dependency/blob/master/Paper.pdf)
* [2022 - Midas: Systematic Kernel TOCTTOU Protection](https://www.usenix.org/system/files/sec22summer_bhattacharyya.pdf)
* [2021 - Evaluating Code Coverage for Kernel Fuzzers via Function Call Graph](https://ieeexplore.ieee.org/abstract/document/9618942)
* [2021 - ACHyb: a hybrid analysis approach to detect kernel access control vulnerabilities](https://dl.acm.org/doi/abs/10.1145/3468264.3468627)
* [2021 - CVFuzz: Detecting complexity vulnerabilities in OpenCL kernels via automated pathological input generation](https://www.sciencedirect.com/science/article/abs/pii/S0167739X21003526)
* [2021 - HEALER: Relation Learning Guided Kernel Fuzzing](http://www.wingtecher.com/themes/WingTecherResearch/assets/papers/healer-sosp21.pdf)
* [2021 - SyzVegas: Beating Kernel Fuzzing Odds with Reinforcement Learning](https://www.usenix.org/conference/usenixsecurity21/presentation/wang-daimeng)
* [2021 - NTFUZZ: Enabling Type-Aware Kernel Fuzzing on Windows with Static Binary Analysis](https://softsec.kaist.ac.kr/~jschoi/data/oakland2021.pdf)
* [2021 - Undo Workarounds for Kernel Bugs](https://www.cs.ucr.edu/~zhiyunq/pub/sec21_undo_workarounds.pdf)
* [2020 - A Hybrid Interface Recovery Method for Android Kernels Fuzzing](https://qrs20.techconf.org/QRS2020_FULL/pdfs/QRS2020-4LGdOos7NAbR8M2s6S6ezE/891300a335/891300a335.pdf)
* [2020 - FINDING RACE CONDITIONS IN KERNELS: FROM FUZZING TO SYMBOLIC EXECUTION - THESIS](https://gts3.org/assets/papers/2020/xu:thesis.pdf)
* [2020 - Agamotto: Accelerating Kernel Driver Fuzzing with Lightweight Virtual Machine Checkpoints](https://www.usenix.org/conference/usenixsecurity20/presentation/song)
* [2020 - X-AFL: a kernel fuzzer combining passive and active fuzzing](https://dl.acm.org/doi/abs/10.1145/3380786.3391400)
* [2020 - Identification of Kernel Memory Corruption Using Kernel Memory Secret Observation Mechanism](https://search.ieice.org/bin/summary.php?id=e103-d_7_1462)
* [2020 - HFL: Hybrid Fuzzing on the Linux Kernel](https://www.ndss-symposium.org/wp-content/uploads/2020/02/24018.pdf)
* [2020 - Realistic Error Injection for System Calls](https://arxiv.org/pdf/2006.04444.pdf)
* [2020 - KRACE: Data Race Fuzzing for Kernel File Systems](https://www.cc.gatech.edu/~mxu80/pubs/xu:krace.pdf)
* [2020 - USBFuzz: A Framework for Fuzzing USB Drivers by Device Emulation](https://hexhive.epfl.ch/publications/files/20SEC3.pdf)
* [2019 - Fuzzing File Systems via Two-Dimensional Input Space Exploration](https://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=8835267)
* [2019 - Razzer: Finding Kernel Race Bugs through Fuzzing](https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=8835326)
* [2019 - Unicorefuzz: On the Viability of Emulation for Kernel space Fuzzing](https://www.usenix.org/system/files/woot19-paper_maier.pdf)
* [2017 - Stateful Fuzzing of Wireless Device Drivers in an Emulated Environment](https://pdfs.semanticscholar.org/26b9/97d7a83ce950db6d311ee65c268e756e0794.pdf)
* [2017 - DIFUZE: Interface Aware Fuzzing for Kernel Drivers](https://acmccs.github.io/papers/p2123-corinaA.pdf)
* [2008 - Fuzzing Wi-Fi Drivers to Locate Security Vulnerabilities](https://www.di.fc.ul.pt/~nuno/PAPERS/EDCC08.pdf)

### Format specific fuzzing

* [2023 - Android Fuzzing: Balancing User-Inputs and Intents](https://ieeexplore.ieee.org/abstract/document/10132258)
* [2023 - ItyFuzz: Snapshot-Based Fuzzer for Smart Contract](https://arxiv.org/pdf/2306.17135.pdf)
* [2023 - BRF: eBPF Runtime Fuzzer](https://arxiv.org/pdf/2305.08782.pdf)
* [2023 - MorFuzz: Fuzzing Processor via Runtime Instruction Morphing enhanced Synchronizable Co-simulation](https://www.usenix.org/system/files/sec23fall-prepub-7-xu-jinyan.pdf)
* [2023 - EFCF: High Performance Smart Contract Fuzzing for Exploit Generation](https://arxiv.org/pdf/2304.06341.pdf)
* [2023 - ODDFUZZ: Discovering Java Deserialization Vulnerabilities via Structure-Aware Directed Greybox Fuzzing](https://arxiv.org/pdf/2304.04233.pdf)
* [2023 - VIDEZZO: Dependency-aware Virtual Device Fuzzing](https://nebelwelt.net/files/23Oakland4.pdf)
* [2023 - HyPFuzz: Formal-Assisted Processor Fuzzing](https://arxiv.org/pdf/2304.02485.pdf)
* [2023 - FUZZILLI: Fuzzing for JavaScript JIT Compiler Vulnerabilities](https://www.ndss-symposium.org/wp-content/uploads/2023/02/ndss2023_f290_paper.pdf)
* [2022 - SFuzz: Slice-based Fuzzing for Real-Time Operating Systems](https://dl.acm.org/doi/abs/10.1145/3548606.3559367)
* [2022 - LFUZZ: Exploiting Locality for File-system Fuzzing](https://www.cs.fsu.edu/files/reports/TR220922.pdf)
* [2022 - MUNDOFUZZ: Hypervisor Fuzzing with Statistical Coverage Testing and Grammar Inference](https://lifeasageek.github.io/papers/cheolwoo-mundofuzz.pdf)
* [2022 - DTLS-Fuzzer: A DTLS Protocol State Fuzzer](https://assist-project.github.io/papers/[email protected])
* [2022 - FuzzUSB: Hybrid Stateful Fuzzing of USB Gadget Stacks](https://www.computer.org/csdl/proceedings-article/sp/2022/131600a632/1A4Q3mz4uLm)
* [2022 - TheHuzz: Instruction Fuzzing of Processors Using Golden-Reference Models for Finding Software-Exploitable Vulnerabilities](https://arxiv.org/pdf/2201.09941.pdf)
* [2021 - V-Shuttle: Scalable and Semantics-Aware Hypervisor Virtual Device Fuzzing](https://nesa.zju.edu.cn/download/pgn_pdf_V-SHUTTLE.pdf)
* [2021 - FormatFuzzer: Effective Fuzzing of Binary File Formats](https://arxiv.org/pdf/2109.11277.pdf)
* [2020 - NYX: Greybox Hypervisor Fuzzing using Fast Snapshots and Affine Types](https://www.usenix.org/system/files/sec21summer_schumilo.pdf)
* [2020 - Tree2tree Structural Language Modeling for Compiler Fuzzing](https://link.springer.com/chapter/10.1007/978-3-030-60245-1_38)
* [2020 - Detecting Critical Bugs in SMT Solvers Using Blackbox Mutational Fuzzing](https://arxiv.org/pdf/2004.05934.pdf)
* [2020 - JS Engine - Montage: A Neural Network Language Model-Guided JavaScript Engine Fuzzer](https://arxiv.org/abs/2001.04107.pdf)
* [2020 - JS Engine - Fuzzing JavaScript Engines with Aspect-preserving Mutation](https://jakkdu.github.io/pubs/2020/park:die.pdf)
* [2020 - CUDA Compiler - CUDAsmith: A Fuzzer for CUDA Compilers](http://jiangbo.buaa.edu.cn/compsac20-CUDAsmith.pdf)
* [2020 - Smart Contracts - sFuzz: An Efficient Adaptive Fuzzer for Solidity Smart Contracts](https://arxiv.org/abs/2004.08563)
* [2019 - Compiler Fuzzing: How Much Does It Matter?](https://srg.doc.ic.ac.uk/files/papers/compilerbugs-oopsla-19.pdf)
* [2019 - Smart Contracts - Harvey: A Greybox Fuzzer for Smart Contracts](https://arxiv.org/abs/1905.06944.pdf)
* [2017 - XML - Skyfire: Data-Driven Seed Generation for Fuzzing](https://www.ieee-security.org/TC/SP2017/papers/42.pdf)

### Exploitation

* [2023 - Enhanced Memory Corruption Detection in C/C++ Programs](https://dl.acm.org/doi/abs/10.1145/3605731.3605903)
* [2023 - Automated Exploitable Heap Layout Generation for Heap Overflows Through Manipulation Distance-Guided Fuzzing](https://www.usenix.org/system/files/sec23fall-prepub-581-zhang-bin.pdf)
* [2023 - The Most Dangerous Codec in the World: Finding and Exploiting Vulnerabilities in H.264 Decoders](https://wrv.github.io/h26forge.pdf)
* [2023 - Detecting Exploit Primitives Automatically for Heap Vulnerabilities on Binary Programs](https://arxiv.org/pdf/2212.13990.pdf)
* [2022 - RiscyROP: Automated Return-Oriented Programming Attacks on RISC-V and ARM64](https://www.syssec.wiwi.uni-due.de/fileadmin/fileupload/I-SYSSEC/research/RiscyROP.pdf)
* [2022 - Automatic Permission Check Analysis for Linux Kernel](https://www.computer.org/csdl/journal/tq/5555/01/09750908/1ClSWBlV5ao)
* [2022 - OS-Aware Vulnerability Prioritization via Differential Severity Analysis](https://www.xiaojingliao.com/uploads/9/7/0/2/97024238/sec22fall-final431.pdf)
* [2022 - Arbiter: Bridging the Static and Dynamic Divide in Vulnerability Discovery on Binary Programs](http://193.55.114.4/docs/usenixsec22_arbiter.pdf)
* [2022 - KASPER: Scanning for Generalized Transient Execution Gadgets in the Linux Kernel](https://download.vusec.net/papers/kasper_ndss22.pdf)
* [2022 - MaMaDroid 2.0 - The Holes of control flow graphs](https://arxiv.org/pdf/2202.13922.pdf)
* [2022 - ShadowHeap: Memory Safety through Efficient Heap Metadata Validation](https://isyou.info/jowua/papers/jowua-v12n4-1.pdf)
* 2022 - MACH2: System for Root Cause Analysis of Kernel Vulnerabilities [THESIS]
* [2021 - Automated Bug Hunting With Data-Driven Symbolic Root Cause Analysis](https://dl.acm.org/doi/abs/10.1145/3460120.3485363)
* [2021 - MAJORCA: Multi-Architecture JOP and ROP Chain Assembler](https://arxiv.org/pdf/2111.05781.pdf)
* [2021 - A Novel Method for the Automatic Generation of JOP Chain Exploits](https://link.springer.com/chapter/10.1007/978-3-030-84614-5_7)
* [2021 - V0Finder: Discovering the Correct Origin of Publicly Reported Software Vulnerabilities](https://ccs.korea.ac.kr/pds/SECURITY21.pdf)
* [2021 - Identifying Valuable Pointers in Heap Data](https://mickens.seas.harvard.edu/files/mickens/files/memory_cartography.pdf)
* [2021 - OCTOPOCS: Automatic Verification of Propagated Vulnerable Code Using Reformed Proofs of Concept](https://ccs.korea.ac.kr/pds/DSN21.pdf)
* [2021 - Characterizing Vulnerabilities in a Major Linux Distribution](https://ksiresearch.org/seke/seke20paper/paper033.pdf)
* [2021 - MAZE: Towards Automated Heap Feng Shui](https://www.usenix.org/system/files/sec21fall-wang-yan.pdf)
* [2021 - Vulnerability Detection in C/C++ Source Code With Graph Representation Learning](https://ieeexplore.ieee.org/abstract/document/9376145)
* [2021 - mallotROPism: a metamorphic engine for malicious software variation development](https://link.springer.com/article/10.1007/s10207-021-00541-y)
* [2020 - Automatic Techniques to Systematically Discover New Heap Exploitation Primitives](https://www.usenix.org/system/files/sec20-yun.pdf)
* [2020 - Shadow-Heap: Preventing Heap-based Memory Corruptions by Metadata Validation](https://lukasatkinson.de/research/Bouche2020ShadowHeapValidation.pdf)
* [2020 - Practical Fine-Grained Binary Code Randomization](https://dl.acm.org/doi/abs/10.1145/3427228.3427292)
* [2020 - Tiny-CFA: Minimalistic Control-Flow Attestation Using Verified Proofs of Execution](http://sprout.ics.uci.edu/pubs/tiny-cfa.pdf)
* [2020 - Greybox Automatic Exploit Generation for Heap Overflows in Language Interpreters - PHD THESIS](https://seanhn.files.wordpress.com/2020/11/heelan_phd_thesis.pdf)
* [2020 - ABCFI: Fast and Lightweight Fine-Grained Hardware-Assisted Control-Flow Integrity](https://www.sci-hub.ren/10.1109/TCAD.2020.3012640)
* [2020 - HeapExpo: Pinpointing Promoted Pointers to Prevent Use-After-Free Vulnerabilities](http://moyix.net/~moyix/papers/heapexpo.pdf)
* [2020 - Localizing Patch Points From One Exploit](https://arxiv.org/pdf/2008.04516.pdf)
* [2020 - Speculative Dereferencing of Registers: Reviving Foreshadow](https://arxiv.org/pdf/2008.02307.pdf)
* [2020 - HAEPG: An Automatic Multi-hop Exploitation Generation Framework](https://www.ncbi.nlm.nih.gov/pmc/articles/PMC7338205/)
* [2020 - Exploiting More Binaries by Using Planning to Assemble ROP Attacks](https://scholars.unh.edu/cgi/viewcontent.cgi?article=2376&context=thesis)
* [2020 - ROPminer: Learning-Based Static Detection of ROP Chain Considering Linkability of ROP Gadgets](https://search.ieice.org/bin/summary.php?id=e103-d_7_1476)
* [2020 - KOOBE: Towards Facilitating Exploit Generation of Kernel Out-Of-Bounds Write Vulnerabilities](http://www.cs.ucr.edu/~zhiyunq/pub/sec20_koobe.pdf)
* [2020 - Preventing Return Oriented Programming Attacks By Preventing Return Instruction Pointer Overwrites](https://www.csee.umbc.edu/~allgood1/papers/611-rop.pdf)
* [2020 - KASLR: Break It, Fix It, Repeat](http://cc0x1f.net/publications/kaslr.pdf)
* [2020 - ShadowGuard: Optimizing the Policy and Mechanism of Shadow Stack Instrumentation using Binary Static Analysis](https://arxiv.org/pdf/2002.07748.pdf)
* [2020 - VulHunter: An Automated Vulnerability Detection System Based on Deep Learning and Bytecode](https://link.springer.com/chapter/10.1007/978-3-030-41579-2_12)
* [2020 - Analysis and Evaluation of ROPInjector](http://dione.lib.unipi.gr/xmlui/bitstream/handle/unipi/12622/Tsioutsias_1633.pdf?sequence=1)
* [2019 - Kernel Protection Against Just-In-Time Code Reuse](https://dl.acm.org/doi/abs/10.1145/3277592)
* [2019 - Kernel Exploitation Via Uninitialized Stack](https://infocon.org/cons/DEF%20CON/DEF%20CON%2019/DEF%20CON%2019%20presentations/DEF%20CON%2019%20-%20Cook-Kernel-Exploitation.pdf)
* [2019 - KEPLER: Facilitating Control-flow Hijacking Primitive Evaluation for Linux Kernel Vulnerabilities](https://www.usenix.org/system/files/sec19-wu-wei.pdf)
* [2019 - SLAKE: Facilitating Slab Manipulation for Exploiting Vulnerabilities in the Linux Kernel](https://dl.acm.org/doi/abs/10.1145/3319535.3363212)
* [2018 - HeapHopper: Bringing Bounded Model Checking to Heap Implementation Security](https://www.usenix.org/system/files/conference/usenixsecurity18/sec18-eckert.pdf)
* [2018 - K-Miner: Uncovering Memory Corruption in Linux](https://www.ndss-symposium.org/wp-content/uploads/2018/02/ndss2018_05A-1_Gens_paper.pdf)
* [2017 - HAIT: Heap Analyzer with Input Tracing](https://www.scitepress.org/papers/2017/64208/64208.pdf)
* [2017 - DROP THE ROP: Fine-grained Control-flow Integrity for the Linux Kernel](https://pdfs.semanticscholar.org/c143/95767b618a014472a0b835464aeb4aaf7734.pdf)
* [2017 - kR^X: Comprehensive Kernel Protection against Just-In-Time Code Reuse](https://dl.acm.org/doi/abs/10.1145/3064176.3064216)
* [2017 - Unleashing Use-Before-Initialization Vulnerabilities in the Linux Kernel Using Targeted Stack Spraying](https://www.ndss-symposium.org/wp-content/uploads/2017/09/ndss2017_09-2_Lu_paper.pdf)
* [2017 - Towards Automated Dynamic Analysis for Linux-based Embedded Firmware](https://www.ndss-symposium.org/wp-content/uploads/2017/09/towards-automated-dynamic-analysis-linux-based-embedded-firmware.pdf)
* [2016 - Scalable Graph-based Bug Search for Firmware Images](https://www.cs.ucr.edu/~heng/pubs/genius-ccs16.pdf)
* [2015 - SURROGATES: Enabling Near-Real-Time Dynamic Analyses of Embedded Systems](https://www.usenix.org/system/files/conference/woot15/woot15-paper-koscher.pdf)
* [2015 - From Collision To Exploitation: Unleashing Use-After-Free Vulnerabilities in Linux Kernel](http://repository.root-me.org/Exploitation%20-%20Syst%C3%A8me/Unix/EN%20-%20From%20collision%20to%20exploitation%3A%20Unleashing%20Use-After-Free%20vulnerabilities%20in%20Linux%20Kernel.pdf)
* [2014 - ret2dir: Rethinking Kernel Isolation](https://www.usenix.org/system/files/conference/usenixsecurity14/sec14-paper-kemerlis.pdf)
* [2014 - Make It Work, Make It Right, Make It Fast: Building a Platform-Neutral Whole-System Dynamic Binary Analysis Platform](https://dl.acm.org/doi/pdf/10.1145/2610384.2610407?download=true)
* [2012 - Anatomy of a Remote Kernel Exploit](https://www.cs.dartmouth.edu/~sergey/cs108/2012/Dan-Rosenberg-lecture.pdf)
* [2012 - A Heap of Trouble: Breaking the Linux Kernel SLOB Allocator](https://vsecurity.com//download/publications/slob-exploitation.pdf)
* [2011 - Linux kernel vulnerabilities: state-of-the-art defenses and open problems](https://dl.acm.org/doi/abs/10.1145/2103799.2103805)
* [2011 - Protecting the Core: Kernel Exploitation Mitigations](http://census.gr/media/bheu-2011-wp.pdf)

### Static Binary Analysis

* [2021 - ICALLEE: Recovering Call Graphs for Binaries](https://arxiv.org/pdf/2111.01415.pdf)
* [2021 - EnBinDiff: Identifying Data-only Patches for Binaries](https://www.computer.org/csdl/journal/tq/5555/01/09645381/1zc6LAcyvHG)
* [2021 - VIVA: Binary Level Vulnerability Identification via Partial Signature](https://ieeexplore.ieee.org/abstract/document/9425910)
* [2021 - Overview of the advantages and disadvantages of static code analysis tools](https://courses.cs.ut.ee/MTAT.03.270/2021_spring/uploads/Main/report-draft.pdf)
* [2021 - Multi-Level Cross-Architecture Binary Code Similarity Metric](https://link.springer.com/article/10.1007/s13369-021-05630-7)
* [2020 - VulDetector: Detecting Vulnerabilities using Weighted Feature Graph Comparison](https://ieeexplore.ieee.org/abstract/document/9309254)
* [2020 - DEEPBINDIFF: Learning Program-Wide Code Representations for Binary Diffing](https://www.ndss-symposium.org/wp-content/uploads/2020/02/24311-paper.pdf)
* [2020 - BinDeep: A Deep Learning Approach to Binary Code Similarity Detection](https://www.sci-hub.ren/10.1016/j.eswa.2020.114348)
* [2020 - Revisiting Binary Code Similarity Analysis using Interpretable Feature Engineering and Lessons Learned](https://0xdkay.me/pub/2020/kim-arxiv2020.pdf)
* [2020 - iDEA: Static Analysis on the Security of Apple Kernel Drivers](http://homes.sice.indiana.edu/luyixing/bib/CCS20-iDEA.pdf)
* [2020 - HART: Hardware-Assisted Kernel Module Tracing on Arm](https://sci-hub.tw/10.1007/978-3-030-58951-6)
* [2020 - AN APPROACH TO COMPARING CONTROL FLOW GRAPHS BASED ON BASIC BLOCK MATCHING](http://www.ijcse.com/docs/INDJCSE20-11-03-237.pdf)
* [2020 - How Far We Have Come: Testing Decompilation Correctness of C Decompilers](https://dl.acm.org/doi/pdf/10.1145/3395363.3397370)
* [2020 - Dynamic Binary Lifting and Recompilation DISS](https://escholarship.org/content/qt8pz574mn/qt8pz574mn_noSplash_b11493cfba04b6b9c737eb3e42038820.pdf)
* [2020 - Similarity Based Binary Backdoor Detection via Attributed Control Flow Graph](https://ieeexplore.ieee.org/abstract/document/9085069)
* [2020 - IoTSIT: A Static Instrumentation Tool for IoT Devices](https://ieeexplore.ieee.org/document/9084145)
* [2019 - Code Similarity Detection using AST and Textual Information](http://www.ijpe-online.com/EN/10.23940/ijpe.19.10.p14.26832691)
* [2018 - CodEX: Source Code Plagiarism Detection Based on Abstract Syntax Trees](https://pdfs.semanticscholar.org/d5bd/a9161deac69e4fed8da63971f773c60f3caf.pdf)
* [2017 - rev.ng: a unified binary analysis framework to recover CFGs and function boundaries](https://dl.acm.org/doi/abs/10.1145/3033019.3033028)
* [2017 - Angr: The Next Generation of Binary Analysis](https://ieeexplore.ieee.org/abstract/document/8077799)
* [2016 - Binary code is not easy](https://dl.acm.org/doi/abs/10.1145/2931037.2931047)
* [2015 - Cross-Architecture Bug Search in Binary Executables](https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=7163056)
* [2014 - A platform for secure static binary instrumentation](https://dl.acm.org/doi/abs/10.1145/2576195.2576208)
* [2013 - MIL: A language to build program analysis tools through static binary instrumentation](https://ieeexplore.ieee.org/abstract/document/6799106)
* [2013 - Binary Code Analysis](https://ieeexplore.ieee.org/abstract/document/6583187)
* [2013 - A compiler-level intermediate representation based binary analysis and rewriting system](https://dl.acm.org/doi/abs/10.1145/2465351.2465380)
* [2013 - Protocol reverse engineering through dynamic and static binary analysis](https://www.sciencedirect.com/science/article/abs/pii/S1005888513602174)
* [2013 - BinaryPig: Scalable Static Binary Analysis Over Hadoop](https://media.blackhat.com/us-13/US-13-Hanif-Binarypig-Scalable-Malware-Analytics-in-Hadoop-WP.pdf)
* [2011 - BAP: A Binary Analysis Platform](https://link.springer.com/chapter/10.1007/978-3-642-22110-1_37)
* [2009 - Syntax tree fingerprinting for source code similarity detection](https://www.researchgate.net/publication/221219530_Syntax_tree_fingerprinting_for_source_code_similarity_detection)
* [2008 - BitBlaze: A New Approach to Computer Security via Binary Analysis](https://link.springer.com/chapter/10.1007/978-3-540-89862-7_1)
* [2005 - Practical analysis of stripped binary code](https://dl.acm.org/doi/abs/10.1145/1127577.1127590)
* [2004 - Detecting kernel-level rootkits through binary analysis](https://ieeexplore.ieee.org/abstract/document/1377219)

### Misc

* [2023 - MTSan: A Feasible and Practical Memory Sanitizer for Fuzzing COTS Binaries](https://www.usenix.org/system/files/sec23fall-prepub-279-chen-xingman.pdf)
* [2023 - ARMore: Pushing Love Back Into Binaries](https://nebelwelt.net/files/23SEC3.pdf)
* [2023 - gMutant: A gCov based Mutation Testing Analyser](https://dl.acm.org/doi/abs/10.1145/3578527.3578546)
* [2022 - Auto Off-Target: Enabling Thorough and Scalable Testing for Complex Software Systems](https://dl.acm.org/doi/pdf/10.1145/3551349.3556915)
* [2022 - GRIN: Make Rewriting More Precise](https://dl.acm.org/doi/fullHtml/10.1145/3523181.3523207)
* [2022 - CFINSIGHT: A Comprehensive Metric for CFI Policies](https://www.ndss-symposium.org/wp-content/uploads/2022-165-paper.pdf)
* [2022 - Odin: On-Demand Instrumentation with On-the-Fly Recompilation](http://www.wingtecher.com/themes/WingTecherResearch/assets/papers/odin-final.pdf)
* [2022 - Debloating Address Sanitizer](https://www.usenix.org/system/files/sec22summer_zhang-yuchen.pdf)
* [2021 - FMViz: Visualizing Tests Generated by AFL at the Byte-level](https://arxiv.org/pdf/2112.13207.pdf)
* [2021 - Raising MIPS Binaries to LLVM IR](https://link.springer.com/chapter/10.1007/978-3-030-92571-0_6)
* [2021 - SyzGen: Automated Generation of Syscall Specification of Closed-Source macOS Drivers](https://www.cs.ucr.edu/~zhiyunq/pub/ccs21_syzgen.pdf)
* [2021 - Igor: Crash Deduplication Through Root-Cause Clustering](http://www.nebelwelt.net/publications/files/21CCS.pdf)
* [2021 - UAFSan: an object-identifier-based dynamic approach for detecting use-after-free vulnerabilities](https://dl.acm.org/doi/abs/10.1145/3460319.3464835)
* [2021 - SyML: Guiding Symbolic Execution Toward Vulnerable States Through Pattern Learning](https://conand.me/publications/ruaro-syml-2021.pdf)
* [2021 - LLSC: A Parallel Symbolic Execution Compiler for LLVM IR](https://continuation.passing.style/static/papers/fsedemo21.pdf)
* [2021 - FuzzSplore: Visualizing Feedback-Driven Fuzzing Techniques](https://arxiv.org/pdf/2102.02527.pdf)
* [2020 - Memory Error Detection Based on Dynamic Binary Translation](https://ieeexplore.ieee.org/abstract/document/9295756/keywords#keywords)
* [2020 - Sydr: Cutting Edge Dynamic Symbolic Execution](https://arxiv.org/pdf/2011.09269.pdf)
* [2020 - DrPin: A dynamic binary instrumentator for multiple processor architectures](http://wscad.sbc.org.br/2020/artigos/trilha-principal/s05p02-209710-1.pdf)
* [2020 - MVP: Detecting Vulnerabilities using Patch-Enhanced Vulnerability Signatures](https://www.usenix.org/system/files/sec20-xiao.pdf)
* [2020 - Collecting Vulnerable Source Code from Open-Source Repositories for Dataset Generation](https://www.mdpi.com/2076-3417/10/4/1270/htm)
* [2020 - LEOPARD: Identifying Vulnerable Code for Vulnerability Assessment through Program Metrics](https://arxiv.org/pdf/1901.11479.pdf)
* [2020 - Dynamic Program Analysis Tools in GCC and CLANG Compilers](https://sci-hub.tw/https://doi.org/10.1134/S0361768820010089)
* [2020 - On Using k-means Clustering for Test Suite Reduction](https://sci-hub.tw/https://ieeexplore.ieee.org/document/9155590)
* [2020 - Optimizing the Parameters of an Evolutionary Algorithm for Fuzzing and Test Data Generation](https://sci-hub.tw/10.1109/ICSTW50294.2020.00061)
* [2020 - Inputs from Hell: Learning Input Distributions for Grammar-Based Test Generation](https://publications.cispa.saarland/3167/7/inputs-from-hell.pdf)
* [2020 - IdSan: An identity-based memory sanitizer for fuzzing binaries](https://arxiv.org/pdf/2007.13113.pdf)
* [2020 - An experimental study on combining automated and stochastic test data generation - MASTER THESIS](https://gupea.ub.gu.se/bitstream/2077/65502/1/gupea_2077_65502_1.pdf)
* [2020 - FuzzGen: Automatic Fuzzer Generation](https://www.usenix.org/system/files/sec20fall_ispoglou_prepub.pdf)
* [2020 - Fuzzing: On the Exponential Cost of Vulnerability Discovery](https://mboehme.github.io/paper/FSE20.EmpiricalLaw.pdf)
* [2020 - Poster: Debugging Inputs](https://publications.cispa.saarland/3062/1/icse2020-poster-paper42-camera-ready.pdf)
* [2020 - API Misuse Detection in C Programs: Practice on SSL APIs](https://www.worldscientific.com/doi/abs/10.1142/S0218194019400205)
* [2020 - Egalito: Layout-Agnostic Binary Recompilation](http://www.cs.columbia.edu/~junfeng/papers/egalito-asplos20.pdf)
* [2020 - Verifying Software Vulnerabilities in IoT Cryptographic Protocols](https://arxiv.org/pdf/2001.09837.pdf)
* [2020 - μRAI: Securing Embedded Systems with Return Address Integrity](https://nebelwelt.net/files/20NDSS.pdf)
* [2020 - Fast Bit-Vector Satisfiability](https://qingkaishi.github.io/public_pdfs/ISSTA20-Trident.pdf)
* [2020 - MARDU: Efficient and Scalable Code Re-randomization](https://dl.acm.org/doi/pdf/10.1145/3383669.3398280)
* [2020 - Towards formal verification of IoT protocols: A Review](https://www.sciencedirect.com/science/article/abs/pii/S1389128619317116)
* [2020 - Automating the fuzzing triage process](https://dr.ntu.edu.sg/handle/10356/140674)
* [2020 - COMPARING AFL SCALABILITY IN VIRTUAL AND NATIVE ENVIRONMENT](https://jyx.jyu.fi/bitstream/handle/123456789/69772/URN%3ANBN%3Afi%3Ajyu-202006084029.pdf?sequence=1)
* [2020 - SYMBION: Interleaving Symbolic with Concrete Execution](https://conand.me/publications/gritti-symbion-2020.pdf)
* [2020 - Not All Coverage Measurements Are Equal: Fuzzing by Coverage Accounting for Input Prioritization](https://ajax4sec.github.io/papers/ndss20-fall-paper422.pdf)
* [2019 - Toward the Analysis of Embedded Firmware through Automated Re-hosting](http://subwire.net/papers/pretender-final.pdf)
* [2019 - FUZZIFICATION: Anti-Fuzzing Techniques](https://www.usenix.org/system/files/sec19fall_jung_prepub.pdf)
* [2018 - VulinOSS: A Dataset of Security Vulnerabilities in Open-source Systems](https://antonisgkortzis.github.io/files/GMS_MSR_18.pdf)
* [2018 - HDDr: A Recursive Variant of the Hierarchical Delta Debugging Algorithm](https://sci-hub.se/https://doi.org/10.1145/3278186.3278189)
* [2017 - Coarse Hierarchical Delta Debugging](https://sci-hub.se/10.1109/ICSME.2017.26)
* [2017 - VUDDY: A Scalable Approach for Vulnerable Code Clone Discovery](https://squizz617.github.io/pubs/vuddy-sp17.pdf)
* [2017 - Postmortem Program Analysis with Hardware-Enhanced Post-Crash Artifacts](https://www.usenix.org/system/files/conference/usenixsecurity17/sec17-xu.pdf)
* [2017 - Synthesizing Program Input Grammars](https://obastani.github.io/docs/pldi17.pdf)
* [2017 - Designing New Operating Primitives to Improve Fuzzing Performance](https://acmccs.github.io/papers/p2313-xuA.pdf)
* [2017 - Instruction Punning: Lightweight Instrumentation for x86-64](https://dl.acm.org/doi/pdf/10.1145/3062341.3062344?download=true)
* [2016 - Modernizing Hierarchical Delta Debugging](https://sci-hub.se/https://doi.org/10.1145/2994291.2994296)
* [2016 - VulPecker: An Automated Vulnerability Detection System Based on Code Similarity Analysis](http://www.cs.utsa.edu/~shxu/socs/VulPecker.pdf)
* [2016 - CREDAL: Towards Locating a Memory Corruption Vulnerability with Your Core Dump](https://mudongliang.github.io/files/papers/p529-xu.pdf)
* [2016 - RETracer: Triaging Crashes by Reverse Execution from Partial Memory Dumps](https://www.microsoft.com/en-us/research/wp-content/uploads/2016/06/retracer-2.pdf)
* [2015 - PIE: Parser Identification in Embedded Systems](http://www.s3.eurecom.fr/docs/acsac15_cojocar.pdf)
* [2010 - Iterative Delta Debugging](http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.296.5948&rep=rep1&type=pdf)
* [2009 - Dynamic Test Generation To Find Integer Bugs in x86 Binary Linux Programs](https://argp.github.io/public/50a11f65857c12c76995f843dbfe6dda.pdf)
* [2006 - HDD: Hierarchical Delta Debugging](https://sci-hub.se/https://doi.org/10.1145/1134285.1134307)

### Surveys, SoKs, and Studies

* [2023 - An Empirical Study on AST-level mutation-based fuzzing techniques for JavaScript Engines](https://dl.acm.org/doi/abs/10.1145/3609437.3609440)
* [2023 - Software Bug Detection: Challenges and Synergies](https://drops.dagstuhl.de/opus/volltexte/2023/19230/pdf/dagrep_v013_i003_p092_23131.pdf)
* [2023 - Demystify the Fuzzing Methods: A Comprehensive Survey](https://dl.acm.org/doi/abs/10.1145/3623375)
* [2023 - The Human Side of Fuzzing: Challenges Faced by Developers During Fuzzing Activities](https://posl.ait.kyushu-u.ac.jp/~kamei/publications/Nourry_TOSEM2023.pdf)
* [2023 - ASanity: On Bug Shadowing by Early ASan Exits](https://wootconference.org/papers/woot23-paper34.pdf)
* [2023 - A Case Study on Fuzzing Satellite Firmware](https://www.ndss-symposium.org/wp-content/uploads/2023/06/spacesec2023-230707-paper.pdf)
* [2023 - Fuzzing the Latest NTFS in Linux with Papora: An Empirical Study](https://arxiv.org/pdf/2304.07166.pdf)
* [2023 - Fuzzing REST APIs for Bugs: An Empirical Analysis](https://link.springer.com/chapter/10.1007/978-981-19-7513-4_28)
* [2023 - Automated Binary Analysis: A Survey](https://link.springer.com/chapter/10.1007/978-3-031-22677-9_21)
* [2023 - Fuzzers for stateful systems: Survey and Research Directions](https://arxiv.org/pdf/2301.02490.pdf)
* [2022 - Detecting Vulnerability on IoT Device Firmware: A Survey](https://www.ieee-jas.net/en/article/id/e04bfa93-5629-4069-859b-35ecf4dc503b)
* [2022 - Fuzzing of Embedded Systems: A Survey](https://dl.acm.org/doi/pdf/10.1145/3538644)
* [2022 - Embedded Fuzzing: a Review of Challenges, Tools, and Solutions](https://www.iris.unict.it/bitstream/20.500.11769/533199/1/paper%20%284%29.pdf)
* [2022 - An empirical study of vulnerability discovery methods over the past ten years](https://www.sciencedirect.com/science/article/pii/S0167404822002115)
* [2022 - Fuzzing vulnerability discovery techniques: Survey, challenges and future directions](https://www.sciencedirect.com/science/article/pii/S0167404822002073)
* [2022 - Fuzzing: A Survey for Roadmap](https://dl.acm.org/doi/abs/10.1145/3512345)
* [2022 - How Long Do Vulnerabilities Live in the Code? A Large-Scale Empirical Measurement Study on FOSS Vulnerability Lifetimes](https://www.usenix.org/system/files/sec22summer_alexopoulos.pdf)
* [2021 - Protocol Reverse-Engineering Methods and Tools: A Survey](https://www.sciencedirect.com/science/article/abs/pii/S0140366421004382)
* [2021 - Exploratory Review of Hybrid Fuzzing for Automated Vulnerability Detection](https://ieeexplore.ieee.org/abstract/document/9541397)
* [2021 - A Systematic Review of Network Protocol Fuzzing Techniques](https://ieeexplore.ieee.org/abstract/document/9482063)
* [2021 - Vulnerability Detection is Just the Beginning](https://arxiv.org/pdf/2103.05160.pdf)
* [2021 - Evaluating Synthetic Bugs](https://wkr.io/publication/asiaccs-2021-bugs.pdf)
* [2020 - A Practical, Principled Measure of Fuzzer Appeal: A Preliminary Study](https://qrs20.techconf.org/QRS2020_FULL/pdfs/QRS2020-4LGdOos7NAbR8M2s6S6ezE/891300a510/891300a510.pdf)
* [2020 - A Systemic Review of Kernel Fuzzing](https://dl.acm.org/doi/abs/10.1145/3444370.3444586)
* [2020 - A Survey of Hybrid Fuzzing based on Symbolic Execution](https://dl.acm.org/doi/abs/10.1145/3444370.3444570)
* [2020 - A Study on Using Code Coverage Information Extracted from Binary to Guide Fuzzing](https://www.cscjournals.org/manuscript/Journals/IJCSS/Volume14/Issue5/IJCSS-1589.pdf)
* [2020 - Study of Security Flaws in the Linux Kernel by Fuzzing](https://ieeexplore.ieee.org/abstract/document/9271516)
* [2020 - Dynamic vulnerability detection approaches and tools: State of the Art](https://ieeexplore.ieee.org/abstract/document/9268686)
* [2020 - Fuzzing: Challenges and Reflections](https://www.comp.nus.edu.sg/~abhik/pdf/IEEE-SW-Fuzzing.pdf)
* [2020 - The Relevance of Classic Fuzz Testing: Have We Solved This One?](https://arxiv.org/pdf/2008.06537.pdf)
* [2020 - SoK: All You Ever Wanted to Know About x86/x64 Binary Disassembly But Were Afraid to Ask](https://arxiv.org/ftp/arxiv/papers/2007/2007.14266.pdf)
* [2020 - A Quantitative Comparison of Coverage-Based Greybox Fuzzers](https://sites.google.com/site/yoshidaatnu/TsuzukiAST2020.pdf)
* [2020 - A Survey of Security Vulnerability Analysis, Discovery, Detection, and Mitigation on IoT Devices](https://www.mdpi.com/1999-5903/12/2/27)
* [2020 - A systematic review of fuzzing based on machine learning techniques](https://arxiv.org/pdf/1908.01262.pdf)
* [2019 - A Survey of Binary Code Similarity](https://arxiv.org/pdf/1909.11424.pdf)
* [2019 - The Art, Science, and Engineering of Fuzzing: A Survey](https://arxiv.org/pdf/1812.00140.pdf)
* [2012 - Regression testing minimization, selection and prioritization: a survey](https://www.sci-hub.ren/10.1002/stvr.430)