├── .github
    └── workflows
    │   └── link_checker.yml
├── .gitignore
├── README.md
└── checker.py


/.github/workflows/link_checker.yml:
--------------------------------------------------------------------------------
 1 | name: Link Checker
 2 | 
 3 | on:
 4 |   schedule:
 5 |     - cron: "0 0 1 * *" # Run monthly
 6 |   workflow_dispatch: # Allow manual trigger
 7 | 
 8 | jobs:
 9 |   check-links:
10 |     runs-on: ubuntu-latest
11 |     permissions:
12 |       contents: write
13 |       pull-requests: write
14 | 
15 |     steps:
16 |       - uses: actions/checkout@v3
17 |         with:
18 |           fetch-depth: 0
19 | 
20 |       - name: Check for existing PR
21 |         id: check-pr
22 |         run: |
23 |           pr_exists=$(gh pr list --json number,headRefName --jq '.[] | select(.headRefName=="update-link-status") | .number')
24 |           echo "pr_exists=${pr_exists:-false}" >> $GITHUB_OUTPUT
25 |         env:
26 |           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
27 | 
28 |       - name: Set up Python
29 |         if: steps.check-pr.outputs.pr_exists == 'false'
30 |         uses: actions/setup-python@v4
31 |         with:
32 |           python-version: "3.x"
33 | 
34 |       - name: Install dependencies
35 |         if: steps.check-pr.outputs.pr_exists == 'false'
36 |         run: |
37 |           python -m pip install --upgrade pip
38 |           pip install requests beautifulsoup4
39 | 
40 |       - name: Check links and collect results
41 |         if: steps.check-pr.outputs.pr_exists == 'false'
42 |         id: check
43 |         run: |
44 |           python checker.py 2> link_check_results.txt
45 |           CHANGES_MADE=$?
46 | 
47 |           if [ $CHANGES_MADE -eq 0 ]; then
48 |             echo "REPORT<<EOF" >> $GITHUB_ENV
49 |             echo "## Link Checker Report - $(date +'%Y-%m-%d')" >> $GITHUB_ENV
50 |             echo "" >> $GITHUB_ENV
51 |             echo "### Issues Found" >> $GITHUB_ENV
52 |             echo "\`\`\`" >> $GITHUB_ENV
53 |             cat link_check_results.txt >> $GITHUB_ENV
54 |             echo "\`\`\`" >> $GITHUB_ENV
55 |             echo "" >> $GITHUB_ENV
56 |             echo "### Legend" >> $GITHUB_ENV
57 |             echo "- ✓ : Link is accessible and secure" >> $GITHUB_ENV
58 |             echo "- ⚠ : Link is accessible but has SSL/security issues" >> $GITHUB_ENV
59 |             echo "- ✗ : Link is not accessible" >> $GITHUB_ENV
60 |             echo "" >> $GITHUB_ENV
61 |             echo "### Summary by Issue Type" >> $GITHUB_ENV
62 |             echo "\`\`\`" >> $GITHUB_ENV
63 |             echo "Insecure SSL: $(grep -c 'Insecure SSL' link_check_results.txt)" >> $GITHUB_ENV
64 |             echo "Connection Timeout: $(grep -c 'Timeout' link_check_results.txt)" >> $GITHUB_ENV
65 |             echo "Connection Refused: $(grep -c 'Connection refused' link_check_results.txt)" >> $GITHUB_ENV
66 |             echo "DNS Resolution Failed: $(grep -c 'DNS resolution failed' link_check_results.txt)" >> $GITHUB_ENV
67 |             echo "Connection Errors: $(grep -c 'Connection error' link_check_results.txt)" >> $GITHUB_ENV
68 |             echo "\`\`\`" >> $GITHUB_ENV
69 |             echo "EOF" >> $GITHUB_ENV
70 |             echo "changes_detected=true" >> $GITHUB_OUTPUT
71 |           else
72 |             echo "changes_detected=false" >> $GITHUB_OUTPUT
73 |           fi
74 | 
75 |       - name: Create Pull Request
76 |         if: |
77 |           steps.check-pr.outputs.pr_exists == 'false' && 
78 |           steps.check.outputs.changes_detected == 'true'
79 |         uses: peter-evans/create-pull-request@v5
80 |         with:
81 |           token: ${{ secrets.GITHUB_TOKEN }}
82 |           commit-message: "docs: update link status indicators"
83 |           title: "docs: update link status indicators"
84 |           body: ${{ env.REPORT }}
85 |           branch: update-link-status
86 |           base: master
87 |           delete-branch: true
88 |           labels: |
89 |             automated-pr
90 |             documentation
91 | 


--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
1 | .venv
2 | tags
3 | link_check_results.txt
4 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
  1 | # Note
  2 | 
  3 | The sole purpose of this repository is to help me organize recent academic papers related to _fuzzing_, _binary analysis_, _IoT security_, and _general exploitation_. This is a non-exhausting list, even though I'll try to keep it updated...
  4 | Feel free to suggest decent papers via a PR.
  5 | 
  6 | ## Table of Contents
  7 | 
  8 | - [Note](#note)
  9 |   - [Table of Contents](#table-of-contents)
 10 |   - [Read &amp; Tagged](#read--tagged)
 11 |   - [Unread](#unread)
 12 |     - [General fuzzing implementations](#general-fuzzing-implementations)
 13 |     - [AI/LLM](#aillm)
 14 |     - [IoT fuzzing](#iot-fuzzing)
 15 |     - [Firmware Emulation](#firmware-emulation)
 16 |     - [Network fuzzing](#network-fuzzing)
 17 |     - [Kernel fuzzing](#kernel-fuzzing)
 18 |     - [Format specific fuzzing](#format-specific-fuzzing)
 19 |     - [Exploitation](#exploitation)
 20 |     - [Static Binary Analysis](#static-binary-analysis)
 21 |     - [Misc](#misc)
 22 |     - [Surveys, SoKs, and Studies](#surveys-soks-and-studies)
 23 | 
 24 | ## Read & Tagged
 25 | 
 26 | - [2023 - Dissecting American Fuzzy Lop A FuzzBench Evaluation](https://www.ndss-symposium.org/wp-content/uploads/fuzzing2022_23004_paper.pdf) ✓
 27 |   - **Tags:**: AFL, collisions, hitcounts, timeout, novelty search, corpus culling, score calculation, corpus scheduling, splicing
 28 | - [2022 - DARWIN: Survival of the Fittest Fuzzing Mutators](https://arxiv.org/pdf/2210.11783.pdf) ✓
 29 |   - **Tags:** mutation scheduling, evolution strategy, AFL, AFL-MOpT, fuzzbench, magma, ecofuzz
 30 | - [2022 - Removing Uninteresting Bytes in Software Fuzzing](https://ieeexplore.ieee.org/abstract/document/9787966) ✓
 31 |   - **Tags:** seed optimization, seed minimization, diar, coverage-guided
 32 | - [2021 - An Empirical Study of OSS-Fuzz Bugs](https://arxiv.org/pdf/2103.11518.pdf) ✓
 33 |   - **Tags:** flaky bugs, clusterfuzz, sanitizer, bug detection, bug classification, time-to-fix, time-to-detect
 34 | - [2020 - Corpus Distillation for Effective Fuzzing](https://arxiv.org/pdf/1905.13055.pdf) ✓
 35 |   - **Tags:** corpus minimization, afl-cmin, google fuzzer test suite, FTS, minset, AFL
 36 | - [2020 - Symbolic execution with SymCC: Don't interpret, compile!](https://www.usenix.org/system/files/sec20-poeplau.pdf) ✓
 37 |   - **Tags:** KLEE, QSYM, LLVM, C, C++, compiler, symbolic execution, concolic execution, source code level, IR, angr, Z3, DARPA corpus, AFL
 38 | - [2020 - WEIZZ: Automatic Grey-Box Fuzzing for Structured Binary Formats](https://andreafioraldi.github.io/assets/weizz-issta2020.pdf) ✓
 39 |   - **Tags:** REDQUEEN, chunk-based formats, AFLSmart, I2S, checksums, magix bytes, QEMU, Eclipser, short fuzzing runs,
 40 | - [2020 - Efficient Binary-Level Coverage Analysis](https://ui.adsabs.harvard.edu/abs/2020arXiv200414191A/abstract) ✓
 41 |   - **Tags:** bcov, detour + trampoline, basic block coverage, sliced microexecution, superblocks, strongly connected components, dominator graph, BAP, angr, IDA, DynamoRIO, Intel PI, BAP, angr, IDA, DynamoRIO, Intel PIN
 42 | - [2020 - Test-Case Reduction via Test-Case Generation: Insights From the Hypothesis Reducer](https://drmaciver.github.io/papers/reduction-via-generation-preview.pdf) ✓
 43 |   - **Tags:** Test case reducer, property based testing, CSmith, test case generation, hierachical delta debugging
 44 | - [2020 - AFL++: Combining Incremental Steps of Fuzzing Research](https://aflplus.plus/papers/aflpp-woot2020.pdf) ✗
 45 |   - **Tags:** AFL++, AFL, MOpt, LAF-Intel, Fuzzbench, Ngram, RedQueen, Unicorn, QBDI, CmpLog, AFLFast
 46 | - [2020 - FirmXRay: Detecting Bluetooth Link Layer Vulnerabilities From Bare-Metal Firmware](https://dl.acm.org/doi/pdf/10.1145/3372297.3423344) ✓
 47 |   - **Tags:** Ghdira, static analysis, sound disassembly, base address finder, BLE, vulnerability discovery
 48 | - [2020 - P2IM: Scalable and Hardware-independent Firmware Testing via Automatic Peripheral Interface Modeling](https://www.usenix.org/system/files/sec20spring_feng_prepub_0.pdf) ✓
 49 |   - **Tags:** HALucinator, emulation, firmware, QEMU, AFL, requires source, MCU, peripheral abstraction
 50 | - [2020 - What Exactly Determines the Type? Inferring Types with Context](https://sci-hub.se/https://ieeexplore.ieee.org/document/9159142) ✓
 51 |   - **Tags:** context assisted type inference, stripped binaries, variable and type reconstruction, IDA Pro, Word2Vec, CNN,
 52 | - [2020 - Causal Testing: Understanding Defects’ Root Causes](https://arxiv.org/pdf/1809.06991.pdf) ✓
 53 |   - **Tags:** Defects4J, causal relationships, Eclipse plugin, unit test mutation, program trace diffing, static value diffing, user study
 54 | - [2020 - AURORA: Statistical Crash Analysis for Automated Root Cause Explanation](https://www.usenix.org/system/files/sec20fall_blazytko_prepub.pdf) ⚠
 55 |   - **Tags:** RCA, program traces, input diversification, Intel PIN, Rust, CFG,
 56 | - [2020 - ParmeSan: Sanitizer-guided Greybox Fuzzing](https://download.vusec.net/papers/parmesan_sec20.pdf) ✓
 57 |   - Tags: interprocedural CFG, data flow analysis, directed fuzzing (DGF), disregarding 'hot paths', LAVA-M based primitives, LLVM, Angora, AFLGo, ASAP, santizer dependent
 58 | - [2020 - Magma: A Ground-Truth Fuzzing Benchmark](https://hexhive.epfl.ch/magma/docs/preprint.pdf) ✓
 59 |   - **Tags:** best practices, fuzzer benchmarking, ground truth, Lava-M
 60 | - [2020 - Fitness Guided Vulnerability Detection with Greybox Fuzzing](https://www.csa.iisc.ac.in/~raghavan/ReadingMaterial/sbst20.pdf) ✓
 61 |   - **Tags:** AFL, vuln specific fitness metric (headroom), buffer/integer overflow detection, AFLGo, pointer analysis, CIL, bad benchmarking
 62 | - [2020 - GREYONE: Data Flow Sensitive Fuzzing](https://www.usenix.org/system/files/sec20spring_gan_prepub.pdf) ✓
 63 |   - **Tags:** data-flow fuzzing, taint-guided mutation, input prioritization, _constraint conformance_, REDQUEEN, good evaluation, VUzzer
 64 | - [2020 - FairFuzz-TC: a fuzzer targeting rare branches](https://sci-hub.se/https://link.springer.com/article/10.1007/s10009-020-00569-w) ✓
 65 |   - **Tags:** AFL, required seeding, _branch mask_
 66 | - [2020 - Fitness Guided Vulnerability Detection with Greybox Fuzzing](https://www.csa.iisc.ac.in/~raghavan/ReadingMaterial/sbst20.pdf) ✓
 67 |   - **Tags:** AFL, vuln specific fitness metric (headroom), buffer/integer overflow detection, AFLGo, pointer analysis, CIL, bad evaluation
 68 | - [2020 - TOFU: Target-Oriented FUzzer](https://arxiv.org/pdf/2004.14375.pdf) ✓
 69 |   - **Tags:** DGF, structured mutations, staged fuzzing/learning of cli args, target fitness, structure aware, Dijkstra for priority, AFLGo, Superion
 70 | - [2020 - FuZZan: Efficient Sanitizer Metadata Design for Fuzzing](https://nebelwelt.net/files/20ATC.pdf) ✓
 71 |   - **Tags:**: sanitizer metadata, optimization, ASAN, MSan, AFL
 72 | - [2020 - Boosting Fuzzer Efficiency: An Information Theoretic Perspective](https://mboehme.github.io/paper/FSE20.Entropy.pdf) ✓
 73 |   - **Tags:**: Shannon entropy, seed power schedule, libfuzzer, active SLAM, DGF, fuzzer efficiency
 74 | - [2020 - Learning Input Tokens for Effective Fuzzing](https://publications.cispa.saarland/3098/1/lFuzzer-preprint.pdf) ✓
 75 |   - **Tags:** dynamic taint tracking, parser checks, magic bytes, creation of dict inputs for fuzzers
 76 | - [2020 - A Review of Memory Errors Exploitation in x86-64](https://www.mdpi.com/2073-431X/9/2/48/htm) ✓
 77 |   - **Tags:** NX, canaries, ASLR, new mitigations, mitigation evaluation, recap on memory issues
 78 | - [2020 - SoK: The Progress, Challenges, and Perspectives of Directed Greybox Fuzzing](https://arxiv.org/pdf/2005.11907.pdf) ✓
 79 |   - **Tags:** SoK, directed grey box fuzzing, AFL, AFL mutation operators, DGF vs CGF
 80 | - [2020 - MemLock: Memory Usage Guided Fuzzing](https://wcventure.github.io/pdf/ICSE2020_MemLock.pdf) ✓
 81 |   - **Tags:** memory consumption, AFL, memory leak, uncontrolled-recursion, uncontrolled-memory-allocation, static analysis
 82 | - [2019 - Matryoshka: Fuzzing Deeply Nested Branches](https://arxiv.org/pdf/1905.12228.pdf) ✓
 83 |   - **Tags:** AFL, QSYM, Angora, path constraints, nested conditionals, (post) dominator trees, gradient descent, REDQUEEN, LAVA-M
 84 | - [2019 - Building Fast Fuzzers](https://arxiv.org/pdf/1911.07707.pdf) ✓
 85 |   - **Tags:** grammar based fuzzing, optimization, bold claims, comparison to badly/non-optimized fuzzers, python, lots of micro-optimizations, nice protocolling of failures, bad ASM optimization
 86 | - [2019 - Not All Bugs Are the Same: Understanding, Characterizing, and Classifying the Root Cause of Bugs](https://arxiv.org/pdf/1907.11031.pdf) ✓
 87 |   - **Tags:** RCA via bug reports, classification model, F score,
 88 | - [2019 - AntiFuzz: Impeding Fuzzing Audits of Binary Executables](https://www.usenix.org/system/files/sec19-guler.pdf) ✓
 89 |   - **Tags:** anti fuzzing, prevent crashes, delay executions, obscure coverage information, overload symbolic execution
 90 | - [2019 - MOpt: Optimized Mutation Scheduling for Fuzzers](https://www.usenix.org/system/files/sec19-lyu.pdf) ✓
 91 |   - **Tags:** mutation scheduling, particle swarm optimization (PSO), AFL, AFL mutation operators, VUzzer,
 92 | - [2019 - FuzzFactory: Domain-Specific Fuzzing with Waypoints](https://dl.acm.org/doi/pdf/10.1145/3360600?download=true) ✓
 93 |   - **Tags:** domain-specific fuzzing, AFL, LLVM, solve hard constraints like cmp, find dynamic memory allocations, binary-based
 94 | - [2019 - Fuzzing File Systems via Two-Dimensional Input Space Exploration](https://taesoo.kim/pubs/2019/xu:janus.pdf) ✓
 95 |   - **Tags:** Ubuntu, file systems, library OS, ext4, brtfs, meta block mutations, edge cases
 96 | - [2019 - REDQUEEN: Fuzzing with Input-to-State Correspondence](https://nyx-fuzz.com/papers/redqueen.pdf) ⚠
 97 |   - **Tags:** feedback-driven, AFL, magic-bytes, nested contraints, input-to-state correspondence, I2S
 98 | - [2019 - PeriScope: An Effective Probing and Fuzzing Framework for the Hardware-OS Boundary](https://www.ndss-symposium.org/wp-content/uploads/2019/02/ndss2019_04A-1_Song_paper.pdf) ✓
 99 |   - **Tags:** kernel, android, userland, embedded, hardware, Linux, device driver, WiFi
100 | - [2019 - FirmFuzz: Automated IoT Firmware Introspection and Analysis](https://nebelwelt.net/publications/files/19IOTSP.pdf) ✓
101 |   - **Tags:** emulation, firmadyne, BOF, XSS, CI, NPD, semi-automatic
102 | - [2019 - Firm-AFL: High-Throughput Greybox Fuzzing of IoT Firmware via Augmented Process Emulation](https://www.usenix.org/system/files/sec19-zheng_0.pdf) ✓
103 |   - **Tags:** emulation, qemu, afl, full vs user mode, syscall redirect, "augmented process emulation", firmadyne
104 | - [2018 - A Survey of Automated Root Cause Analysisof Software Vulnerability](https://sci-hub.se/10.1007/978-3-319-93554-6_74) ✓
105 |   - **Tags:** Exploit mitigations, fuzzing basics, symbolic execution basics, fault localization, high level
106 | - [2018 - PhASAR: An Inter-procedural Static Analysis Framework for C/C++](https://link.springer.com/content/pdf/10.1007%2F978-3-030-17465-1_22.pdf) ✓
107 |   - **Tags:** LLVM, (inter-procedural) data-flow analysis, call-graph, points-to, class hierachy, CFG, IR
108 | - [2018 - INSTRIM: Lightweight Instrumentation for Coverage-guided Fuzzing](https://www.csie.ntu.edu.tw/~hchsiao/pub/2018_BAR.pdf) ✓
109 |   - **Tags:** LLVM, instrumentation optimization, graph algorithms, selective instrumentation, coverage calculation
110 | - [2018 - What You Corrupt Is Not What You Crash: Challenges in Fuzzing Embedded Devices](http://s3.eurecom.fr/docs/ndss18_muench.pdf) ✓
111 |   - **Tags:** embedded, challenges, heuristics, emulation, crash classification, fault detection
112 | - [2018 - Evaluating Fuzz Testing](https://arxiv.org/abs/1808.09700) ✓
113 |   - **Tags:** fuzzing evaluation, good practices, bad practices
114 | - [2017 - Root Cause Analysis of Software Bugs using Machine Learning Techniques](https://sci-hub.se/10.1109/CONFLUENCE.2017.7943132) ✓
115 |   - **Tags:** ML, RC prediction for filed bug reports, unsupervised + supervised combination, RC categorisation, F score
116 | - [2017 - kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels](https://www.usenix.org/system/files/conference/usenixsecurity17/sec17-schumilo.pdf) ✓
117 |   - **Tags:** intel PT, kernel, AFL, file systems, Windows, NTFS, Linux, ext, macOS, APFS, driver, feedback-driven
118 | - [2016 - Driller: Argumenting Fuzzing Through Selective Symbolic Execution](https://sites.cs.ucsb.edu/~vigna/publications/2016_NDSS_Driller.pdf) ✓
119 |   - **Tags:** DARPA, CGC, concolic execution, hybrid fuzzer, binary based
120 | - [2015 - Challenges with Applying Vulnerability Prediction Models](https://www.microsoft.com/en-us/research/wp-content/uploads/2015/04/ChallengesVulnerabilityModelsMicrosoft_HotSOS.pdf) ✓
121 |   - **Tags:** VPM vs DPM, prediction models on large scale systems, files with frequent changes leave more vulns, older code exhibits more vulns
122 | - [2014 - Optimizing Seed Selection for Fuzzing](https://www.usenix.org/system/files/conference/usenixsecurity14/sec14-paper-rebert.pdf) ✓
123 |   - **Tags:** BFF, (weighted) minset, peach, cover set problem, seed transferabilty, time minset, size minset, round robin
124 | - [2013 - Automatic Recovery of Root Causes from Bug-Fixing Changes](https://ink.library.smu.edu.sg/cgi/viewcontent.cgi?article=3024&context=sis_research) ✓
125 |   - **Tags:** ML + SCA, F score, AST, PPA, source tree analysis
126 | 
127 | ## Unread
128 | 
129 | Unread papers categorized by a common main theme.
130 | 
131 | ### General fuzzing implementations
132 | 
133 | - [2025 - Adaptive mutation based on multi-population evolution strategy for greybox fuzzing](https://www.sciencedirect.com/science/article/abs/pii/S002002552500091X)
134 | - [2025 - BaSFuzz: Fuzz testing based on difference analysis for seed bytes](https://www.sciencedirect.com/science/article/abs/pii/S0164121225000081)
135 | - [2025 - Grey-Box Fuzzing in Constrained Ultra-Large Systems: Lessons for SE Communit](https://arxiv.org/pdf/2501.10269)
136 | - [2025 - CherryPicker: A Parallel Solving and State Sharing Hybrid Fuzzing System](https://ieeexplore.ieee.org/abstract/document/10842464)
137 | - [2025 - Novelty Not Found: Exploring Input Shadowing in Fuzzing through Adaptive Fuzzer Restarts](https://dl.acm.org/doi/pdf/10.1145/3712186)
138 | - [2025 - AutoFuzz: automatic fuzzer-sanitizer scheduling with multi-armed bandit](https://link.springer.com/article/10.1007/s11219-025-09707-6)
139 | - [2025 - RuMono: Fuzz Driver Synthesis for Rust Generic APIs](https://dl.acm.org/doi/pdf/10.1145/3709359)
140 | - [2025 - Improving seed quality with historical fuzzing results](https://www.sciencedirect.com/science/article/abs/pii/S0950584924002568)
141 | - [2025 - A Fuzzing Tool Based on Automated Grammar Detection](https://www.mdpi.com/2674-113X/3/4/28)
142 | - [2025 - ROSA: Finding Backdoors with Fuzzing](https://binsec.github.io/assets/publications/papers/2025-icse.pdf)
143 | - [2025 - Invivo Fuzzing by Amplifying Actual Executions](https://mpi-softsec.github.io/papers/ICSE25-invivo.pdf) ✓
144 | - [2025 - QMSan: Efficiently Detecting Uninitialized Memory Errors During Fuzzing](http://nebelwelt.net/files/25NDSS3.pdf) ✓
145 | - [2024 - LibAFL-DiFuzz: Advanced Architecture Enabling Directed Fuzzing](https://arxiv.org/abs/2412.19143)
146 | - [2024 - Program Environment Fuzzing](https://arxiv.org/abs/2404.13951)
147 | - [2024 - Logos: Log Guided Fuzzing for Protocol Implementations](http://www.wingtecher.com/themes/WingTecherResearch/assets/papers/paper_from_24/Logos_issta24.pdf) ✓
148 | - [2024 - DDGF: Dynamic Directed Greybox Fuzzing with Path Profiling](https://dl.acm.org/doi/abs/10.1145/3650212.3680324) ✓
149 | - [2024 - Sleuth: A Switchable Dual-Mode Fuzzer to Investigate Bug Impacts Following a Single PoC](https://dl.acm.org/doi/pdf/10.1145/3650212.3680316) ✓
150 | - [2024 - Tumbling Down the Rabbit Hole: How do Assisting Exploration Strategies Facilitate Grey-box Fuzzing?](https://arxiv.org/pdf/2409.14541) ✓
151 | - [2024 - Modularizing Directed Greybox Fuzzing for Binaries over Multiple CPU Architectures](https://link.springer.com/chapter/10.1007/978-3-031-64171-8_5) ✓
152 | - [2024 - LOOL: Low-Overhead, Optimization-Log-Guided Compiler Fuzzing](https://dl.acm.org/doi/pdf/10.1145/3678722.3685533) ✓
153 | - [2024 - Visualization Task Taxonomy to Understand the Fuzzing Internals](https://dl.acm.org/doi/pdf/10.1145/3678722.3685530) ✓
154 | - [2024 - Directed or Undirected: Investigating Fuzzing Strategies in a CI/CD Setup](https://dl.acm.org/doi/abs/10.1145/3678722.3685532) ✓
155 | - [2024 - ZigZagFuzz: Interleaved Fuzzing of Program Options and Files](https://swtv.kaist.ac.kr/publications/2024_TOSEM_ZigZagFuzz_final_camera_ready.pdf) ✓
156 | - [2024 - Tango: Extracting Higher-Order Feedback through State Inference](http://nebelwelt.net/files/24RAID.pdf) ✓
157 | - [2024 - Directed Fuzzing Based on Bottleneck Detection](https://dl.acm.org/doi/abs/10.1145/3670105.3670111) ✓
158 | - [2024 - Look Ma, No Input Samples! Mining Input Grammars from Code with Symbolic Parsing](https://dl.acm.org/doi/abs/10.1145/3663529.3663790) ✓
159 | - [2024 - HuntFUZZ: Enhancing Error Handling Testing through Clustering Based Fuzzing](https://arxiv.org/pdf/2407.04297) ✓
160 | - [2024 - AIMFuzz: Automated Function-Level In-Memory Fuzzing on Binaries](https://dl.acm.org/doi/abs/10.1145/3634737.3644996) ✓
161 | - [2024 - Data Coverage for Guided Fuzzing](http://www.wingtecher.com/themes/WingTecherResearch/assets/papers/paper_from_24/Data_Security24.pdf) ✓
162 | - [2024 - Fuzzing at Scale: The Untold Story of the Scheduler](https://arxiv.org/pdf/2406.18058) ✓
163 | - [2024 - FOX: Coverage-guided Fuzzing as Online Stochastic Control](https://arxiv.org/abs/2406.04517) ✓
164 | - [2024 - Fuzzing-based grammar learning from a minimal set of seed inputs](https://www.sciencedirect.com/science/article/abs/pii/S259011842300062X) ✓
165 | - [2024 - LinFuzz: Program-Sensitive Seed Scheduling Greybox Fuzzing Based on LinUCB Algorithm](https://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=10538260) ✓
166 | - [2024 - Graphuzz: Data-driven Seed Scheduling for Coverage-guided Greybox Fuzzing](https://dl.acm.org/doi/pdf/10.1145/3664603) ✓
167 | - [2024 - Towards Tightly-coupled Hybrid Fuzzing via Excavating Input Specifications](https://ieeexplore.ieee.org/abstract/document/10418578) ✓
168 | - [2024 - BazzAFL: Moving Fuzzing Campaigns Towards Bugs Via Grouping Bug-Oriented Seeds](https://www.computer.org/csdl/journal/tq/5555/01/10506549/1WlI5nzxKw0) ✓
169 | - [2024 - DeepGo: Predictive Directed Greybox Fuzzing](https://www.ndss-symposium.org/wp-content/uploads/2024-514-paper.pdf) ✓
170 | - [2024 - LibAFL QEMU: A Library for Fuzzing-oriented Emulation](https://s3.eurecom.fr/docs/bar24_malmain.pdf) ✓
171 | - [2023 - Beyond the Coverage Plateau: A Comprehensive Study of Fuzz Blockers](https://dl.acm.org/doi/pdf/10.1145/3605157.3605177) ✓
172 | - [2023 - NestFuzz: Enhancing Fuzzing with Comprehensive Understanding of Input Processing Logic](https://secsys.fudan.edu.cn/_upload/article/files/56/ed/788960544d56a38258aca7d3c8b5/216e599a-d6f6-4308-aa0b-ef45166a8431.pdf) ✓
173 | - [2023 - DSFuzz: Detecting Deep State Bugs with Dependent State Exploration](https://dl.acm.org/doi/abs/10.1145/3576915.3616594) ✓
174 | - [2023 - FA-Fuzz: A Novel Scheduling Scheme Using Firefly Algorithm for Mutation-Based Fuzzing](https://ieeexplore.ieee.org/abstract/document/10305545) ✓
175 | - [2023 - Make out like a (Multi-Armed) Bandit: Improving the Odds of Fuzzer Seed Scheduling with T-Scheduler](https://arxiv.org/pdf/2312.04749) ✓
176 | - [2023 - SYNTONY: Potential-Aware Fuzzing with Particle Swarm Optimization](https://www.sciencedirect.com/science/article/abs/pii/S0164121223002753) ✓
177 | - [2023 - Triereme: Speeding up hybrid fuzzing through efficient query scheduling](https://goto.ucsd.edu/~gleissen/papers/triereme.pdf) ✓
178 | - [2023 - Hybrid Testing: Combining Static Analysis and Directed Fuzzing](https://dspace.mit.edu/handle/1721.1/151679) ✓
179 | - [2023 - Titan : Efficient Multi-target Directed Greybox Fuzzing](https://5hadowblad3.github.io/files/Oakland24-Titan.pdf) ✓
180 | - [2023 - SpecFuzzer: A Tool for Inferring Class Specifications via Grammar-based Fuzzing](https://facumolina.github.io/files/specfuzzer-tooldemo-ase2023.pdf) ✓
181 | - [2023 - Hopper: Interpretative Fuzzing for Libraries](https://arxiv.org/pdf/2309.03496.pdf) ✓
182 | - [2023 - Enhancing Coverage-Guided Fuzzing via Phantom Program](https://shadowmydx.github.io/papers/fse2023a.pdf) ✓
183 | - [2023 - Hyperfuzzing: black-box security hypertesting with a grey-box fuzzer](https://arxiv.org/pdf/2308.09081.pdf) ✓
184 | - [2023 - SHAPFUZZ: Efficient Fuzzing via Shapley-Guided Byte Selection](https://arxiv.org/pdf/2308.09239.pdf) ✓
185 | - [2023 - PSOFuzz - Fuzzing Processors with Particle Swarm Optimization](https://arxiv.org/pdf/2307.14480.pdf) ✓
186 | - [2023 - SymRustC: A Hybrid Fuzzer for Rust](https://dl.acm.org/doi/abs/10.1145/3597926.3604927) ✓
187 | - [2023 - Finch: Fuzzing with Quantitative and Adaptive Hot-Bytes Identification](https://arxiv.org/pdf/2307.02289.pdf) ✓
188 | - [2023 - HyperGo: Probability-based Directed Hybrid Fuzzing](https://arxiv.org/pdf/2307.07815.pdf) ✓
189 | - [2023 - CrabSandwich: Fuzzing Rust with Rust](https://dl.acm.org/doi/abs/10.1145/3605157.3605176) ✓
190 | - [2023 - InFuzz: An Interactive Tool for Enhancing Efficiency in Fuzzing through Visual Bottleneck Analysis](https://dl.acm.org/doi/abs/10.1145/3605157.3605847) ✓
191 | - [2023 - Rare Path Guided Fuzzing∗](https://dl.acm.org/doi/pdf/10.1145/3597926.3598136) ✓
192 | - [2023 - Guiding Greybox Fuzzing with Mutation Testing](https://dl.acm.org/doi/pdf/10.1145/3597926.3598107) ✓
193 | - [2023 - FGo: A Directed Grey-box Fuzzer with Probabilistic Exponential cut-the-loss Strategies](https://arxiv.org/pdf/2307.05961.pdf) ✓
194 | - [2023 - FISHFUZZ: Catch Deeper Bugs by Throwing Larger Nets](https://nebelwelt.net/publications/files/23SEC5.pdf) ✓
195 | - [2023 - PosFuzz: augmenting greybox fuzzing with effective position distribution](https://link.springer.com/article/10.1186/s42400-023-00143-2) ✓
196 | - [2023 - Bottleneck Analysis via Grammar-based Performance Fuzzing\*](https://ieeexplore.ieee.org/abstract/document/10132229) ✓
197 | - [2023 - What Happens When We Fuzz? Investigating OSS-Fuzz Bug History](https://arxiv.org/pdf/2305.11433.pdf) ✓
198 | - [2023 - Toss a Fault to Your Witcher: Applying Grey-box Coverage-Guided Mutational Fuzzing to Detect SQL and Command Injection Vulnerabilities](https://adamdoupe.com/publications/witcher-oakland2023.pdf) ✓
199 | - [2023 - Large Language Models are Edge-Case Fuzzers: Testing Deep Learning Libraries via FuzzGPT](https://arxiv.org/pdf/2304.02014.pdf) ✓
200 | - [2023 - SBFT Tool Competition 2023 - Fuzzing Track](https://arxiv.org/pdf/2304.10070.pdf) ✓
201 | - [2023 - CarpetFuzz: Automatic Program Option Constraint Extraction from Documentation for Fuzzing](https://www.usenix.org/system/files/sec23fall-prepub-467-wang-dawei.pdf) ✓
202 | - [2023 - Learning Seed-Adaptive Mutation Strategies for Greybox Fuzzing](https://github.com/kupl/SeamFuzz-Artifact/blob/main/SeamFuzz-accepted-version.pdf) ✓
203 | - [2023 - Directed Greybox Fuzzing with Stepwise Constraint Focusing](https://arxiv.org/pdf/2303.14895.pdf) ✓
204 | - [2023 - Generation-based fuzzing? Don’t build a new generator, reuse!](https://www.sciencedirect.com/science/article/pii/S0167404823000883) ✓
205 | - [2023 - RCABench: Open Benchmarking Platform for Root Cause Analysis](https://arxiv.org/pdf/2303.05029.pdf) ✓
206 | - [2023 - Arvin: Greybox Fuzzing Using Approximate Dynamic CFG Analysis](https://hexhive.epfl.ch/publications/files/23AsiaCCS.pdf) ✓
207 | - [2023 - DAISY: Effective Fuzz Driver Synthesis with Object Usage Sequence Analysis](http://www.wingtecher.com/themes/WingTecherResearch/assets/papers/ICSE-SEIP23.pdf) ✓
208 | - [2023 - autofz: Automated Fuzzer Composition at Runtime](https://gts3.org/assets/papers/2023/fu:autofz.pdf) ✓
209 | - [2023 - Towards Hybrid Fuzzing with Multi-level Coverage Tree and Reinforcement Learning in Greybox Fuzzing](https://dixiyao.github.io/assests/papers/1776.pdf) ✓
210 | - [2023 - Fuzzing, Symbolic Execution, and Expert Guidance for Better Testing](https://ieeexplore.ieee.org/abstract/document/10021305) ✓
211 | - [2023 - Fuzzing vs SBST: Intersections & Differences](https://dl.acm.org/doi/abs/10.1145/3573074.3573102) ✓
212 | - [2023 - Evaluating the Fork-Awareness of Coverage-Guided Fuzzers](https://arxiv.org/pdf/2301.05060.pdf) ✓
213 | - [2023 - Homo in Machina: Improving Fuzz Testing Coverage via Compartment Analysis](https://arxiv.org/pdf/2212.11162.pdf) ✓
214 | - [2023 - The fun in fuzzing - The debugging techniquie comes into its own](https://dl.acm.org/doi/pdf/10.1145/3580504) ✓
215 | - [2023 - Reachable Coverage: Estimating Saturation in Fuzzing](https://mboehme.github.io/paper/ICSE23.Effectiveness.pdf) ✓
216 | - [2023 - A Seed Scheduling Method With a Reinforcement Learning for a Coverage Guided Fuzzing](https://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=10005088) ✓
217 | - [2023 - SelectFuzz: Efficient Directed Fuzzing with Selective Path Exploration](https://www.computer.org/csdl/proceedings-article/sp/2023/933600b050/1Js0DBwgpwY) ✓
218 | - [2022 - Explainable Fuzzer Evaluation](https://arxiv.org/pdf/2212.09519.pdf) ✓
219 | - [2022 - Rare-Seed Generation for Fuzzing](https://arxiv.org/pdf/2212.09004.pdf) ✓
220 | - [2022 - How to Compare Fuzzers](https://arxiv.org/pdf/2212.03075.pdf) ✓
221 | - [2022 - Valkyrie: Improving Fuzzing Performance Through Deterministic Techniques](https://www.cs.ucdavis.edu/~hchen/paper/rong2022valkyrie.pdf) ✓
222 | - [2022 - FUZZING DEEPER LOGIC WITH IMPEDING FUNCTION TRANSFORMATION](https://hammer.purdue.edu/articles/thesis/FUZZING_DEEPER_LOGIC_WITH_IMPEDING_FUNCTION_TRANSFORMATION/21663506) ✓
223 | - [2022 - Alphuzz: Monte Carlo Search on Seed-Mutation Tree for Coverage-Guided Fuzzing](https://dl.acm.org/doi/abs/10.1145/3564625.3564660) ✓
224 | - [2022 - AutoGenD: fuzz driver generation for binary libraries without header files and symbol information](https://www.spiedigitallibrary.org/conference-proceedings-of-spie/12503/1250306/AutoGenD--fuzz-driver-generation-for-binary-libraries-without-header/10.1117/12.2657278.short?SSO=1) ✓
225 | - [2022 - Mutation Optimization of Directional Fuzzing for Cumulative Defects](https://www.jos.org.cn/josen/article/abstract/6491) ✓
226 | - [2022 - IMPROVING AFL++ CMPLOG: TACKLING THE BOTTLENECKS](https://arxiv.org/pdf/2211.08357.pdf) ✓
227 | - [2022 - One Fuzz Doesn’t Fit All: Optimizing Directed Fuzzing via Target-tailored Program State Restriction](https://hexhive.epfl.ch/publications/files/22ACSAC2.pdf) ✓
228 | - [2022 - POLYFUZZ: Holistic Greybox Fuzzing of Multi-Language Systems](https://www.usenix.org/system/files/sec23summer_411-li_wen-prepub.pdf) ✓
229 | - [2022 - Sydr-Fuzz: Continuous Hybrid Fuzzing and Dynamic Analysis for Security Development Lifecycle](https://arxiv.org/pdf/2211.11595.pdf) ✓
230 | - [2022 - Nimbus: Toward Speed Up Function Signature Recovery via Input Resizing and Multi-Task Learning](https://arxiv.org/pdf/2211.04219.pdf) ✓
231 | - [2022 - So Many Fuzzers, So Little Time](https://assist-project.github.io/papers/So-Many-Fuzzers@ASE-22.pdf) ✓
232 | - [2022 - SLOPT: Bandit Optimization Framework for Mutation-Based Fuzzing](https://arxiv.org/pdf/2211.03285.pdf) ✓
233 | - [2022 - DriveFuzz: Discovering Autonomous Driving Bugs through Driving Quality-Guided Fuzzing](https://arxiv.org/pdf/2211.01829.pdf) ✓
234 | - [2022 - UltraFuzz: Towards Resource-saving in Distributed Fuzzing](https://www.computer.org/csdl/journal/ts/5555/01/09939114/1I1KHo9MOPe) ✓
235 | - [2022 - Snappy: Efficient Fuzzing with Adaptive and Mutable Snapshots](https://download.vusec.net/papers/snappy_acsac22.pdf) ✓
236 | - [2022 - FuzzerAid: Grouping Fuzzed Crashes Based On Fault Signatures](https://arxiv.org/pdf/2209.01244.pdf) ✓
237 | - [2022 - Automatically Seed Corpus and Fuzzing Executables Generation Using Test Framework](https://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=9867993) ✓
238 | - [2022 - CAMFuzz: Explainable Fuzzing with Local Interpretation](https://cybersecurity.springeropen.com/articles/10.1186/s42400-022-00116-x) ✓
239 | - [2022 - Efficient Greybox Fuzzing to Detect Memory Errors](https://www.comp.nus.edu.sg/~gregory/papers/rezzan.pdf) ✓
240 | - [2022 - LibAFL: A Framework to Build Modular and Reusable Fuzzers](https://www.s3.eurecom.fr/docs/ccs22_fioraldi.pdf) ✗
241 | - [2022 - FishFuzz: Throwing Larger Nets to Catch Deeper Bugs](https://arxiv.org/pdf/2207.13393.pdf) ✓
242 | - [2022 - SYMSAN: Time and Space Efficient Concolic Execution via Dynamic Data-flow Analysis](https://www.cs.ucr.edu/~csong/sec22-symsan.pdf) ✓
243 | - [2022 - AMSFuzz: An adaptive mutation schedule for fuzzing](https://www.sciencedirect.com/science/article/abs/pii/S0957417422013203) ✓
244 | - [2022 - FixReverter: A Realistic Bug Injection Methodology for Benchmarking Fuzz Testing](https://www.usenix.org/system/files/sec22-zhang-zenong.pdf) ✓
245 | - [2022 - Multiple Targets Directed Greybox Fuzzing](https://arxiv.org/pdf/2206.14977.pdf) ✓
246 | - [2022 - Combining BMC and Fuzzing Techniques for Finding Software Vulnerabilities in Concurrent Programs](https://arxiv.org/pdf/2206.06043.pdf) ✓
247 | - [2022 - DocTer: Documentation-Guided Fuzzing for Testing Deep Learning API Functions](https://www.cs.purdue.edu/homes/lintan/publications/docter-issta22.pdf) ✓
248 | - [2022 - Obtaining Fuzzing Results with Different Timeouts](https://ieeexplore.ieee.org/abstract/document/9787974) ✓
249 | - [2022 - FASSFuzzer—An Automated Vulnerability Detection System for Android System Services](https://web.archive.org/web/20220501200656id_/http://www.csroc.org.tw/journal/JOC33-2/JOC3302-17.pdf) ✓
250 | - [2022 - WindRanger: A Directed Greybox Fuzzer driven by Deviation Basic Blocks](https://dl.acm.org/doi/10.1145/3510003.3510197) ✗
251 | - [2022 - Drifuzz: Harvesting Bugs in Device Drivers from Golden Seeds](https://messlab.moyix.net/papers/drifuzz_sec22.pdf) ✓
252 | - [2022 - GraphFuzz: Library API Fuzzing with Lifetime-aware Dataflow Graphs](https://hgarrereyn.github.io/GraphFuzz/research/GraphFuzz_ICSE_2022.pdf) ✓
253 | - [2022 - AcoFuzz: Adaptive Energy Allocation for Greybox Fuzzing](https://ieeexplore.ieee.org/abstract/document/9787956) ✓
254 | - [2022 - TargetFuzz: Using DARTs to Guide Directed Greybox Fuzzers](https://www.honda-ri.de/pubs/pdf/4940.pdf) ✓
255 | - [2022 - Fast Fuzzing for Memory Errors](https://arxiv.org/pdf/2204.02773.pdf) ✓
256 | - [2022 - Stateful Greybox Fuzzing](https://arxiv.org/pdf/2204.02545.pdf) ✓
257 | - [2022 - Metamorphic Fuzzing of C++ Libraries](https://www.doc.ic.ac.uk/~afd/homepages/papers/pdfs/2022/ICST.pdf) ✓
258 | - [2022 - Effective Seed Scheduling for Fuzzing with Graph Centrality Analysis](https://arxiv.org/pdf/2203.12064.pdf) ✓
259 | - [2022 - Comparing Fuzzers on a Level Playing Field with FuzzBench](https://discovery.ucl.ac.uk/id/eprint/10144606/1/Comparing%20Fuzzers%20on%20a%20Level%20Playing%20Field%20with%20FuzzBench.pdf) ✓
260 | - [2022 - Vulnerability-oriented directed fuzzing for binary programs](https://www.nature.com/articles/s41598-022-07355-5) ✓
261 | - [2022 - An Improvement of AFL Based On The Function Call Depth](https://ieeexplore.ieee.org/document/9674138) ✓
262 | - [2022 - FuzzingDriver: the Missing Dictionary to Increase Code Coverage in Fuzzers](https://arxiv.org/pdf/2201.04853.pdf) ✓
263 | - [2022 - BeDivFuzz: Integrating Behavioral Diversity into Generator-based Fuzzing](https://arxiv.org/pdf/2202.13114.pdf) ✓
264 | - [2022 - One Fuzzing Strategy to Rule Them All](https://shadowmydx.github.io/papers/icse22-main-1314.pdf) ✓
265 | - [2022 - Grammars for Free: Toward Grammar Inference for Ad Hoc Parsers](https://arxiv.org/pdf/2202.01021.pdf) ✓
266 | - [2022 - Fuzzing Class Specifications](https://arxiv.org/pdf/2201.10874.pdf) ✓
267 | - [2022 - Mutation Analysis: Answering the Fuzzing Challenge](https://arxiv.org/pdf/2201.11303.pdf) ✓
268 | - [2022 - Ferry: State-Aware Symbolic Execution for Exploring State-Dependent Program Paths](https://yangzhemin.github.io/papers/ferry-security22.pdf) ✓
269 | - [2022 - BEACON : Directed Grey-Box Fuzzing with Provable Path Pruning](https://qingkaishi.github.io/public_pdfs/SP22.pdf) ✓
270 | - [2022 - MORPHUZZ: Bending (Input) Space to Fuzz Virtual Devices](https://www.usenix.org/system/files/sec22summer_bulekov.pdf) ✓
271 | - [2021 - A parallel fuzzing method based on two-stage mutation](https://www.spiedigitallibrary.org/conference-proceedings-of-spie/12085/1208511/A-parallel-fuzzing-method-based-on-two-stage-mutation/10.1117/12.2624946.short) ✓
272 | - [2021 - Better Pay Attention Whilst Fuzzing](https://arxiv.org/pdf/2112.07143.pdf) ✓
273 | - [2021 - Diar: Removing Uninteresting Bytes from Seeds in Software Fuzzing](https://arxiv.org/pdf/2112.13297.pdf) ✓
274 | - [2021 - Reducing Time-To-Fix For Fuzzer Bugs](https://ruimaranhao.com/assets/pdfs/ase2021.pdf) ✓
275 | - [2021 - Casr-Cluster: Crash Clustering for Linux Applications](https://arxiv.org/pdf/2112.13719.pdf) ✓
276 | - [2021 - Fuzzm: Finding Memory Bugs through Binary-Only Instrumentation and Fuzzing of WebAssembly](https://arxiv.org/pdf/2110.15433.pdf) ✓
277 | - [2021 - InstruGuard: Find and Fix Instrumentation Errors for Coverage-based Greybox Fuzzing](https://github.com/TCA-ISCAS/InstruGuard/blob/main/InstruGuard!%20Find%20and%20Fix%20Instrumentation%20Errors%20for%20Coverage-based%20Greybox%20Fuzzing.pdf) ✓
278 | - [2021 - POSTER: OS Independent Fuzz Testing of I/O Boundary](https://dl.acm.org/doi/abs/10.1145/3460120.3485359) ✓
279 | - [2021 - HDBFuzzer–Target-oriented Hybrid Directed Binary Fuzzer](https://dl.acm.org/doi/abs/10.1145/3487075.3487124) ✓
280 | - [2021 - ovAFLow: Detecting Memory Corruption Bugs with Fuzzing-based Taint Inference](https://jcst.ict.ac.cn/EN/10.1007/s11390-021-1600-9) ✓
281 | - [2021 - SyzScope: Revealing High-Risk Security Impacts of Fuzzer-Exposed Bugs in Linux kernel](https://etenal.me/wp-content/uploads/2021/10/SyzScope-final.pdf) ✓
282 | - [2021 - SiliFuzz: Fuzzing CPUs by proxy](https://arxiv.org/abs/2110.11519) ✓
283 | - [2021 - Same Coverage, Less Bloat: Accelerating Binary-only Fuzzing with Coverage-preserving Coverage-guided Tracing](https://arxiv.org/abs/2209.03441) ✓
284 | - [2021 - Facilitating Parallel Fuzzing with Mutually-exclusive Task Distribution](https://arxiv.org/pdf/2109.08635.pdf) ✓
285 | - [2021 - PATA: Fuzzing with Path Aware Taint Analysis](http://www.wingtecher.com/themes/WingTecherResearch/assets/papers/sp22.pdf) ✓
286 | - [2021 - BSOD: Binary-only Scalable fuzzing Of device Drivers](https://dmnk.co/raid21-bsod.pdf) ✓
287 | - [2021 - FuzzBench: An Open Fuzzer Benchmarking Platform and Service](https://dl.acm.org/doi/pdf/10.1145/3468264.3473932) ✓
288 | - [2021 - My Fuzzer Beats Them All! Developing a Framework for Fair Evaluation and Comparison of Fuzzers](https://arxiv.org/pdf/2108.07076.pdf) ✓
289 | - [2021 - Scalable Fuzzing of Program Binaries with E9AFL](https://www.comp.nus.edu.sg/~abhik/pdf/ASE21.pdf) ✓
290 | - [2021 - HyperFuzzer: An Efficient Hybrid Fuzzer for Virtual CPUs](https://patricegodefroid.github.io/public_psfiles/hyperfuzzer-ccs21.pdf) ✓
291 | - [2021 - BigMap: Future-proofing Fuzzers with Efficient Large Maps](https://ieeexplore.ieee.org/abstract/document/9505052) ✓
292 | - [2021 - Token-Level Fuzzing](https://seclab.cs.ucsb.edu/files/publications/Salls2021Token_Level.pdf) ✓
293 | - [2021 - Hashing Fuzzing: Introducing Input Diversity to Improve Crash Detection](https://repository.mdx.ac.uk/download/5e44872ed0f410c636f70e852fef175fabc46b40e719cf8913b1e750288e305d/390968/main_TSE.pdf) ✗
294 | - [2021 - LeanSym: Efficient Hybrid Fuzzing Through Conservative Constraint Debloating](https://download.vusec.net/papers/leansym_raid21.pdf) ✓
295 | - [2021 - ESRFuzzer: an enhanced fuzzing framework for physical SOHO router devices to discover multi-Type vulnerabilities](https://cybersecurity.springeropen.com/articles/10.1186/s42400-021-00091-9) ✓
296 | - [2021 - KCFuzz: Directed Fuzzing Based on Keypoint Coverage](https://link.springer.com/chapter/10.1007/978-3-030-78609-0_27) ✓
297 | - [2021 - TCP-Fuzz: Detecting Memory and Semantic Bugs in TCP Stacks with Fuzzing](https://www.usenix.org/conference/atc21/presentation/zou) ✓
298 | - [2021 - Fuzzing with optimized grammar-aware mutation strategies](https://ieeexplore.ieee.org/abstract/document/9469897) ✓
299 | - [2021 - Directed Fuzzing for Use-After-FreeVulnerabilities Detection](http://www.lirmm.fr/afadl2021/papers/afadl2020_paper_4.pdf) ✓
300 | - [2021 - DIFUZZRTL: Differential Fuzz Testing to FindCPU Bugs](https://lifeasageek.github.io/papers/jaewon-difuzzrtl.pdf) ✓
301 | - [2021 - Z-Fuzzer: device-agnostic fuzzing of Zigbee protocol implementation](https://dl.acm.org/doi/abs/10.1145/3448300.3468296) ✓
302 | - [2021 - Fuzzing with Multi-dimensional Control of Mutation Strategy](https://link.springer.com/chapter/10.1007/978-3-030-79728-7_27) ✓
303 | - [2021 - Using a Guided Fuzzer and Preconditions to Achieve Branch Coverage with Valid Inputs](https://link.springer.com/chapter/10.1007/978-3-030-79379-1_5) ✓
304 | - [2021 - RIFF: Reduced Instruction Footprint for Coverage-Guided Fuzzing](http://www.wingtecher.com/themes/WingTecherResearch/assets/papers/atc21.pdf) ✓
305 | - [2021 - CoCoFuzzing: Testing Neural Code Models with Coverage-Guided Fuzzing](https://arxiv.org/pdf/2106.09242.pdf) ✓
306 | - [2021 - Seed Selection for Successful Fuzzing](https://nebelwelt.net/files/21ISSTA2.pdf) ✓
307 | - [2021 - Gramatron: Effective Grammar-Aware Fuzzing](https://nebelwelt.net/files/21ISSTA.pdf) ✓
308 | - [2021 - Hyntrospect: a fuzzer for Hyper-V devices](https://www.sstic.org/media/SSTIC2021/SSTIC-actes/hyntrospect_a_fuzzer_for_hyper-v_devices/SSTIC2021-Article-hyntrospect_a_fuzzer_for_hyper-v_devices-dubois.pdf) ✓
309 | - [2021 - FUZZOLIC: mixing fuzzing and concolic execution](https://www.sciencedirect.com/science/article/pii/S0167404821001929) ✓
310 | - [2021 - QFuzz: Quantitative Fuzzing for Side Channels](https://arxiv.org/pdf/2106.03346.pdf) ✓
311 | - [2021 - Revizor: Fuzzing for Leaks in Black-box CPUs](https://arxiv.org/pdf/2105.06872.pdf) ✓
312 | - [2021 - Unleashing Fuzzing Through Comprehensive, Efficient, and Faithful Exploitable-Bug Exposing](https://ieeexplore.ieee.org/abstract/document/9430753) ✓
313 | - [2021 - Constraint-guided Directed Greybox Fuzzing](https://www.usenix.org/system/files/sec21fall-lee-gwangmu.pdf) ✓
314 | - [2021 - Test-Case Reduction and Deduplication Almost forFree with Transformation-Based Compiler Testing](https://www.doc.ic.ac.uk/~afd/homepages/papers/pdfs/2021/PLDI.pdf) ✓
315 | - [2021 - RULF: Rust Library Fuzzing via API Dependency Graph Traversal](https://arxiv.org/pdf/2104.12064.pdf) ✓
316 | - [2021 - STOCHFUZZ: Sound and Cost-effective Fuzzing of Stripped Binaries by Incremental and Stochastic Rewriting](https://www.cs.purdue.edu/homes/zhan3299/res/SP21b.pdf) ✓
317 | - [2021 - PS-Fuzz: Efficient Graybox Firmware Fuzzing Based on Protocol State](https://search.proquest.com/openview/bd00ff3647f2802721db0e14448f8c2b/1?pq-origsite=gscholar&cbl=4585459) ✓
318 | - [2021 - MuDelta: Delta-Oriented Mutation Testing at Commit Time](https://orbilu.uni.lu/bitstream/10993/46742/1/RelevantMutantPrediction%20%281%29.pdf) ✓
319 | - [2021 - CollabFuzz: A Framework for Collaborative Fuzzing](https://download.vusec.net/papers/collabfuzz_eurosec21.pdf) ✓
320 | - [2021 - MUTAGEN: Faster Mutation-Based Random Testing](http://www.cse.chalmers.se/~mista/assets/pdf/icse21-src.pdf) ✓
321 | - [2021 - Inducing Subtle Mutations with Program Repair](http://rahul.gopinath.org/resources/icstw2021/schwander2021inducing.pdf) ✓
322 | - [2021 - Differential Analysis of X86-64 Instruction Decoders](https://easychair.org/publications/preprint/1LHr) ✓
323 | - [2021 - On Introducing Automatic Test Case Generation in Practice: A Success Story and Lessons Learned](https://arxiv.org/pdf/2103.00465.pdf) ✓
324 | - [2021 - A Priority Based Path Searching Method for Improving Hybrid Fuzzing](https://www.sciencedirect.com/science/article/pii/S0167404821000663) ✓
325 | - [2021 - IntelliGen: Automatic Driver Synthesis for Fuzz Testing](http://www.wingtecher.com/themes/WingTecherResearch/assets/papers/icse_seip_0221.pdf) ✓
326 | - [2021 - icLibFuzzer: Isolated-context libFuzzer for Improving Fuzzer Comparability](https://bar2021.moyix.net/bar2021-preprint13.pdf) ✓
327 | - [2021 - SN4KE: Practical Mutation Testing at Binary Level](https://bar2021.moyix.net/bar2021-preprint17.pdf) ✓
328 | - [2021 - One Engine to Fuzz ’em All: Generic Language Processor Testing with Semantic Validation](https://faculty.ist.psu.edu/wu/papers/polyglot.pdf) ✓
329 | - [2021 - Growing A Test Corpus with Bonsai Fuzzing](https://rohan.padhye.org/files/bonsai-icse21.pdf) ✓
330 | - [2021 - Fuzzing Symbolic Expressions](https://arxiv.org/pdf/2102.06580.pdf) ✓
331 | - [2021 - JMPscare: Introspection for Binary-Only Fuzzing](https://bar2021.moyix.net/bar2021-preprint3.pdf) ✓
332 | - [2021 - An Improved Directed Grey-box Fuzzer](https://ieeexplore.ieee.org/abstract/document/9338761) ✓
333 | - [2021 - A Binary Protocol Fuzzing Method Based on SeqGAN](https://ieeexplore.ieee.org/abstract/document/9339152) ✓
334 | - [2021 - Refined Grey-Box Fuzzing with Sivo](https://arxiv.org/pdf/2102.02394.pdf) ✓
335 | - [2021 - PSOFuzzer: A Target-Oriented Software Vulnerability Detection Technology Based on Particle Swarm Optimization](https://www.mdpi.com/2076-3417/10/4/1270) ✓
336 | - [2021 - MooFuzz: Many-Objective Optimization Seed Schedule for Fuzzer](https://www.mdpi.com/2227-7390/9/3/205/htm) ✓
337 | - [2021 - CMFuzz: context-aware adaptive mutation for fuzzers](https://link.springer.com/article/10.1007/s10664-020-09927-3) ✓
338 | - [2021 - GTFuzz: Guard Token Directed Grey-Box Fuzzing](https://ieeexplore.ieee.org/abstract/document/9320425) ✓
339 | - [2021 - ProFuzzBench: A Benchmark for Stateful Protocol Fuzzing](https://arxiv.org/pdf/2101.05102.pdf) ✓
340 | - [2021 - SymQEMU:Compilation-based symbolic execution for binaries](http://www.s3.eurecom.fr/docs/ndss21_symqemu.pdf) ✓
341 | - [2021 - CONCOLIC EXECUTION TAILORED FOR HYBRID FUZZING THESIS](https://repository.gatech.edu/server/api/core/bitstreams/ae7b1a66-f74f-42f9-94a2-c549c0ae5ddc/content) ⚠
342 | - [2021 - Breaking Through Binaries: Compiler-quality Instrumentationfor Better Binary-only Fuzzing](http://static1.1.sqspcdn.com/static/f/543048/28391424/1610229123433/FIBRE_USENIX_21.pdf?token=XvHn0I3h9MvSnRBV%2Fo4dQ675sEA%3D) ✓
343 | - [2021 - AlphaFuzz: Evolutionary Mutation-based Fuzzing as Monte Carlo Tree Search](https://arxiv.org/pdf/2101.00612.pdf) ✓
344 | - [2020 - Fuzzing with Fast Failure Feedback](https://arxiv.org/pdf/2012.13516.pdf) ✓
345 | - [2020 - LAFuzz: Neural Network for Efficient Fuzzing](https://ieeexplore.ieee.org/abstract/document/9288180) ✓
346 | - [2020 - MaxAFL: Maximizing Code Coverage with a Gradient-Based Optimization Technique](https://www.mdpi.com/2079-9292/10/1/11) ✓
347 | - [2020 - Program State Abstraction for Feedback-Driven Fuzz Testing using Likely Invariants](https://arxiv.org/pdf/2012.11182.pdf) ✓
348 | - [2020 - PMFuzz: Test Case Generation for Persistent Memory Programs](https://asplos-conference.org/abstracts/asplos21-paper8-extended_abstract.pdf) ✓
349 | - [2020 - FuSeBMC: A White-Box Fuzzer for Finding Security Vulnerabilities in C Programs](https://arxiv.org/pdf/2012.11223.pdf) ✓
350 | - [2020 - Integrity: Finding Integer Errors by Targeted Fuzzing](https://link.springer.com/chapter/10.1007/978-3-030-63086-7_20) ✓
351 | - [2020 - ConFuzz: Coverage-guided Property Fuzzing for Event-driven Programs](https://kcsrk.info/papers/confuzz_padl21.pdf) ✓
352 | - [2020 - AFLTurbo: Speed up Path Discovery for Greybox Fuzzing](https://ieeexplore.ieee.org/abstract/document/9251057) ✓
353 | - [2020 - Fuzzing Channel-Based Concurrency Runtimes using Types and Effects](http://soft.vub.ac.be/Publications/2020/vub-tr-soft-20-14.pdf) ✓
354 | - [2020 - DeFuzz: Deep Learning Guided Directed Fuzzing](https://arxiv.org/pdf/2010.12149.pdf) ✓
355 | - [2020 - CrFuzz: Fuzzing Multi-purpose Programs through InputValidation](https://www.cs.ucr.edu/~csong/fse20-crfuzz.pdf) ✓
356 | - [2020 - EPfuzzer: Improving Hybrid Fuzzing with Hardest-to-reach Branch Prioritization](http://itiis.org/digital-library/23867) ✓
357 | - [2020 - Fuzzing Based on Function Importance by Interprocedural Control Flow Graph](https://arxiv.org/abs/2010.03482v3) ✓
358 | - [2020 - UNIFUZZ: A Holistic and Pragmatic Metrics-Driven Platform for Evaluating Fuzzers](https://arxiv.org/pdf/2010.01785.pdf) ✓
359 | - [2020 - PathAFL: Path-Coverage Assisted Fuzzing](https://dl.acm.org/doi/abs/10.1145/3320269.3384736) ✓
360 | - [2020 - Path Sensitive Fuzzing for Native Applications](https://ieeexplore.ieee.org/abstract/document/9208709) ✓
361 | - [2020 - UniFuzz: Optimizing Distributed Fuzzing via Dynamic Centralized Task Scheduling](https://arxiv.org/pdf/2009.06124.pdf) ✓
362 | - [2020 - Fuzzing Error Handling Code using Context-Sensitive Software Fault Injection](https://www.usenix.org/system/files/sec20-jiang.pdf) ✓
363 | - [2020 - SpecFuzz: Bringing Spectre-type vulnerabilities to the surface](https://www.usenix.org/system/files/sec20-oleksenko.pdf) ✓
364 | - [2020 - Zeror: Speed Up Fuzzing with Coverage-sensitive Tracing and Scheduling](http://www.wingtecher.com/themes/WingTecherResearch/assets/papers/ase20.pdf) ✓
365 | - [2020 - MUZZ: Thread-aware Grey-box Fuzzing for Effective Bug Hunting in Multithreaded Programs](https://arxiv.org/pdf/2007.15943.pdf) ✓
366 | - [2020 - Evolutionary Grammar-Based Fuzzing](https://arxiv.org/pdf/2008.01150.pdf) ✓
367 | - [2020 - AFLpro: Direction sensitive fuzzing](https://sci-hub.se/http://www.sciencedirect.com/science/article/pii/S2214212619305733) ✓
368 | - [2020 - CSI-Fuzz: Full-speed Edge Tracing Using Coverage Sensitive Instrumentation](https://sci-hub.se/10.1109/TDSC.2020.3008826) ✓
369 | - [2020 - Scalable Greybox Fuzzing for Effective Vulnerability Management DISS](https://mediatum.ub.tum.de/doc/1509837/file.pdf) ✓
370 | - [2020 - HotFuzz Discovering Algorithmic Denial-of-Service Vulnerabilities through Guided Micro-Fuzzing](https://pdfs.semanticscholar.org/6515/a12fc8615a401e3c7a80d5ada59e5d057971.pdf) ✓
371 | - [2020 - Fuzzing Binaries for Memory Safety Errors with QASan](https://www.researchgate.net/publication/342493914_Fuzzing_Binaries_for_Memory_Safety_Errors_with_QASan) ✓
372 | - [2020 - Suzzer: A Vulnerability-Guided Fuzzer Based on Deep Learning](https://link.springer.com/chapter/10.1007%2F978-3-030-42921-8_8) ✓
373 | - [2020 - IJON: Exploring Deep State Spaces via Fuzzing](https://nyx-fuzz.com/papers/ijon.pdf) ⚠
374 | - [2020 - Binary-level Directed Fuzzing for Use-After-Free Vulnerabilities](https://arxiv.org/pdf/2002.10751.pdf) ✓
375 | - [2020 - PANGOLIN: Incremental Hybrid Fuzzing with Polyhedral Path Abstraction](https://qingkaishi.github.io/public_pdfs/SP2020.pdf) ✓
376 | - [2020 - UEFI Firmware Fuzzing with Simics Virtual Platform](http://web.cecs.pdx.edu/~zhenkun/pub/uefi-fuzzing-dac20.pdf) ✓
377 | - [2020 - Typestate-Guided Fuzzer for Discovering Use-after-Free Vulnerabilities](https://yuleisui.github.io/publications/icse20.pdf) ✓
378 | - [2020 - FuzzGuard: Filtering out Unreachable Inputs in Directed Grey-box Fuzzing through Deep Learning](https://www.usenix.org/system/files/sec20summer_zong_prepub.pdf) ✓
379 | - [2020 - HyDiff: Hybrid Differential Software Analysis](https://yannicnoller.github.io/assets/pdf/icse2020_noller_hydiff.pdf) ✓
380 | - [2019 - Engineering a Better Fuzzer with SynergicallyIntegrated Optimizations](http://www.wingtecher.com/themes/WingTecherResearch/assets/papers/issre19_betterfuzzer.pdf) ✓
381 | - [2019 - Superion: Grammar-Aware Greybox Fuzzing](https://arxiv.org/pdf/1812.01197.pdf) ✓
382 | - [2019 - ProFuzzer: On-the-fly Input Type Probing for Better Zero-day Vulnerability Discovery](https://wcventure.github.io/FuzzingPaper/Paper/SP19_Profuzz.pdf) ✓
383 | - [2019 - Grimoire: Synthesizing Structure while Fuzzing](https://www.usenix.org/system/files/sec19-blazytko.pdf) ✓
384 | - [2019 - Ptrix: Efficient Hardware-Assisted Fuzzing for COTS Binary](https://arxiv.org/pdf/1905.10499.pdf) ✓
385 | - [2019 - SAVIOR: Towards Bug-Driven Hybrid Testing](https://arxiv.org/pdf/1906.07327.pdf) ✓
386 | - [2019 - FUDGE: Fuzz Driver Generation at Scale](https://storage.googleapis.com/gweb-research2023-media/pubtools/5118.pdf) ✓
387 | - [2019 - NAUTILUS: Fishing for Deep Bugs with Grammars](https://www.syssec.ruhr-uni-bochum.de/media/emma/veroeffentlichungen/2018/12/17/NDSS19-Nautilus.pdf) ⚠
388 | - [2019 - Send Hardest Problems My Way: Probabilistic Path Prioritization for Hybrid Fuzzing](https://www.cs.ucr.edu/~heng/pubs/digfuzz_ndss19.pdf) ✓
389 | - [2019 - EnFuzz: Ensemble Fuzzing with Seed Synchronization among Diverse Fuzzers](https://www.usenix.org/system/files/sec19-chen-yuanliang.pdf) ✓
390 | - [2018 - Fuzz Testing in Practice: Obstacles and Solutions](https://sci-hub.se/10.1109/SANER.2018.8330260) ✓
391 | - [2018 - PAFL: Extend Fuzzing Optimizations of Single Mode to Industrial Parallel Mode](http://wingtecher.com/themes/WingTecherResearch/assets/papers/fse18-pafl.pdf) ✓
392 | - [2018 - PTfuzz: Guided Fuzzing with Processor Trace Feedback](https://sci-hub.se/10.1109/ACCESS.2018.2851237) ✓
393 | - [2018 - Angora: Efficient Fuzzing by Principled Search](https://web.cs.ucdavis.edu/~hchen/paper/chen2018angora.pdf) ✓
394 | - [2018 - FairFuzz: A Targeted Mutation Strategy for Increasing Greybox Fuzz Testing Coverage](https://www.carolemieux.com/fairfuzz-ase18.pdf) ✓
395 | - [2018 - NEUZZ: Efficient Fuzzing with Neural Program Smoothing](https://arxiv.org/pdf/1807.05620.pdf) ✓
396 | - [2018 - CollAFL: path Sensitive Fuzzing](http://chao.100871.net/papers/oakland18.pdf) ✗
397 | - [2018 - Full-speed Fuzzing: Reducing Fuzzing Overhead through Coverage-guided Tracing](https://arxiv.org/pdf/1812.11875.pdf) ✓
398 | - [2018 - QSYM: A Practical Concolic Execution Engine Tailored for Hybrid Fuzzing](https://www.usenix.org/system/files/conference/usenixsecurity18/sec18-yun.pdf) ✓
399 | - [2018 - Coverage-based Greybox Fuzzing as Markov Chain](https://mboehme.github.io/paper/TSE18.pdf) ✓
400 | - [2018 - MoonShine: Optimizing OS Fuzzer Seed Selection with Trace Distillation](http://www.cs.columbia.edu/~suman/docs/moonshine.pdf) ✓
401 | - [2018 - Singularity: Pattern Fuzzing for Worst Case Complexity](https://fredfeng.github.io/papers/fse18.pdf) ✓
402 | - [2018 - Smart Greybox Fuzzing](https://arxiv.org/pdf/1811.09447.pdf) ✓
403 | - [2018 - Hawkeye: Towards a Desired Directed Grey-box Fuzzer](https://chenbihuan.github.io/paper/ccs18-chen-hawkeye.pdf) ✓
404 | - [2018 - PerfFuzz: Automatically Generating Pathological Inputs](https://www.carolemieux.com/perffuzz-issta2018.pdf) ✓
405 | - [2018 - FairFuzz: A Targeted Mutation Strategy for Increasing Greybox Fuzz Testing Coverage](https://www.carolemieux.com/fairfuzz-ase18.pdf) ✓
406 | - [2018 - Enhancing Memory Error Detection for Large-Scale Applications and Fuzz Testing](https://lifeasageek.github.io/papers/han-meds.pdf) ✓
407 | - [2018 - T-Fuzz: fuzzing by program transformation](https://nebelwelt.net/publications/files/18Oakland.pdf) ✓
408 | - [2017 - Evaluating and improving fault localization](https://www.sci-hub.se/10.1109/ICSE.2017.62) ✓
409 | - [2017 - IMF: Inferred Model-based Fuzzer](https://acmccs.github.io/papers/p2345-hanA.pdf) ✓
410 | - [2017 - Synthesizing Program Input Grammars](https://arxiv.org/pdf/1608.01723) ✓
411 | - [2017 - Steelix: Program-State Based Binary Fuzzing](https://dl.acm.org/doi/10.1145/3106237.3106295) ✓
412 | - [2017 - Designing New Operating Primitives to ImproveFuzzing Performance](https://acmccs.github.io/papers/p2313-xuA.pdf) ✓
413 | - [2017 - VUzzer: Application-aware Evolutionary Fuzzing](https://download.vusec.net/papers/vuzzer_ndss17.pdf) ✓
414 | - [2017 - DIFUZE: Interface Aware Fuzzing for Kernel Drivers](https://acmccs.github.io/papers/p2123-corinaA.pdf) ✓
415 | - [2017 - Instruction Punning: Lightweight Instrumentation for x86-64](https://dl.acm.org/doi/pdf/10.1145/3062341.3062344?download=true) ✓
416 | - [2017 - Designing New Operating Primitives to Improve Fuzzing Performance](https://dl.acm.org/doi/pdf/10.1145/3133956.3134046) ✓
417 | - [2014 - A Large-Scale Analysis of the Security of Embedded Firmwares](https://www.usenix.org/system/files/conference/usenixsecurity14/sec14-paper-costin.pdf) ✓
418 | - [2013 - Scheduling Black-box Mutational Fuzzing](https://softsec.kaist.ac.kr/~sangkilc/papers/woo-ccs13.pdf) ✓
419 | - [2013 - Dowsing for Overflows: A Guided Fuzzer to Find Buffer Boundary Violations](https://www.usenix.org/system/files/conference/usenixsecurity13/sec13-paper_haller.pdf) ✓
420 | - [2013 - RPFuzzer: A Framework for Discovering Router Protocols Vulnerabilities Based on Fuzzing](http://www.itiis.org/journals/tiis/digital-library/manuscript/file/20353/14.TIIS-RP-2012-Dec-0966.R1.pdf) ✓
421 | - [2011 - Offset-Aware Mutation based Fuzzing for Buffer Overflow Vulnerabilities: Few Preliminary Results](https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=5954459) ✓
422 | - [2010 - TaintScope: A Checksum-Aware Directed Fuzzing Tool for Automatic Software Vulnerability Detection](https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=5504701) ✓
423 | - [2009 - Taint-based Directed Whitebox Fuzzing](https://people.csail.mit.edu/rinard/paper/icse09.pdf) ✓
424 | - [2009 - Dynamic Test Generation To Find Integer Bugs in x86 Binary Linux Programs](https://argp.github.io/public/50a11f65857c12c76995f843dbfe6dda.pdf) ✓
425 | - [2008 - Grammar-based Whitebox Fuzzing](https://people.csail.mit.edu/akiezun/pldi-kiezun.pdf) ✓
426 | - [2008 - Vulnerability Analysis for X86 Executables Using Genetic Algorithm and Fuzzing](https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=4682289) ✓
427 | - [2008 - KLEE: Unassisted and Automatic Generation of High-Coverage Tests for Complex Systems Programs](https://hci.stanford.edu/cstr/reports/2008-03.pdf) ✓
428 | - [2008 - Automated Whitebox Fuzz Testing](https://patricegodefroid.github.io/public_psfiles/ndss2008.pdf) ✓
429 | - [2005 - DART: Directed Automated Random Testing](https://web.eecs.umich.edu/~weimerw/2014-6610/reading/p213-godefroid.pdf) ✓
430 | - [1994 - Dominators, Super Blocks, and Program Coverage](https://www.sci-hub.se/10.1145/174675.175935) ✓
431 | 
432 | ### Harnessing
433 | 
434 | - [2023 - AFGen: Whole-Function Fuzzing for Applications and Libraries](https://www.computer.org/csdl/proceedings-article/sp/2024/313000a011/1RjE9PjiDss) ✓
435 | - [2023 - NaNofuzz: A Usable Tool for Automatic Test Generation](https://cmumatt.github.io/assets/NaNofuzz_2023.pdf) ✓
436 | 
437 | ### AI/LLM
438 | 
439 | - [2025 - SAFLITE: Fuzzing Autonomous Systems via Large Language Models](https://arxiv.org/pdf/2412.18727)
440 | - [2025 - Large Language Model assisted Hybrid Fuzzing](https://arxiv.org/pdf/2412.15931)
441 | - [2025 - A Roadmap for Software Testing in Open-Collaborative and AI-Powered Era](https://dl.acm.org/doi/pdf/10.1145/3709355)
442 | - [2025 - LLM-Powered Fuzz Testing of Automotive Diagnostic Protocols](https://www.sae.org/publications/technical-papers/content/2025-01-8091/)
443 | - [2024 - Fixing Security Vulnerabilities with AI in OSS-Fuzz](https://arxiv.org/abs/2411.03346)
444 | - [2024 - Pentest GPT: Evaluating and Harnessing Large Language Models for Automated Penetration Testing](https://www.usenix.org/system/files/usenixsecurity24-deng.pdf)
445 | - [2024 - AutoSafeCoder: A Multi-Agent Framework for Securing LLM Code Generation through Static Analysis and Fuzz Testing](https://arxiv.org/abs/2409.10737v2)
446 | - [2024 - Fixing Security Vulnerabilities with AI in OSS-Fuzz](https://arxiv.org/pdf/2411.03346) ✓
447 | - [2024 - ChatHTTPFuzz: Large Language Model-Assisted IoT HTTP Fuzzing](https://arxiv.org/pdf/2411.11929) ✓
448 | - [2024 - Harnessing Large Language Models for Seed Generation in Greybox Fuzzing](https://arxiv.org/pdf/2411.18143) ✓
449 | - [2024 - Magneto: A Step-Wise Approach to Exploit Vulnerabilities in Dependent Libraries via LLM-Empowered Directed Fuzzing](https://dl.acm.org/doi/abs/10.1145/3691620.3695531) ✓
450 | - [2024 - Fuzzing BusyBox: Leveraging LLM and Crash Reuse for Embedded Bug Unearthing](https://www.usenix.org/system/files/usenixsecurity24-asmita.pdf) ✓
451 | - [2024 - My Fuzzers Won’t Build: An Empirical Study of Fuzzing Build Failures](https://dl.acm.org/doi/abs/10.1145/3688842) ✓
452 | - [2024 - ECG: Augmenting Embedded Operating System Fuzzing via LLM-based Corpus Generation](http://www.wingtecher.com/themes/WingTecherResearch/assets/papers/paper_from_24/ECG_EMSOFT24.pdf) ✓
453 | - [2024 - FUZZCODER: Byte-level Fuzzing Test via Large Language Mode](https://arxiv.org/pdf/2409.01944) ✓
454 | - [2024 - CyberSecEval 2: A Wide-Ranging Cybersecurity Evaluation Suite for Large Language Models](https://arxiv.org/abs/2404.13161)
455 | - [2024 - ProphetFuzz: Fully Automated Prediction and Fuzzing of High-Risk Option Combinations with Only Documentation via Large Language Model](https://arxiv.org/pdf/2409.00922) ✓
456 | - [2024 - Is “AI” Useful for Fuzzing? (Keynote)](https://dl.acm.org/doi/abs/10.1145/3678722.3695731) ✓
457 | - [2024 - Initial Seeds Generation Using LLM for IoT Device Fuzzing](https://ieeexplore.ieee.org/abstract/document/10710191) ✓
458 | - [2024 - Your Fix Is My Exploit: Enabling Comprehensive DL Library API Fuzzing with Large Language Models](https://www.computer.org/csdl/proceedings-article/icse/2025/056900a508/215aWTZ8XRe) ✓
459 | - [2024 - WhiteFox: White-Box Compiler Fuzzing Empowered by Large Language Models](https://yangchenyuan.github.io/files/OOPSLA24-WhiteFox.pdf) ✓
460 | - [2024 - The Mutators Reloaded: Fuzzing Compilers with Large Language Model Generated Mutation Operators](https://connglli.github.io/pdfs/metamut_asplos24.pdf) ✓
461 | - [2024 - A Coverage-Guided Fuzzing Method for Automatic Software Vulnerability Detection Using Reinforcement Learning-Enabled Multi-Level Input Mutation](https://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=10580893) ✓
462 | - [2024 - LLAMAFUZZ: Large Language Model Enhanced Greybox Fuzzing](https://arxiv.org/abs/2406.07714) ✓
463 | - [2024 - Survey on Large Language Model (LLM) Security and Privacy: The Good, the Bad, and the Ugly](https://arxiv.org/pdf/2312.02003) ✓
464 | - [2024 - Generative AI and Large Language Models for Cyber Security: All Insights You Need](https://arxiv.org/pdf/2405.12750) ✓
465 | - [2024 - Large Language Model guided Protocol Fuzzing](https://www.ndss-symposium.org/wp-content/uploads/2024-556-paper.pdf) ✓
466 | - [2024 - When Fuzzing Meets LLMs: Challenges and Opportunities](https://arxiv.org/pdf/2404.16297) ✓
467 | - [2024 - Fuzz4All: Universal Fuzzing with Large Language Models](https://www.software-lab.org/publications/icse2024_Fuzz4All.pdf) ✓
468 | - [2024 - Large Language Models for Cyber Security: A Systematic Literature Review](https://arxiv.org/pdf/2405.04760) ✓
469 | - [2024 - LLM4Vuln: A Unified Evaluation Framework for Decoupling and Enhancing LLMs’ Vulnerability Reasoning](https://arxiv.org/pdf/2401.16185) ✓
470 | - [2024 - Fuzzing BusyBox: Leveraging LLM and Crash Reuse for Embedded Bug Unearthing](https://arxiv.org/pdf/2403.03897) ✓
471 | - [2024 - Prompt Fuzzing for Fuzz Driver Generation](https://arxiv.org/pdf/2312.17677) ✓
472 | - [2023 - HOW FAR HAVE WE GONE IN VULNERABILITY DETECTION USING LARGE LANGUAGE MODELS](https://arxiv.org/pdf/2311.12420) ✓
473 | - [2023 - KernelGPT: Enhanced Kernel Fuzzing via Large Language Models](https://arxiv.org/pdf/2401.00563) ✓
474 | - [2023 - Exploring the Limits of ChatGPT in Software Security Applications](https://arxiv.org/pdf/2312.05275) ✓
475 | - [2023 - LLM-Based Code Generation Method for Golang Compiler Testing](https://guqiuhan.github.io/assets/pdf/conference-paper.pdf) ✓
476 | - [2023 - Large Language Model guided Protocol Fuzzing](https://mpi-softsec.github.io/papers/NDSS24-chatafl.pdf) ✓
477 | - [2023 - AI-assisted Vulnerability Analysis And Classification Framework for UDS on CAN-bus Fuzzer](https://www.researchgate.net/profile/Golam-Kayas/publication/374415112_AI-assisted_Vulnerability_Analysis_And_Classification_Framework_for_UDS_on_CAN-bus_Fuzzer/links/651c6261b0df2f20a20ae412/AI-assisted-Vulnerability-Analysis-And-Classification-Framework-for-UDS-on-CAN-bus-Fuzzer.pdf) ✓
478 | - [2023 - GPTFUZZER: Red Teaming Large Language Models with Auto-Generated Jailbreak Prompts](https://arxiv.org/pdf/2309.10253.pdf) ✓
479 | - [2023 - FUZZLLM: A NOVEL AND UNIVERSAL FUZZING FRAMEWORK FOR PROACTIVELY DISCOVERING JAILBREAK VULNERABILITIES IN LARGE LANGUAGE MODELS](https://arxiv.org/pdf/2309.05274.pdf) ✓
480 | - [2023 - Universal Fuzzing via Large Language Models](https://arxiv.org/pdf/2308.04748.pdf) ✓
481 | - [2023 - Understanding Large Language Model Based Fuzz Driver Generation](https://arxiv.org/pdf/2307.12469.pdf) ✓
482 | - [2023 - Large Language Models for Fuzzing Parsers](https://dl.acm.org/doi/abs/10.1145/3605157.3605173) ✓
483 | - [2023 - Large Language Models Are Zero-Shot Fuzzers: Fuzzing Deep-Learning Libraries via Large Language Models](https://dl.acm.org/doi/abs/10.1145/3597926.3598067) ✓
484 | - [2023 - Augmenting Greybox Fuzzing with Generative AI](https://arxiv.org/pdf/2306.06782.pdf) ✓
485 | - [2023 - Understanding Programs by Exploiting (Fuzzing) Test Cases](https://arxiv.org/pdf/2305.13592.pdf) ✓
486 | 
487 | ### IoT fuzzing
488 | 
489 | - [2025 - EmbedFuzz: High Speed Fuzzing through Transplantation](https://arxiv.org/pdf/2412.12746)
490 | - [2024 - Parallel Fuzzing of IoT Messaging Protocols through Collaborative Packet Generation](http://www.wingtecher.com/themes/WingTecherResearch/assets/papers/paper_from_24/MPFuzz_EMSOFT24.pdf) ✓
491 | - [2024 - TWFuzz: Fuzzing Embedded Systems with Three Wires](https://dl.acm.org/doi/abs/10.1145/3652032.3657568) ✓
492 | - [2024 - IoTFuzzSentry: Hunting Bugs In The IoT Wilderness In Operational Phase Using Payload Fuzzing](https://dl.acm.org/doi/abs/10.1145/3626232.3658642) ✓
493 | - [2024 - TAIFuzz: taint analysis instrumentation-based firmware fuzzing system](https://www.spiedigitallibrary.org/conference-proceedings-of-spie/13181/131814D/TAIFuzz-taint-analysis-instrumentation-based-firmware-fuzzing-system/10.1117/12.3031105.full) ✓
494 | - [2024 - RIoTFuzzer: Companion App Assisted Remote Fuzzing for Detecting Vulnerabilities in IoT Devices](https://cse.seu.edu.cn/_upload/article/files/4e/cb/457914eb4249b778299c9d33acdd/2b22fda2-e00c-441a-b7a6-e61c0d12de57.pdf) ✓
495 | - [2024 - FIRMRCA: Towards Post-Fuzzing Analysis on ARM Embedded Firmware with Efficient Event-based Fault Localization](https://arxiv.org/pdf/2410.18483) ✓
496 | - [2024 - MSLFuzzer: black-box fuzzing of SOHO router devices via message segment list inference](https://cybersecurity.springeropen.com/articles/10.1186/s42400-023-00186-5) ✓
497 | - [2024 - MULTIFUZZ: A Multi-Stream Fuzzer For Testing Monolithic Firmware](https://www.usenix.org/system/files/sec24summer-prepub-805-chesser.pdf) ✓
498 | - [2023 - KVFL: Key-Value-Based Persistent Fuzzing for IoT Web Servers](https://academic.oup.com/comjnl/advance-article-abstract/doi/10.1093/comjnl/bxad110/7456153?login=false) ✓
499 | - [2023 - Firmulti Fuzzer: Discovering Multi-process Vulnerabilities in IoT Devices with Full System Emulation and VMI](https://dl.acm.org/doi/abs/10.1145/3605758.3623493) ✓
500 | - [2023 - Fuzzability Testing Framework for Incomplete Firmware Binary](https://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=10189855) ✓
501 | - [2023 - Fuzzing Embedded Systems Using Debug Interfaces](https://publications.cispa.saarland/3950/1/issta23-gdbfuzz.pdf) ✓
502 | - [2023 - Icicle: A Re-Designed Emulator for Grey-Box Firmware Fuzzing](https://arxiv.org/pdf/2301.13346.pdf) ✓
503 | - [2022 - FirmSolo: Enabling dynamic analysis of binary Linux-based IoT kernel modules](https://www.usenix.org/system/files/sec23summer_190-angelakopoulos-prepub.pdf) ✓
504 | - [2022 - FuzzDocs: An Automated Security Evaluation Framework for IoT](https://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=9895405) ✓
505 | - [2022 - AflIot: Fuzzing on linux-based IoT device with binary-level instrumentation](https://www.sciencedirect.com/science/article/pii/S0167404822002838) ✓
506 | - [2022 - Tardis: Coverage-Guided Embedded Operating System Fuzzing](http://www.wingtecher.com/themes/WingTecherResearch/assets/papers/Emsoft22_Tardis.pdf) ✓
507 | - [2022 - Efficient greybox fuzzing of applications in Linux-based IoT devices via enhanced user-mode emulation](https://cenzhang.github.io/files/pubs/2022-issta-equafl.pdf) ✓
508 | - [2022 - Trampoline Over the Air: Breaking in IoT Devices Through MQTT Brokers](https://ieeexplore.ieee.org/abstract/document/9797386) ✓
509 | - [2022 - PDFuzzerGen: Policy-Driven Black-Box Fuzzer Generation for Smart Devices](https://www.hindawi.com/journals/scn/2022/9788219/) ✓
510 | - [2022 - RW-Fuzzer: A Fuzzing Method for Vulnerability Mining on Router Web Interface](https://www.hindawi.com/journals/wcmc/2022/5311295/) ✓
511 | - [2022 - IoTInfer: Automated Blackbox Fuzz Testing of IoT Network Protocols Guided by Finite State Machine Inference](https://ieeexplore.ieee.org/abstract/document/9794676) ✓
512 | - [2022 - Debugger-driven Embedded Fuzzing](https://ieeexplore.ieee.org/abstract/document/9787842) ✓
513 | - [2022 - Game of Hide-and-Seek: Exposing Hidden Interfaces in Embedded Web Applications of IoT Devices](https://dl.acm.org/doi/abs/10.1145/3485447.3512213) ✓
514 | - [2022 - 𝜇AFL: Non-intrusive Feedback-driven Fuzzing for Microcontroller Firmware](https://arxiv.org/pdf/2202.03013.pdf) ✓
515 | - [2022 - FirVer: Concolic Testing for Systematic Validation of Firmware Binaries](https://web.cecs.pdx.edu/~zhenkun/pub/aspdac22.pdf) ✓
516 | - [2022 - Fuzzware: Using Precise MMIO Modeling for Effective Firmware Fuzzing](https://sites.cs.ucsb.edu/~vigna/publications/2022_USENIXSecurity_Fuzzware.pdf) ✓
517 | - [2021 - CPscan: Detecting Bugs Caused by Code Pruning in IoT Kernels](https://dl.acm.org/doi/abs/10.1145/3460120.3484738) ✓
518 | - [2021 - An Efficient Feedback-enhanced Fuzzing Scheme for Linux-based IoT Firmwares](http://wenku.sougen.cn/static/publications/CT1281.pdf) ✗
519 | - [2021 - A Fuzzing Method for Embedded Software](https://ieeexplore.ieee.org/abstract/document/9587220) ✓
520 | - [2021 - Large-scale Firmware Vulnerability Analysis Based on Code Similarity](https://ieeexplore.ieee.org/abstract/document/9524216/) ✓
521 | - [2021 - Towards Fast and Scalable Firmware Fuzzing with Dual-Level Peripheral Modeling](https://ieeexplore.ieee.org/abstract/document/9564029) ✓
522 | - [2021 - Riding the IoT Wave with VFuzz: Discovering Security Flaws in Smart Home](https://ieeexplore.ieee.org/abstract/document/9663293) ✓
523 | - [2021 - Zero WFuzzer: Target-Oriented Fuzzing for Web Interface of Embedded Devices](https://ieeexplore.ieee.org/abstract/document/9544451) ✓
524 | - [2021 - StFuzzer: Contribution-Aware Coverage-Guided Fuzzing for Smart Devices](https://www.hindawi.com/journals/scn/2021/1987844/) ✓
525 | - [2021 - Rtkaller: State-aware Task Generation for RTOS Fuzzing](http://www.wingtecher.com/themes/WingTecherResearch/assets/papers/emsoft21.pdf)
526 | - [2021 - IFIZZ: Deep-State and Efficient Fault-Scenario Generation to Test IoT Firmware](https://nesa.zju.edu.cn/download/liu_pdf_ifizz.pdf) ✓
527 | - [2021 - Automatic Vulnerability Detection in Embedded Devices and Firmware: Survey and Layered Taxonomies](https://dl.acm.org/doi/abs/10.1145/3432893) ✓
528 | - [2021 - Fuzzing the Internet of Things: A Review on the Techniques and Challenges for Efficient Vulnerability Discovery in Embedded Systems](https://ieeexplore.ieee.org/abstract/document/9344712) ✓
529 | - [2021 - FIRM-COV: High-Coverage Greybox Fuzzing for IoT Firmware via Optimized Process Emulation](https://ieeexplore.ieee.org/abstract/document/9489311) ✓
530 | - [2020 - Verification of Embedded Software Binaries using Virtual Prototypes](https://link.springer.com/chapter/10.1007/978-3-030-54828-5_6) ✓
531 | - [2020 - μSBS: Static Binary Sanitization of Bare-metal Embedded Devices forFault Observability](https://www.usenix.org/system/files/raid20-salehi.pdf) ✓
532 | - [2020 - Device-agnostic Firmware Execution is Possible: A Concolic Execution Approach for Peripheral Emulation](https://dl.acm.org/doi/abs/10.1145/3427228.3427280) ✓
533 | - [2020 - Vulnerability Detection in SIoT Applications: A Fuzzing Method on their Binaries](https://ieeexplore.ieee.org/abstract/document/9259242) ✓
534 | - [2020 - FirmAE: Towards Large-Scale Emulation of IoT Firmware forDynamic Analysis](https://syssec.kaist.ac.kr/pub/2020/kim_acsac2020.pdf) ✓
535 | - [2020 - FIRMNANO: Toward IoT Firmware Fuzzing Through Augmented Virtual Execution](https://ieeexplore.ieee.org/abstract/document/9237719) �
536 | - [2020 - ARM-AFL: Coverage-Guided Fuzzing Framework for ARM-Based IoT Devices](https://link.springer.com/chapter/10.1007/978-3-030-61638-0_14) ✓
537 | - [2020 - Bug detection in embedded environments by fuzzing and symbolic execution](https://ieeexplore.ieee.org/document/9245083) ✓
538 | - [2020 - EM-Fuzz: Augmented Firmware Fuzzing via Memory Checking](http://www.wingtecher.com/themes/WingTecherResearch/assets/papers/EMSOFT20.pdf) ✓
539 | - [2020 - Verification of Embedded Binaries using Coverage-guided Fuzzing with System C-based Virtual Prototypes](http://www.informatik.uni-bremen.de/agra/doc/konf/2020GLSVLSI_Verification-of-Embedded-Binaries-using-Coverage-guided-Fuzzing-with-SystemC-Virtual-Prototypes.pdf) �
540 | - [2020 - DICE: Automatic Emulation of DMA Input Channels for Dynamic Firmware Analysis](https://arxiv.org/pdf/2007.01502.pdf) ✓
541 | - [2020 - Fw‐fuzz: A code coverage‐guided fuzzing framework for network protocols on firmware](https://onlinelibrary.wiley.com/doi/full/10.1002/cpe.5756) ✓
542 | - [2020 - Taint-Driven Firmware Fuzzing of Embedded Systems](https://melisasavich.com/assets/pdf/taint-driven-firmware-fuzzing-embedded-systems-thesis.pdf) ✓
543 | - [2020 - A Dynamic Instrumentation Technology for IoT Devices](https://link.springer.com/chapter/10.1007/978-3-030-50399-4_29) ✓
544 | - [2020 - Vulcan: a state-aware fuzzing tool for wear OS ecosystem](https://dl.acm.org/doi/abs/10.1145/3386901.3397492) ✓
545 | - [2020 - A Novel Concolic Execution Approach on Embedded Device](https://dl.acm.org/doi/abs/10.1145/3377644.3377654) ✓
546 | - [2020 - HFuzz: Towards automatic fuzzing testing of NB-IoT core network protocols implementations](https://www.sciencedirect.com/science/article/pii/S0167739X19324409) ✓
547 | - [2020 - FIRMCORN: Vulnerability-Oriented Fuzzing of IoT Firmware via Optimized Virtual Execution](https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=8990098) ✓
548 | - [2018 - IoTFuzzer: Discovering Memory Corruptions in IoT Through App-based Fuzzing](https://www.ndss-symposium.org/wp-content/uploads/2018/02/ndss2018_01A-1_Chen_paper.pdf) ✓
549 | - [2017 - Towards Automated Dynamic Analysis for Linux-based Embedded Firmware](https://www.ndss-symposium.org/wp-content/uploads/2017/09/towards-automated-dynamic-analysis-linux-based-embedded-firmware.pdf) ✓
550 | - [2016 - Scalable Graph-based Bug Search for Firmware Images](https://www.cs.ucr.edu/~heng/pubs/genius-ccs16.pdf) ✓
551 | - [2015 - SURROGATES: Enabling Near-Real-Time Dynamic Analyses of Embedded Systems](https://www.usenix.org/system/files/conference/woot15/woot15-paper-koscher.pdf) ✓
552 | - [2015 - Firmalice - Automatic Detection of Authentication Bypass Vulnerabilities in Binary Firmware](https://www.ndss-symposium.org/wp-content/uploads/2017/09/11_1_2.pdf) ✓
553 | - [2014 - A Large-Scale Analysis of the Security of Embedded Firmwares](https://www.usenix.org/system/files/conference/usenixsecurity14/sec14-paper-costin.pdf) ✓
554 | - [2013 - RPFuzzer: A Framework for Discovering Router Protocols Vulnerabilities Based on Fuzzing](https://koreascience.kr/article/JAKO201326951843452.pdf) ✓
555 | 
556 | ### Firmware Emulation
557 | 
558 | - [2025 - IoT Firmware Emulation and Its Security Application in Fuzzing: A Critical Revisit](https://www.mdpi.com/1999-5903/17/1/19)
559 | - [2024 - SyncEmu: Enabling Dynamic Analysis of Stateful Trusted Applications](https://ieeexplore.ieee.org/abstract/document/10628764) ✓
560 | - [2022 - What You See is Not What You Get: Revealing Hidden Memory Mapping for Peripheral Modeling](https://dl.acm.org/doi/pdf/10.1145/3545948.3545957) ✓
561 | - [2022 - What Your Firmware Tells You Is Not How You Should Emulate It: A Specification-Guided Approach for Firmware Emulation (Extended Version)](https://arxiv.org/pdf/2208.07833.pdf) ✓
562 | - [2022 - BEERR: Bench of Embedded system Experiments for Reproducible Research](https://www.s3.eurecom.fr/docs/silm22_olivier.pdf) ✓
563 | - [2022 - FIRMWIRE: Transparent Dynamic Analysis for Cellular Baseband Firmware](https://hernan.de/research/papers/firmwire-ndss22-hernandez.pdf) ✓
564 | - [2022 - An Automated Approach to Re-Hosting Embedded Firmware Through Removing Hardware Dependencies](https://hammer.purdue.edu/articles/thesis/An_Automated_Approach_to_Re-Hosting_Embedded_Firmware_Through_Removing_Hardware_Dependencies/17131628) ✓
565 | - [2021 - FIRMGUIDE: Boosting the Capability of Rehosting Embedded Linux Kernels through Model-Guided Kernel Execution](https://yajin.org/papers/ase21_firmguide.pdf) ✓
566 | - [2021 - Automatic Firmware Emulation through Invalidity-guided Knowledge Inference(Extended Version)](https://arxiv.org/pdf/2107.07759.pdf) ✓
567 | - [2021 - Firmware Re-hosting Through Static Binary-level Porting](https://arxiv.org/pdf/2107.09856.pdf) ✓
568 | - [2021 - Jetset: Targeted Firmware Rehosting for Embedded Systems](https://www.usenix.org/system/files/sec21fall-johnson.pdf) ✓
569 | - [2021 - Automatic Firmware Emulation through Invalidity-guided Knowledge Inference](https://www.usenix.org/system/files/sec21fall-zhou.pdf) ✓
570 | 
571 | ### Network fuzzing
572 | 
573 | - [2025 - AFLNet Five Years Later: On Coverage-Guided Protocol Fuzzing](https://arxiv.org/pdf/2412.20324)
574 | - [2025 - SGMFuzz: State Guided Mutation Protocol Fuzzing](https://ieeexplore.ieee.org/abstract/document/10829865)
575 | - [2024 - Stateful protocol fuzzing with statemap-based reverse state selection](https://arxiv.org/pdf/2408.06844) ✓
576 | - [2024 - No Peer, no Cry: Network Application Fuzzing via Fault Injection](https://mschloegel.me/paper/bars2024fuzztructionnet.pdf) ✓
577 | - [2024 - Stateful protocol fuzzing with statemap-based reverse state selection](https://arxiv.org/pdf/2408.06844) ✓
578 | - [2024 - Gudifu: Guided Differential Fuzzing for HTTP Request Parsing Discrepancies](https://www.onarlioglu.com/publications/raid2024gudifu.pdf) ✓
579 | - [2024 - Netfuzzlib: Adding First-Class Fuzzing Support to Network Protocol Implementations](https://papers.mathyvanhoef.com/esorics2024.pdf) ✓
580 | - [2023 - NSFuzz: Towards Eficient and State-Aware Network Service Fuzzing - RCR Report](https://dl.acm.org/doi/pdf/10.1145/3580599) ✓
581 | - [2023 - INTENDER: Fuzzing Intent-Based Networking with Intent-State Transition Guidance](https://www.usenix.org/system/files/sec23fall-prepub-285_kim-jiwon.pdf) ✓
582 | - [2023 - NSFuzz: Towards Eficient and State-Aware Network Service Fuzzing](https://dl.acm.org/doi/pdf/10.1145/3580598) ✓
583 | - [2022 - FitM: Binary-Only Coverage-Guided Fuzzing for Stateful Network Protocols](https://www.ndss-symposium.org/wp-content/uploads/bar2022_23008_paper.pdf) ✓
584 | - [2022 - WThreadAFL:Deterministic Greybox Fuzzing for Multi-threadNetwork Servers](https://conferences.sigcomm.org/events/apnet2022/posters/WThreadAFL.pdf) ✓
585 | - [2022 - Model-Based Grey-Box Fuzzing of Network Protocols](https://www.hindawi.com/journals/scn/2022/6880677/) ✓
586 | - [2022 - Registered Report: NSFuzz: Towards Efficient and State-Aware Network Service Fuzzing](https://www.ndss-symposium.org/wp-content/uploads/fuzzing2022_23006_paper.pdf) ✓
587 | - [2022 - SnapFuzz: An Efficient Fuzzing Framework for Network Applications](https://arxiv.org/pdf/2201.04048.pdf) ✓
588 | - [2022 - REST API Fuzzing by Coverage Level Guided Blackbox Testing](https://arxiv.org/pdf/2112.15485.pdf) ✓
589 | - [2022 - SNPSFuzzer: A Fast Greybox Fuzzer for Stateful Network Protocols using Snapshots](https://arxiv.org/pdf/2202.03643.pdf) ✓
590 | - [2022 - WAFL: Binary-Only WebAssembly Fuzzing with Fast Snapshots](https://dl.acm.org/doi/abs/10.1145/3503921.3503924) ✓
591 | - [2021 - Nyx-Net: Network Fuzzing with Incremental Snapshots](https://arxiv.org/pdf/2111.03013.pdf) ✓
592 | - [2021 - RapidFuzz: Accelerating Fuzzing via Generative Adversarial Networks](https://www.sciencedirect.com/science/article/abs/pii/S0925231221010122) ✓
593 | - [2021 - StateAFL: Greybox Fuzzing for Stateful Network Servers](https://arxiv.org/pdf/2110.06253.pdf) ✓
594 | - [2020 - AFLNET: A Greybox Fuzzer for Network Protocols](https://www.comp.nus.edu.sg/~abhik/pdf/AFLNet-ICST20.pdf) ✓
595 | - [2020 - Finding Security Vulnerabilities in Network Protocol Implementations](https://arxiv.org/pdf/2001.09592.pdf) ✓
596 | 
597 | ### Kernel fuzzing
598 | 
599 | - [2025 - SyzParam: Incorporating Runtime Parameters into Kernel Driver Fuzzing](https://arxiv.org/pdf/2501.10002)
600 | - [2024 - OZZ: Identifying Kernel Out-of-Order Concurrency Bugs with In-Vivo Memory Access Reordering](https://gts3.org/assets/papers/2024/jeong:ozz.pdf) ✓
601 | - [2024 - SyzLego: Enhancing Kernel Directed Greybox Fuzzing via Dependency Inference and Scheduling](https://link.springer.com/chapter/10.1007/978-3-031-75757-0_9) ✓
602 | - [2024 - A Little Goes a Long Way: Tuning Configuration Selection for Continuous Kernel Fuzzing](https://paulgazzillo.com/papers/icse25.pdf) ✓
603 | - [2024 - CountDown: Refcount-guided Fuzzing for Exposing Temporal Memory Errors in Linux Kernel](https://huhong789.github.io/papers/bai:countdown.pdf) ✓
604 | - [2024 - Approaches to determining the attack surface for fuzzing the Linux kernel](https://www.e3s-conferences.org/articles/e3sconf/pdf/2024/61/e3sconf_uesf2024_03005.pdf) ✓
605 | - [2024 - SyzGen++: Dependency Inference for Augmenting Kernel Driver Fuzzing](https://www.cs.ucr.edu/~zhiyunq/pub/oakland24_syzgenplusplus.pdf) ✓
606 | - [2024 - SyzRetrospector: A Large-Scale Retrospective Study of Syzbot](https://arxiv.org/pdf/2401.11642) ✓
607 | - [2024 - SyzRisk: A Change-Pattern-Based Continuous Kernel Regression Fuzzer](http://nebelwelt.net/files/24AsiaCCS.pdf) ✓
608 | - [2024 - MOCK: Optimizing Kernel Fuzzing Mutation with Context-aware Dependency](https://www.ndss-symposium.org/wp-content/uploads/2024-131-paper.pdf) ✓
609 | - [2023 - SyzDirect: Directed Greybox Fuzzing for Linux Kernel](https://dl.acm.org/doi/abs/10.1145/3576915.3623146) ✓
610 | - [2023 - SyzBridge: Bridging the Gap in Exploitability Assessment of Linux Kernel Bugs in the Linux Ecosystem](https://etenal.me/download/SyzBridge.pdf) ✓
611 | - [2023 - KextFuzz: A Practical Fuzzer for macOS Kernel EXTensions on Apple Silicon](https://www.computer.org/csdl/journal/tq/5555/01/10315961/1S2UHhBqryU) ✓
612 | - [2023 - WinkFuzz: Model-based Script Synthesis for Fuzzing](https://dl.acm.org/doi/abs/10.1145/3591365.3592946) ✓
613 | - [2023 - SyzDescribe: Principled, Automated, Static Generation of Syscall Descriptions for Kernel Drivers](https://www.cs.ucr.edu/~zhiyunq/pub/oakland23_syzdescribe.pdf) ✓
614 | - [2023 - ACTOR: Action-Guided Kernel Fuzzing](https://nebelwelt.net/files/23SEC6.pdf) ✓
615 | - [2023 - KextFuzz: Fuzzing macOS Kernel EXTensions on Apple Silicon via Exploiting Mitigations](https://www.usenix.org/system/files/sec23fall-prepub-425-yin-tingting.pdf) ✓
616 | - [2023 - BoKASAN: Binary-only Kernel Address Sanitizer for Effective Kernel Fuzzing](https://www.usenix.org/system/files/sec23fall-prepub-325-cho-mingi.pdf) ✓
617 | - [2023 - DDRace: Finding Concurrency UAF Vulnerabilities in Linux Drivers with Directed Fuzzing](https://www.usenix.org/system/files/sec23fall-prepub-193-yuan-ming.pdf) ✓
618 | - [2023 - Towards Unveiling Exploitation Potential With Multiple Error Behaviors for Kernel Bugs](https://ieeexplore.ieee.org/abstract/document/10048506) ✓
619 | - [2023 - No Grammar, No Problem: Towards Fuzzing the Linux Kernel without System-Call Descriptions](https://www.ndss-symposium.org/wp-content/uploads/2023/02/ndss2023_f688_paper.pdf) ✓
620 | - [2022 - PrIntFuzz: fuzzing Linux drivers via automated virtual device simulation](https://dl.acm.org/doi/pdf/10.1145/3533767.3534226) ✓
621 | - [2022 - KSG: Augmenting Kernel Fuzzing with System Call Specification Generation](http://www.wingtecher.com/themes/WingTecherResearch/assets/papers/atc22.pdf) ✓
622 | - [2022 - Demystifying the Dependency Challenge in Kernel Fuzzing](https://dl.acm.org/doi/pdf/10.1145/3510003.3510126) ✓
623 | - [2022 - Midas: Systematic Kernel TOCTTOU Protection](https://www.usenix.org/system/files/sec22summer_bhattacharyya.pdf) ✓
624 | - [2021 - Evaluating Code Coverage for Kernel Fuzzers via Function Call Graph](https://ieeexplore.ieee.org/abstract/document/9618942) ✓
625 | - [2021 - ACHyb: a hybrid analysis approach to detect kernel access control vulnerabilities](https://dl.acm.org/doi/abs/10.1145/3468264.3468627) ✓
626 | - [2021 - CVFuzz: Detecting complexity vulnerabilities in OpenCL kernels via automated pathological input generation](https://www.sciencedirect.com/science/article/abs/pii/S0167739X21003526) ✓
627 | - [2021 - HEALER: Relation Learning Guided Kernel Fuzzing](www.wingtecher.com/themes/WingTecherResearch/assets/papers/healer-sosp21.pdf)
628 | - [2021 - SyzVegas: Beating Kernel Fuzzing Odds with Reinforcement Learning](https://www.usenix.org/conference/usenixsecurity21/presentation/wang-daimeng) ✓
629 | - [2021 - NTFUZZ: Enabling Type-Aware Kernel Fuzzing on Windows with Static Binary Analysis](https://islab-sogang.github.io/data/oakland2021.pdf) ✓
630 | - [2021 - Undo Workarounds for Kernel Bugs](https://www.cs.ucr.edu/~zhiyunq/pub/sec21_undo_workarounds.pdf) ✓
631 | - [2020 - A Hybrid Interface Recovery Method for Android Kernels Fuzzing](https://qrs20.techconf.org/QRS2020_FULL/pdfs/QRS2020-4LGdOos7NAbR8M2s6S6ezE/891300a335/891300a335.pdf) ✓
632 | - [2020 - FINDING RACE CONDITIONS IN KERNELS:FROM FUZZING TO SYMBOLIC EXECUTION - THESIS](https://gts3.org/assets/papers/2020/xu:thesis.pdf) ✓
633 | - [2020 - Agamotto: Accelerating Kernel Driver Fuzzing with Lightweight Virtual Machine Checkpoints](https://www.usenix.org/conference/usenixsecurity20/presentation/song) ✓
634 | - [2020 - X-AFL: a kernel fuzzer combining passive and active fuzzing](https://dl.acm.org/doi/abs/10.1145/3380786.3391400) ✓
635 | - [2020 - Identification of Kernel Memory Corruption Using Kernel Memory Secret Observation Mechanism](https://search.ieice.org/bin/summary.php?id=e103-d_7_1462) ✓
636 | - [2020 - HFL: Hybrid Fuzzing on the Linux Kernel](https://www.ndss-symposium.org/wp-content/uploads/2020/02/24018.pdf) ✓
637 | - [2020 - Realistic Error Injection for System Calls](https://arxiv.org/pdf/2006.04444.pdf) ✓
638 | - [2020 - KRACE: Data Race Fuzzing for Kernel File Systems](https://taesoo.kim/pubs/2020/xu:krace.pdf) ✓
639 | - [2020 - USBFuzz: A Framework for Fuzzing USB Drivers by Device Emulation](https://hexhive.epfl.ch/publications/files/20SEC3.pdf) ✓
640 | - [2019 - Fuzzing File Systems via Two-Dimensional Input Space Exploration](https://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=8835267) ✓
641 | - [2019 - Razzer: Finding Kernel Race Bugs through Fuzzing](https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=8835326) ✓
642 | - [2019 - Unicorefuzz: On the Viability of Emulation for Kernel space Fuzzing](https://www.usenix.org/system/files/woot19-paper_maier.pdf) ✓
643 | - [2017 - Stateful Fuzzing of Wireless Device Drivers in an Emulated Environment](https://pdfs.semanticscholar.org/26b9/97d7a83ce950db6d311ee65c268e756e0794.pdf) ✓
644 | - [2017 - DIFUZE: Interface Aware Fuzzing for Kernel Drivers](https://acmccs.github.io/papers/p2123-corinaA.pdf) ✓
645 | - [2008 - Fuzzing Wi-Fi Drivers to Locate Security Vulnerabilities](https://www.di.fc.ul.pt/~nuno/PAPERS/EDCC08.pdf) ⚠
646 | 
647 | ### Format specific fuzzing
648 | 
649 | - [2025 - Smart Contract Fuzzing Towards Profitable Vulnerabilities](https://arxiv.org/pdf/2501.08834)
650 | - [2025 - DUMPLING: Fine-grained Differential JavaScript Engine Fuzzing](http://nebelwelt.net/files/25NDSS2.pdf) ✓
651 | - [2024 - SQLPass: A Semantic Effective Fuzzing Method for DBMS](https://ieeexplore.ieee.org/abstract/document/10633453) ✓
652 | - [2024 - Atlas: Automating Cross-Language Fuzzing on Android Closed-Source Libraries](https://dl.acm.org/doi/abs/10.1145/3650212.3652133) ✓
653 | - [2024 - Tacoma: Enhanced Browser Fuzzing with Fine-Grained Semantic Alignment](https://dl.acm.org/doi/abs/10.1145/3650212.3680351) ✓
654 | - [2024 - Applying Fuzz Driver Generation to Native C/C++ Libraries of OEM Android Framework: Obstacles and Solutions](https://yuanxzhang.github.io/paper/fuzzgen++-ase24industry.pdf) ✓
655 | - [2024 - CrossFire: Fuzzing macOS Cross-XPU Memory on Apple Silicon](https://dl.acm.org/doi/abs/10.1145/3658644.3690376) ✓
656 | - [2024 - BArcherFuzzer: An Android System Services Fuzzier via Transaction Dependencies of BpBinder](https://cdn.techscience.cn/files/iasc/2024/TSP_IASC-39-3/TSP_IASC_47509/TSP_IASC_47509.pdf) ✓
657 | - [2024 - BRF: Fuzzing the eBPF Runtime](https://dl.acm.org/doi/pdf/10.1145/3643778) ✓
658 | - [2024 - Monarch: A Fuzzing Framework for Distributed File Systems](https://hexhive.epfl.ch/publications/files/24ATC.pdf) ✓
659 | - [2023 - Android Fuzzing: Balancing User-Inputs and Intents](https://ieeexplore.ieee.org/abstract/document/10132258) ✓
660 | - [2023 - ItyFuzz: Snapshot-Based Fuzzer for Smart Contract](https://arxiv.org/pdf/2306.17135.pdf) ✓
661 | - [2023 - BRF: eBPF Runtime Fuzzer](https://arxiv.org/pdf/2305.08782.pdf) ✓
662 | - [2023 - MorFuzz: Fuzzing Processor via Runtime Instruction Morphing enhanced Synchronizable Co-simulation](https://www.usenix.org/system/files/sec23fall-prepub-7-xu-jinyan.pdf) ✓
663 | - [2023 - EFCF: High Performance Smart Contract Fuzzing for Exploit Generation](https://arxiv.org/pdf/2304.06341.pdf) ✓
664 | - [2023 - ODDFUZZ: Discovering Java Deserialization Vulnerabilities via Structure-Aware Directed Greybox Fuzzing](https://arxiv.org/pdf/2304.04233.pdf) ✓
665 | - [2023 - VIDEZZO: Dependency-aware Virtual Device Fuzzing](https://nebelwelt.net/files/23Oakland4.pdf) ✓
666 | - [2023 - HyPFuzz: Formal-Assisted Processor Fuzzing](https://arxiv.org/pdf/2304.02485.pdf) ✓
667 | - [2023 - FUZZILLI: Fuzzing for JavaScript JIT Compiler Vulnerabilities](https://www.ndss-symposium.org/wp-content/uploads/2023/02/ndss2023_f290_paper.pdf) ✓
668 | - [2022 - SFuzz: Slice-based Fuzzing for Real-Time Operating Systems](https://dl.acm.org/doi/abs/10.1145/3548606.3559367) ✓
669 | - [2022 - LFUZZ: Exploiting Locality for File-system Fuzzing](https://www.cs.fsu.edu/files/reports/TR220922.pdf) ✓
670 | - [2022 - MUNDOFUZZ: Hypervisor Fuzzing with Statistical Coverage Testing and Grammar Inference](https://lifeasageek.github.io/papers/cheolwoo-mundofuzz.pdf) ✓
671 | - [2022 - DTLS-Fuzzer: A DTLS Protocol State Fuzzer](https://assist-project.github.io/papers/DTLS-Fuzzer@ICST-22.pdf) ✓
672 | - [2022 - FuzzUSB: Hybrid Stateful Fuzzing of USB Gadget Stacks](https://www.computer.org/csdl/proceedings-article/sp/2022/131600a632/1A4Q3mz4uLm) ✓
673 | - [2022 - TheHuzz: Instruction Fuzzing of Processors Using Golden-Reference Models for Finding Software-Exploitable Vulnerabilities](https://arxiv.org/pdf/2201.09941.pdf) ✓
674 | - [2021 - V-Shuttle: Scalable and Semantics-Aware Hypervisor Virtual Device Fuzzing](https://nesa.zju.edu.cn/download/pgn_pdf_V-SHUTTLE.pdf) ✓
675 | - [2021 - FormatFuzzer: Effective Fuzzing of Binary File Formats](https://arxiv.org/pdf/2109.11277.pdf) ✓
676 | - [2020 - NYX: Greybox Hypervisor Fuzzing using Fast Snapshots and Affine Types](https://www.usenix.org/system/files/sec21summer_schumilo.pdf) ✓
677 | - [2020 - Tree2tree Structural Language Modeling for Compiler Fuzzing](https://link.springer.com/chapter/10.1007/978-3-030-60245-1_38) ✓
678 | - [2020 - Detecting Critical Bugs in SMT Solvers Using Blackbox Mutational Fuzzing](https://arxiv.org/pdf/2004.05934.pdf) ✓
679 | - [2020 - JS Engine - Montage: A Neural Network Language Model-Guided JavaScript Engine Fuzzer](https://arxiv.org/abs/2001.04107.pdf) ✓
680 | - [2020 - JS Engine - Fuzzing JavaScript Engines with Aspect-preserving Mutation](https://taesoo.kim/pubs/2020/park:die.pdf) ✓
681 | - [2020 - CUDA Compiler - CUDAsmith: A Fuzzer for CUDA Compilers](http://jiangbo.buaa.edu.cn/compsac20-CUDAsmith.pdf) ✓
682 | - [2020 - Smart Contracts - sFuzz: An Efficient Adaptive Fuzzer for Solidity Smart Contracts](https://arxiv.org/abs/2004.08563) ✓
683 | - [2019 - Compiler Fuzzing: How Much Does It Matter?](https://srg.doc.ic.ac.uk/files/papers/compilerbugs-oopsla-19.pdf) ✓
684 | - [2019 - Smart Contracts - Harvey: A Greybox Fuzzer for Smart Contracts](https://arxiv.org/abs/1905.06944.pdf) ✓
685 | - [2017 - XML - Skyfire: Data-Driven Seed Generation for Fuzzing](https://www.ieee-security.org/TC/SP2017/papers/42.pdf) ✓
686 | 
687 | ### Exploitation
688 | 
689 | - [2025 - AIRBUGCATCHER: Automated Wireless Reproduction of IoT Bugs](https://asset-group.github.io/papers/airbugcatcher.pdf)
690 | - [2024 - Revealing the exploitability of heap overflow through PoC analysis](https://link.springer.com/article/10.1186/s42400-024-00244-6) ✓
691 | - [2024 - Take a Step Further: Understanding Page Spray in Linux Kernel Exploitation](https://arxiv.org/pdf/2406.02624) ✓
692 | - [2024 - K-LEAK: Towards Automating the Generation of Multi-Step Infoleak Exploits against the Linux Kernel](https://www.cs.ucr.edu/~zhiyunq/pub/ndss24_kleak.pdf) ✓
693 | - [2023 - Enhanced Memory Corruption Detection in C/C++ Programs](https://dl.acm.org/doi/abs/10.1145/3605731.3605903) ✓
694 | - [2023 - Automated Exploitable Heap Layout Generation for Heap Overflows Through Manipulation Distance-Guided Fuzzing](https://www.usenix.org/system/files/sec23fall-prepub-581-zhang-bin.pdf) ✓
695 | - [2023 - The Most Dangerous Codec in the World: Finding and Exploiting Vulnerabilities in H.264 Decoders](https://wrv.github.io/h26forge.pdf) ✓
696 | - [2023 - Detecting Exploit Primitives Automatically for Heap Vulnerabilities on Binary Programs](https://arxiv.org/pdf/2212.13990.pdf) ✓
697 | - [2022 - RiscyROP: Automated Return-Oriented Programming Attacks on RISC-V and ARM64](https://www.syssec.wiwi.uni-due.de/fileadmin/fileupload/I-SYSSEC/research/RiscyROP.pdf) ✓
698 | - [2022 - Automatic Permission Check Analysis for Linux Kernel](https://www.computer.org/csdl/journal/tq/5555/01/09750908/1ClSWBlV5ao) ✓
699 | - [2022 - OS-Aware Vulnerability Prioritization via Differential Severity Analysis](https://www.usenix.org/system/files/sec22-wu-qiushi.pdf) ✓
700 | - [2022 - Arbiter: Bridging the Static and Dynamic Divide in Vulnerability Discovery on Binary Programs](https://www.usenix.org/system/files/sec22fall_vadayath.pdf) ✗
701 | - [2022 - KASPER: Scanning for Generalized Transient Execution Gadgets in the Linux Kernel](https://download.vusec.net/papers/kasper_ndss22.pdf) ✓
702 | - [2022 - MaMaDroid 2.0 - The Holes of control flow graphs](https://arxiv.org/pdf/2202.13922.pdf) ✓
703 | - [2022 -ShadowHeap: Memory Safety through Efficient Heap Metadata Validation](https://isyou.info/jowua/papers/jowua-v12n4-1.pdf) ✓
704 | - [2022 - MACH2: System for Root Cause Analysis of Kernel Vulnerabilities \[THESIS\]](https://smartech.gatech.edu/bitstream/handle/1853/66274/DESAI-UNDERGRADUATERESEARCHOPTIONTHESIS-2021.pdf?sequence=1)
705 | - [2021 - Automated Bug Hunting With Data-Driven Symbolic Root Cause Analysis](https://dl.acm.org/doi/abs/10.1145/3460120.3485363) ✓
706 | - [2021 - MAJORCA: Multi-Architecture JOP and ROP Chain Assembler](https://arxiv.org/pdf/2111.05781.pdf) ✓
707 | - [2021 - A Novel Method for the Automatic Generation of JOP Chain Exploits](https://link.springer.com/chapter/10.1007/978-3-030-84614-5_7) ✓
708 | - [2021 - V0Finder: Discovering the Correct Origin of Publicly Reported Software Vulnerabilities](https://ccs.korea.ac.kr/pds/SECURITY21.pdf) ✓
709 | - [2021 - Identifying Valuable Pointers in Heap Data](https://mickens.seas.harvard.edu/files/mickens/files/memory_cartography.pdf) ✓
710 | - [2021 - OCTOPOCS: Automatic Verification of Propagated Vulnerable Code Using Reformed Proofs of Concept](https://ccs.korea.ac.kr/pds/DSN21.pdf) ✓
711 | - [2021 - Characterizing Vulnerabilities in a Major Linux Distribution](https://ksiresearch.org/seke/seke20paper/paper033.pdf) ✓
712 | - [2021 - MAZE: Towards Automated Heap Feng Shui](https://www.usenix.org/system/files/sec21fall-wang-yan.pdf) ✓
713 | - [2021 - Vulnerability Detection in C/C++ Source Code With Graph Representation Learning](https://ieeexplore.ieee.org/abstract/document/9376145) ✓
714 | - [2021 - mallotROPism: a metamorphic engine for malicious software variation development](https://link.springer.com/article/10.1007/s10207-021-00541-y) ✓
715 | - [2020 - Automatic Techniques to Systematically Discover New Heap Exploitation Primitives](https://www.usenix.org/system/files/sec20-yun.pdf) ✓
716 | - [2020 - Shadow-Heap: Preventing Heap-based Memory Corruptions by Metadata Validation](https://lukasatkinson.de/research/Bouche2020ShadowHeapValidation.pdf) ✓
717 | - [2020 - Practical Fine-Grained Binary Code Randomization](https://dl.acm.org/doi/abs/10.1145/3427228.3427292) ✓
718 | - [2020 - Tiny-CFA: Minimalistic Control-Flow Attestation UsingVerified Proofs of Execution](https://arxiv.org/abs/2011.07400) ⚠
719 | - [2020 - Greybox Automatic Exploit Generation for Heap Overflows in Language Interpreters - PHD THESIS](https://seanhn.files.wordpress.com/2020/11/heelan_phd_thesis.pdf) ✓
720 | - [2020 - ABCFI: Fast and Lightweight Fine-Grained Hardware-Assisted Control-Flow Integrity](https://www.sci-hub.se/10.1109/TCAD.2020.3012640) ✓
721 | - [2020 - HeapExpo: Pinpointing Promoted Pointers to Prevent Use-After-Free Vulnerabilities](http://moyix.net/~moyix/papers/heapexpo.pdf) ✗
722 | - [2020 - Localizing Patch Points From One Exploit](https://arxiv.org/pdf/2008.04516.pdf) ✓
723 | - [2020 - Speculative Dereferencing of Registers: Reviving Foreshadow](https://arxiv.org/pdf/2008.02307.pdf) ✓
724 | - [2020 - HAEPG: An Automatic Multi-hop Exploitation Generation Framework](https://www.ncbi.nlm.nih.gov/pmc/articles/PMC7338205/) ✓
725 | - [2020 - Exploiting More Binaries by Using Planning to Assemble ROP Exploiting More Binaries by Using Planning to Assemble ROP Attacks Attacks](https://scholars.unh.edu/cgi/viewcontent.cgi?article=2376&context=thesis) ✓
726 | - [2020 - ROPminer: Learning-Based Static Detection of ROP Chain Considering Linkability of ROP Gadgets](https://search.ieice.org/bin/summary.php?id=e103-d_7_1476) ✓
727 | - [2020 - KOOBE: Towards Facilitating Exploit Generation of Kernel Out-Of-Bounds Write Vulnerabilities](http://www.cs.ucr.edu/~zhiyunq/pub/sec20_koobe.pdf) ✓
728 | - [2020 - Preventing Return Oriented Programming Attacks By Preventing Return Instruction Pointer Overwrites](https://www.csee.umbc.edu/~allgood1/papers/611-rop.pdf) ✓
729 | - [2020 - KASLR: Break It, Fix It, Repeat](http://cc0x1f.net/publications/kaslr.pdf) ✓
730 | - [2020 - ShadowGuard : Optimizing the Policy and Mechanism of Shadow Stack Instrumentation using Binary Static Analysis](https://arxiv.org/pdf/2002.07748.pdf) ✓
731 | - [2020 - VulHunter: An Automated Vulnerability Detection System Based on Deep Learning and Bytecode](https://link.springer.com/chapter/10.1007/978-3-030-41579-2_12) ✓
732 | - [2020 - Analysis and Evaluation of ROPInjector](http://dione.lib.unipi.gr/xmlui/bitstream/handle/unipi/12622/Tsioutsias_1633.pdf) ✓
733 | - [2020 - API Misuse Detection in C Programs: Practice on SSL APIs](https://www.worldscientific.com/doi/abs/10.1142/S0218194019400205) ✓
734 | - [2020 - KOOBE: Towards Facilitating Exploit Generation of Kernel Out-Of-Bounds Write Vulnerabilities](http://www.cs.ucr.edu/~zhiyunq/pub/sec20_koobe.pdf) ✓
735 | - [2020 - Egalito: Layout-Agnostic Binary Recompilation](http://www.cs.columbia.edu/~junfeng/papers/egalito-asplos20.pdf) ✓
736 | - [2020 - Verifying Software Vulnerabilities in IoT Cryptographic Protocols](https://arxiv.org/pdf/2001.09837.pdf) ✓
737 | - [2020 - μRAI: Securing Embedded Systems with Return Address Integrity](https://nebelwelt.net/files/20NDSS.pdf) ✓
738 | - [2020 - Preventing Return Oriented Programming Attacks By Preventing Return Instruction Pointer Overwrites](https://www.csee.umbc.edu/~allgood1/papers/611-rop.pdf) ✓
739 | - [2019 - Kernel Protection Against Just-In-Time Code Reuse](https://dl.acm.org/doi/abs/10.1145/3277592) ✓
740 | - [2019 - Kernel Exploitation Via Uninitialized Stack](https://infocon.org/cons/DEF%20CON/DEF%20CON%2019/DEF%20CON%2019%20presentations/DEF%20CON%2019%20-%20Cook-Kernel-Exploitation.pdf) ✓
741 | - [2019 - KEPLER: Facilitating Control-flow Hijacking Primitive Evaluation for Linux Kernel Vulnerabilities](https://www.usenix.org/system/files/sec19-wu-wei.pdf) ✓
742 | - [2019 - SLAKE: Facilitating Slab Manipulation for Exploiting Vulnerabilities in the Linux Kernel](https://dl.acm.org/doi/abs/10.1145/3319535.3363212) ✓
743 | - [2018 - HeapHopper: Bringing Bounded Model Checkingto Heap Implementation Security](https://www.usenix.org/system/files/conference/usenixsecurity18/sec18-eckert.pdf) ✓
744 | - [2018 - K-Miner: Uncovering Memory Corruption in Linux](https://www.ndss-symposium.org/wp-content/uploads/2018/02/ndss2018_05A-1_Gens_paper.pdf) ✓
745 | - [2017 - HAIT: Heap Analyzer with Input Tracing](https://www.scitepress.org/papers/2017/64208/64208.pdf) ✓
746 | - [2017 - DROP THE ROP: Fine-grained Control-flow Integrity for the Linux Kernel](https://www.blackhat.com/docs/asia-17/materials/asia-17-Moreira-Drop-The-Rop-Fine-Grained-Control-Flow-Integrity-For-The-Linux-Kernel-wp.pdf) ✓
747 | - [2017 - kR^X: Comprehensive Kernel Protection against Just-In-Time Code Reuse](https://dl.acm.org/doi/abs/10.1145/3064176.3064216) ✓
748 | - [2017 - Unleashing Use-Before-Initialization Vulnerabilities in the Linux Kernel Using Targeted Stack Spraying](https://www.ndss-symposium.org/wp-content/uploads/2017/09/ndss2017_09-2_Lu_paper.pdf) ✓
749 | - [2017 - Towards Automated Dynamic Analysis for Linux-based Embedded Firmware](https://www.ndss-symposium.org/wp-content/uploads/2017/09/towards-automated-dynamic-analysis-linux-based-embedded-firmware.pdf) ✓
750 | - [2016 - Scalable Graph-based Bug Search for Firmware Images](https://www.cs.ucr.edu/~heng/pubs/genius-ccs16.pdf) ✓
751 | - [2015 - Cross-Architecture Bug Search in Binary Executables](https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=7163056) ✓
752 | - [2015 - SURROGATES: Enabling Near-Real-Time Dynamic Analyses of Embedded Systems](https://www.usenix.org/system/files/conference/woot15/woot15-paper-koscher.pdf) ✓
753 | - [2015 - From Collision To Exploitation: Unleashing Use-After-Free Vulnerabilities in Linux Kernel](http://repository.root-me.org/Exploitation%20-%20Syst%C3%A8me/Unix/EN%20-%20From%20collision%20to%20exploitation%3A%20Unleashing%20Use-After-Free%20vulnerabilities%20in%20Linux%20Kernel.pdf) ✓
754 | - [2015 - PIE: Parser Identification in Embedded Systems](http://www.s3.eurecom.fr/docs/acsac15_cojocar.pdf) ✓
755 | - [2014 - ret2dir: Rethinking Kernel Isolation](https://www.usenix.org/system/files/conference/usenixsecurity14/sec14-paper-kemerlis.pdf) ✓
756 | - [2014 - Make It Work, Make It Right, Make It Fast: Building a Platform-Neutral Whole-System Dynamic Binary Analysis Platform](https://www.cs.ucr.edu/~heng/pubs/issta14.pdf) ✓
757 | - [2011 - Linux kernel vulnerabilities: state-of-the-art defenses and open problems](https://dl.acm.org/doi/abs/10.1145/2103799.2103805) ✓
758 | - [2011 - Protecting the Core: Kernel Exploitation Mitigations](http://census.gr/media/bheu-2011-wp.pdf) ✓
759 | - [2015 - From Collision To Exploitation: Unleashing Use-After-Free Vulnerabilities in Linux Kernel](http://repository.root-me.org/Exploitation%20-%20Syst%C3%A8me/Unix/EN%20-%20From%20collision%20to%20exploitation%3A%20Unleashing%20Use-After-Free%20vulnerabilities%20in%20Linux%20Kernel.pdf) ✓
760 | - [2014 - ret2dir: Rethinking Kernel Isolation](https://www.usenix.org/system/files/conference/usenixsecurity14/sec14-paper-kemerlis.pdf) ✓
761 | - [2012 - Anatomy of a Remote Kernel Exploit](https://www.cs.dartmouth.edu/sergey/cs258/2012/Dan-Rosenberg-lecture.pdf) ⚠
762 | - [2012 - A Heap of Trouble: Breaking the Linux Kernel SLOB Allocator](http://vulnfactory.org/research/slob.pdf) ✗
763 | - [2011 - Linux kernel vulnerabilities: state-of-the-art defenses and open problems](https://dl.acm.org/doi/abs/10.1145/2103799.2103805) ✓
764 | - [2011 - Protecting the Core: Kernel Exploitation Mitigations](http://census.gr/media/bheu-2011-wp.pdf) ✓
765 | 
766 | ### Static Binary Analysis
767 | 
768 | - [2025 - LLM-Powered Static Binary Taint Analysis](https://dl.acm.org/doi/pdf/10.1145/3711816)
769 | - [2025 - BinHunter: A Fine-Grained Graph Representation for Localizing Vulnerabilities in Binary Executables](https://r-mukund.github.io/pdf/2024-ACSAC.pdf)
770 | - [2024 - Effectiveness of ChatGPT for Static Analysis: How Far Are We?Effectiveness of ChatGPT for Static Analysis: How Far Are We?](https://dl.acm.org/doi/abs/10.1145/3664646.3664777) ✓
771 | - [2024 - Bin2Summary: Beyond Function Name Prediction in Stripped Binaries with Functionality-Specific Code Embeddings](https://dl.acm.org/doi/pdf/10.1145/3643729) ✓
772 | - [2021 - ICALLEE: Recovering Call Graphs for Binaries](https://arxiv.org/pdf/2111.01415.pdf) ✓
773 | - [2021 - EnBinDiff: Identifying Data-only Patches for Binaries](https://www.computer.org/csdl/journal/tq/5555/01/09645381/1zc6LAcyvHG) ✓
774 | - [2021 - VIVA: Binary Level Vulnerability Identification via Partial Signature](https://ieeexplore.ieee.org/abstract/document/9425910) ✓
775 | - [2021 - Overview of the advantages and disadvantages of static code analysis tools](https://courses.cs.ut.ee/MTAT.03.270/2021_spring/uploads/Main/report-draft.pdf) ✓
776 | - [2021 - Multi-Level Cross-Architecture Binary Code Similarity Metric](https://link.springer.com/article/10.1007/s13369-021-05630-7) ✓
777 | - [2020 - VulDetector: Detecting Vulnerabilities using Weighted Feature Graph Comparison](https://ieeexplore.ieee.org/abstract/document/9309254) ✓
778 | - [2020 - DEEPBINDIFF: Learning Program-Wide Code Representations for Binary Diffing](https://www.ndss-symposium.org/wp-content/uploads/2020/02/24311-paper.pdf) ✓
779 | - [2020 - BinDeep: A Deep Learning Approach to Binary Code Similarity Detection](https://www.sci-hub.se/10.1016/j.eswa.2020.114348) ✓
780 | - [2020 - Revisiting Binary Code Similarity Analysis using Interpretable Feature Engineering and Lessons Learned](https://0xdkay.me/pub/2020/kim-arxiv2020.pdf) ✓
781 | - [2020 - iDEA: Static Analysis on the Security of Apple Kernel Drivers](http://homes.sice.indiana.edu/luyixing/bib/CCS20-iDEA.pdf) ✓
782 | - [2020 - HART: Hardware-Assisted Kernel Module Tracing on Arm](https://sci-hub.se/10.1007/978-3-030-58951-6) ✓
783 | - [2020 - AN APPROACH TO COMPARING CONTROL FLOW GRAPHS BASED ON BASIC BLOCK MATCHING](http://www.ijcse.com/docs/INDJCSE20-11-03-237.pdf) ✓
784 | - [2020 - How Far We Have Come: Testing Decompilation Correctness of C Decompilers](https://monkbai.github.io/files/issta-20.pdf) ✓
785 | - [2020 - Dynamic Binary Lifting and Recompilation DISS](https://escholarship.org/content/qt8pz574mn/qt8pz574mn_noSplash_b11493cfba04b6b9c737eb3e42038820.pdf) ✓
786 | - [2020 - Similarity Based Binary Backdoor Detection via Attributed Control Flow Graph](https://ieeexplore.ieee.org/abstract/document/9085069) ✓
787 | - [2020 - IoTSIT: A Static Instrumentation Tool for IoT Devices](https://ieeexplore.ieee.org/document/9084145) ✓
788 | - [2019 - Code Similarity Detection using AST and Textual Information](http://www.ijpe-online.com/EN/10.23940/ijpe.19.10.p14.26832691) ✗
789 | - [2018 - CodEX: Source Code Plagiarism DetectionBased on Abstract Syntax Trees](https://ceur-ws.org/Vol-2259/aics_33.pdf) ✓
790 | - [2017 - rev.ng: a unified binary analysis framework to recover CFGs and function boundaries](https://dl.acm.org/doi/abs/10.1145/3033019.3033028) ✓
791 | - [2017 - Angr: The Next Generation of Binary Analysis](https://ieeexplore.ieee.org/abstract/document/8077799) ✓
792 | - [2016 - Binary code is not easy](https://dl.acm.org/doi/abs/10.1145/2931037.2931047) ✓
793 | - [2015 - Cross-Architecture Bug Search in Binary Executables](https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=7163056) ✓
794 | - [2014 - A platform for secure static binary instrumentation](https://dl.acm.org/doi/abs/10.1145/2576195.2576208) ✓
795 | - [2013 - MIL: A language to build program analysis tools through static binary instrumentation](https://ieeexplore.ieee.org/abstract/document/6799106) ✓
796 | - [2013 - Binary Code Analysis](https://ieeexplore.ieee.org/abstract/document/6583187) ✓
797 | - [2013 - A compiler-level intermediate representation based binary analysis and rewriting system](https://dl.acm.org/doi/abs/10.1145/2465351.2465380) ✓
798 | - [2013 - Protocol reverse engineering through dynamic and static binary analysis](https://www.sciencedirect.com/science/article/abs/pii/S1005888513602174) ✓
799 | - [2013 - BinaryPig: Scalable Static Binary Analysis Over Hadoop](https://media.blackhat.com/us-13/US-13-Hanif-Binarypig-Scalable-Malware-Analytics-in-Hadoop-WP.pdf) ✓
800 | - [2011 - BAP: A Binary Analysis Platform](https://link.springer.com/chapter/10.1007/978-3-642-22110-1_37) ✓
801 | - [2009 - Syntax tree fingerprinting for source code similarity detection](https://www.researchgate.net/publication/221219530_Syntax_tree_fingerprinting_for_source_code_similarity_detection) ✓
802 | - [2008 - BitBlaze: A New Approach to Computer Security via Binary Analysis](https://link.springer.com/chapter/10.1007/978-3-540-89862-7_1) ✓
803 | - [2005 - Practical analysis of stripped binary code](https://dl.acm.org/doi/abs/10.1145/1127577.1127590) ✓
804 | - [2004 - Detecting kernel-level rootkits through binary analysis](https://ieeexplore.ieee.org/abstract/document/1377219) ✓
805 | 
806 | ### Misc
807 | 
808 | - [2025 RangeSanitizer: Detecting Memory Errors with Efficient Range Checks](https://download.vusec.net/papers/rsan_sec25.pdf)
809 | - [2024 - Tyche: Making Sense of Property-Based Testing Effectiveness](https://harrisongoldste.in/papers/uist24-tyche.pdf) ✓
810 | - [2024 - ARVO: Atlas of Reproducible Vulnerabilities for Open Source Software](https://arxiv.org/pdf/2408.02153) ✓
811 | - [2024 - LeanBin: Harnessing Lifting and Recompilation to Debloat Binaries](https://arxiv.org/pdf/2406.16162) ✓
812 | - [2024 - Operation Mango: Scalable Discovery of Taint-Style Vulnerabilities in Binary Firmware Services](https://wilgibbs.com/papers/mango_usenix24.pdf) ✗
813 | - [2024 - A Binary-level Thread Sanitizer or Why Sanitizing on the Binary Level is Hard](https://www.usenix.org/system/files/sec24fall-prepub-921-schilling.pdf) ✓
814 | - [2023 - MTSan: A Feasible and Practical Memory Sanitizer for Fuzzing COTS Binaries](https://www.usenix.org/system/files/sec23fall-prepub-279-chen-xingman.pdf) ✓
815 | - [2023 - ARMore: Pushing Love Back Into Binaries](https://nebelwelt.net/files/23SEC3.pdf) ✓
816 | - [2023 - gMutant: A gCov based Mutation Testing Analyser](https://dl.acm.org/doi/abs/10.1145/3578527.3578546) ✓
817 | - [2022 - Auto Off-Target: Enabling Thorough and Scalable Testing for Complex Software Systems](https://dl.acm.org/doi/pdf/10.1145/3551349.3556915) ✓
818 | - [2022 - GRIN: Make Rewriting More Precise](https://dl.acm.org/doi/fullHtml/10.1145/3523181.3523207) ✓
819 | - [2022 - CFINSIGHT: A Comprehensive Metric for CFI Policies](https://www.ndss-symposium.org/wp-content/uploads/2022-165-paper.pdf) ✓
820 | - [2022 - Odin: On-Demand Instrumentation with On-the-Fly Recompilation](http://www.wingtecher.com/themes/WingTecherResearch/assets/papers/odin-final.pdf) ✓
821 | - [2022 - Debloating Address Sanitizer](https://www.usenix.org/system/files/sec22summer_zhang-yuchen.pdf) ✓
822 | - [2021 - FMViz: Visualizing Tests Generated by AFL at the Byte-level](https://arxiv.org/pdf/2112.13207.pdf) ✓
823 | - [2021 - Raising MIPS Binaries to LLVM IR](https://link.springer.com/chapter/10.1007/978-3-030-92571-0_6) ✓
824 | - [2021 - yzGen: Automated Generation of Syscall Specification of Closed-Source macOS Drivers](https://www.cs.ucr.edu/~zhiyunq/pub/ccs21_syzgen.pdf) ✓
825 | - [2021 - Igor: Crash Deduplication Through Root-Cause Clustering](http://www.nebelwelt.net/publications/files/21CCS.pdf) ✓
826 | - [2021 - UAFSan: an object-identifier-based dynamic approach for detecting use-after-free vulnerabilities](https://dl.acm.org/doi/abs/10.1145/3460319.3464835) ✓
827 | - [2021 - SyML: Guiding Symbolic Execution Toward Vulnerable States Through Pattern Learning](https://conand.me/publications/ruaro-syml-2021.pdf) ✓
828 | - [2021 - LLSC: A Parallel Symbolic Execution Compiler for LLVM IR](https://continuation.passing.style/static/papers/fsedemo21.pdf) ✓
829 | - [2021 - FuzzSplore: Visualizing Feedback-Driven Fuzzing Techniques](https://arxiv.org/pdf/2102.02527.pdf) ✓
830 | - [2020 - Memory Error Detection Based on Dynamic Binary Translation](https://ieeexplore.ieee.org/abstract/document/9295756/keywords#keywords) ✓
831 | - [2020 - Sydr: Cutting Edge Dynamic Symbolic Execution](https://arxiv.org/pdf/2011.09269.pdf) ✓
832 | - [2020 - DrPin: A dynamic binary instumentator for multiple processor architectures](https://sol.sbc.org.br/index.php/sscad/article/view/14074/13922) ✓
833 | - [2020 - MVP: Detecting Vulnerabilities using Patch-Enhanced Vulnerability Signatures](https://www.usenix.org/system/files/sec20-xiao.pdf) ✓
834 | - [2020 - Collecting Vulnerable Source Code from Open-Source Repositories for Dataset Generation](https://www.mdpi.com/2076-3417/10/4/1270) ✓
835 | - [2020 - LEOPARD: Identifying Vulnerable Code for Vulnerability Assessment through Program Metrics](https://arxiv.org/pdf/1901.11479.pdf) ✓
836 | - [2020 - Dynamic Program Analysis Tools in GCC and CLANG Compilers](https://sci-hub.se/https://doi.org/10.1134/S0361768820010089) ✓
837 | - [2020 - On Using k-means Clustering for Test Suite Reduction](https://sci-hub.se/https://ieeexplore.ieee.org/document/9155590) ✓
838 | - [2020 - Optimizing the Parameters of an Evolutionary Algorithm for Fuzzing and Test Data Generation](https://sci-hub.se/10.1109/ICSTW50294.2020.00061) ✓
839 | - [2020 - Inputs from Hell: Learning Input Distributions for Grammar-Based Test Generation](https://publications.cispa.saarland/3167/7/inputs-from-hell.pdf) ✓
840 | - [2020 - IdSan: An identity-based memory sanitizer for fuzzing binaries](https://arxiv.org/pdf/2007.13113.pdf) ✓
841 | - [2020 - An experimental study oncombining automated andstochastic test data generation - MASTER THESIS](https://gupea.ub.gu.se/bitstream/2077/65502/1/gupea_2077_65502_1.pdf) ✓
842 | - [2020 - FuzzGen: Automatic Fuzzer Generation](https://www.usenix.org/system/files/sec20fall_ispoglou_prepub.pdf) ✓
843 | - [2020 - Fuzzing: On the Exponential Cost of Vulnerability Discovery](https://mboehme.github.io/paper/FSE20.EmpiricalLaw.pdf) ✓
844 | - [2020 - Poster: Debugging Inputs](https://publications.cispa.saarland/3062/1/icse2020-poster-paper42-camera-ready.pdf) ✓
845 | - [2020 - API Misuse Detection in C Programs: Practice on SSL APIs](https://www.worldscientific.com/doi/abs/10.1142/S0218194019400205) ✓
846 | - [2020 - Egalito: Layout-Agnostic Binary Recompilation](http://www.cs.columbia.edu/~junfeng/papers/egalito-asplos20.pdf) ✓
847 | - [2020 - Verifying Software Vulnerabilities in IoT Cryptographic Protocols](https://arxiv.org/pdf/2001.09837.pdf) ✓
848 | - [2020 - μRAI: Securing Embedded Systems with Return Address Integrity](https://nebelwelt.net/files/20NDSS.pdf) ✓
849 | - [2020 - Fast Bit-Vector Satisfiability](https://qingkaishi.github.io/public_pdfs/ISSTA20-Trident.pdf) ✓
850 | - [2020 - MARDU: Efficient and Scalable Code Re-randomization](https://www.unexploitable.systems/uploads/jelesnianski:mardu-systor.pdf) ✓
851 | - [2020 - Towards formal verification of IoT protocols: A Review](https://www.sciencedirect.com/science/article/abs/pii/S1389128619317116) ✓
852 | - [2020 - Automating the fuzzing triage process](https://dr.ntu.edu.sg/handle/10356/140674) ✓
853 | - [2020 - COMPARING AFL SCALABILITY IN VIRTUAL-AND NATIVE ENVIRONMENT](https://jyx.jyu.fi/bitstream/handle/123456789/69772/URN%3ANBN%3Afi%3Ajyu-202006084029.pdf) ✓
854 | - [2020 - SYMBION: Interleaving Symbolic with Concrete Execution](https://conand.me/publications/gritti-symbion-2020.pdf) ✓
855 | - [2020 - Not All Coverage Measurements Are Equal: Fuzzing by Coverage Accounting for Input Prioritization](https://www.ndss-symposium.org/wp-content/uploads/2020/02/24422.pdf) ✓
856 | - [2019 - Toward the Analysis of Embedded Firmware through Automated Re-hosting](http://subwire.net/papers/pretender-final.pdf) ✓
857 | - [2019 - FUZZIFICATION: Anti-Fuzzing Techniques](https://www.usenix.org/system/files/sec19fall_jung_prepub.pdf) ✓
858 | - [2018 - VulinOSS: A Dataset of Security Vulnerabilities in Open-source Systems](https://antonisgkortzis.github.io/files/GMS_MSR_18.pdf) ✓
859 | - [2018 - HDDr: A Recursive Variantof the Hierarchical Delta Debugging Algorithm](https://sci-hub.se/https://doi.org/10.1145/3278186.3278189) ✓
860 | - [2017 - Coarse Hierarchical Delta Debugging](https://sci-hub.se/10.1109/ICSME.2017.26) ✓
861 | - [2017 - VUDDY: A Scalable Approach for Vulnerable CodeClone Discovery](https://ccs.korea.ac.kr/pds/SNP17.pdf) ✓
862 | - [2017 - Postmortem Program Analysis with Hardware-Enhanced Post-Crash Artifacts](https://www.usenix.org/system/files/conference/usenixsecurity17/sec17-xu.pdf) ✓
863 | - [2017 - Synthesizing Program Input Grammars](https://dl.acm.org/doi/pdf/10.1145/3062341.3062349) ✓
864 | - [2017 - Designing New Operating Primitives to Improve Fuzzing Performance](https://acmccs.github.io/papers/p2313-xuA.pdf) ✓
865 | - [2017 - Instruction Punning: Lightweight Instrumentation for x86-64](https://dl.acm.org/doi/pdf/10.1145/3062341.3062344?download=true) ✓
866 | - [2016 - Modernizing Hierarchical Delta Debugging](https://sci-hub.se/https://doi.org/10.1145/2994291.2994296) ✓
867 | - [2016 - VulPecker: An Automated Vulnerability Detection SystemBased on Code Similarity Analysis](https://dl.acm.org/doi/pdf/10.1145/2991079.2991102) ✓
868 | - [2016 - CREDAL: Towards Locating a Memory Corruption Vulnerability with Your Core Dump](https://mudongliang.github.io/files/papers/p529-xu.pdf) ✓
869 | - [2016 - RETracer: Triaging Crashes by Reverse Execution fromPartial Memory Dumps](https://www.microsoft.com/en-us/research/wp-content/uploads/2016/06/retracer-2.pdf) ✓
870 | - [2015 - PIE: Parser Identification in Embedded Systems](http://www.s3.eurecom.fr/docs/acsac15_cojocar.pdf) ✓
871 | - [2010 - Iterative Delta Debugging](http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.296.5948&rep=rep1&type=pdf) ✓
872 | - [2009 - Dynamic Test Generation To Find Integer Bugs in x86 Binary Linux Programs](https://argp.github.io/public/50a11f65857c12c76995f843dbfe6dda.pdf) ✓
873 | - [2006 - HDD: Hierarchical Delta Debugging](https://sci-hub.se/https://doi.org/10.1145/1134285.1134307) ✓
874 | 
875 | ### Surveys, SoKs, and Studies
876 | 
877 | - [2025 - Fuzzing drones for anomaly detection: A systematic literature review](https://ink.library.smu.edu.sg/cgi/viewcontent.cgi?params=/context/sis_research/article/10910/&path_info=fuzzing_drones_for_anomaly_detection_review_computers_n_security_minor_review.pdf)
878 | - [2025 - SoK: Towards Effective Automated Vulnerability Repair](https://arxiv.org/pdf/2501.18820)
879 | - [2025 - SoK: Unraveling the Veil of OS Kernel Fuzzing](https://arxiv.org/pdf/2501.16165)
880 | - [2024 - SoK: Prudent Evaluation Practices for Fuzzing](https://oaklandsok.github.io/papers/schloegel2024.pdf)
881 | - [2024 - An Empirical Examination of Fuzzer Mutator Performance](https://www.jonbell.net/preprint/issta24-mutator.pdf) ✓
882 | - [2024 - An Empirical Study on the Distance Metric in Guiding Directed Grey-box Fuzzing](https://arxiv.org/pdf/2409.12701) ✓
883 | - [2024 - Exploring the Adoption of Fuzz Testing in Open-Source Software: A Case Study of the Go Community](https://posl.ait.kyushu-u.ac.jp/~kamei/publications/Nourry_ICSME2024.pdf) ✓
884 | - [2024 - Is Stateful Fuzzing Really Challenging?](https://arxiv.org/pdf/2406.07071) ✓
885 | - [2024 - Fuzzing Frameworks for Server-side Web Applications: A Survey](https://arxiv.org/abs/2406.03208) ✓
886 | - [2024 - SoK: Where to Fuzz? Assessing Target Selection Methods in Directed Fuzzing](https://mlsec.org/docs/2024c-asiaccs.pdf) ✓
887 | - [2024 - A Survey of Protocol Fuzzing](https://arxiv.org/pdf/2401.01568) ✓
888 | - [2024 - Large Language Models Based Fuzzing Techniques: A Survey](https://arxiv.org/pdf/2402.00350) ✓
889 | - [2024 - Fuzzing: Progress, Challenges, and Perspectives](https://cdn.techscience.cn/files/cmc/2024/TSP_CMC-78-1/TSP_CMC_42361/TSP_CMC_42361.pdf) ✓
890 | - [2023 - A systematic review of fuzzing](https://link.springer.com/article/10.1007/s00500-023-09306-2) ✓
891 | - [2023 - An Empirical Study on AST-level mutation-based fuzzing techniques for JavaScript Engines](https://dl.acm.org/doi/abs/10.1145/3609437.3609440) ✓
892 | - [2023 - Software Bug Detection: Challenges and Synergies](https://drops.dagstuhl.de/opus/volltexte/2023/19230/pdf/dagrep_v013_i003_p092_23131.pdf) ✓
893 | - [2023 - Demystify the Fuzzing Methods: A Comprehensive Survey](https://dl.acm.org/doi/abs/10.1145/3623375) ✓
894 | - [2023 - The Human Side of Fuzzing: Challenges Faced by Developers During Fuzzing Activities](https://posl.ait.kyushu-u.ac.jp/~kamei/publications/Nourry_TOSEM2023.pdf) ✓
895 | - [2023 - ASanity: On Bug Shadowing by Early ASan Exits](https://wootconference.org/papers/woot23-paper34.pdf) ✓
896 | - [2023 - A Case Study on Fuzzing Satellite Firmware](https://www.ndss-symposium.org/wp-content/uploads/2023/06/spacesec2023-230707-paper.pdf) ✓
897 | - [2023 - Fuzzing the Latest NTFS in Linux with Papora: An Empirical Study](https://arxiv.org/pdf/2304.07166.pdf) ✓
898 | - [2023 - Fuzzing REST APIs for Bugs: An Empirical Analysis](https://link.springer.com/chapter/10.1007/978-981-19-7513-4_28) ✓
899 | - [2023 - Automated Binary Analysis: A Survey](https://link.springer.com/chapter/10.1007/978-3-031-22677-9_21) ✓
900 | - [2023 - Fuzzers for stateful systems: Survey and Research Directions](https://arxiv.org/pdf/2301.02490.pdf) ✓
901 | - [2022 - Detecting Vulnerability on IoT Device Firmware: A Survey](https://www.ieee-jas.net/en/article/id/e04bfa93-5629-4069-859b-35ecf4dc503b) ✓
902 | - [2022 - Fuzzing of Embedded Systems: A Survey](https://dl.acm.org/doi/pdf/10.1145/3538644) ✓
903 | - [2022 - Embedded Fuzzing: a Review of Challenges, Tools, and Solutions](https://www.iris.unict.it/bitstream/20.500.11769/533199/1/paper%20%284%29.pdf) ✓
904 | - [2022 - An empirical study of vulnerability discovery methods over the past ten years](https://www.sciencedirect.com/science/article/pii/S0167404822002115) ✓
905 | - [2022 - Fuzzing vulnerability discovery techniques: Survey, challenges and future directions](https://www.sciencedirect.com/science/article/pii/S0167404822002073) ✓
906 | - [2022 - Fuzzing: A Survey for Roadmap](https://dl.acm.org/doi/abs/10.1145/3512345) ✓
907 | - [2022 - How Long Do Vulnerabilities Live in the Code? A Large-Scale Empirical Measurement Study on FOSS Vulnerability Lifetimes](https://www.usenix.org/system/files/sec22summer_alexopoulos.pdf) ✓
908 | - [2021 - Protocol Reverse-Engineering Methods and Tools: A Survey](https://www.sciencedirect.com/science/article/abs/pii/S0140366421004382) ✓
909 | - [2021 - Exploratory Review of Hybrid Fuzzing for Automated Vulnerability Detection](https://ieeexplore.ieee.org/abstract/document/9541397) ✓
910 | - [2021 - A Systematic Review of Network Protocol Fuzzing Techniques](https://ieeexplore.ieee.org/abstract/document/9482063) ✓
911 | - [2021 - Vulnerability Detection is Just the Beginning](https://arxiv.org/pdf/2103.05160.pdf) ✓
912 | - [2021 - Evaluating Synthetic Bugs](https://wkr.io/publication/asiaccs-2021-bugs.pdf) ✓
913 | - [2020 - A Practical, Principled Measure of Fuzzer Appeal:A Preliminary Study](https://qrs20.techconf.org/QRS2020_FULL/pdfs/QRS2020-4LGdOos7NAbR8M2s6S6ezE/891300a510/891300a510.pdf) ✓
914 | - [2020 - A Systemic Review of Kernel Fuzzing](https://dl.acm.org/doi/abs/10.1145/3444370.3444586) ✓
915 | - [2020 - A Survey of Hybrid Fuzzing based on Symbolic Execution](https://dl.acm.org/doi/abs/10.1145/3444370.3444570) ✓
916 | - [2020 - A Study on Using Code Coverage Information Extracted from Binary to Guide Fuzzing](https://www.cscjournals.org/manuscript/Journals/IJCSS/Volume14/Issue5/IJCSS-1589.pdf) ✓
917 | - [2020 - Study of Security Flaws in the Linux Kernel by Fuzzing](https://ieeexplore.ieee.org/abstract/document/9271516) ✓
918 | - [2020 - Dynamic vulnerability detection approaches and tools: State of the Art](https://ieeexplore.ieee.org/abstract/document/9268686) ✓
919 | - [2020 - Fuzzing: Challenges and Reflections](https://www.comp.nus.edu.sg/~abhik/pdf/IEEE-SW-Fuzzing.pdf) ✓
920 | - [2020 - The Relevance of Classic Fuzz Testing: Have We Solved This One?](https://arxiv.org/pdf/2008.06537.pdf) ✓
921 | - [2020 - A Practical, Principled Measure of Fuzzer Appeal:A Preliminary Study](https://agroce.github.io/qrs20-1.pdf) ✓
922 | - [2020 - SoK: All You Ever Wanted to Know About x86/x64 Binary Disassembly But Were Afraid to Ask](https://arxiv.org/pdf/2007.14266) ✓
923 | - [2020 - A Quantitative Comparison of Coverage-Based Greybox Fuzzers](https://dl.acm.org/doi/10.1145/3387903.3389304) ✓
924 | - [2020 - A Survey of Security Vulnerability Analysis, Discovery, Detection, and Mitigation on IoT Devices](https://www.mdpi.com/1999-5903/12/2/27) ✓
925 | - [2020 - A systematic review of fuzzing based on machine learning techniques](https://arxiv.org/pdf/1908.01262.pdf) ✓
926 | - [2019 - A Survey of Binary Code Similarity](https://arxiv.org/pdf/1909.11424.pdf) ✓
927 | - [2019 - The Art, Science, and Engineering of Fuzzing: A Survey](https://arxiv.org/pdf/1812.00140.pdf) ✓
928 | - [2012 - Regression testing minimization, selection and prioritization: a survey](https://www.sci-hub.se/10.1002/stvr.430) ✓
929 | 


--------------------------------------------------------------------------------
/checker.py:
--------------------------------------------------------------------------------
  1 | import concurrent.futures
  2 | import random
  3 | import re
  4 | import sys
  5 | import time
  6 | from collections import defaultdict
  7 | from pathlib import Path
  8 | from urllib.parse import urljoin, urlparse
  9 | 
 10 | import requests
 11 | import urllib3
 12 | from bs4 import BeautifulSoup
 13 | 
 14 | # Unicode symbols
 15 | SUCCESS_SYMBOL = "✓"
 16 | FAIL_SYMBOL = "✗"
 17 | INSECURE_SYMBOL = "⚠"
 18 | 
 19 | # Silence insecure request warnings
 20 | urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
 21 | 
 22 | 
 23 | class RateLimiter:
 24 |     """Simple rate limiter to track and limit requests per domain."""
 25 | 
 26 |     def __init__(self, min_delay=2):
 27 |         self.last_request = defaultdict(float)
 28 |         self.min_delay = min_delay
 29 | 
 30 |     def wait_if_needed(self, domain):
 31 |         """Wait if we need to respect rate limiting for this domain."""
 32 |         last_time = self.last_request[domain]
 33 |         now = time.time()
 34 | 
 35 |         if last_time > 0:
 36 |             elapsed = now - last_time
 37 |             if elapsed < self.min_delay:
 38 |                 time.sleep(self.min_delay - elapsed + random.uniform(0.1, 0.5))
 39 | 
 40 |         self.last_request[domain] = time.time()
 41 | 
 42 | 
 43 | def is_valid_url(url):
 44 |     """Validate URL format and structure."""
 45 |     try:
 46 |         result = urlparse(url)
 47 |         return all([result.scheme, result.netloc])
 48 |     except Exception:
 49 |         return False
 50 | 
 51 | 
 52 | def clean_url(url):
 53 |     """Clean and normalize URL."""
 54 |     try:
 55 |         # Remove any trailing slashes and normalize
 56 |         url = url.strip("/")
 57 |         parsed = urlparse(url)
 58 |         return urljoin(parsed.scheme + "://" + parsed.netloc, parsed.path)
 59 |     except Exception:
 60 |         return url
 61 | 
 62 | 
 63 | def find_markdown_files(root_dir):
 64 |     """Recursively find all markdown files in the repository."""
 65 |     return list(Path(root_dir).rglob("*.md"))
 66 | 
 67 | 
 68 | def extract_links_with_lines(markdown_file):
 69 |     """Extract links and their line numbers from markdown file."""
 70 |     links = []
 71 |     with open(markdown_file, "r", encoding="utf-8") as f:
 72 |         for line_num, line in enumerate(f, 1):
 73 |             # Match markdown links [text](url)
 74 |             matches = re.finditer(r"\[([^\]]+)\]\(([^)]+)\)", line)
 75 |             for match in matches:
 76 |                 # Skip relative links and anchors
 77 |                 url = match.group(2)
 78 |                 if not url.startswith(("http://", "https://")):
 79 |                     continue
 80 | 
 81 |                 links.append(
 82 |                     {
 83 |                         "line_num": line_num,
 84 |                         "line": line.rstrip(),
 85 |                         "url": url,
 86 |                         "start": match.start(),
 87 |                         "end": match.end(),
 88 |                     }
 89 |                 )
 90 |     return links
 91 | 
 92 | 
 93 | def check_link(url, rate_limiter):
 94 |     """Check if link is accessible with rate limiting."""
 95 |     if not is_valid_url(url):
 96 |         return False, True, f"Invalid URL format: {url}"
 97 | 
 98 |     cleaned_url = clean_url(url)
 99 |     domain = urlparse(cleaned_url).netloc
100 |     rate_limiter.wait_if_needed(domain)
101 | 
102 |     try:
103 |         headers = {
104 |             "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/91.0.4472.124 Safari/537.36",
105 |             "Accept": "text/html,application/xhtml+xml,application/pdf,application/xml;q=0.9,*/*;q=0.8",
106 |             "Accept-Language": "en-US,en;q=0.5",
107 |             "Accept-Encoding": "gzip, deflate, br",
108 |             "Connection": "keep-alive",
109 |         }
110 | 
111 |         try:
112 |             response = requests.get(
113 |                 cleaned_url,
114 |                 headers=headers,
115 |                 timeout=15,
116 |                 allow_redirects=True,
117 |                 verify=True,
118 |                 stream=True,  # Use streaming to avoid downloading large files
119 |             )
120 | 
121 |             content_type = response.headers.get("Content-Type", "").lower()
122 | 
123 |             if ".pdf" in cleaned_url.lower() and "application/pdf" not in content_type:
124 |                 return False, True, "URL suggests PDF but received non-PDF content"
125 | 
126 |             if "text/html" in content_type or "application/xhtml" in content_type:
127 |                 content_sample = next(response.iter_content(16384)).decode(
128 |                     errors="ignore"
129 |                 )
130 |                 soup = BeautifulSoup(content_sample, "html.parser")
131 | 
132 |                 # Check title and body content for 404 indicators
133 |                 error_indicators = [
134 |                     "404",
135 |                     "not found",
136 |                     "error",
137 |                     "page does not exist",
138 |                     "page not found",
139 |                     "does not exist",
140 |                     "no longer available",
141 |                 ]
142 | 
143 |                 if soup.title and any(
144 |                     ind in soup.title.string.lower() for ind in error_indicators
145 |                 ):
146 |                     return False, True, "404 page detected (title)"
147 | 
148 |                 body_text = soup.get_text().lower()
149 |                 if any(ind in body_text for ind in error_indicators):
150 |                     return False, True, "404 page detected (content)"
151 | 
152 |                 if len(content_sample) < 1000 and (
153 |                     "404" in body_text or "not found" in body_text
154 |                 ):
155 |                     return (
156 |                         False,
157 |                         True,
158 |                         "Likely 404 page (short content with error message)",
159 |                     )
160 | 
161 |             elif any(t in content_type for t in ["pdf", "octet-stream", "binary"]):
162 |                 content_length = response.headers.get("Content-Length")
163 |                 if (
164 |                     content_length and int(content_length) < 100
165 |                 ):  # Suspiciously small for a PDF
166 |                     return False, True, "File too small to be valid"
167 | 
168 |             return response.status_code == 200, True, None
169 | 
170 |         except requests.exceptions.SSLError:
171 |             # Retry without SSL verification
172 |             response = requests.get(
173 |                 cleaned_url,
174 |                 headers=headers,
175 |                 timeout=15,
176 |                 allow_redirects=True,
177 |                 verify=False,
178 |                 stream=True,
179 |             )
180 |             return True, False, "Insecure SSL"
181 | 
182 |     except requests.exceptions.Timeout:
183 |         return False, True, "Timeout"
184 |     except requests.exceptions.ConnectionError as e:
185 |         if "Errno 111" in str(e):
186 |             return False, True, "Connection refused"
187 |         if "RemoteDisconnected" in str(e):
188 |             return False, True, "Remote server disconnected"
189 |         if "NameResolutionError" in str(e):
190 |             return False, True, "DNS resolution failed"
191 |         if "IncompleteRead" in str(e):
192 |             return False, True, "Connection broken while reading response"
193 |         return False, True, "Connection error"
194 |     except requests.exceptions.RequestException as e:
195 |         return False, True, str(e)
196 |     except Exception as e:
197 |         return False, True, f"Unexpected error: {str(e)}"
198 | 
199 | 
200 | def get_domain(url):
201 |     """Extract domain from URL."""
202 |     try:
203 |         return urlparse(url).netloc
204 |     except:
205 |         return None
206 | 
207 | 
208 | def process_markdown_file(file_path):
209 |     """Process a single markdown file and return if changes were made."""
210 |     links = extract_links_with_lines(file_path)
211 |     if not links:
212 |         return False
213 | 
214 |     # Group links by domain
215 |     domain_grouped_links = {}
216 |     for link in links:
217 |         domain = get_domain(link["url"])
218 |         if domain not in domain_grouped_links:
219 |             domain_grouped_links[domain] = []
220 |         domain_grouped_links[domain].append(link)
221 | 
222 |     # Process domains sequentially with rate limiting
223 |     rate_limiter = RateLimiter(
224 |         min_delay=3
225 |     )  # At least 3 seconds between requests to same domain
226 |     url_status = {}
227 | 
228 |     # Reduce concurrent workers to be more conservative
229 |     with concurrent.futures.ThreadPoolExecutor(max_workers=3) as executor:
230 |         for domain, domain_links in domain_grouped_links.items():
231 |             # Process each domain's links with rate limiting
232 |             futures = {
233 |                 executor.submit(check_link, link["url"], rate_limiter): link
234 |                 for link in domain_links
235 |             }
236 | 
237 |             # Add small delay between different domains
238 |             time.sleep(1)
239 | 
240 |             for future in concurrent.futures.as_completed(futures):
241 |                 link = futures[future]
242 |                 try:
243 |                     is_accessible, is_secure, error = future.result()
244 |                     url_status[link["url"]] = (is_accessible, is_secure)
245 |                     if error:
246 |                         print(f"Warning for {link['url']}: {error}", file=sys.stderr)
247 |                 except Exception as e:
248 |                     print(f"Error checking {link['url']}: {str(e)}", file=sys.stderr)
249 |                     url_status[link["url"]] = (False, True)
250 | 
251 |     with open(file_path, "r", encoding="utf-8") as f:
252 |         lines = f.readlines()
253 | 
254 |     changes_made = False
255 |     new_lines = []
256 | 
257 |     for i, line in enumerate(lines):
258 |         line_num = i + 1
259 |         current_links = [l for l in links if l["line_num"] == line_num]
260 | 
261 |         if not current_links:
262 |             new_lines.append(line)
263 |             continue
264 | 
265 |         # Remove existing symbols
266 |         clean_line = re.sub(r"[✓✗⚠]\s*$", "", line.rstrip())
267 | 
268 |         # Add new symbols
269 |         symbols = []
270 |         for link in current_links:
271 |             is_accessible, is_secure = url_status[link["url"]]
272 |             if is_accessible and is_secure:
273 |                 symbols.append(SUCCESS_SYMBOL)
274 |             elif is_accessible and not is_secure:
275 |                 symbols.append(INSECURE_SYMBOL)
276 |             else:
277 |                 symbols.append(FAIL_SYMBOL)
278 | 
279 |         new_line = f"{clean_line} {' '.join(symbols)}\n".replace("  ", " ")
280 |         if new_line.strip() != line.strip():
281 |             changes_made = True
282 | 
283 |         new_lines.append(new_line)
284 | 
285 |     if changes_made:
286 |         with open(file_path, "w", encoding="utf-8") as f:
287 |             f.writelines(new_lines)
288 | 
289 |     return changes_made
290 | 
291 | 
292 | def main():
293 |     """Main function to process all markdown files or a single URL."""
294 |     if len(sys.argv) > 1:
295 |         url = sys.argv[1]
296 |         rate_limiter = RateLimiter(min_delay=3)
297 |         is_accessible, is_secure, error = check_link(url, rate_limiter)
298 | 
299 |         if error:
300 |             print(f"Warning for {url}: {error}", file=sys.stderr)
301 | 
302 |         if is_accessible and is_secure:
303 |             print(f"{url}: {SUCCESS_SYMBOL}")
304 |         elif is_accessible and not is_secure:
305 |             print(f"{url}: {INSECURE_SYMBOL}")
306 |         else:
307 |             print(f"{url}: {FAIL_SYMBOL}")
308 | 
309 |         sys.exit(0 if is_accessible else 1)
310 | 
311 |     repo_root = Path.cwd()
312 |     markdown_files = find_markdown_files(repo_root)
313 | 
314 |     changes_made = False
315 |     for md_file in markdown_files:
316 |         if process_markdown_file(md_file):
317 |             changes_made = True
318 |             print(f"Updated links in: {md_file}")
319 | 
320 |     sys.exit(0 if changes_made else 1)
321 | 
322 | 
323 | if __name__ == "__main__":
324 |     main()
325 | 


--------------------------------------------------------------------------------