├── .gitignore
├── LICENSE
├── README.md
├── auto_download.py
├── check_for_duplicates.py
└── out
    └── .gitignore


/.gitignore:
--------------------------------------------------------------------------------
1 | README2.md
2 | 


--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
 1 | MIT License
 2 | 
 3 | Copyright (c) Ada Logics (https://adalogics.com)
 4 | 
 5 | Permission is hereby granted, free of charge, to any person obtaining a copy
 6 | of this software and associated documentation files (the "Software"), to deal
 7 | in the Software without restriction, including without limitation the rights
 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 9 | copies of the Software, and to permit persons to whom the Software is
10 | furnished to do so, subject to the following conditions:
11 | 
12 | The above copyright notice and this permission notice shall be included in all
13 | copies or substantial portions of the Software.
14 | 
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21 | SOFTWARE.
22 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
  1 | # Software security paper list
  2 | 
  3 | 
  4 | This repository contains a curated list of papers relevant to:
  5 | * software security;
  6 | * program analysis; and
  7 | * systems security.
  8 | 
  9 | The list is divided into further sub-topics and include a sub-topic called "General" for papers that either have not been sorted into a sub-topic yet or do not fit into any sub-topics.
 10 | 
 11 | 
 12 | This list is maintained by:
 13 | * [David Korczynski](https://twitter.com/Davkorcz); and
 14 | * [Adam Korczynski](https://twitter.com/AdamKorcz4)
 15 | 
 16 | PRs are very welcome.
 17 | 
 18 | ### Download all automatically
 19 | The `auto_download.py` script can be used to download either all of the papers or the papers for a given subtopic.
 20 | 
 21 | `auto_download.py` will create a directory `out` in the current working directory if it does not already exist. Then it will create another folder in `out` with the name of the sub-topic you are choosing to download or `All` in case you download all papers.
 22 | 
 23 | Example uses:
 24 | ```
 25 | # Download all papers
 26 | python ./auto_download.py All
 27 | 
 28 | # Download all papers related to Fuzzing
 29 | python ./auto_download.py Fuzzing
 30 | 
 31 | # Download all papers related to Malware
 32 | python ./auto_download.py Malware
 33 | ```
 34 | 
 35 | ### Other paper lists
 36 | * [Awesome fuzzing](https://github.com/cpuu/awesome-fuzzing)
 37 | * [Recent Papers Related To Fuzzing](https://github.com/wcventure/FuzzingPaper)
 38 | * [Awesome Virtualization](https://github.com/Wenzel/awesome-virtualization)
 39 | 
 40 | 
 41 | # Papers
 42 | Table of contents:
 43 | * [General](#General)
 44 | * [Android](#Android)
 45 | * [Control-flow integrity](#control-flow-integrity)
 46 | * [Cyber-physical](#Cyber-physical)
 47 | * [Symbolic execution](#Symbolic-execution)
 48 | * [Virtualisation](#Virtualisation)
 49 | * [Fuzzing](#Fuzzing)
 50 | * [Malware](#Malware)
 51 | * [Binary analysis](#binary-analysis)
 52 | 
 53 | ## General
 54 | - [Bag of On-Phone ANNs to Secure IoT Objects Using Wearable and Smartphone Biometrics](https://ieeexplore.ieee.org/document/10106441)
 55 | - [A Randomized Dynamic Program Analysis Technique for Detecting Real Deadlocks](https://www.cis.upenn.edu/~mhnaik/papers/pldi09b.pdf)
 56 | - [Randomized Active Atomicity Violation Detection in Concurrent Programs](https://parlab.eecs.berkeley.edu/sites/all/parlab/files/Randomized%20Active%20Atomicity%20Violation%20Detection%20in%20Concurrent%20Programs.pdf)
 57 | - [Privacy Oracle: a System for Finding Application Leaks with Black Box Differential Testing](https://homes.cs.washington.edu/~yoshi/papers/PrivacyOracle/privacyoracle-ccs2008.pdf)
 58 | - [TypeSan: Practical Type Confusion Detection](https://nebelwelt.net/publications/files/16CCS2.pdf)
 59 | - [HexType: Efficient Detection of Type Confusion Errors for C++](https://nebelwelt.net/files/17CCS.pdf)
 60 | - [Dynamic Test Generation To Find Integer Bugs in x86 Binary Linux Programs](https://people.eecs.berkeley.edu/~daw/papers/smartfuzz-use09.pdf)
 61 | - [Vulcan Binary transformation in a distributed environment](https://www.microsoft.com/en-us/research/wp-content/uploads/2016/02/tr-2001-50.pdf)
 62 | - [Automated Detection, Exploitation, and Elimination of Double-Fetch Bugs using Modern CPU Features](https://arxiv.org/pdf/1711.01254.pdf)
 63 | - [Path-Exploration Lifting: Hi-Fi Tests for Lo-Fi Emulators](https://people.eecs.berkeley.edu/~dawnsong/papers/2012%20Path%20Exploration%20Lifting%20Hi%20Fi%20Tests%20for%20Lo%20Fi%20Emulators.pdf)
 64 | - [Robust Signatures for Kernel Data Structures](https://www.cc.gatech.edu/~brendan/ccs09_siggen.pdf)
 65 | - [DELTA: A Security Assessment Framework for Software-Defined Networks](https://pdfs.semanticscholar.org/ad1d/64e9e431681a088db680adcf1cb479fc22fc.pdf)
 66 | - [Simplifying and Isolating Failure-Inducing Input](https://www.cs.purdue.edu/homes/xyzhang/fall07/Papers/delta-debugging.pdf)
 67 | - [Fitness-Guided Path Exploration in Dynamic Symbolic Execution](https://www.microsoft.com/en-us/research/wp-content/uploads/2009/06/dsn09-fitnex1.pdf)
 68 | - [Enforceable Security Policies](https://www.cs.cornell.edu/fbs/publications/EnfSecPols.pdf)
 69 | - [Enemy of the State: A State-Aware Black-Box Web Vulnerability Scanner](https://www.usenix.org/system/files/conference/usenixsecurity12/sec12-final225.pdf)
 70 | - [Feedback-directed Random Test Generation](https://homes.cs.washington.edu/~mernst/pubs/feedback-testgen-icse2007.pdf)
 71 | - [Probability-Based Parameter Selection for Black-Box Fuzz Testing](http://webblaze.cs.berkeley.edu/papers/FLAX.pdf)
 72 | - [FLAX: Systematic Discovery of Client-side Validation Vulnerabilities in Rich Web Applications]()
 73 | - [Representation Dependence Testing using Program Inversion](https://core.ac.uk/download/pdf/207770249.pdf)
 74 | - [Deriving Input Syntactic Structure From Execution](https://www.cs.purdue.edu/homes/xyzhang/Comp/fse08.pdf)
 75 | - [SoftBound: Highly Compatible and Complete Spatial Memory Safety for C](https://www.cs.rutgers.edu/~santosh.nagarakatte/papers/pldi09_softbound.pdf)
 76 | - [CodeAlchemist: Semantics-Aware Code Generation to Find Vulnerabilities in JavaScript Engines](https://www.ndss-symposium.org/wp-content/uploads/2019/02/ndss2019_05A-5_Han_paper.pdf)
 77 | - [CETS: Compiler-Enforced Temporal Safety for C](https://www.cs.rutgers.edu/~santosh.nagarakatte/papers/ismm10-cets.pdf)
 78 | - [Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software](http://bitblaze.cs.berkeley.edu/papers/taintcheck-full.pdf)
 79 | - [NEZHA: Efficient Domain-Independent Differential Testing](https://www.cs.columbia.edu/~suman/docs/nezha.pdf)
 80 | - [Prospex: Protocol Specification Extraction](https://sites.cs.ucsb.edu/~chris/research/doc/oakland09_prospex.pdf)
 81 | - [Understanding Integer Overflow in C/C++](https://www.cs.utah.edu/~regehr/papers/overflow12.pdf)
 82 | - [Polyglot: Automatic Extraction of Protocol Message Format using Dynamic Binary Analysis](http://bitblaze.cs.berkeley.edu/papers/polyglot_ccs07_av.pdf)
 83 | - [QTEP: Quality-Aware Test Case Prioritization](http://asset.uwaterloo.ca/qtep/qtep.pdf)
 84 | - [Race Directed Random Testing of Concurrent Programs](https://www.cs.columbia.edu/~junfeng/09fa-e6998/papers/racefuzz.pdf)
 85 | - [Type Casting Verification: Stopping an Emerging Attack Vector](https://www.usenix.org/system/files/conference/usenixsecurity15/sec15-paper-lee.pdf)
 86 | - [Towards Optimization-Safe Systems: Analyzing the Impact of Undefined Behavior](https://people.csail.mit.edu/nickolai/papers/wang-stack.pdf)
 87 | - [Disco: Running commodity operating systems on scalable multiprocessors](http://www.cs.cornell.edu/courses/cs6411/2018sp/papers/bugnion97disco.pdf)
 88 | - [Jump-Oriented Programming: A New Class of Code-Reuse Attack](https://people.engr.ncsu.edu/tkbletsc/pubs/JOP.pdf)
 89 | - [Can DREs Provide Long-Lasting Security? The Case of Return-Oriented Programming and the AVC Advantage](https://www.usenix.org/legacy/events/evtwote09/tech/full_papers/checkoway.pdf)
 90 | - [Decoupling dynamic program analysis from execution in virtual environments](https://www.usenix.org/legacy/event/usenix08/tech/full_papers/chow/chow.pdf)
 91 | - [Understanding data lifetime via whole system simulation.](https://benpfaff.org/papers/taint.pdf)
 92 | - [Minos: Control Data Attack Prevention Orthogonal to Memory Model](http://people.cs.uchicago.edu/~ftchong/papers/micro2004.pdf)
 93 | - [Tainting is Not Pointless](https://web.stanford.edu/group/mast/cgi-bin/drupal/system/files/2010.taintingpoint.osr_.pdf)
 94 | - [Size Does Matter: Why Using Gadget-Chain Length to Prevent Code-Reuse Attacks is Hard](http://www.syssec-project.eu/m/page-media/3/sec14-paper-goktas.pdf)
 95 | - [ROPMEMU: A Framework for the Analysis of Complex Code-Reuse Attacks](http://www.s3.eurecom.fr/docs/asiaccs16_graziano.pdf)
 96 | - [A virtual machine based information flow control system for policy enforcement](https://www.cs.vu.nl/~ast/Publications/Papers/entcs-2008.pdf)
 97 | - [The geometry of innocent flesh on the bone: Return-into-libc without function calls (on the x86)](https://hovav.net/ucsd/dist/geometry.pdf)
 98 | - [SPIDER: Enabling Fast Patch Propagation In Related Software Repositories](https://seclab.cs.ucsb.edu/files/publications/machiry2020_spider.pdf)
 99 | - [HALucinator: Firmware Re-hosting Through Abstraction Layer Emulation](https://seclab.cs.ucsb.edu/files/publications/gustafson2020_halucinator.pdf)
100 | - [PhishTime: Continuous Longitudinal Measurement of the Effectiveness of Anti-phishing Blacklists](https://www.usenix.org/system/files/sec20-oest-phishtime.pdf)
101 | - [Exploiting Uses of Uninitialized Stack Variables in Linux Kernels to Leak Kernel Pointers](https://www.usenix.org/system/files/woot20-paper-cho.pdf)
102 | - [Sleak: automating address space layout derandomization](https://sites.cs.ucsb.edu/~vigna/publications/2019_ACSAC_Sleak.pdf)
103 | - [Matched and Mismatched SOCs: A Qualitative Study on Security Operations Center Issues](https://adamdoupe.com/publications/matched-and-mismatched-socs-ccs2019.pdf)
104 | - [GuardION: Practical Mitigation of DMA-Based Rowhammer Attacks on ARM](https://research.vu.nl/files/75478203/Veen2018_Chapter_GuardIONPracticalMitigationOfD.pdf)
105 | - [Measuring E-mail header injections on the world wide web](https://sites.cs.ucsb.edu/~chris/research/doc/sac18_email.pdf)
106 | - [Detecting Deceptive Reviews Using Generative Adversarial Networks](https://arxiv.org/pdf/1805.10364.pdf)
107 | - [HeapHopper: Bringing Bounded Model Checking to Heap Implementation Security](https://www.usenix.org/system/files/conference/usenixsecurity18/sec18-eckert.pdf)
108 | - [Rampart: Protecting Web Applications from CPU-Exhaustion Denial-of-Service Attacks](https://www.usenix.org/system/files/conference/usenixsecurity18/sec18-meng.pdf)
109 | - [Exploitation and Mitigation of Authentication Schemes Based on Device-Public Information](https://dl.acm.org/doi/pdf/10.1145/3134600.3134615)
110 | - [Piston: Uncooperative Remote Runtime Patching](https://sites.cs.ucsb.edu/~chris/research/doc/acsac17_piston.pdf)
111 | - [Rise of the HaCRS: Augmenting Autonomous Cyber Reasoning Systems with Human Assistance](https://acmccs.github.io/papers/p347-shoshitaishviliA.pdf)
112 | - [Gossip: Automatically Identifying Malicious Domains from Mailing List Discussions](https://sites.cs.ucsb.edu/~vigna/publications/2017_AsiaCCS_gossip.pdf)
113 | - [POISED: Spotting Twitter Spam Off the Beaten Paths](https://arxiv.org/pdf/1708.09058.pdf)
114 | - [How Shall We Play a Game?: A Game-theoretical Model for Cyber-warfare Games](https://users.ece.cmu.edu/~youzhib/paper/bao2017csf.pdf)
115 | - [Obfuscation-Resilient Privacy Leak Detection for Mobile Apps Through Differential Analysis](https://reyammer.io/publications/2017_ndss_agrigento.pdf)
116 | - [BOOMERANG: Exploiting the Semantic Gap in Trusted Execution Environments](https://sites.cs.ucsb.edu/~cspensky/pdfs/ndss17-final227.pdf)
117 | - [Something from Nothing (There): Collecting Global IPv6 Datasets from DNS](https://sites.cs.ucsb.edu/~vigna/publications/2017_PAM_CollectingIPv6.pdf)
118 | - [BootStomp: On the Security of Bootloaders in Mobile Devices](https://www.usenix.org/system/files/conference/usenixsecurity17/sec17-redini.pdf)
119 | - [DR. CHECKER: A Soundy Analysis for Linux Kernel Drivers](https://www.usenix.org/system/files/conference/usenixsecurity17/sec17-machiry.pdf)
120 | - [Taming Transactions: Towards Hardware-Assisted Control Flow Integrity Using Transactional Memory](https://sites.cs.ucsb.edu/~vigna/publications/2016_RAID_Transactional.pdf)
121 | - [SOK: (State of) The Art of War: Offensive Techniques in Binary Analysis](https://sites.cs.ucsb.edu/~vigna/publications/2016_SP_angrSoK.pdf)
122 | - [Quickly generating diverse valid test inputs with reinforcement learning](https://people.eecs.berkeley.edu/~rohanpadhye/files/rlcheck-icse20.pdf)
123 | - [Mining Temporal Properties of Data Invariants](https://www.carolemieux.com/icse15-quarry-src-abstract.pdf)
124 | - [General LTL Specification Mining](https://www.cs.ubc.ca/~bestchai/papers/texada-ase15_final.pdf)
125 | - [Investigating Program BehaviorUsing the Texada LTL Specifications Miner](https://www.carolemieux.com/texada_ase15_demos_final.pdf)
126 | - [Know Your Achilles' Heel: Automatic Detection of Network Critical Services](https://sites.cs.ucsb.edu/~vigna/publications/2015_ACSAC_Achilles.pdf)
127 | - [Firmalice - Automatic Detection of Authentication Bypass Vulnerabilities in Binary Firmware](https://www.ndss-symposium.org/wp-content/uploads/2017/09/11_1_2.pdf)
128 | - [EVILCOHORT: Detecting Communities of Malicious Accounts on Online Services](https://www.usenix.org/system/files/conference/usenixsecurity15/sec15-paper-stringhini.pdf)
129 | - [Meerkat: Detecting Website Defacements through Image-based Object Recognition](https://sites.cs.ucsb.edu/~chris/research/doc/usenix15_meerkat.pdf)
130 | - [How the ELF Ruined Christmas](https://sites.cs.ucsb.edu/~chris/research/doc/usenix15_elf.pdf)
131 | - [ZigZag: Automatically Hardening Web Applications Against Client-side Validation Vulnerabilities](https://www.usenix.org/system/files/conference/usenixsecurity15/sec15-paper-weissbacher.pdf)
132 | - [Framing Dependencies Introduced by Underground Commoditization](https://cseweb.ucsd.edu/~savage/papers/WEIS15.pdf)
133 | - [The harvester, the botmaster, and the spammer: on the relations between the different actors in the spam landscape](https://www.ucl.ac.uk/jill-dando-institute/sites/jill-dando-institute/files/harvesters-asiaccs2014.pdf)
134 | - [PExy: The Other Side of Exploit Kits](https://kapravelos.com/publications/pexy-DIMVA14.pdf)
135 | - [The Dark Alleys of Madison Avenue: Understanding Malicious Advertisements](https://www.kapravelos.com/publications/malvertisments-IMC14.pdf)
136 | - [Rippler: Delay injection for service dependency detection](https://sites.cs.ucsb.edu/~chris/research/doc/infocom14_rippler.pdf)
137 | - [Eyes of a Human, Eyes of a Program: Leveraging Different Views of the Web for Analysis and Detection](https://sites.cs.ucsb.edu/~vigna/publications/2014_RAID_EagleEye.pdf)
138 | - [Extracting probable command and control signatures for detecting botnets](https://sites.cs.ucsb.edu/~chris/research/doc/sac14_botnetcnc.pdf)
139 | - [Stranger danger: exploring the ecosystem of ad-based URL shortening services](https://core.ac.uk/download/pdf/34593962.pdf)
140 | - [Relevant change detection: a framework for the precise extraction of modified and novel web-based content as a filtering technique for analysis engines](https://seclab.cs.ucsb.edu/files/publications/Borgolte2014Relevant_Change.pdf)
141 | - [Message in a bottle: sailing past censorship](https://sites.cs.ucsb.edu/~chris/research/doc/acsac13_message.pdf)
142 | - [deDacota: toward preventing server-side XSS via automatic code and data separation](https://sites.cs.ucsb.edu/~vigna/publications/2013_CCS_deDacota.pdf)
143 | - [Follow the green: growth and dynamics in twitter follower markets](https://seclab.bu.edu/papers/follower_markets-imc2013.pdf)
144 | - [COMPA: Detecting Compromised Accounts on Social Networks](https://www.ucl.ac.uk/jill-dando-institute/sites/jill-dando-institute/files/compa-full-paper.pdf)
145 | - [Clickonomics: Determining the Effect of Anti-Piracy Measures for One-Click Hosting](https://sites.cs.ucsb.edu/~chris/research/doc/ndss13_clickonomics.pdf)
146 | - [Practical Attacks against the I2P Network](https://sites.cs.ucsb.edu/~chris/research/doc/raid13_i2p.pdf)
147 | - [EARs in the wild: large-scale analysis of execution after redirect vulnerabilities](https://sefcom.asu.edu/publications/ears-in-the-wild-sac2013.pdf)
148 | - [Cookieless Monster: Exploring the Ecosystem of Web-Based Device Fingerprinting](https://seclab.cs.ucsb.edu/files/publications/Nikiforakis2013Cookieless_monster.pdf)
149 | - [Revolver: An Automated Approach to the Detection of Evasive Web-based Malware](https://www.yancomm.net/papers/2013%20-%20USENIX%20Security%20-%20Revolver.pdf)
150 | - [Steal This Movie: Automatically Bypassing DRM Protection in Streaming Media Services](https://www.usenix.org/system/files/conference/usenixsecurity13/sec13-paper_wang_3.pdf)
151 | - [Two years of short URLs internet measurement: security threats and countermeasures](https://seclab.cs.ucsb.edu/files/publications/Maggi2013Two_years.pdf)
152 | - [PeerPress: utilizing enemies' P2P strength against them](https://people.engr.tamu.edu/guofei/paper/PeerPress-CCS12.pdf)
153 | - [You are what you include: large-scale evaluation of remote javascript inclusions](https://www.kapravelos.com/publications/jsinclusions-CCS12.pdf)
154 | - [Tracking Memory Writes for Malware Classification and Code Reuse Identification](https://sites.cs.ucsb.edu/~vigna/publications/2012_DIMVA_memwrite.pdf)
155 | - [ViewPoints: differential string analysis for discovering client- and server-side input validation inconsistencies](https://sites.cs.ucsb.edu/~bultan/publications/issta12.pdf)
156 | - [A quantitative study of accuracy in system call-based malware detection](https://sites.cs.ucsb.edu/~chris/research/doc/issta12_malmodels.pdf)
157 | - [Enforcing dynamic spectrum access with spectrum permits](https://sites.cs.ucsb.edu/~chris/research/doc/mobihoc12_gelato.pdf)
158 | - [Detecting social cliques for automated privacy control in online social networks](https://www.cse.usf.edu/dsg/data/publications/papers/privacy_survey_imrul.pdf)
159 | - [B@bel: Leveraging Email Delivery for Spam Mitigation](https://www.usenix.org/system/files/conference/usenixsecurity12/sec12-final59.pdf)
160 | - [PUBCRAWL: Protecting Users and Businesses from CRAWLers](https://sites.cs.ucsb.edu/~vigna/publications/2012_USENIX_pubcrawl.pdf)
161 | - [Poultry markets: on the underground economy of twitter followers](https://seclab.bu.edu/people/gianluca/papers/poultry-WOSN12.pdf)
162 | - [Past-sensitive pointer analysis for symbolic execution](https://srg.doc.ic.ac.uk/files/papers/pastsensitive-fse-20.pdf)
163 | - [MVEDSUA: Higher Availability Dynamic Software Updates via Multi-Version Execution](http://www.cs.umd.edu/~mwh/papers/mvedsua.pdf)
164 | - [Computing summaries of string loops in C for better testing and refactoring](https://srg.doc.ic.ac.uk/files/papers/loops-pldi-19.pdf)
165 | - [A segmented memory model for symbolic execution](https://srg.doc.ic.ac.uk/files/papers/segmem-esecfse-19.pdf)
166 | - [FreeDA: deploying incompatible stock dynamic analyses in production via multi-version execution](https://srg.doc.ic.ac.uk/files/papers/freeda-cf-18.pdf)
167 | - [RetroWrite: Statically Instrumenting COTS Binaries for Fuzzing and Sanitization](https://hexhive.epfl.ch/publications/files/20Oakland.pdf)
168 | - [BLESA: Spoofing Attacks against Reconnections in Bluetooth Low Energy](https://www.usenix.org/system/files/woot20-paper-wu.pdf)
169 | - [SMoTherSpectre: Exploiting Speculative Execution through Port Contention](https://arxiv.org/pdf/1903.01843.pdf)
170 | - [PoLPer: Process-Aware Restriction of Over-Privileged Setuid Calls in Legacy Applications](https://chungkim.io/doc/codaspy19-polper.pdf)
171 | - [BenchIoT: A Security Benchmark for the Internet of Things](https://hexhive.epfl.ch/publications/files/19DSN.pdf)
172 | - [Butterfly Attack: Adversarial Manipulation of Temporal Properties of Cyber-Physical Systems](https://nebelwelt.net/files/19RTSS.pdf)
173 | - [SoK: Shining Light on Shadow Stacks](https://hexhive.epfl.ch/publications/files/19Oakland.pdf)
174 | - [Pythia: Remote Oracles for the Masses](https://www.usenix.org/system/files/sec19-tsai.pdf)
175 | - [CUP: Comprehensive User-Space Protection for C/C++](https://nebelwelt.net/publications/files/18AsiaCCS.pdf)
176 | - [Milkomeda: Safeguarding the Mobile GPU Interface Using WebGL Security Checks](https://nebelwelt.net/files/18CCS2.pdf)
177 | - [Block Oriented Programming: Automating Data-Only Attacks](https://arxiv.org/pdf/1805.04767.pdf)
178 | - [CFIXX: Object Type Integrity for C++](https://hexhive.epfl.ch/publications/files/18NDSS.pdf)
179 | - [ACES: Automatic Compartments for Embedded Systems](https://engineering.purdue.edu/dcsl/publications/papers/2018/aces_usenixsec18_revision.pdf)
180 | - [Memory Safety for Embedded Devices with nesCheck](https://hexhive.epfl.ch/publications/files/17AsiaCCS2.pdf)
181 | - [DataShield: Configurable Data Confidentiality and Integrity](https://hexhive.epfl.ch/publications/files/17AsiaCCS.pdf)
182 | - [Protecting Bare-Metal Embedded Systems with Privilege Overlays](https://nebelwelt.net/files/17Oakland.pdf)
183 | - [Venerable Variadic Vulnerabilities Vanquished](https://www.usenix.org/system/files/conference/usenixsecurity17/sec17-biswas.pdf)
184 | - [One Process to Reap Them All: Garbage Collection as-a-Service](https://nebelwelt.net/files/17VEE.pdf)
185 | - [Enforcing Least Privilege Memory Views for Multithreaded Applications](https://www.cs.purdue.edu/homes/hsu62/ccs16_smv.pdf)
186 | - [Forgery-Resistant Touch-based Authentication on Mobile Devices](http://www.mariofrank.net/paper/2016_AsiaCCS_ForgeryResistantTouchAuth.pdf)
187 | - [VTrust: Regaining Trust on Virtual Calls](https://dingelish.com/vtrust.pdf)
188 | - [PSHAPE: Automatically Combining Gadgets for Arbitrary Method Execution](http://bodden.de/pubs/fbt+16pshape.pdf)
189 | - [Klotski: Efficient Obfuscated Execution against Controlled-Channel Attacks](https://www.cs.ucr.edu/~csong/asplos20-klotski.pdf)
190 | - [PatchScope: Memory Object Centric Patch Diffing](https://www.cs.ucr.edu/~heng/pubs/PatchScope_ccs20.pdf)
191 | - [Chaser: An Enhanced Fault Injection Tool for Tracing Soft Errors in MPI Applications](https://www.cs.ucr.edu/~heng/pubs/Chaser.pdf)
192 | - [ChaffyScript: Vulnerability-Agnostic Defense of JavaScript Exploits via Memory Perturbation](https://www.cs.ucr.edu/~heng/pubs/ChaffyScript_securecomm2019.pdf)
193 | - [Extracting Conditional Formulas for Cross-Platform Bug Search](https://www.cs.ucr.edu/~heng/pubs/asiaccs2017.pdf)
194 | - [Neural Network-based Graph Embedding for Cross-Platform Binary Code Similarity Detection](https://arxiv.org/pdf/1708.06525.pdf)
195 | - [SoK: Cyber Insurance - Technical Challenges and a System Security Roadmap](https://oaklandsok.github.io/papers/dambra2020.pdf)
196 | - [BakingTimer: privacy analysis of server-side request processing time](https://igor-santos.net/papers/2019/2019-sanchez-rola-acsac-bakingtimer.pdf)
197 | - [Data-Confined HTML5 Applications](https://devd.me/papers/dcs-esorics.pdf)
198 | - [SoK: Eternal War in Memory](https://people.eecs.berkeley.edu/~dawnsong/papers/Oakland13-SoK-CR.pdf)
199 | - [High System-Code Security with Low Overhead](https://pure.royalholloway.ac.uk/portal/files/25073434/oakland15.pdf)
200 | - [Code-Pointer Integrity](https://www.usenix.org/system/files/conference/osdi14/osdi14-paper-kuznetsov.pdf)
201 | - [-OVERIFY: Optimizing Programs for Fast Verification](https://www.usenix.org/system/files/conference/hotos13/hotos13-final69.pdf)
202 | 
203 | 
204 | ## Android
205 | - [Android Permissions Demystified](https://people.eecs.berkeley.edu/~dawnsong/papers/2011%20Android%20permissions%20demystified.pdf)
206 | - [IntelliDroid: A Targeted Input Generator for the Dynamic Analysis of Android Malware](https://security.csl.toronto.edu/papers/mwong_ndss2016.pdf)
207 | - [PScout: Analyzing the Android Permission Specification](https://security.csl.toronto.edu/papers/PScout-CCS2012-web.pdf)
208 | - [Broken Fingers: On the Usage of the Fingerprint API in Android](https://reyammer.io/publications/2018_ndss_fingerprint.pdf)
209 | - [Going Native: Using a Large-Scale Analysis of Android Apps to Create a Practical Native-Code Sandboxing Policy](https://www.lasca.ic.unicamp.br/paulo/papers/2016-NDSS-vitor.afonso-going.native.android.pdf)
210 | - [TriggerScope: Towards Detecting Logic Bombs in Android Applications](https://sites.cs.ucsb.edu/~vigna/publications/2016_SP_Triggerscope.pdf)
211 | - [BareDroid: Large-Scale Analysis of Android Apps on Real Devices](https://sites.cs.ucsb.edu/~vigna/publications/2015_ACSAC_Baredroid.pdf)
212 | - [Grab 'n Run: Secure and Practical Dynamic Code Loading for Android Applications](https://reyammer.io/publications/2015_acsac_grabandrun.pdf)
213 | - [NJAS: Sandboxing Unmodified Applications in non-rooted Devices Running stock Android](https://dl.acm.org/doi/pdf/10.1145/2808117.2808122)
214 | - [On the Security and Engineering Implications of Finer-Grained Access Controls for Android Developers and Users](https://reyammer.io/publications/2015_dimva_permissions.pdf)
215 | - [EdgeMiner: Automatically Detecting Implicit Control Flow Transitions through the Android Framework](https://sites.cs.ucsb.edu/~chris/research/doc/ndss15_edgeminer.pdf)
216 | - [CLAPP: characterizing loops in Android applications](https://reyammer.io/publications/2015_fse_clapp.pdf)
217 | - [What the App is That? Deception and Countermeasures in the Android User Interface](https://sites.cs.ucsb.edu/~chris/research/doc/oakland15_uideception.pdf)
218 | - [Execute This! Analyzing Unsafe and Malicious Dynamic Code Loading in Android Applications](https://reyammer.io/publications/2014_ndss_android-remote-code-execution.pdf)
219 | - [An empirical study of cryptographic misuse in android applications](https://www.cs.umd.edu/class/fall2017/cmsc818O/papers/crypto-misuse-android.pdf)
220 | - [Automatic Generation of Non-intrusive Updates for Third-Party Libraries in Android Applications](https://www.usenix.org/system/files/raid2019-duan.pdf)
221 | - [Parallel Space Traveling: A Security Analysis of App-Level Virtualization in Android](https://www.cs.ucr.edu/~heng/pubs/sacmat2020.pdf)
222 | 
223 | 
224 | ## Control-flow integrity
225 | - [Fine-Grained Control-Flow Integrity for Kernel Software](https://nebelwelt.net/files/16EUROSP.pdf)
226 | - [Stitching the Gadgets: On the Ineffectiveness of Coarse-Grained Control-Flow Integrity Protection](https://www.usenix.org/system/files/conference/usenixsecurity14/sec14-paper-davi.pdf)
227 | - [Enforcing Forward-Edge Control-Flow Integrity in GCC & LLVM](https://static.googleusercontent.com/media/research.google.com/en//pubs/archive/42808.pdf)
228 | 
229 | 
230 | ## Cyber-physical
231 | - [TRUST.IO: Protecting Physical Interfaces on Cyber-physical Systems](https://seclab.cs.ucsb.edu/files/publications/Spensky2020_Trust.pdf)
232 | 
233 | ## Symbolic execution
234 | - [Symbolic Execution and Program Testing](https://www.cs.umd.edu/class/fall2014/cmsc631/papers/king-symbolic-execution.pdf)
235 | - [DART: Directed Automated Random Testing](https://web.eecs.umich.edu/~weimerw/2014-6610/reading/p213-godefroid.pdf)
236 | - [Directed Greybox Fuzzing](https://acmccs.github.io/papers/p2329-bohmeAemb.pdf)
237 | - [The s2e platform: Design, implementation, and applications](https://dslab.epfl.ch/pubs/s2e-tocs.pdf)
238 | - [S2E: A Platform for In-Vivo Multi-Path Analysis of Software Systems](https://cseweb.ucsd.edu/~dstefan/cse291-fall16/papers/s2e.pdf)
239 | - [Klee: Unassisted and automatic generation of high-coverage tests for complex systems programs](https://hci.stanford.edu/cstr/reports/2008-03.pdf)
240 | - [Exe: automatically generating inputs of death](https://web.stanford.edu/~engler/exe-ccs-06.pdf)
241 | - [CUTE: A Concolic Unit Testing Engine for C](http://mir.cs.illinois.edu/marinov/publications/SenETAL05CUTE.pdf)
242 | - [Qsym : A Practical Concolic Execution Engine Tailored for Hybrid Fuzzing](https://www.usenix.org/system/files/conference/usenixsecurity18/sec18-yun.pdf)
243 | - [All You Ever Wanted to Know About Dynamic Taint Analysis and Forward Symbolic Execution (but might have been afraid to ask)](https://users.ece.cmu.edu/~aavgerin/papers/Oakland10.pdf)
244 | - [CAB-Fuzz: Practical Concolic Testing Techniques for COTS Operating Systems](https://www.usenix.org/system/files/conference/atc17/atc17-kim.pdf)
245 | - [Driller: Augmenting Fuzzing Through Selective Symbolic Execution](https://sites.cs.ucsb.edu/~vigna/publications/2016_NDSS_Driller.pdf)
246 | - [Enhancing Symbolic Execution with Veritesting](https://users.ece.cmu.edu/~aavgerin/papers/veritesting-icse-2014.pdf)
247 | - [SYMBION: Interleaving Symbolic with Concrete Execution](https://seclab.cs.ucsb.edu/files/publications/gritti2020_symbion.pdf)
248 | - [AutoPandas: Neural-Backed Generators for ProgramSynthesis](https://people.eecs.berkeley.edu/~ksen/papers/autopandas2.pdf)
249 | - [Chopped symbolic execution](https://srg.doc.ic.ac.uk/files/papers/chopper-icse-18.pdf)
250 | - [PARTI: a multi-interval theory solver for symbolic execution](https://srg.doc.ic.ac.uk/files/papers/parti-ase-18.pdf)
251 | - [Accelerating array constraints in symbolic execution](https://srg.doc.ic.ac.uk/files/papers/klee-array-17.pdf)
252 | - [Automatic testing of symbolic execution engines via program generation and differential testing](https://srg.doc.ic.ac.uk/files/papers/symex-engine-tester-ase-17.pdf)
253 | - [Floating-point symbolic execution: a case study in n-version programming](https://srg.doc.ic.ac.uk/files/papers/klee-n-version-fp-ase-17.pdf)
254 | - [A DSL Approach to Reconcile Equivalent Divergent Program Executions](https://srg.doc.ic.ac.uk/files/papers/varan-dsl-atc-17.pdf)
255 | - [Analysing the program analyser](https://spiral.imperial.ac.uk/bitstream/10044/1/29767/8/16-analysers-v2025.pdf)
256 | - [Shadow of a doubt: testing for divergences between software versions](https://srg.doc.ic.ac.uk/files/papers/shadow-icse-16.pdf)
257 | - [Symbooglix: A Symbolic Execution Engine for Boogie Programs](https://www.doc.ic.ac.uk/~afd/homepages/papers/pdfs/2016/ICST.pdf)
258 | - [VARAN the Unbelievable: An Efficient N-version Execution Framework](https://srg.doc.ic.ac.uk/files/papers/varan-asplos-15.pdf)
259 | - [Targeted program transformations for symbolic execution](https://www.doc.ic.ac.uk/~cristic/papers/symex-transf-fse-ni-15.pdf)
260 | - [Shadow symbolic execution for better testing of evolving software](https://srg.doc.ic.ac.uk/files/papers/shadow-icse-nier-14.pdf)
261 | - [Covrig: a framework for the analysis of code, test, and coverage evolution in real software](https://spiral.imperial.ac.uk/bitstream/10044/1/23359/2/covrig-issta-14.pdf)
262 | - [Multi-solver Support in Symbolic Execution](https://srg.doc.ic.ac.uk/files/papers/klee-multisolver-cav-13.pdf)
263 | - [Efficient State Merging in Symbolic Execution](https://www.unibw.de/patch/papers/pldi12.pdf/@@download/file/pldi12.pdf)
264 | - [Testing Closed-Source Binary Device Drivers with DDT](https://www.usenix.org/legacy/events/atc10/tech/full_papers/Kuznetsov.pdf)
265 | - [Running symbolic execution forever](https://srg.doc.ic.ac.uk/files/papers/moklee-issta-20.pdf)
266 | 
267 | 
268 | ## Program instrumentation
269 | - [Valgrind: A framework for heavyweight dynamic binary instrumentation](https://www.cs.columbia.edu/~junfeng/09fa-e6998/papers/valgrind.pdf)
270 | - [Pin: Building Customized Program Analysis Tools with Dynamic Instrumentation](https://www.cs.ucr.edu/~heng/teaching/cs260-winter2017/luk05pin.pdf)
271 | - [Llvm: A compilation framework for lifelong program analysis & transformation](https://llvm.org/pubs/2003-09-30-LifelongOptimizationTR.pdf)
272 | - [PEBIL: Efficient Static Binary Instrumentation for Linux](http://users.sdsc.edu/~lcarring/Papers/2010_ISPASS.pdf)
273 | - [DECAF++: Elastic Whole-System Dynamic Taint Analysis](https://www.cs.ucr.edu/~heng/pubs/DECAF++.pdf)
274 | - [Make It Work, Make It Right, Make It Fast: Building a Platform-Neutral Whole-System Dynamic Binary Analysis Platform](https://www.cs.ucr.edu/~heng/pubs/issta14.pdf)
275 | - [Repeateable Reverse Engineering for the Greater Good with PANDA](https://mice.cs.columbia.edu/getTechreport.php?techreportID=1588&disposition=inline&format=pdf)
276 | 
277 | 
278 | ## Sanitizer
279 | - [AddressSanitizer: A Fast Address Sanity Checker](https://www.usenix.org/system/files/conference/atc12/atc12-final39.pdf)
280 | - [MemorySanitizer: fast detector of uninitialized memory use in C++](https://static.googleusercontent.com/media/research.google.com/en//pubs/archive/43308.pdf)
281 | - [ThreadSanitizer – data race detection in practice](https://static.googleusercontent.com/media/research.google.com/en//pubs/archive/35604.pdf)
282 | - [FuZZan: Efficient Sanitizer Metadata Design for Fuzzing](https://www.usenix.org/system/files/atc20-jeon.pdf)
283 | 
284 | ## Virtualisation
285 | - [Xen and the Art of Virtualization](https://www.cl.cam.ac.uk/research/srg/netos/papers/2003-xensosp.pdf)
286 | - [QEMU, a Fast and Portable Dynamic Translator](https://www.usenix.org/legacy/publications/library/proceedings/usenix05/tech/freenix/full_papers/bellard/bellard.pdf)
287 | - [Kvm: the linux virtual machine monitor](https://www.kernel.org/doc/ols/2007/ols2007v1-pages-225-230.pdf)
288 | - [Virtualization without direct execution or jitting: Designing a portable virtual machine infrastructure.](http://bochs.sourceforge.net/Virtualization_Without_Hardware_Final.pdf)
289 | - [Argos: an emulator for fingerprinting zero-day attacks](https://www.few.vu.nl/argos/papers/argos_eurosys06.pdf)
290 | - [Digtool: A Virtualization-Based Framework for Detecting Kernel Vulnerabilities](https://www.usenix.org/system/files/conference/usenixsecurity17/sec17-pan.pdf)
291 | 
292 | 
293 | 
294 | 
295 | 
296 | ## Fuzzing
297 | - [USBFuzz: A Framework for Fuzzing USB Drivers by Device Emulation](https://www.usenix.org/system/files/sec20-peng_0.pdf)
298 | - [FirmFuzz: Automated IoT Firmware Introspection and Analysis](http://web.mit.edu/ha22286/www/papers/IoTS&P19.pdf)
299 | - [Evaluating Fuzz Testing](https://arxiv.org/pdf/1808.09700.pdf)
300 | - [Billions and Billions of Constraints: Whitebox Fuzz Testing in Production](https://www.microsoft.com/en-us/research/wp-content/uploads/2016/02/main-may10.pdf)
301 | - [Fuzzing: The State of the Art](https://fuzzinginfo.files.wordpress.com/2012/05/dsto-tn-1043-pr.pdf)
302 | - [Automated Test Input Generation for Android: Are We There Yet?](https://arxiv.org/pdf/1503.07217.pdf)
303 | - [Send Hardest Problems My Way: Probabilistic Path Prioritization for Hybrid Fuzzing](https://www.cs.ucr.edu/~heng/pubs/digfuzz_ndss19.pdf)
304 | - [Scheduling Black-box Mutational Fuzzing](https://users.ece.cmu.edu/~sangkilc/papers/ccs13-woo.pdf)
305 | - [T-Fuzz: Fuzzing by Program Transformation](https://www.yancomm.net/papers/2018%20-%20SP%20-%20T-Fuzz.pdf)
306 | - [Hawkeye: Towards a Desired Directed Grey-box Fuzzer](https://chenbihuan.github.io/paper/ccs18-chen-hawkeye.pdf)
307 | - [Taint-based Directed Whitebox Fuzzing](https://people.csail.mit.edu/rinard/paper/icse09.pdf)
308 | - [Detecting Atomic-Set Serializability Violations in Multithreaded Programs through Active Randomized Testing](https://www.cs.cityu.edu.hk/~wkchan/papers/icse10-lai+cheung+chan.pdf)
309 | - [Statically-Directed Dynamic Automated Test Generation](https://www.domagoj-babic.com/uploads/Pubs/ISSTA11sandwich/issta11sandwich.pdf)
310 | - [Systematic Fuzzing and Testing of TLS Libraries](https://www.nds.ruhr-uni-bochum.de/media/nds/veroeffentlichungen/2016/10/19/tls-attacker-ccs16.pdf)
311 | - [STADS: Software Testing as Species Discovery](https://arxiv.org/pdf/1803.02130.pdf)
312 | - [PeriScope: An Effective Probing and Fuzzing Framework for the Hardware-OS Boundary](https://www.ndss-symposium.org/wp-content/uploads/2019/02/ndss2019_04A-1_Song_paper.pdf)
313 | - [Random Testing for Security: Blackbox vs. Whitebox Fuzzing](https://patricegodefroid.github.io/public_psfiles/abstract-rt2007.pdf)
314 | - [perf fuzzer: Targeted Fuzzing of the perf event open() System Call](http://web.eece.maine.edu/~vweaver/projects/perf_events/fuzzer/2015_perf_fuzzer_tr.pdf)
315 | - [PULSAR: Stateful Black-Box Fuzzing of Proprietary Network Protocols](https://hugogascon.com/publications/2015-securecomm.pdf)
316 | - [Learn&Fuzz: Machine Learning for Input Fuzzing](https://arxiv.org/pdf/1701.07232.pdf)
317 | - [Model-Based Whitebox Fuzzing for Program Binaries](https://mboehme.github.io/paper/ASE16.pdf)
318 | - [FairFuzz: A Targeted Mutation Strategy for Increasing Greybox Fuzz Testing Coverage](https://www.carolemieux.com/fairfuzz-ase18.pdf)
319 | - [LZfuzz: a fast compression-based fuzzer for poorly documented protocols](https://digitalcommons.dartmouth.edu/cgi/viewcontent.cgi?article=1318&context=cs_tr)
320 | - [jFuzz: A Concolic Whitebox Fuzzer for Java](https://ece.uwaterloo.ca/~vganesh/Publications_files/vg-NFM2009-jFuzz.pdf)
321 | - [T-Fuzz: Model-Based Fuzzing for Robustness Testing of Telecommunication Protocols](https://core.ac.uk/download/pdf/187598761.pdf)
322 | - [VUzzer: Application-aware Evolutionary Fuzzing](https://download.vusec.net/papers/vuzzer_ndss17.pdf)
323 | - [MoonShine: Optimizing OS Fuzzer Seed Selection with Trace Distillation](https://www.cs.columbia.edu/~suman/docs/moonshine.pdf)
324 | - [Automated Whitebox Fuzz Testing](https://patricegodefroid.github.io/public_psfiles/ndss2008.pdf)
325 | - [KameleonFuzz: Evolutionary Fuzzing for Black-Box XSS Detection](https://www.cs.huji.ac.il/~ai/projects/2014/EvolutionaryXSSDetector/files/original_article.pdf)
326 | - [Grammar-based Whitebox Fuzzing](https://people.csail.mit.edu/akiezun/pldi-kiezun.pdf)
327 | - [Skyfire: Data-Driven Seed Generation for Fuzzing](https://www.ieee-security.org/TC/SP2017/papers/42.pdf)
328 | - [CollAFL: Path Sensitive Fuzzing](http://barbie.uta.edu/~xlren/Fuzzing/path-sensitive-fuzzing.pdf)
329 | - [PerfFuzz: Automatically Generating Pathological Inputs](https://www.carolemieux.com/perffuzz-issta2018.pdf)
330 | - [Pex–White Box Test Generation for .NET](https://web.eecs.umich.edu/~weimerw/2014-6610/reading/pex.pdf)
331 | - [IMF: Inferred Model-based Fuzzer](https://acmccs.github.io/papers/p2345-hanA.pdf)
332 | - [Many-Core Compiler Fuzzing](http://multicore.doc.ic.ac.uk/tools/CLsmith/PLDI15/paper.pdf)
333 | - [QuickFuzz: An Automatic Random Fuzzer for Common File Formats](https://people.kth.se/~buiras/publications/QFHaskell2016.pdf)
334 | - [Steelix: program-state based binary fuzzing](https://people.engr.tamu.edu/guofei/paper/Wang_TISSEC11_TaintScope.pdf)
335 | - [kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels](https://www.usenix.org/system/files/conference/usenixsecurity17/sec17-schumilo.pdf)
336 | - [Fuzzing with Code Fragments](https://www.usenix.org/system/files/conference/usenixsecurity12/sec12-final73.pdf)
337 | - [Optimizing Seed Selection for Fuzzing](https://www.usenix.org/system/files/conference/usenixsecurity14/sec14-paper-rebert.pdf)
338 | - [Protocol State Fuzzing of TLS Implementations](https://www.usenix.org/system/files/conference/usenixsecurity15/sec15-paper-de-ruiter.pdf)
339 | - [Checksum-Aware Fuzzing Combined with Dynamic Taint Analysis and Symbolic Execution]()
340 | - [A Framework for File Format Fuzzing with Genetic Algorithms](https://trace.tennessee.edu/cgi/viewcontent.cgi?article=2402&context=utk_graddiss)
341 | - [Differential Testing for Software](https://www.hpl.hp.com/hpjournal/dtj/vol10num1/vol10num1art9.pdf)
342 | - [Effective Random Testing of Concurrent Programs](https://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.73.876&rep=rep1&type=pdf)
343 | - [HFL: Hybrid Fuzzing on the Linux Kernel](https://www.unexploitable.systems/publication/kimhfl/)
344 | - [HotFuzz: Discovering Algorithmic Denial-of-Service Vulnerabilities Through Guided Micro-Fuzzing](https://www.researchgate.net/publication/339164746_HotFuzz_Discovering_Algorithmic_Denial-of-Service_Vulnerabilities_Through_Guided_Micro-Fuzzing)
345 | - [HYPER-CUBE: High-Dimensional Hypervisor Fuzzing](https://www.syssec.ruhr-uni-bochum.de/media/emma/veroeffentlichungen/2020/02/07/Hyper-Cube-NDSS20.pdf)
346 | - [Not All Coverage Measurements Are Equal: Fuzzing by Coverage Accounting for Input Prioritization](https://www.ndss-symposium.org/wp-content/uploads/2020/02/24422.pdf)
347 | - [REDQUEEN: Fuzzing with Input-to-State Correspondence](https://www.syssec.ruhr-uni-bochum.de/media/emma/veroeffentlichungen/2018/12/17/NDSS19-Redqueen.pdf)
348 | - [Life after Speech Recognition: Fuzzing Semantic Misinterpretation for Voice Assistant Applications](https://www.ndss-symposium.org/wp-content/uploads/2019/02/ndss2019_08-4_Zhang_paper.pdf)
349 | - [INSTRIM: Lightweight Instrumentation for Coverage-guided Fuzzing](https://www.ndss-symposium.org/wp-content/uploads/2018/07/bar2018_14_Hsu_paper.pdf)
350 | - [IoTFuzzer: Discovering Memory Corruptions in IoT Through App-based Fuzzing](http://wp.internetsociety.org/ndss/wp-content/uploads/sites/25/2018/02/ndss2018_01A-1_Chen_paper.pdf)
351 | - [What You Corrupt Is Not What You Crash: Challenges in Fuzzing Embedded Devices](http://s3.eurecom.fr/docs/ndss18_muench.pdf)
352 | - [Fuzzing JavaScript Engines with Aspect-preserving Mutation](https://jakkdu.github.io/pubs/2020/park:die.pdf)
353 | - [IJON: Exploring Deep State Spaces via Fuzzing](https://www.syssec.ruhr-uni-bochum.de/media/emma/veroeffentlichungen/2020/02/27/IJON-Oakland20.pdf)
354 | - [Krace: Data Race Fuzzing for Kernel File Systems](https://www.cc.gatech.edu/~mxu80/pubs/xu:krace.pdf)
355 | - [Pangolin:Incremental Hybrid Fuzzing with Polyhedral Path Abstraction](https://qingkaishi.github.io/public_pdfs/SP2020.pdf)
356 | - [Full-speed Fuzzing: Reducing Fuzzing Overhead through Coverage-guided Tracing](https://www.computer.org/csdl/proceedings-article/sp/2019/666000b122/19skgbGVFEQ)
357 | - [Fuzzing File Systems via Two-Dimensional Input Space Exploration](https://www.computer.org/csdl/proceedings-article/sp/2019/666000a594/19skfLYOpaw)
358 | - [NEUZZ: Efficient Fuzzing with Neural Program Smoothing](https://www.computer.org/csdl/proceedings-article/sp/2019/666000a900/19skg5XghG0)
359 | - [Razzer: Finding Kernel Race Bugs through Fuzzing](https://www.computer.org/csdl/proceedings-article/sp/2019/666000a296/19skfwZLirm)
360 | - [Program-Adaptive Mutational Fuzzing](https://softsec.kaist.ac.kr/~sangkilc/papers/cha-oakland15.pdf)
361 | - [TaintScope: A checksum-aware directed fuzzing tool for automatic software vulnerability detection](https://ieeexplore.ieee.org/abstract/document/5504701)
362 | - [FANS: Fuzzing Android Native System Services via Automated Interface Analysis](https://www.usenix.org/conference/usenixsecurity20/presentation/liu)
363 | - [Analysis of DTLS Implementations Using Protocol State Fuzzing](https://www.usenix.org/conference/usenixsecurity20/presentation/fiterau-brostean)
364 | - [EcoFuzz: Adaptive Energy-Saving Greybox Fuzzing as a Variant of the Adversarial Multi-Armed Bandit](https://www.usenix.org/conference/usenixsecurity20/presentation/yue)
365 | - [Fuzzing Error Handling Code using Context-Sensitive Software Fault Injection](https://www.usenix.org/conference/usenixsecurity20/presentation/jiang)
366 | - [FuzzGen: Automatic Fuzzer Generation](https://www.usenix.org/conference/usenixsecurity20/presentation/ispoglou)
367 | - [ParmeSan: Sanitizer-guided Greybox Fuzzing](https://www.usenix.org/conference/usenixsecurity20/presentation/osterlund)
368 | - [SpecFuzz: Bringing Spectre-type vulnerabilities to the surface](https://www.usenix.org/conference/usenixsecurity20/presentation/oleksenko)
369 | - [FuzzGuard: Filtering out Unreachable Inputs in Directed Grey-box Fuzzing through Deep Learning](https://www.usenix.org/conference/usenixsecurity20/presentation/zong)
370 | - [Montage: A Neural Network Language Model-Guided JavaScript Engine Fuzzer](https://www.usenix.org/conference/usenixsecurity20/presentation/lee-suyoung)
371 | - [GREYONE: Data Flow Sensitive Fuzzing](https://www.usenix.org/conference/usenixsecurity20/presentation/gan)
372 | - [Fuzzification: Anti-Fuzzing Techniques](https://www.usenix.org/conference/usenixsecurity19/presentation/jung)
373 | - [AntiFuzz: Impeding Fuzzing Audits of Binary Executables](https://www.usenix.org/conference/usenixsecurity19/presentation/guler)
374 | - [Charm: Facilitating Dynamic Analysis of Device Drivers of Mobile Systems](https://www.usenix.org/conference/usenixsecurity18/presentation/talebi)
375 | - [OSS-Fuzz - Google's continuous fuzzing service for open source software](https://www.usenix.org/conference/usenixsecurity17/technical-sessions/presentation/serebryany)
376 | - [Intriguer: Field-Level Constraint Solving for Hybrid Fuzzing](https://dl.acm.org/citation.cfm?id=3354249)
377 | - [Learning to Fuzz from Symbolic Execution with Application to Smart Contracts](https://files.sri.inf.ethz.ch/website/papers/ccs19-ilf.pdf)
378 | - [Matryoshka: fuzzing deeply nested branches](https://web.cs.ucdavis.edu/~hchen/paper/chen2019matryoshka.pdf)
379 | - [SemFuzz: Semantics-based Automatic Generation of Proof-of-Concept Exploits](https://www.informatics.indiana.edu/xw7/papers/p2139-you.pdf)
380 | - [AFL-based Fuzzing for Java with Kelinci](https://dl.acm.org/citation.cfm?id=3138820)
381 | - [SlowFuzz: Automated Domain-Independent Detection of Algorithmic Complexity Vulnerabilities](https://arxiv.org/pdf/1708.08437.pdf)
382 | - [DIFUZE: Interface Aware Fuzzing for Kernel Drivers](https://acmccs.github.io/papers/p2123-corinaA.pdf)
383 | - [Coverage-based Greybox Fuzzing as Markov Chain](https://ieeexplore.ieee.org/abstract/document/8233151)
384 | - [eFuzz: A Fuzzer for DLMS/COSEM Electricity Meters](http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.817.5616&rep=rep1&type=pdf)
385 | - [Taming compiler fuzzers](https://www.cs.utah.edu/~regehr/papers/pldi13.pdf)
386 | - [SAGE: whitebox fuzzing for security testing](https://dl.acm.org/citation.cfm?id=2094081)
387 | - [Synthesizing Racy Tests](https://www.cs.purdue.edu/homes/suresh/papers/pldi15a.pdf)
388 | - [Coverage-Directed Differential Testing of JVM Implementations](https://chengniansun.bitbucket.io/papers/pldi16.pdf)
389 | - [Synthesizing Program Input Grammars](https://arxiv.org/pdf/1608.01723.pdf)
390 | - [Angora: Efficient Fuzzing by Principled Search](https://web.cs.ucdavis.edu/~hchen/paper/chen2018angora.pdf)
391 | - [Well There’s Your Problem: Isolating the Crash-Inducing Bits in a Fuzzed File](https://resources.sei.cmu.edu/asset_files/TechnicalNote/2012_004_001_28149.pdf)
392 | - [IFuzzer: An Evolutionary Interpreter Fuzzer using Genetic Programming](https://download.vusec.net/papers/ifuzzer-esorics16.pdf)
393 | - [Designing New Operating Primitives to Improve Fuzzing Performance](https://multics69.github.io/pages/pubs/fuzzing-xu-ccs17.pdf)
394 | - [Dowsing for Overflows: A Guided Fuzzer to Find Buffer Boundary Violations](https://www.cs.vu.nl/~herbertb/papers/dowser_usenixsec13.pdf)
395 | - [Automated Testing for SQL Injection Vulnerabilities: An Input Mutation Approach](https://www.researchgate.net/profile/Cu_Nguyen/publication/262048518_Automated_Testing_for_SQL_Injection_Vulnerabilities_An_Input_Mutation_Approach/links/00b495367f13ad00a5000000/Automated-Testing-for-SQL-Injection-Vulnerabilities-An-Input-Mutation-Approach.pdf)
396 | - [Turning Programs against Each Other: High Coverage Fuzz-Testing using Binary-Code Mutation and Dynamic Slicing](https://www.ida.liu.se/~ulfka17/papers/FSE2015.pdf)
397 | - [KiF: A stateful SIP Fuzzer](https://hal.inria.fr/inria-00166947/PDF/Kif_A_stateful_SIP_Fuzzer.pdf)
398 | - [GRT: Program-Analysis-Guided Random Testing](https://people.kth.se/~artho/papers/lei-ase2015.pdf)
399 | - [Autodafe: an Act of Software Torture](https://infoscience.epfl.ch/record/140525/files/Vuagnoux05.pdf)
400 | - [Singularity: Pattern Fuzzing for Worst Case Complexity](https://www.cs.utexas.edu/users/isil/fse18.pdf)
401 | - [Exploring Abstraction Functions in Fuzzing](https://sites.cs.ucsb.edu/~vigna/publications/2020_CNS_FuzzSense.pdf)
402 | - [FuzzFactory: domain-specific fuzzing with waypoints](https://dl.acm.org/doi/pdf/10.1145/3360600)
403 | - [Zest: Validity Fuzzing and Parametric Generators for Effective Random Testing](https://www.researchgate.net/profile/Koushik_Sen8/publication/329388154_Zest_Validity_Fuzzing_and_Parametric_Generators_for_Effective_Random_Testing/links/5c45bb0a299bf12be3d7f286/Zest-Validity-Fuzzing-and-Parametric-Generators-for-Effective-Random-Testing.pdf)
404 | - [Semantic fuzzing with zest](https://arxiv.org/pdf/1812.00078.pdf)
405 | - [JQF: coverage-guided property-based testing in Java](https://people.eecs.berkeley.edu/~rohanpadhye/files/jqf-issta19.pdf)
406 | - [FUDGE: fuzz driver generation at scale](https://storage.googleapis.com/pub-tools-public-publication-data/pdf/df9df05d2f5bfe279dc1c0ce6cf51072d5ee1feb.pdf)
407 | - [FairFuzz: Targeting Rare Branches to Rapidly Increase Greybox Fuzz Testing Coverage](https://arxiv.org/pdf/1709.07101.pdf)
408 | - [FIRM-AFL: High-Throughput Greybox Fuzzing of IoT Firmware via Augmented Process Emulation](https://www.cs.ucr.edu/~heng/pubs/FirmAFL.pdf)
409 | - [Be Sensitive and Collaborative: Analyzing Impact of Coverage Metrics in Greybox Fuzzing](https://www.usenix.org/system/files/raid2019-wang-jinghan.pdf)
410 | - [Enhancing Memory Error Detection for Large-Scale Applications and Fuzz Testing](http://cps.kaist.ac.kr/papers/18-MEDS-han.pdf)
411 | 
412 | 
413 | ## Malware
414 | - [An Abstract Theory of Computer Viruses](https://www.cin.ufpe.br/~ruy/crypto/virus/ala01.pdf)
415 | - [Precise system-wide concatic malware unpacking](https://arxiv.org/pdf/1908.09204.pdf)
416 | - [A characterisation of system-wide propagation in the malware landscape](https://arxiv.org/pdf/1908.10167.pdf)
417 | - [Capturing Malware Propagations with Code Injections and Code-Reuse Attacks](https://acmccs.github.io/papers/p1691-korczynskiA.pdf)
418 | - [System-level support for intrusion recovery](http://www.syssec-project.eu/m/page-media/3/diskduster-dimva12.pdf)
419 | - [Repeconstruct: reconstructing binaries with self-modifying code and import address table destruction](https://www.semanticscholar.org/paper/RePEconstruct%3A-reconstructing-binaries-with-code-Korczynski/28d1465ed7e378d4cf778f58fe4c4eaf33652251)
420 | - [Automated classification and analysis of internet malware](https://jon.oberheide.org/files/raid07-malware.pdf)
421 | - [WYSINWYX: What You See Is Not What You eXecute](https://research.cs.wisc.edu/wpis/papers/wysinwyx.final.pdf)
422 | - [Quincy: Detecting Host-Based Code Injection Attacks in Memory Dumps](https://net.cs.uni-bonn.de/fileadmin/ag/martini/Staff/barabosch_quincy_dimva2017.pdf)
423 | - [Bee master: Detecting host-based code injection attacks](https://net.cs.uni-bonn.de/fileadmin/ag/martini/Staff/barabosch_bee_master_dimva_2014.pdf)
424 | - [Host-based code injection attacks: A popular technique used by malware](https://net.cs.uni-bonn.de/fileadmin/ag/martini/Staff/barabosch_HBCIAs_MALCON_2014.pdf)
425 | - [Scalable, Behavior-Based Malware Clustering](https://sites.cs.ucsb.edu/~chris/research/doc/ndss09_cluster.pdf)
426 | - [A View on Current Malware Behaviors](https://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.448.3918&rep=rep1&type=pdf)
427 | - [Dynamic analysis of malicious code](https://sites.cs.ucsb.edu/~chris/research/doc/virology06_dynamic.pdf)
428 | - [Behavior abstraction in malware analysis.](https://hal.inria.fr/inria-00536500/file/RV-preprint.pdf)
429 | - [Detecting Hardware-Assisted Virtualization](https://christian-rossow.de/publications/detectvt-dimva2016.pdf)
430 | - [BitScope: Automatically Dissecting Malicious Binaries](http://bitblaze.cs.berkeley.edu/papers/bitscope_tr_2007.pdf)
431 | - [On the Limits of Information Flow Techniques for Malware Analysis and Containment](https://www.comp.nus.edu.sg/~prateeks/papers/saxena-dimva08.pdf)
432 | - [Understanding Linux Malware](https://reyammer.io/publications/2018_oakland_linuxmalware.pdf)
433 | - [Ether: Malware Analysis via Hardware Virtualization Extensions](http://ether.gtisc.gatech.edu/ether_ccs_2008.pdf)
434 | - [Dynamic Spyware Analysis](http://bitblaze.cs.berkeley.edu/papers/usenix07.pdf)
435 | - [A Survey on Automated Dynamic Malware Analysis Techniques and Tools](https://publications.sba-research.org/publications/malware_survey.pdf)
436 | - [CodeXt: Automatic Extraction of Obfuscated Attack Code from Memory Dump](https://cs.gmu.edu/~xwangc/Publications/ISC2014-AttackCodeExtraction-final.pdf)
437 | - [A Survey of Mobile Malware in the Wild](https://www.cs.odu.edu/~cs441/Papers/sec-011.pdf)
438 | - [Attacks on More Virtual Machine Emulators](http://pferrie.tripod.com/papers/attacks2.pdf)
439 | - [Malware as interaction machines: A new framework for behavior modelling](https://www.researchgate.net/profile/Herve_Debar/publication/220673358_Malware_as_interaction_machines_A_new_framework_for_behavior_modelling/links/0fcfd5087b15854379000000/Malware-as-interaction-machines-A-new-framework-for-behavior-modelling.pdf)
440 | - [Malware dynamic recompilation](https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6759227)
441 | - [Secure and advanced unpacking using computer emulation.](https://link.springer.com/article/10.1007/s11416-007-0046-0)
442 | - [Renovo: A Hidden Code Extractor for Packed Executables](http://bitblaze.cs.berkeley.edu/papers/renovo.pdf)
443 | - [Emulating Emulation-Resistant Malware](http://bitblaze.cs.berkeley.edu/papers/VMSec02-kang.pdf)
444 | - [Backtracking intrusions](https://www2.cs.duke.edu/courses/cps210/spring06/papers/p190-king.pdf)
445 | - [Counteracting Data-Only Malware with Code Pointer Examination](https://www.sec.in.tum.de/i20/publications/counteracting-data-only-malware-with-code-pointer-examination/@@download/file/kittelraid2015.pdf)
446 | - [The power of procrastination: Detection and mitigation of execution-stalling malicious code](https://publik.tuwien.ac.at/files/PubDat_204777.pdf)
447 | - [Polymorphic worm detection using structural information of executables.](https://www.auto.tuwien.ac.at/~chris/research/doc/raid05_polyworm.pdf)
448 | - [Static disassembly of obfuscated binaries](https://sites.cs.ucsb.edu/~chris/research/doc/usenix04_disasm.pdf)
449 | - [Testing closedsource binary device drivers with ddt](https://dslab.epfl.ch/pubs/ddt.pdf)
450 | - [The dropper effect: Insights into malware distribution with downloader graph analytics](http://users.umiacs.umd.edu/~tdumitra/papers/CCS-2015.pdf)
451 | - [Exploiting diverse observation perspectives to get insights on the malware landscape](https://ieeexplore.ieee.org/document/5544291)
452 | - [Scalability, fidelity and stealth in the drakvuf dynamic malware analysis system](https://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.684.5968&rep=rep1&type=pdf)
453 | - [Graph matching networks for learning the similarity of graph structured objects](https://arxiv.org/pdf/1904.12787.pdf)
454 | - [Detecting environment-sensitive malware](http://www.syssec-project.eu/m/page-media/3/disarm-raid11.pdf)
455 | - [Omniunpack: Fast, generic, and safe unpacking of malware](https://wiki.smu.edu.sg/flyer/images/2/26/OmniUnpack.pdf)
456 | - [Exploring multiple execution paths for malware analysis](https://sites.cs.ucsb.edu/~chris/research/doc/oakland07_explore.pdf)
457 | - [Malpedia: A collaborative effort to inventorize the malware landscape](https://journal.cecyf.fr/ojs/index.php/cybin/article/download/17/20)
458 | - [Rop payload detection using speculative code execution](https://www3.cs.stonybrook.edu/~mikepo/papers/ropscan.malware11.pdf)
459 | - [Sweetbait: Zero-hour worm detection and containment using low- and high-interaction honeypots](https://www.portokalidis.net/files/sweetbait_tr05.pdf)
460 | - [Paranoid android: Versatile protection for smartphones](http://www.syssec-project.eu/m/page-media/3/paranoid-android-acsac10.pdf)
461 | - [Detecting system emulators](https://publik.tuwien.ac.at/files/pub-inf_5317.pdf)
462 | - [Large-scale analysis of malware downloaders](https://chrisdietri.ch/files/downloaders-dimva12.pdf)
463 | - [Prudent practices for designing malware experiments: Status quo and outlook](https://oaklandsok.github.io/papers/rossow2012.pdf)
464 | - [Polyunpack: Automating the hidden-code extraction of unpack-executing malware](https://www.acsac.org/2006/papers/122.pdf)
465 | - [AVCLASS: A Tool for Massive Malware Labeling](http://software.imdea.org/~juanca/papers/avclass_raid16.pdf)
466 | - [A fast automaton-based method for detecting anomalous program behaviors](http://seclab.cs.sunysb.edu/seclab/pubs/ieee01.pdf)
467 | - [Malrec: Compact fulltrace malware recording for retrospective deep analysis](https://par.nsf.gov/servlets/purl/10084747)
468 | - [Eureka: A framework for enabling static malware analysis](http://www.csl.sri.com/users/vinod/papers/Eureka.pdf)
469 | - [Pointless tainting?: Evaluating the practicality of pointer tainting](https://www.cs.vu.nl/~herbertb/papers/pointless_eurosys09.pdf)
470 | - [Deepmem: Learning graph neural network models for fast and robust memory forensic analysis](https://www.cs.ucr.edu/~heng/pubs/deepmem_ccs18.pdf)
471 | - [Sok: Deep packer inspection: A longitudinal study of the complexity of run-time packers](http://s3.eurecom.fr/docs/oakland15_packing.pdf)
472 | - [Evading android runtime analysis via sandbox detection](https://users.ece.cmu.edu/~tvidas/papers/ASIACCS14.pdf)
473 | - [Persistent data-only malware: Function hooks without code](https://www.ndss-symposium.org/wp-content/uploads/2017/09/11_2_1.pdf)
474 | - [Deep ground truth analysis of current android malware](https://www.cs.bgsu.edu/sanroy/Files/papers/amd2017.pdf)
475 | - [Mose: Live migration based on-the-fly software emulation](http://web.eng.fiu.edu/aperezpo/CAE_R/OSPapers/Analysis-2.pdf)
476 | - [Toward automated dynamic malware analysis using cwsandbox](https://www.ei.ruhr-uni-bochum.de/media/nds/veroeffentlichungen/2011/08/17/j2holz.pdf)
477 | - [Cxpinspector: Hypervisorbased, hardware-assisted system monitoring](https://www.syssec.ruhr-uni-bochum.de/media/emma/veroeffentlichungen/2012/11/26/TR-HGI-2012-002.pdf)
478 | - [A generic approach to automatic deobfuscation of executable code](https://www.sysnet.ucsd.edu/~bjohanne/assets/papers/2015oakland.pdf)
479 | - [Symbolic execution of obfuscated code](https://www2.cs.arizona.edu/people/debray/Publications/ccs2015-symbolic.pdf)
480 | - [V2e: Combining hardware virtualization and software emulation for transparent and extensible malware analysis](https://www.cs.ucr.edu/~heng/pubs/v2e.pdf)
481 | - [Droidscope: Seamlessly reconstructing the os and dalvik semantic views for dynamic android malware analysis](https://www.usenix.org/system/files/conference/usenixsecurity12/sec12-final107.pdf)
482 | - [Panorama: Capturing system-wide information flow for malware detection and analysis](http://bitblaze.cs.berkeley.edu/papers/panorama.pdf)
483 | - [Dissecting android malware: Characterization and Evolution](https://www.csc2.ncsu.edu/faculty/xjiang4/pubs/OAKLAND12.pdf)
484 | - [Abusing File Processing in Malware Detectors for Fun and Profit](https://www.cs.cornell.edu/~shmat/shmat_oak12av.pdf)
485 | - [Input Generation via Decomposition and Re-Stitching: Finding Bugs in Malware](http://bitblaze.cs.berkeley.edu/papers/restitching.pdf)
486 | - [Hulk: Eliciting Malicious Behavior in Browser Extensions](https://www.usenix.org/system/files/conference/usenixsecurity14/sec14-paper-kapravelos.pdf)
487 | - [Mining specifications of malicious behavior](https://publik.tuwien.ac.at/files/pub-inf_5316.pdf)
488 | - [When Malware is Packin' Heat; Limits of Machine Learning Classifiers Based on Static Analysis Features](https://www.ndss-symposium.org/wp-content/uploads/2020/02/24310-paper.pdf)
489 | - [Neurlux: dynamic malware analysis without feature engineering](https://arxiv.org/pdf/1910.11376.pdf)
490 | - [Using Loops For Malware Classification Resilient to Feature-unaware Perturbations](https://sites.cs.ucsb.edu/~chris/research/doc/acsac18_loops.pdf)
491 | - [Cloud Strife: Mitigating the Security Risks of Domain-Validated Certificates](https://sites.cs.ucsb.edu/~vigna/publications/2018_NDSS_CloudStrife.pdf)
492 | - [MineSweeper: An In-depth Look into Drive-by Cryptocurrency Mining and Its Defense](https://download.vusec.net/papers/minesweeper_ccs18.pdf)
493 | - [Dark Hazard: Learning-based, Large-Scale Discovery of Hidden Sensitive Operations in Android Apps](https://www.cs.ucr.edu/~heng/pubs/ndss2017.pdf)
494 | - [JSForce: A Forced Execution Engine for Malicious JavaScript Detection](https://arxiv.org/pdf/1701.07860.pdf)
495 | - [Things You May Not Know About Android (Un)Packers: A Systematic Study based on Whole-System Emulation](https://homes.luddy.indiana.edu/xw7/papers/duan2018ndss.pdf)
496 | - [Measuring and Disrupting Anti-Adblockers Using Differential Execution Analysis](https://homepage.divms.uiowa.edu/~mshafiq/files/adblock-ndss2018.pdf)
497 | - [malWASH: Washing Malware to Evade Dynamic Analysis](https://www.usenix.org/system/files/conference/woot16/woot16-paper-ispoglou.pdf)
498 | - [Jarhead analysis and detection of malicious Java applets](https://publications.sba-research.org/publications/acsac12_jarhead.pdf)
499 | - [Blacksheep: detecting compromised hosts in homogeneous crowds](https://www.yancomm.net/papers/2012%20-%20CCS%20-%20Blacksheep.pdf)
500 | - [BareCloud: Bare-metal Analysis-based Evasive Malware Detection](https://sites.cs.ucsb.edu/~chris/research/doc/usenix14_barecloud.pdf)
501 | - [Making Malory Behave Maliciously: Targeted Fuzzing of Android Execution Environments](https://www.software-lab.org/publications/icse2017-fuzzdroid.pdf)
502 | - [A Static, Packer-Agnostic Filter to Detect Similar Malware Samples](https://sites.cs.ucsb.edu/~chris/research/doc/dimva12_unpacked.pdf)
503 | - [FlashDetect: ActionScript 3 Malware Detection](https://sites.cs.ucsb.edu/~chris/research/doc/raid12_flash.pdf)
504 | 
505 | 
506 | ## Binary analysis
507 | - [ByteWeight: Learning to Recognize Functions in Binary Code](https://www.usenix.org/system/files/conference/usenixsecurity14/sec14-paper-bao.pdf)
508 | - [CoDisasm: Medium Scale Concatic Disassembly of Self-Modifying Binaries with Overlapping Instructions](https://hal.inria.fr/hal-01257908/document)
509 | - [Minemu: The World’s Fastest Taint Tracker](http://www.few.vu.nl/~herbertb/papers/minemu_raid11.pdf)
510 | - [When good instructions go bad: Generalizing return-oriented programming to risc.](https://sjmulder.nl/dl/pdf/unsorted/2008%20-%20Bachanan%20et%20al%20-%20When%20Good%20Instructions%20Go%20Bad.pdf)
511 | - [An API for Runtime Code Patching](http://www.cs.umd.edu/~hollings/papers/apijournal.pdf)
512 | - [Reverse Engineering of Binary Device Drivers with RevNIC](https://dslab.epfl.ch/pubs/revnic.pdf)
513 | - [https://apps.dtic.mil/sti/pdfs/AD1034415.pdf](https://apps.dtic.mil/sti/pdfs/AD1034415.pdf)
514 | - [Graph-based comparison of executable objects](https://static.googleusercontent.com/media/www.zynamics.com/en//downloads/bindiffsstic05-1.pdf)
515 | - [TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones](https://static.usenix.org/event/osdi10/tech/full_papers/Enck.pdf)
516 | - [Structural Comparison of Executable Objects](https://static.googleusercontent.com/media/www.zynamics.com/en//downloads/dimva_paper2.pdf)
517 | - [ Labeling library functions in stripped binaries](https://ftp.cs.wisc.edu/par-distr-sys/papers/Jacobson11Unstrip.pdf)
518 | - [Jakstab: A static analysis platform for binaries](https://www.cs.rhul.ac.uk/home/uaac003/papers/cav08.pdf)
519 | - [Learning to Analyze Binary Computer Code](https://www.aaai.org/Papers/AAAI/2008/AAAI08-127.pdf)
520 | - [Architecture-independent dynamic information flow tracking](https://repository.library.northeastern.edu/files/neu:1345/fulltext.pdf)
521 | - [Decompilation of binary programs.](https://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.14.8073&rep=rep1&type=pdf)
522 | - [A Platform for Secure Static Binary Instrumentation](http://seclab.cs.sunysb.edu/seclab/pubs/vee14.pdf)
523 | - [Tupni: Automatic Reverse Engineering of Input Formats](https://www.microsoft.com/en-us/research/wp-content/uploads/2016/02/tupni-ccs08.pdf)
524 | - [RETracer: Triaging Crashes by Reverse Execution from Partial Memory Dumps](https://softsec.kaist.ac.kr/~sangkilc/papers/cui-icse16.pdf)
525 | - [Cryptographic Function Detection in Obfuscated Binaries via Bit-precise Symbolic Loop Mapping](https://faculty.ist.psu.edu/wu/papers/CryptoHunt.pdf)
526 | - [Karonte: Detecting Insecure Multi-binary Interactions in Embedded Firmware](https://sefcom.asu.edu/publications/karonte-oakland2020.pdf)
527 | - [BootKeeper: Validating Software Integrity Properties on Boot Firmware Images](https://arxiv.org/pdf/1903.12505.pdf)
528 | - [BinTrimmer: Towards Static Binary Debloating Through Abstract Interpretation](https://sites.cs.ucsb.edu/~chris/research/doc/dimva19_bintrimmer.pdf)
529 | - [Ramblr: Making Reassembly Great Again](https://www.ndss-symposium.org/wp-content/uploads/2017/09/ndss2017_10-5_Wang_paper_0.pdf)
530 | - [rev.ng: a unified binary analysis framework to recover CFGs and function boundaries](https://hexhive.epfl.ch/publications/files/17CC.pdf)
531 | - [Enabling sophisticated analyses of ×86 binaries with RevGen](https://dslab.epfl.ch/pubs/revgen.pdf)
532 | - [HI-CFG: Construction by Binary Analysis and Application to Attack Polymorphism](https://core.ac.uk/download/pdf/189202772.pdf)
533 | - [DeepBinDiff: Learning Program-Wide Code Representations for Binary Diffing](https://www.ndss-symposium.org/wp-content/uploads/2020/02/24311-paper.pdf)
534 | 


--------------------------------------------------------------------------------
/auto_download.py:
--------------------------------------------------------------------------------
 1 | import os
 2 | import sys
 3 | import requests
 4 | from pathlib import Path
 5 | 
 6 | def download_list(listname):
 7 | 
 8 |     out_dir = os.path.join("out", listname)
 9 |     if not os.path.isdir(out_dir):
10 |         os.mkdir(out_dir)
11 | 
12 |     print("Downloading papers from list %s"%(listname))
13 | 
14 |     # Get the markdown
15 |     list_readme = "README.md"
16 | 
17 |     if listname == "All":
18 |         grab_all = True
19 |         should_grab = True
20 |     else:
21 |         grab_all = False
22 |         should_grab = False
23 | 
24 |     # Open the list and go through each bullet
25 |     with open(list_readme, "r") as lrf:
26 | 
27 |         for line in lrf:
28 |             # If we have defined a listname then we should only get the papers from this list.
29 |             if grab_all == False and listname != None:
30 |                 if should_grab == False:
31 |                     if "##" in line and listname in line:
32 |                         should_grab = True
33 |                         continue
34 |                 if should_grab and "##" in line:
35 |                     should_grab = False
36 | 
37 |             if should_grab:
38 |                 print("Trying %s"%(line))
39 |                 if (    "-" in line and 
40 |                         "[" in line and 
41 |                         "]" in line and 
42 |                         "(" in line and 
43 |                         ")" in line and 
44 |                         ".pdf" in line):
45 |                     # we assume this is a line with a link to a paper, so we proceed to download it
46 |                     #print("Will try to extract paper %s"%(line))
47 | 
48 |                     try:
49 |                         start = line.find("[")
50 |                         end = line.find("]")
51 |                         name = line[start+1:end].replace(" ","_").replace(",", "_")
52 |                         print("Name: %s"%(name))
53 | 
54 |                         # Now get the URL
55 |                         start = line.find("(")
56 |                         end = line.find(")")
57 |                         URL = line[start+1:end]
58 |                         print("URL: %s"%(URL))
59 | 
60 |                         response=requests.get(URL)
61 |                         filetowrite=Path(os.path.join(out_dir, "%s.pdf"%(name)))
62 |                         filetowrite.write_bytes(response.content)
63 |                     except:
64 |                         continue
65 |             else:
66 |                 print("Skipping %s"%(line))
67 | 
68 | if __name__ == "__main__":
69 |     if len(sys.argv) != 2:
70 |         print("Usage: python ./auto_download.py TOPIC_NAME")
71 |     download_list(sys.argv[1])
72 | 


--------------------------------------------------------------------------------
/check_for_duplicates.py:
--------------------------------------------------------------------------------
 1 | lines = []
 2 | lines_without_duplicates = []
 3 | 
 4 | with open ("README.md", "r") as rm:
 5 |     for line in rm:
 6 |         lines.append(line)
 7 | 
 8 | 
 9 | dups = set()
10 | for l_1 in lines:
11 |     if "- [" not in l_1:
12 |         lines_without_duplicates.append(l_1)
13 |         continue
14 |     occurrences = 0
15 |     for l_2 in lines:
16 |         if l_1.lower()[0:25] == l_2.lower()[0:25]:
17 |             occurrences += 1
18 | 
19 |     if occurrences > 1:
20 |         print("Double line detected %d times: %s"%(occurrences, l_1.replace("\n", "")))
21 | 
22 |         # Only add if it is not in the dict
23 |         set_entry = l_1[0:25].lower()
24 |         if set_entry not in dups:
25 |             dups.add(set_entry)
26 |             lines_without_duplicates.append(l_1)
27 |     else:
28 |         lines_without_duplicates.append(l_1)
29 | 
30 | 
31 | newfile = "".join(lines_without_duplicates)
32 | with open("README2.md", "w+") as rm2:
33 |     rm2.write(newfile)
34 | 


--------------------------------------------------------------------------------
/out/.gitignore:
--------------------------------------------------------------------------------
1 | *
2 | !.gitignore
3 | 


--------------------------------------------------------------------------------