https://github.com/0xricksanchez/paper_collection

Academic papers related to fuzzing, binary analysis, and exploit dev, which I want to read or have already read

Note

The sole purpose of this repository is to help me organize recent academic papers related to fuzzing, binary analysis, IoT security, and general exploitation. This is a non-exhausting list, even though I'll try to keep it updated... Feel free to suggest decent papers via a PR.

Read & Tagged

• 2020 - GREYONE: Data Flow Sensitive Fuzzing
  • Tags: data-flow fuzzing, taint-guided mutation, input prioritization, constraint conformance, REDQUEEN, good evaluation, VUzzer
• 2020 - FairFuzz-TC: a fuzzer targeting rare branches
  • Tags: AFL, required seeding, branch mask
• 2020 - Fitness Guided Vulnerability Detection with Greybox Fuzzing
  • Tags: AFL, vuln specific fitness metric (headroom), buffer/integer overflow detection, AFLGo, pointer analysis, CIL, bad evaluation
• 2020 - TOFU: Target-Oriented FUzzer
  • Tags: DGF, structured mutations, staged fuzzing/learning of cli args, target fitness, structure aware, Dijkstra for priority, AFLGo, Superion
• 2020 - FuZZan: Efficient Sanitizer Metadata Design for Fuzzing
  • Tags:: sanitizer metadata, optimization, ASAN, MSan, AFL
• 2020 - Boosting Fuzzer Efficiency: An Information Theoretic Perspective
  • Tags:: Shannon entropy, seed power schedule, libfuzzer, active SLAM, DGF, fuzzer efficiency
• 2020 - Learning Input Tokens for Effective Fuzzing
  • Tags: dynamic taint tracking, parser checks, magic bytes, creation of dict inputs for fuzzers
• 2020 - A Review of Memory Errors Exploitation in x86-64
  • Tags: NX, canaries, ASLR, new mitigations, mitigation evaluation, recap on memory issues
• 2020 - SoK: The Progress, Challenges, and Perspectives of Directed Greybox Fuzzing
  • Tags: SoK, directed grey box fuzzing, AFL, AFL mutation operators, DGF vs CGF
• 2020 - MemLock: Memory Usage Guided Fuzzing
  • Tags: memory consumption, AFL, memory leak, uncontrolled-recursion, uncontrolled-memory-allocation, static analysis
• 2019 - AntiFuzz: Impeding Fuzzing Audits of Binary Executables
  • Tags: anti fuzzing, prevent crashes, delay executions, obscure coverage information, overload symbolic execution
• 2019 - MOpt: Optimized Mutation Scheduling for Fuzzers
  • Tags: mutation scheduling, particle swarm optimization (PSO), AFL, AFL mutation operators, VUzzer,
• 2019 - FuzzFactory: Domain-Specific Fuzzing with Waypoints
  • Tags: domain-specific fuzzing, AFL, LLVM, solve hard constraints like cmp, find dynamic memory allocations, binary-based
• 2019 - Fuzzing File Systems via Two-Dimensional Input Space Exploration
  • Tags: Ubuntu, file systems, library OS, ext4, brtfs, meta block mutations, edge cases
• 2019 - REDQUEEN: Fuzzing with Input-to-State Correspondence
  • Tags: feedback-driven, AFL, magic-bytes, nested contraints, input-to-state correspondence
• 2019 - PeriScope: An Effective Probing and Fuzzing Framework for the Hardware-OS Boundary
  • Tags: kernel, android, userland, embedded, hardware, Linux, device driver, WiFi
• 2019 - FirmFuzz: Automated IoT Firmware Introspection and Analysis
  • Tags: emulation, firmadyne, BOF, XSS, CI, NPD, semi-automatic
• 2019 - Firm-AFL: High-Throughput Greybox Fuzzing of IoT Firmware via Augmented Process Emulation
  • Tags: emulation, qemu, afl, full vs user mode, syscall redirect, "augmented process emulation", firmadyne
• 2018 - PhASAR: An Inter-procedural Static Analysis Framework for C/C++
  • Tags: LLVM, (inter-procedural) data-flow analysis, call-graph, points-to, class hierachy, CFG, IR
• 2018 - INSTRIM: Lightweight Instrumentation forCoverage-guided Fuzzing
  • Tags: LLVM, instrumentation optimization, graph algorithms, selective instrumentation, coverage calculation
• 2018 - What You Corrupt Is Not What You Crash: Challenges in Fuzzing Embedded Devices
  • Tags: embedded, challenges, heuristics, emulation, crash classification, fault detection
• 2018 - Evaluating Fuzz Testing
  • Tags: fuzzing evaluation, good practices, bad practices
• 2017 - kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels
  • Tags: intel PT, kernel, AFL, file systems, Windows, NTFS, Linux, ext, macOS, APFS, driver, feedback-driven
• 2016 - Driller: Argumenting Fuzzing Through Selective Symbolic Execution
  • Tags: DARPA, CGC, concolic execution, hybrid fuzzer, binary based

Unread

Unread papers categorized by a common main theme.

General fuzzing implementations

• 2020 - Scalable Greybox Fuzzing for Effective Vulnerability Management DISS
• 2020 - HotFuzz Discovering Algorithmic Denial-of-Service Vulnerabilities through Guided Micro-Fuzzing
• 2020 - Fuzzing Binaries for Memory Safety Errors with QASan
• 2020 - Suzzer: A Vulnerability-Guided Fuzzer Based on Deep Learning
• 2020 - AURORA: Statistical Crash Analysis for Automated Root Cause Explanation
• 2020 - IJON: Exploring Deep State Spaces via Fuzzing
• 2020 - Binary-level Directed Fuzzing for Use-After-Free Vulnerabilities
• 2020 - ParmeSan: Sanitizer-guided Greybox Fuzzing
• 2020 - AFLNET: A Greybox Fuzzer for Network Protocols
• 2020 - PANGOLIN: Incremental Hybrid Fuzzing with Polyhedral Path Abstraction
• 2020 - UEFI Firmware Fuzzing with Simics Virtual Platform
• 2020 - Finding Security Vulnerabilities in Network Protocol Implementations
• 2020 - Typestate-Guided Fuzzer for Discovering Use-after-Free Vulnerabilities
• 2020 - FuzzGuard: Filtering out Unreachable Inputs in Directed Grey-box Fuzzing through Deep Learning
• 2020 - HyDiff: Hybrid Differential Software Analysis
• 2019 - Building Fast Fuzzers
• 2019 - Superion: Grammar-Aware Greybox Fuzzing
• 2019 - Compiler Fuzzing: How Much Does It Matter?
• 2019 - ProFuzzer: On-the-fly Input Type Probing for Better Zero-day Vulnerability Discovery
• 2019 - Grimoire: Synthesizing Structure while Fuzzing
• 2019 - Ptrix: Efficient Hardware-Assisted Fuzzing for COTS Binary
• 2019 - SAVIOR: Towards Bug-Driven Hybrid Testing
• 2019 - Matryoshka: Fuzzing Deeply Nested Branches
• 2019 - FUDGE: Fuzz Driver Generation at Scale
• 2019 - NAUTILUS: Fishing for Deep Bugs with Grammars
• 2019 - Send Hardest Problems My Way: Probabilistic Path Prioritization for Hybrid Fuzzing
• 2019 - EnFuzz: Ensemble Fuzzing with Seed Synchronization among Diverse Fuzzers
• 2018 - Angora: Efficient Fuzzing by Principled Search
• 2018 - FairFuzz: A Targeted Mutation Strategy for Increasing Greybox Fuzz Testing Coverage
• 2018 - NEUZZ: Efficient Fuzzing with Neural Program Smoothing
• 2018 - CollAFL: Path Sensitive Fuzzing
• 2018 - Full-speed Fuzzing: Reducing Fuzzing Overhead through Coverage-guided Tracing
• 2018 - QSYM: A Practical Concolic Execution Engine Tailored for Hybrid Fuzzing
• 2018 - Coverage-based Greybox Fuzzing as Markov Chain
• 2018 - MoonShine: Optimizing OS Fuzzer Seed Selection with Trace Distillation
• 2018 - Singularity: Pattern Fuzzing for Worst Case Complexity
• 2018 - Smart Greybox Fuzzing
• 2018 - Hawkeye: Towards a Desired Directed Grey-box Fuzzer
• 2018 - PerfFuzz: Automatically Generating Pathological Inputs
• 2018 - FairFuzz: A Targeted Mutation Strategy for Increasing Greybox Fuzz Testing Coverage
• 2018 - Enhancing Memory Error Detection forLarge-Scale Applications and Fuzz Testing
• 2018 - T-Fuzz: fuzzing by program transformation
• 2017 - IMF: Inferred Model-based Fuzzer
• 2017 - Steelix: Program-State Based Binary Fuzzing
• 2017 - VUzzer: Application-aware Evolutionary Fuzzing
• 2014 - Make It Work, Make It Right, Make It Fast: Building a Platform-Neutral Whole-System Dynamic Binary Analysis Platform
• 2013 - Scheduling Black-box Mutational Fuzzing
• 2013 - Dowsing for Overflows: A Guided Fuzzer to Find Buffer Boundary Violations
• 2011 - Offset-Aware Mutation based Fuzzing for Buffer Overflow Vulnerabilities: Few Preliminary Results
• 2010 - TaintScope: A Checksum-Aware Directed Fuzzing Tool for Automatic Software Vulnerability Detection
• 2009 - Taint-based Directed Whitebox Fuzzing
• 2008 - Grammar-based Whitebox Fuzzing
• 2008 - Vulnerability Analysis for X86 Executables Using Genetic Algorithm and Fuzzing
• 2008 - KLEE: Unassisted and Automatic Generation of High-Coverage Tests for Complex Systems Programs
• 2008 - Automated Whitebox Fuzz Testing
• 2005 - DART: Directed Automated Random Testing

IoT fuzzing

• 2020 - P2IM: Scalable and Hardware-independent Firmware Testing via Automatic Peripheral Interface Modeling
• 2020 - DICE: Automatic Emulation of DMA Input Channels for Dynamic Firmware Analysis
• 2020 - Fw‐fuzz: A code coverage‐guided fuzzing framework for network protocols on firmware
• 2020 - TAINT-DRIVEN FIRMWARE FUZZING OF EMBEDDED SYSTEMS THESIS
• 2020 - A Dynamic Instrumentation Technology for IoT Devices
• 2020 - Vulcan: a state-aware fuzzing tool for wear OS ecosystem
• 2020 - A Novel Concolic Execution Approach on Embedded Device
• 2020 - HFuzz: Towards automatic fuzzing testing of NB-IoT core network protocols implementations
• 2020 - FIRMCORN: Vulnerability-Oriented Fuzzing of IoT Firmware via Optimized Virtual Execution
• 2018 - IoTFuzzer: Discovering Memory Corruptions in IoT Through App-based Fuzzing
• 2017 - Towards Automated Dynamic Analysis for Linux-based Embedded Firmware
• 2016 - Scalable Graph-based Bug Search for Firmware Images
• 2015 - SURROGATES: Enabling Near-Real-Time Dynamic Analyses of Embedded Systems
• 2015 - Firmalice - Automatic Detection of Authentication Bypass Vulnerabilities in Binary Firmware
• 2014 - A Large-Scale Analysis of the Security of Embedded Firmwares
• 2013 - RPFuzzer: A Framework for Discovering Router Protocols Vulnerabilities Based on Fuzzing

Kernel fuzzing

• 2020 - Agamotto: Accelerating Kernel Driver Fuzzing with Lightweight Virtual Machine Checkpoints
• 2020 - X-AFL: a kernel fuzzer combining passive and active fuzzing
• 2020 - Identification of Kernel Memory Corruption Using Kernel Memory Secret Observation Mechanism
• 2020 - HFL: Hybrid Fuzzing on the Linux Kernel
• 2020 - Realistic Error Injection for System Calls
• 2020 - KRACE: Data Race Fuzzing for Kernel File Systems
• 2020 - USBFuzz: A Framework for Fuzzing USB Drivers by Device Emulation
• 2019 - Fuzzing File Systems via Two-Dimensional Input Space Exploration
• 2019 - Razzer: Finding Kernel Race Bugs through Fuzzing
• 2019 - Unicorefuzz: On the Viability of Emulation for Kernel space Fuzzing
• 2017 - Stateful Fuzzing of Wireless Device Drivers in an Emulated Environment
• 2017 - DIFUZE: Interface Aware Fuzzing for Kernel Drivers
• 2008 - Fuzzing Wi-Fi Drivers to Locate Security Vulnerabilities

Format specific fuzzing

• 2020 - JS Engine - Montage: A Neural Network Language Model-Guided JavaScript Engine Fuzzer
• 2020 - JS Engine - Fuzzing JavaScript Engines with Aspect-preserving Mutation
• 2020 - CUDA Compiler - CUDAsmith: A Fuzzer for CUDA Compilers
• 2020 - Smart Contracts - sFuzz: An Efficient Adaptive Fuzzer for Solidity Smart Contracts
• 2019 - Smart Contracts - Harvey: A Greybox Fuzzer for Smart Contracts
• 2017 - XML - Skyfire: Data-Driven Seed Generation for Fuzzing

Exploitation

• 2020 - HAEPG: An Automatic Multi-hop Exploitation Generation Framework
• 2020 - Exploiting More Binaries by Using Planning to Assemble ROP Exploiting More Binaries by Using Planning to Assemble ROP Attacks Attacks
• 2020 - ROPminer: Learning-Based Static Detection of ROP Chain Considering Linkability of ROP Gadgets
• 2020 - KOOBE: Towards Facilitating Exploit Generation of Kernel Out-Of-Bounds Write Vulnerabilities
• 2020 - Preventing Return Oriented Programming Attacks By Preventing Return Instruction Pointer Overwrites
• 2020 - KASLR: Break It, Fix It, Repeat
• 2020 - ShadowGuard : Optimizing the Policy and Mechanism of Shadow Stack Instrumentation using Binary Static Analysis
• 2020 - VulHunter: An Automated Vulnerability Detection System Based on Deep Learning and Bytecode
• 2020 - Analysis and Evaluation of ROPInjector
• 2019 - Kernel Protection Against Just-In-Time Code Reuse
• 2019 - Kernel Exploitation Via Uninitialized Stack
• 2019 - KEPLER: Facilitating Control-flow Hijacking Primitive Evaluation for Linux Kernel Vulnerabilities
• 2019 - SLAKE: Facilitating Slab Manipulation for Exploiting Vulnerabilities in the Linux Kernel
• 2018 - K-Miner: Uncovering Memory Corruption in Linux
• 2017 - DROP THE ROP: Fine-grained Control-flow Integrity for the Linux Kernel
• 2017 - kR^X: Comprehensive Kernel Protection against Just-In-Time Code Reuse
• 2017 - Unleashing Use-Before-Initialization Vulnerabilities in the Linux Kernel Using Targeted Stack Spraying
• 2015 - From Collision To Exploitation: Unleashing Use-After-Free Vulnerabilities in Linux Kernel
• 2014 - ret2dir: Rethinking Kernel Isolation
• 2012 - Anatomy of a Remote Kernel Exploit
• 2012 - A Heap of Trouble: Breaking the Linux Kernel SLOB Allocator
• 2011 - Linux kernel vulnerabilities: state-of-the-art defenses and open problems
• 2011 - Protecting the Core: Kernel Exploitation Mitigations

Static Binary Analysis

• 2020 - Dynamic Binary Lifting and Recompilation DISS
• 2020 - Similarity Based Binary Backdoor Detection via Attributed Control Flow Graph
• 2020 - IoTSIT: A Static Instrumentation Tool for IoT Devices
• 2017 - rev.ng: a unified binary analysis framework to recover CFGs and function boundaries
• 2017 - Angr: The Next Generation of Binary Analysis
• 2016 - Binary code is not easy
• 2015 - Cross-Architecture Bug Search in Binary Executables
• 2014 - A platform for secure static binary instrumentation
• 2013 - MIL: A language to build program analysis tools through static binary instrumentation
• 2013 - Binary Code Analysis
• 2013 - A compiler-level intermediate representation based binary analysis and rewriting system
• 2013 - Protocol reverse engineering through dynamic and static binary analysis
• 2013 - BinaryPig: Scalable Static Binary Analysis Over Hadoop
• 2011 - BAP: A Binary Analysis Platform
• 2008 - BitBlaze: A New Approach to Computer Security via Binary Analysis
• 2005 - Practical analysis of stripped binary code
• 2004 - Detecting kernel-level rootkits through binary analysis

Misc

• 2020 - FuzzGen: Automatic Fuzzer Generation
• 2020 - Fuzzing: On the Exponential Cost of Vulnerability Discovery
• 2020 - Efficient Binary-Level Coverage Analysis
• 2020 - Poster: Debugging Inputs
• 2020 - API Misuse Detection in C Programs: Practice on SSL APIs
• 2020 - Egalito: Layout-Agnostic Binary Recompilation
• 2020 - Verifying Software Vulnerabilities in IoT Cryptographic Protocols
• 2020 - μRAI: Securing Embedded Systems with Return Address Integrity
• 2020 - Fast Bit-Vector Satisfiability
• 2020 - MARDU: Efficient and Scalable Code Re-randomization
• 2020 - Towards formal verification of IoT protocols: A Review
• 2020 - Automating the fuzzing triage process
• 2020 - Test-Case Reduction via Test-Case Generation: Insights From the Hypothesis Reducer
• 2020 - COMPARING AFL SCALABILITY IN VIRTUAL-AND NATIVE ENVIRONMENT
• 2020 - SYMBION: Interleaving Symbolic with Concrete Execution
• 2020 - Not All Coverage Measurements Are Equal: Fuzzing by Coverage Accounting for Input Prioritization
• 2019 - Toward the Analysis of Embedded Firmware through Automated Re-hosting
• 2019 - FUZZIFICATION: Anti-Fuzzing Techniques
• 2017 - Synthesizing Program Input Grammars
• 2017 - Designing New Operating Primitives to Improve Fuzzing Performance
• 2017 - Instruction Punning: Lightweight Instrumentation for x86-64
• 2015 - PIE: Parser Identification in Embedded Systems
• 2014 - Optimizing Seed Selection for Fuzzing
• 2009 - Dynamic Test Generation To Find Integer Bugs in x86 Binary Linux Programs

Surveys & SoK

• 2020 - A Survey of Security Vulnerability Analysis, Discovery, Detection, and Mitigation on IoT Devices