Vulnerability Detection using Dynamic Analysis

We have been doing a survey on published research papers which is trying to detect security vulnerabilities in programs or applications using dynamic analysis. Our work is mainly focused on mainly four domains – desktop based binary applications, Android applications, embedded or firmware binaries and web related scripting language based applications. This blog post is a high level overview of our upcoming survey paper.

Before going to the details of our findings, we would like to discuss some of the questions which we had in our mind when we started this project

  • When is a bug a security vulnerability?

A defect in a program which causes the violation of at least one of the basic goals of security – confidentiality, integrity and availability (CIA).

  • What is an exploit?

A piece of code, application or the input that takes the advantage of a security bug present in the vulnerable program to gain some information or cause some abnormality in its behavior.

  • How do we differentiate static and dynamic analysis?

Static analysis evaluates code without executing it while dynamic analysis tests the behavior of code during execution. Dynamic analysis enables monitoring of the code during the program execution.

  • Which all are the dynamic analysis techniques we are going to survey?

We are surveying the following techniques:

Dynamic taint analysis  runs a  program and  observes which  computations are  affected by predefined  taint sources such as user  input.

Symbolic  execution  automatically  builds a logical formula describing a program execution path, which reduces the problem of reasoning about the execution to the domain of  logic.

Concolic testing uses symbolic execution in conjunction with an automated theorem proving or constraint solver to generate concrete inputs with the aim of maximizing code in-order to find new bugs. It is also known as hybrid testing.

Fuzzing involves generation of various – expected, unexpected and random inputs to the program to observe its behavior – mainly crash.

Guided fuzzing uses fuzzing in conjunction with symbolic execution or concolic testing or dynamic taint analysis with an aim to improve the efficiency in finding crashes in the program under testing

    • Which are the various vulnerabilities commonly discovered using these analysis
Vulnerability typeDescriptionCIA triad violation
Program crashCould be due to various reasons including logic errors, critical exceptions, segfault etc.A & I
EIP overwriteExtended Instruction Pointer (EIP) points to the next instruction to be executed. If it is overwritten with an arbitrary value, the program can be crashed or can be diverted to take different execution path which is not intended by the developer of the application.A & I
Integer overflowThe result of an arithmetic operation exceeds the maximum or minimum limit of the integer data type used to store the resulting value and hence it resets to zero. An overflow condition may give results leading to crash or unintended behavior.A & I
Out-of-bound readThis vulnerability allows to read the data past the end or beginning of the buffer/array.C
NULL pointer dereferenceThe application dereferences a pointer that it expects to be valid, but is NULL, typically causing a crash or exitA
Double freeThe program tries to call free() twice on the same memory address causes crashA
Use after freeThis bug occurs when the program tries to read the memory which is already freed. This causes program crash. In certain circumstances doubly freeing memory may result in a write-what-where condition, allowing an attacker to execute arbitrary code.CIA
Race conditionThe program is concurrently executed by different processes using a shared resource with improper synchronization leading to data inconsistencyI
Stack based buffer overflowA condition where the buffer being written is full and the adjacent memory locations on the stack are also overwritten. Buffer overflow often leads to crash, execution of arbitrary code execution and subversion of program executionCIA
Format string vulnerabilityThe program uses a function that accepts a format string as an argument, but the format string originates from an external source. Using this vulnerability, an attacker can either crash the program, execute arbitrary code by changing the value of EIP register or read unauthorized informationCIA
Code injectionIf an application allows user input to contain code segment, there is a possibility that artibitary commands can be executed if the input is not properly sanitizedCIA
Cross site scriptingThe web application incorrectly sanitizes the input and result of the injected script is visible when page is generated. XSS is most commonly used for information disclosure. It can be also used to execute arbitrary codeCIA
SQL injectionThe SQL queries used in the server side of the web application includes an incorrectly sanitized user input. Using this vulnerability, the attacker will be able to read/update/delete the information in the database.C & I
Denial of Service attackThe application could not limit the amount or size of resources requested by user, ending up consuming more resources than intended. This would prevent valid users from accessing the application as the entire system resource is consumed by the attackerA
Privilege escalationAn act of exploiting a bug in the application to gain elevated access to resourcesC
Authentication bypassThe presence of backdoors in the form of hardcoded credentials and intentionally hidden authentication interfaces.C

The tabular form of our findings:

#DomainTechniqueMindmap TitlePaper titleVulnerabilities detectedExploits generatedGoogle Link
1AndroidFuzzingAutomated security testing of Android applications on the cloudA whitebox approach for automated security testing of Android applications on the cloudProgram crashhttps://scholar.google.com/scholar?hl=en&as_sdt=0%2C19&q=A+whitebox+approach+for+automated+security+testing+of+Android+applications+on+the+cloud&btnG=
2AndroidFuzzingDroidFuzzerDroidFuzzer: Fuzzing the Android Apps withIntent-Filter TagProgram crashhttps://scholar.google.com/scholar?hl=en&as_sdt=0%2C19&q=DroidFuzzer%3A+Fuzzing+the+Android+Apps+withIntent-Filter+Tag&btnG=
3AndroidFuzzingIntent fuzzerIntent fuzzer: crafting intents of deathProgram crashhttps://scholar.google.com/scholar?hl=en&as_sdt=0%2C19&q=Intent+fuzzer%3A+crafting+intents+of+death&btnG=
4BinaryConcolic testingAutiomatic Exploit GeneratorAEG: Automatic Exploit GenerationStack based buffer overflow, format stringReturn-to-libchttps://scholar.google.com/scholar?hl=en&as_sdt=0%2C19&q=AEG%3A+Automatic+Exploit+Generation&btnG=
5BinaryConcolic testingBORGThe BORG: Nanoprobing Binaries for Buffer OverreadsNULL Pointer dereferencehttps://scholar.google.com/scholar?hl=en&as_sdt=0%2C19&q=The+BORG%3A+Nanoprobing+Binaries+for+Buffer+Overreads&btnG=
6BinaryConcolic testingCAB-FuzzCAB-FUZZ: Practical Concolic Testing Techniques for COTS OperatingSystemsProgram crashhttps://scholar.google.com/scholar?hl=en&as_sdt=0%2C19&q=CAB-FUZZ%3A+Practical+Concolic+Testing+Techniques+for+COTS+OperatingSystems&btnG=
7BinaryConcolic testingCRAXCRAX: Software Crash Analysis for Automatic Exploit Generation by Modeling Attacks as Symbolic ContinuationsEIP OverflowShellcode, return-to-libchttps://scholar.google.com/scholar?hl=en&as_sdt=0%2C19&q=CRAX%3A+Software+Crash+Analysis+for+Automatic+Exploit+Generation+by+Modeling+Attacks+as+Symbolic+Continuations&btnG=
8BinaryConcolic testingMACEMACE: Model-inference-Assisted Concolic Explorationfor Protocol and Vulnerability DiscoveryEIP Overflow, Out-of-bound read, NULL pointer dereferencehttps://scholar.google.com/scholar?hl=en&as_sdt=0%2C19&q=MACE%3A+Model-inference-Assisted+Concolic+Explorationfor+Protocol+and+Vulnerability+Discovery&btnG=
9BinaryDynamic Taint AnalysisAXGENAutomatic Generation of Control Flow Hijacking Exploits for Software VulnerabilitiesEIP Overflowhttps://scholar.google.com/scholar?hl=en&as_sdt=0%2C19&q=Automatic+Generation+of+Control+Flow+Hijacking+Exploits+for+Software+Vulnerabilities&btnG=
10BinaryDynamic Taint AnalysisQ: Exploit HardeningQ: Exploit Hardening Made EasyEIP OverflowROP-exploithttps://scholar.google.com/scholar?hl=en&as_sdt=0%2C19&q=Q%3A+Exploit+Hardening+Made+Easy&btnG=
11BinaryGuided FuzzingA Hybrid Symbolic Execution Assisted FuzzingMethodA Hybrid Symbolic Execution Assisted FuzzingMethodProgram crashhttps://scholar.google.com/scholar?hl=en&as_sdt=0%2C19&q=A+Hybrid+Symbolic+Execution+Assisted+FuzzingMethod&btnG=
12BinaryGuided FuzzingAutomated whitebox fuzztestingAutomated whitebox fuzztestingProgram crashhttps://scholar.google.com/scholar?hl=en&as_sdt=0%2C19&q=Automated+whitebox+fuzztesting&btnG=
13BinaryGuided FuzzingBuzzfuzzTaint-based directed whitebox fuzzingProgram crashhttps://scholar.google.com/scholar?hl=en&as_sdt=0%2C19&q=Taint-based+directed+whitebox+fuzzing&btnG=
14BinaryGuided FuzzingDowserDowsing for overflows: A guided fuzzer to find buffer boundary violationsEIP Overflowhttps://scholar.google.com/scholar?hl=en&as_sdt=0%2C19&q=Dowsing+for+overflows%3A+A+guided+fuzzer+to+find+buffer+boundary+violations&btnG=
15BinaryGuided FuzzingDrillerDriller: AugmentingFuzzing Through Selective Symbolic ExecutionProgram crashhttps://scholar.google.com/scholar?hl=en&as_sdt=0%2C19&q=Driller%3A+AugmentingFuzzing+Through+Selective+Symbolic+Execution&btnG=
16BinaryGuided FuzzingTaintscopeTaintScope: A checksum-aware directed fuzzing tool for automatic software vulnerability detectionEIP overflow, Integer overflow, NULL pointer derferencehttps://scholar.google.com/scholar?hl=en&as_sdt=0%2C19&q=TaintScope%3A+A+checksum-aware+directed+fuzzing+tool+for+automatic+software+vulnerability+detection&btnG=
17BinaryGuided FuzzingVUzzerVUzzer: Application-aware Evolutionary FuzzingOut-of-bound read, NULL pointer dereference, Double freehttps://scholar.google.com/scholar?hl=en&as_sdt=0%2C19&q=VUzzer%3A+Application-aware+Evolutionary+Fuzzing&btnG=
18BinarySymbolic ExecutionDARTDART: directed automated random testingEIP overflowhttps://scholar.google.com/scholar?hl=en&as_sdt=0%2C19&q=DART%3A+directed+automated+random+testing&btnG=
19BinarySymbolic ExecutionPEX: White Box Test Generation for .NETPex–White Box Test Generation for .NETProgram crash, NULL pointer dereferenechttps://scholar.google.com/scholar?hl=en&as_sdt=0%2C19&q=Pex%E2%80%93White+Box+Test+Generation+for+.NET&btnG=
20BinarySymbolic ExecutionReplayerReplayer: automatic protocol replay by binary analysisProgram crashhttps://scholar.google.com/scholar?hl=en&as_sdt=0%2C19&q=Replayer%3A+automatic+protocol+replay+by+binary+analysis&btnG=
21BinarySymbolic ExecutionSoK (state of) the art of war offensive binarySoK (state of) the art of war offensive binaryEIP OverflowROP exploit, Shellcodehttps://scholar.google.com/scholar?hl=en&as_sdt=0%2C19&q=Replayer%3A+automatic+protocol+replay+by+binary+analysisSoK+%28state+of%29+the+art+of+war+offensive+binary&btnG=
22BinarySymbolic ExecutionSymbolic cross checking of data parallel FP codeSymbolic cross checking of data parallel FP codeUse after freehttps://scholar.google.com/scholar?hl=en&as_sdt=0%2C19&q=Symbolic+cross+checking+of+data+parallel+FP+code&btnG=
23BinarySymbolic ExecutionUC-Symbolic ExecutionUnder-Constrained Symbolic Execution: Correctness Checking for Real CodeOut-of-bound read, NULL pointer dereference, use after freehttps://scholar.google.com/scholar?hl=en&as_sdt=0%2C19&q=Under-Constrained+Symbolic+Execution%3A+Correctness+Checking+for+Real+Code&btnG=
24BinarySymbolic ExecutionVeritestingEnhancing Symbolic Execution with VeritestingProgram crashhttps://scholar.google.com/scholar?hl=en&as_sdt=0%2C19&q=Enhancing+Symbolic+Execution+with+Veritesting&btnG=
25EmbeddedConcolic testingAvatarA Framework to Support Dynamic Security
Analysis of Embedded Systems’ Firmwares
Authentication bypasshttps://scholar.google.com/scholar?hl=en&as_sdt=0%2C19&q=%22A+Framework+to+Support+Dynamic+Security+Analysis+of+Embedded+Systems%E2%80%99+Firmwares%22&btnG=
26EmbeddedSymbolic ExecutionFIRMADYNETowards Automated Dynamic Analysis for
Linux-based Embedded Firmware
EIP overwrite, code injectionhttps://scholar.google.com/scholar?hl=en&as_sdt=0%2C19&q=%22Towards+Automated+Dynamic+Analysis+for+Linux-based+Embedded+Firmware%22&btnG=
27EmbeddedSymbolic ExecutionFirmaliceFirmalice - Automatic Detection of Authentication
Bypass Vulnerabilities in Binary Firmware
Authentication bypasshttps://scholar.google.com/scholar?hl=en&as_sdt=0%2C19&q=%22Firmalice+-+Automatic+Detection+of+Authentication+Bypass+Vulnerabilities+in+Binary+Firmware%22&btnG=
28ScriptingFuzzingEnemy of the State:A State-Aware Black-Box Web Vulnerability ScannerEnemy of the State:A State-Aware Black-Box Web Vulnerability ScannerXSS, SQLihttps://scholar.google.com/scholar?hl=en&as_sdt=0%2C19&q=Enemy+of+the+State%3AA+State-Aware+Black-Box+Web+Vulnerability+Scanner&btnG=
29ScriptingSymbolic ExecutionA Symbolic Execution Framework for JavaScriptA Symbolic Execution Framework for JavaScriptCode injectionhttps://scholar.google.com/scholar?hl=en&as_sdt=0%2C19&q=A+Symbolic+Execution+Framework+for+JavaScript&btnG=
30ScriptingSymbolic ExecutionFinding bugs in dynamic web appsFinding bugs in dynamic web appsProgram crashhttps://scholar.google.com/scholar?hl=en&as_sdt=0%2C19&q=Finding+bugs+in+dynamic+web+apps&btnG=
31ScriptingSymbolic ExecutionWalerToward Automated Detection ofLogic Vulnerabilities in Web ApplicationsXSS, SQLihttps://scholar.google.com/scholar?hl=en&as_sdt=0%2C19&q=Toward+Automated+Detection+ofLogic+Vulnerabilities+in+Web+Applications&btnG=
32ScriptingSymbolic ExecutionWAPTECWAPTEC: whitebox analysis of web applications for parameter tampering exploit constructionXSS, SQLi, DoShttps://scholar.google.com/scholar?hl=en&as_sdt=0%2C19&q=WAPTEC%3A+whitebox+analysis+of+web+applications+for+parameter+tampering+exploit+construction&btnG=

This is the link to the mindmap version of the table: http://app.mindmapmaker.org/#m:mmc88ebaf011214664b5ccbf67cc6179b7. Once the diagram is loaded, you can click on the techniques to expand the papers published under that domain.

The aforementioned mindmap diagram is a visual representation of the hierarchical information of our findings.  The central idea of our survey is the vulnerability detection using dynamic analysis.  As mentioned earlier, we have only considered 4 domains: binary, web/scripting, embedded/firmware and Android, mainly because these are the main areas where some significant amount of work is done in finding vulnerabilities. Each domain is further branched to various sub-branched based on various dynamic analysis techniques.

The pink colour nodes in the diagram represent a publication. It is usually the framework developed by the publishers or the title of the research paper to detect vulnerability using the dynamic analysis technique class mentioned in the parent node.  The publication node is always branched into two 1) outcome and 2) framework.

Outcome describes the type of vulnerabilities they were able to discover using their approach and sometimes their system may generate exploit scripts automatically. In most cases, the exploit scripts are generated for:

  1. Return-to-libc attack: when there is a buffer overflow vulnerability and the stack is WX protected, the processor will refuse to execute code at certain memory locations where program can write, failing to execute the user loaded shellcode in the stack. The attacker can circumvent this protection by combing the address of the system calls code (libc) present in memory which is executable.
  2. Return oriented programming is an advanced version of stack-smashing attack where the attacker gains the control over the call stack and uses the sequence of machine code already present in the memory to change the control-flow to perform arbitrary operations.

The sub branches of the framework describes the details of :

  • The novel path prioritization techniques introduced in the paper in-order to reduce the search space. It could be for avoiding loops and path explosion, target code blocks which  are more likely to be vulnerable due to the presence of system calls etc.
  • The reuse or modification of any existing tools like concolic testing or symbolic execution frameworks, fuzzers, constraint solvers, automatic theorem solvers, previously published approaches etc
  • Inputs from the static analysis techniques to construct call graph, extract plausible vulnerable components using data flow analysis etc
  • Test execution environment: whether the application is run on embedded/mobile hardware directly or on emulator
  • Vulnerability analysis module to verify whether the critical exceptions or program crash can be classified as a true positive
  • Exploit development module in the framework

This is a high level overview of our ongoing work, stay tuned for the comprehensive study of the survey on vulnerability detection using dynamic analysis.

References

Chen, Z., Guo, S., & Fu, D. (2012). A Directed Fuzzing Based on the Dynamic Symbolic Execution and Extended Program Behavior Model. In 2012 Second International Conference on Instrumentation, Measurement, Computer, Communication and Control (pp. 1641–1644). https://doi.org/10.1109/IMCCC.2012.382
Pham, V.-T., Böhme, M., Santosa, A. E., Căciulescu, A. R., & Roychoudhury, A. (2018). Smart Greybox Fuzzing. ArXiv:1811.09447 [Cs]. Retrieved from http://arxiv.org/abs/1811.09447
Padhye, R., Lemieux, C., Sen, K., Papadakis, M., & Le Traon, Y. (2019). Semantic fuzzing with zest. In Proceedings of the 28th ACM SIGSOFT International Symposium on Software Testing and Analysis  - ISSTA 2019 (pp. 329–340). Beijing, China: ACM Press. https://doi.org/10.1145/3293882.3330576
aflgo. (2019). aflgo/aflgo. Retrieved from https://github.com/aflgo/aflgo (Original work published 2017)
Secunia, S. (n.d.). Vulnerability Review 2018. Flexera. Retrieved from https://www.flexera.com/media/pdfs/research-svm-vulnerability-review-2018.pdf
Mitre, C. (2019). Vulnerability distribution of cve security vulnerabilities by types. Retrieved September 23, 2018, from https://www.cvedetails.com/vulnerabilities-by-types.php
Wichmann, B. A., Canning, A. A., Clutterbuck, D. L., Winsborrow, L. A., Ward, N. J., & Marsh, D. W. R. (1995). Industrial perspective on static analysis. Software Engineering Journal, 10(2), 69–75. https://doi.org/10.1049/sej.1995.0010
Molnar, D., Li, X. C., & Wagner, D. A. (2009). Dynamic Test Generation to Find Integer Bugs in x86 Binary Linux Programs. In Proceedings of the 18th Conference on USENIX Security Symposium (pp. 67–82). Berkeley, CA, USA: USENIX Association. Retrieved from http://dl.acm.org/citation.cfm?id=1855768.1855773
Chen, Y., Groce, A., Zhang, C., Wong, W.-K., Fern, X., Eide, E., & Regehr, J. (2013). Taming Compiler Fuzzers. In Proceedings of the 34th ACM SIGPLAN Conference on Programming Language Design and Implementation (pp. 197–208). New York, NY, USA: ACM. https://doi.org/10.1145/2491956.2462173
Zhang, C., Groce, A., & Alipour, M. A. (2014). Using Test Case Reduction and Prioritization to Improve Symbolic Execution. In Proceedings of the 2014 International Symposium on Software Testing and Analysis (pp. 160–170). New York, NY, USA: ACM. https://doi.org/10.1145/2610384.2610392
Ognawala, S., Hutzelmann, T., Psallida, E., & Pretschner, A. (2018). Improving Function Coverage with Munch: A Hybrid Fuzzing and Directed Symbolic Execution Approach. In Proceedings of the 33rd Annual ACM Symposium on Applied Computing (pp. 1475–1482). New York, NY, USA: ACM. https://doi.org/10.1145/3167132.3167289
Person, S., Yang, G., Rungta, N., & Khurshid, S. (2011). Directed Incremental Symbolic Execution. In Proceedings of the 32Nd ACM SIGPLAN Conference on Programming Language Design and Implementation (pp. 504–515). New York, NY, USA: ACM. https://doi.org/10.1145/1993498.1993558
Li, Y., Su, Z., Wang, L., & Li, X. (2013). Steering Symbolic Execution to Less Traveled Paths. In Proceedings of the 2013 ACM SIGPLAN International Conference on Object Oriented Programming Systems Languages & Applications (pp. 19–32). New York, NY, USA: ACM. https://doi.org/10.1145/2509136.2509553
Qin, F., Wang, C., Li, Z., Kim, H., Zhou, Y., & Wu, Y. (2006). LIFT: A Low-Overhead Practical Information Flow Tracking System for Detecting Security Attacks. In Proceedings of the 39th Annual IEEE/ACM International Symposium on Microarchitecture (pp. 135–148). Washington, DC, USA: IEEE Computer Society. https://doi.org/10.1109/MICRO.2006.29
Cheng, W., Zhao, Q., Yu, B., & Hiroshige, S. (2006). TaintTrace: Efficient Flow Tracing with Dynamic Binary Rewriting. In 11th IEEE Symposium on Computers and Communications (ISCC’06) (pp. 749–754). https://doi.org/10.1109/ISCC.2006.158
Newsome, J. (2005). Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software. In Network and Distributed System Security Symposium.
Effective File Format Fuzzing – Thoughts, Techniques and Results (Black Hat Europe 2016). (2018, July 13). Retrieved November 1, 2018, from https://j00ru.vexillium.org/talks/blackhat-eu-effective-file-format-fuzzing-thoughts-techniques-and-results/
Zalewski, M. (2014, November 7). Pulling JPEGs out of thin air. Retrieved November 1, 2018, from https://lcamtuf.blogspot.com/2014/11/pulling-jpegs-out-of-thin-air.html
Mitre, C. (n.d.). CWE - CWE-787: Out-of-bounds Write (3.1). Retrieved October 31, 2018, from https://cwe.mitre.org/data/definitions/787.html
Mitre, C. (n.d.). CWE - CWE-200: Information Exposure (3.1). Retrieved October 31, 2018, from https://cwe.mitre.org/data/definitions/200.html
Mitre, C. (n.d.). CWE - CWE-369: Divide By Zero (3.1). Retrieved October 31, 2018, from https://cwe.mitre.org/data/definitions/369.html
Mitre, C. (n.d.). CWE - CWE-401: Improper Release of Memory Before Removing Last Reference ('Memory Leak’) (3.1). Retrieved October 31, 2018, from https://cwe.mitre.org/data/definitions/401.html
Lee, H., Grosse, R., Ranganath, R., & Ng, A. Y. (2009). Convolutional Deep Belief Networks for Scalable Unsupervised Learning of Hierarchical Representations. In Proceedings of the 26th Annual International Conference on Machine Learning (pp. 609–616). New York, NY, USA: ACM. https://doi.org/10.1145/1553374.1553453
Arjovsky, M., Chintala, S., & Bottou, L. (2017). Wasserstein GAN. Retrieved from https://arxiv.org/abs/1701.07875
Goodfellow, I. J., Pouget-Abadie, J., Mirza, M., Xu, B., Warde-Farley, D., Ozair, S., … Bengio, Y. (2014). Generative Adversarial Nets. In Proceedings of the 27th International Conference on Neural Information Processing Systems - Volume 2 (pp. 2672–2680). Cambridge, MA, USA: MIT Press. Retrieved from http://dl.acm.org/citation.cfm?id=2969033.2969125
Hu, Z., Shi, J., Huang, Y., Xiong, J., & Bu, X. (2018). GANFuzz: A GAN-based Industrial Network Protocol Fuzzing Framework. In Proceedings of the 15th ACM International Conference on Computing Frontiers (pp. 138–145). New York, NY, USA: ACM. https://doi.org/10.1145/3203217.3203241
She, D., Pei, K., Epstein, D., Yang, J., Ray, B., & Jana, S. (2018). NEUZZ: Efficient Fuzzing with Neural Program Learning. ArXiv:1807.05620 [Cs]. Retrieved from http://arxiv.org/abs/1807.05620
Lv, C., Ji, S., Li, Y., Zhou, J., Chen, J., Zhou, P., & Chen, J. (2018). SmartSeed: Smart Seed Generation for Efficient Fuzzing. ArXiv:1807.02606 [Cs]. Retrieved from http://arxiv.org/abs/1807.02606
Nichols, N., Raugas, M., Jasper, R., & Hilliard, N. (2017). Faster Fuzzing: Reinitialization with Deep Neural Models. ArXiv:1711.02807 [Cs]. Retrieved from http://arxiv.org/abs/1711.02807
Mitre, C. (n.d.). CWE - CWE-476: NULL Pointer Dereference (3.1). Retrieved October 31, 2018, from https://cwe.mitre.org/data/definitions/476.html
Mitre, C. (n.d.). CWE - CWE-416: Use After Free (3.1). Retrieved October 31, 2018, from https://cwe.mitre.org/data/definitions/416.html
Mitre, C. (n.d.). CWE - CWE-415: Double Free (3.1). Retrieved October 31, 2018, from https://cwe.mitre.org/data/definitions/415.html
Mitre, C. (n.d.). CWE - CWE-288: Authentication Bypass Using an Alternate Path or Channel (3.1). Retrieved October 31, 2018, from https://cwe.mitre.org/data/definitions/288.html
Mitre, C. (n.d.). CWE - CWE-190: Integer Overflow or Wraparound (3.1). Retrieved October 31, 2018, from https://cwe.mitre.org/data/definitions/190.html
Mitre, C. (n.d.). CWE - CWE-134: Use of Externally-Controlled Format String (3.1). Retrieved October 31, 2018, from https://cwe.mitre.org/data/definitions/134.html
Mitre, C. (n.d.). CWE - CWE-122: Heap-based Buffer Overflow (3.1). Retrieved October 31, 2018, from https://cwe.mitre.org/data/definitions/122.html
Mitre, C. (n.d.). CWE - CWE-125: Out-of-bounds Read (3.1). Retrieved October 31, 2018, from https://cwe.mitre.org/data/definitions/125.html
Mitre, C. (n.d.). CWE - CWE-121: Stack-based Buffer Overflow (3.1). Retrieved October 31, 2018, from https://cwe.mitre.org/data/definitions/121.html
Cho, K., van Merrienboer, B., Gulcehre, C., Bahdanau, D., Bougares, F., Schwenk, H., & Bengio, Y. (2014). Learning Phrase Representations using RNN Encoder-Decoder for Statistical Machine Translation. ArXiv:1406.1078 [Cs, Stat]. Retrieved from http://arxiv.org/abs/1406.1078
Hochreiter, S., & Schmidhuber, J. (1997). Long Short-term Memory. Neural Comput., 9(9), 1735–1780. https://doi.org/10.1162/neco.1997.9.8.1735
Systems, A. (2006, November). PDF Reference: Adobe portable document format. Version 1.7. Retrieved from https://www.adobe.com/content/dam/acom/en/devnet/acrobat/pdfs/pdf_reference_1-7.pdf
Godefroid, P., Kiezun, A., & Levin, M. Y. (2008). Grammar-based Whitebox Fuzzing. In Proceedings of the 29th ACM SIGPLAN Conference on Programming Language Design and Implementation (pp. 206–215). New York, NY, USA: ACM. https://doi.org/10.1145/1375581.1375607
Zhang, B., Ye, J., Feng, C., & Tang, C. (2017). S2F: Discover Hard-to-Reach Vulnerabilities by Semi-Symbolic Fuzz Testing. In 2017 13th International Conference on Computational Intelligence and Security (CIS) (pp. 548–552). Hong Kong: IEEE. https://doi.org/10.1109/CIS.2017.00127
Xu, W., Kashyap, S., Min, C., & Kim, T. (2017). Designing New Operating Primitives to Improve Fuzzing Performance. In Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security (pp. 2313–2328). New York, NY, USA: ACM. https://doi.org/10.1145/3133956.3134046
Han, H., & Cha, S. K. (2017). IMF: Inferred Model-based Fuzzer. In Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security (pp. 2345–2358). New York, NY, USA: ACM. https://doi.org/10.1145/3133956.3134103
Sim, K. Y., Kuo, F.-C., & Merkel, R. (2011). Fuzzing the Out-of-memory Killer on Embedded Linux: An Adaptive Random Approach. In Proceedings of the 2011 ACM Symposium on Applied Computing (pp. 387–392). New York, NY, USA: ACM. https://doi.org/10.1145/1982185.1982268
Mendonça, M., & Neves, N. (2008). Fuzzing Wi-Fi Drivers to Locate Security Vulnerabilities. In 2008 Seventh European Dependable Computing Conference (pp. 110–119). Kaunas, Lithuania: IEEE. https://doi.org/10.1109/EDCC-7.2008.22
Hodován, R., & Kiss, Á. (2016). Fuzzing JavaScript Engine APIs. In Proceedings of the 12th International Conference on Integrated Formal Methods - Volume 9681 (pp. 425–438). Berlin, Heidelberg: Springer-Verlag. https://doi.org/10.1007/978-3-319-33693-0_27
Godefroid, P., Peleg, H., & Singh, R. (2017). Learn&Fuzz: Machine Learning for Input Fuzzing. In Proceedings of the 32Nd IEEE/ACM International Conference on Automated Software Engineering (pp. 50–59). Piscataway, NJ, USA: IEEE Press. Retrieved from http://dl.acm.org/citation.cfm?id=3155562.3155573
Grieco, G., Ceresa, M., Mista, A., & Buiras, P. (2017). QuickFuzz Testing for Fun and Profit. J. Syst. Softw., 134(C), 340–354. https://doi.org/10.1016/j.jss.2017.09.018