Exploiting Hardware Performance Counters with Flow and Context Sensitive Profiling, In: PLDI, 1997.
DOI: 10.1145/258915.258924
URL: http://www.cse.ohio-state.edu/~rountev/788/papers/ammons_pldi97.pdf
Efficient Detection of All Pointer and Array Access Errors, 1994.
Data Structures and Algorithms (6.7 Strong Components), 1983.
Cling: A Memory Allocator to Mitigate Dangling Pointers, USENIX Security Symposium, USENIX Association, 2010.
A Stack Memory Abstraction and Symbolic Analysis Framework for Executables, ACM Transactions on Software Engineering and Methodology, vol.25, issue.2, 2016.
DOI: 10.1109/COMPSAC.2007.163
Dangling Pointer: Smashing the Pointer for Fun and Profit, Black Hat USA, 2007.
Statically-directed dynamic automated test generation, 2011.
An All-in-One Toolkit for Automated White-Box Testing, Lecture Notes in Computer Science, 2014.
DOI: 10.1007/978-3-319-09099-3_4
Sound and Quasi-Complete Detection of Infeasible Test Requirements, 2015 IEEE 8th International Conference on Software Testing, Verification and Validation (ICST), 2015.
DOI: 10.1109/ICST.2015.7102607
Hoard: a scalable memory allocator for multithreaded applications, In: SIGPLAN Not, pp.362-1340, 2000.
A few billion lines of code later, Communications of the ACM, vol.53, issue.2, 2010.
DOI: 10.1145/1646353.1646374
Sequoll: A framework for model checking binaries, 2013 IEEE 19th Real-Time and Embedded Technology and Applications Symposium (RTAS), 2013.
DOI: 10.1109/RTAS.2013.6531083
WYSINWYX, ACM Transactions on Programming Languages and Systems, vol.32, issue.6, 2010.
DOI: 10.1145/1749608.1749612
Automatic Patch-Based Exploit Generation is Possible: Techniques and Implications, 2008 IEEE Symposium on Security and Privacy (SP 2008), 2008.
DOI: 10.1109/SP.2008.17
URL: http://repository.cmu.edu/cgi/viewcontent.cgi?article=1001&context=ece
BAP: A Binary Analysis Platform, Proceedings of the 23rd International Conference on Computer Aided Verification, CAV'11, 2011.
DOI: 10.1007/978-3-642-14295-6_27
URL: http://users.ece.cmu.edu/~ejschwar/papers/cav11.pdf
DieHard: probabilistic memory safety for unsafe languages, 2006.
Practical memory checking with Dr. Memory, International Symposium on Code Generation and Optimization (CGO 2011), 2011.
DOI: 10.1109/CGO.2011.5764689
URL: http://www.cag.lcs.mit.edu/commit/papers/2011/bruening-cgo11-drmemory.pdf
Undangle: early detection of dangling pointers in use-after-free and double-free vulnerabilities, Proceedings of the 2012 International Symposium on Software Testing and Analysis, ISSTA 2012, 2012.
DOI: 10.1145/2338965.2336769
Abstract interpretation, Proceedings of the 4th ACM SIGACT-SIGPLAN Symposium on Principles of Programming Languages, POPL '77, 1977.
DOI: 10.1145/512950.512973
URL: https://hal.archives-ouvertes.fr/hal-00930103
KLEE: Unassisted and Automatic Generation of High-Coverage Tests for Complex Systems Programs, 2008.
Bugalyze.com - Detecting Bugs Using Decompilation and Data Flow Analysis.
Behind the scenes in SANTE: a combination of static and dynamic analyses, Automated Software Engineering, vol.25, issue.7, 2014.
DOI: 10.1145/1146238.1146255
URL: https://hal.archives-ouvertes.fr/hal-00818147
Lessons In Static Binary Analysis, In: BlackHat US, 2012.
S2E: a platform for in-vivo multi-path analysis of software systems, 2011.
The S2E Platform, ACM Transactions on Computer Systems, vol.30, issue.1, 2012.
DOI: 10.1145/2110356.2110358
Compile-time deallocation of individual objects, Proceedings of the 2006 International Symposium on Memory Management, ISMM '06, 2006.
DOI: 10.1145/1133956.1133975
Symbolic execution for software testing, Communications of the ACM, vol.56, issue.2, 2013.
DOI: 10.1145/2408776.2408795
On the detection of custom memory allocators in C binaries, Empirical Software Engineering, vol.32, issue.3, 2016.
DOI: 10.1145/1133956.1133968
CWE-415: Double Free. URL: https://cwe.mitre
Use After Free. URL: https
Efficiently Detecting All Dangling Pointer Uses in Production Servers, International Conference on Dependable Systems and Networks (DSN'06), 2006.
DOI: 10.1109/DSN.2006.31
Cyber Grand Challenge.
BINSEC/SE: A Dynamic Symbolic Execution Toolkit for Binary-Level Analysis, 2016 IEEE 23rd International Conference on Software Analysis, Evolution, and Reengineering (SANER), 2016.
DOI: 10.1109/SANER.2016.43
Specification of concretization and symbolization policies in symbolic execution, Proceedings of the 25th International Symposium on Software Testing and Analysis, ISSTA 2016, 2016.
DOI: 10.1109/ASE.2004.1342749
BINSEC: Binary Code Analysis with Low-Level Regions, Lecture Notes in Computer Science, 2015.
DOI: 10.1007/978-3-662-46681-0_17
Recovering High-Level Conditions from Binary Programs, FM, Ed. by John S. Fitzgerald et al., Lecture Notes in Computer Science, 2016.
DOI: 10.1109/SP.2015.47
The Yices SMT solver, 2006.
Use-after-Free: New Protections, and how to Defeat them, Bromium, 2015. URL: https://labs.bromium.com/2015/01/17/use-after-free-new-protections-and-how-to-defeat-them
Binary-level static analysis.
LAVA: Large-Scale Automated Vulnerability Addition, IEEE Symposium on Security and Privacy.
REIL: A platform-independent intermediate representation of disassembled code for static code analysis, CanSecWest, 2009.
Uncovering Use-After-Free Conditions in Compiled Code, 2015 10th International Conference on Availability, Reliability and Security, 2015.
DOI: 10.1109/ARES.2015.61
Solving Exists/Forall Problems With Yices, 13th International Workshop on Satisfiability Modulo Theories, 2015.
A Comparative Study of Industrial Static Analysis Tools, Electronic Notes in Theoretical Computer Science, vol.217, 2008.
DOI: 10.1016/j.entcs.2008.06.039
A scalable concurrent malloc(3) implementation for FreeBSD, Proc. of the BSDCan Conference, 2006.
Scalable memory allocation using jemalloc, 2011. URL: https://www.facebook.com/notes/facebook-engineering/scalable-memory-allocation-using-jemalloc/480222803919
Finding the needle in the heap, Proceedings of the 6th Workshop on Software Security, Protection, and Reverse Engineering, SSPREW '16, 2016.
DOI: 10.1109/ICSE.2015.80
URL: https://hal.archives-ouvertes.fr/tel-01681707
GUEB: Static Detection of Use-After-Free on Binary, 2015.
A Comparison of Memory Allocators for Multicore and Multithread Applications: A Quantitative Approach, 2011.
Understanding the heap by breaking it, Black Hat USA, 2007.
A Comprehensive Complexity Analysis of User-Level Memory Allocator Algorithms, 2012 Brazilian Symposium on Computing System Engineering, 2012.
DOI: 10.1109/SBESC.2012.27
Stagefright exploit reliably attacks Android phones.
Using static analysis to detect use-after-free on binary code, 1st Symposium on Digital Trust in Auvergne, 2014.
DOI: 10.1007/s11416-014-0203-1
Guided Dynamic Symbolic Execution Using Subgraph Control-Flow Information, Lecture Notes in Computer Science, vol.10, issue.3, 2016.
DOI: 10.1109/ICSE.2015.80
Statically Detecting Use-after-Free on Binary Code.
DOI: 10.1007/s11416-014-0203-1
How browsers work: Behind the scenes of modern web browsers.
Detecting aliased stale pointers via static analysis: An architecture independent practical application of pointer analysis and graph theory to find bugs in binary code, 2009.
DART: directed automated random testing, In: SIGPLAN Not, 2005.
SAGE, Communications of the ACM, vol.55, issue.3, 2012.
DOI: 10.1145/2093548.2093564
Free-Me: a static analysis for automatic individual object reclamation, 2006.
Higher-order test generation, In: PLDI, 2011.
DOI: 10.1145/1993498.1993529
Most serious Linux privilege-escalation bug ever is under active exploit. URL: http://arstechnica.com/security/2016/10/most-serious-linux-privilege-escalation-bug-ever-is-under-active-exploit
Static Use-After-Free Detector for C/C++. URL: https://blog.trailofbits.com/2016/03/09/the-problem-with-dynamic-program-analysis
Dowsing for Overflows: A Guided Fuzzer to Find Buffer Boundary Violations, Proceedings of the 22nd USENIX Conference on Security, SEC'13, USENIX Association, 2013.
Fast Allocation and Deallocation of Memory Based on Object Lifetimes, In: Softw., Pract. Exper., 1990.
Nesting of reducible and irreducible loops, ACM Transactions on Programming Languages and Systems, vol.19, issue.4, pp.164-0925, 1997.
DOI: 10.1145/262004.262005
Quantifying the performance of garbage collection vs. explicit memory management, 2006.
Finding use-after-free bugs with static analysis, 2009. URL: https://sean.heelan.io
Practical analysis of stripped binary code, In: SIGARCH Computer Architecture News, 2005.
Information technology - Programming languages - C, ISO/IEC 9899.
Information technology - Programming languages - C, Storage durations of objects, ISO/IEC 9899:2011, 2012.
malloc(3) Revisited, USENIX Annual Technical Conference, Ed. by Fred Douglis, USENIX Association, 1998.
Static analysis of x86 executables = Statische Analyse von Programmen in x86, 2010.
Symbolic execution and program testing, Communications of the ACM, vol.19, issue.7, pp.1-0782, 1976.
DOI: 10.1145/360248.360252
Heap Abstractions for Static Analysis, ACM Computing Surveys, vol.49, issue.2, 2014.
DOI: 10.1145/774572.774594
URL: http://arxiv.org/pdf/1403.4910
Handbook of Open Source Tools, 1st ed., Chapter 5 Apache Portable Runtime (APR), 5.1 APR Memory Pool, 2010.
DOI: 10.1007/978-1-4419-7719-9
Undecidability of static analysis, ACM Letters on Programming Languages and Systems, vol.1, issue.4, 2002.
DOI: 10.1145/161494.161501
URL: http://athos.rutgers.edu/~landi/loplas92.ps
Preventing Use-after-free with Dangling Pointers Nullification, Proceedings 2015 Network and Distributed System Security Symposium, 2015.
DOI: 10.14722/ndss.2015.23238
Dynamically validating static memory leak warnings, Proceedings of the 2013 International Symposium on Software Testing and Analysis, ISSTA 2013, 2013.
DOI: 10.1145/2483760.2483778
Adobe Reader's Custom Memory Management: a Heap of Trouble.
Microsoft Edge MemGC Internals, 2015.
Random walks on graphs: A survey, 1993.
Directed Symbolic Execution, In: SAS, Ed. by Eran Yahav, Lecture Notes in Computer Science, vol.19, issue.7, 2011.
DOI: 10.1145/1755913.1755946
URL: http://drum.lib.umd.edu/bitstream/1903/11374/3/CS-TR-4979-r1.pdf
Modeling the heap: A practical approach, 2008. URL: https://www.youtube.com/watch?v=AbiVYHVU0mQ
Z3: An Efficient SMT Solver, Lecture Notes in Computer Science, 2008.
KATCH: high-coverage testing of software patches, 2013.
How Heartbleed Broke the Internet - And Why It Can Happen Again, 2014. URL: https://www.wired.com
GFlags and PageHeap. URL: https://msdn.microsoft.com/en-us/library, 549561
Binary code is not easy, Proceedings of the 25th International Symposium on Software Testing and Analysis, ISSTA 2016, 2016.
DOI: 10.1109/CSAC.2004.17
A Survey of Satisfiability Modulo Theory, 2016.
DOI: 10.1007/978-3-662-46681-0_10
URL: https://hal.archives-ouvertes.fr/hal-01332051
SoftBound: highly compatible and complete spatial memory safety for C, 2009.
CETS, Proceedings of the 2010 International Symposium on Memory Management, ISMM '10, 2010.
DOI: 10.1145/1806651.1806657
DieHarder, Proceedings of the 17th ACM Conference on Computer and Communications Security, CCS '10.
DOI: 10.1145/1866307.1866371
CCured: Type-safe Retrofitting of Legacy Code, 2002.
Watchdog, ACM SIGARCH Computer Architecture News, vol.40, issue.3, 2012.
DOI: 10.1145/2366231.2337181
WatchdogLite, Proceedings of Annual IEEE/ACM International Symposium on Code Generation and Optimization, CGO '14, 2014.
DOI: 10.1145/2581122.2544147
Boolector 2.0 system description, In: Journal on Satisfiability, Boolean Modeling and Computation, 2014.
Valgrind: a framework for heavyweight dynamic binary instrumentation, 2007.
Mitigating Dangling Pointer Bugs Using Frame Poisoning.
Survey of satisfiability modulo theories (SMT), In: Banff International Research Station for Mathematical Innovation and Discovery (BIRS) Workshop Lecture Videos.
Developer's Guide: Resource Pools.
PartitionAlloc - A shallow dive and some rand
Windows Internals, 2012.
Tag-Protector, Proceedings of the Third Workshop on Cryptography and Security in Computing Systems, CS2 '16, 2016.
DOI: 10.1145/1755688.1755707
TCMalloc: Thread-Caching Malloc.
Abstraction Recovery for Scalable Static Binary Analysis.
AddressSanitizer: A Fast Address Sanity Checker.
Fuzzing: Brute Force Vulnerability Discovery, 2007.
Establishing Local Temporal Heap Safety Properties with Applications to Compile-Time Memory Management, In: SAS, Ed. by Radhia Cousot, Lecture Notes in Computer Science, 2003.
DOI: 10.1016/j.scico.2005.02.010
URL: https://doi.org/10.1016/j.scico.2005.02.010
Etymology of the computer bug: History and folklore, American Speech, 1987.
Life After the Isolated Heap.
CUTE: a concolic unit testing engine for C, In: SIGSOFT Softw. Eng. Notes, 2005.
DOI: 10.21236/ada482657
URL: https://www.ideals.illinois.edu/bitstream/2142/11107/2/CUTE%20A%20Concolic%20Unit%20Testing%20Engine%20for%20C.pdf
BitBlaze: A New Approach to Computer Security via Binary Analysis, Proceedings of the 4th International Conference on Information Systems Security (ICISS), 2008.
DOI: 10.1145/1315245.1315261
URL: http://bitblaze.cs.berkeley.edu/papers/bitblaze_iciss08.pdf
Store a new value in pointers immediately after free(). URL: https
Driller: Augmenting Fuzzing Through Selective Symbolic Execution, Proceedings 2016 Network and Distributed System Security Symposium, 2016.
DOI: 10.14722/ndss.2016.23368
Eternal War in Memory, IEEE Security & Privacy, vol.12, issue.3, 2014.
DOI: 10.1109/MSP.2014.44
Testing Flow Graph Reducibility, In: J. Comput. Syst. Sci., 1974.
DOI: 10.1145/800125.804040
URL: http://ecommons.cornell.edu/bitstream/1813/6008/1/73-159.pdf
Is It the Beginning of the End For Use-After-Free Exploitation? Palo Alto Networks, 2014.
Open bugs.
Understanding the low fragmentation heap, 2010.
Technical Analysis of ProFTPD Response Pool Use-after-free (CVE-2011-4130), 20120110. URL: http://www.vupen.com/blog
Partition Memory Models for Program Analysis, 2016.
DOI: 10.1007/978-3-319-52234-0_29
Efficiently solving quantified bit-vector formulas, Formal Methods in System Design, vol.42, issue.1, 2013.
DOI: 10.1016/0022-0000(80)90027-6
URL: http://research.microsoft.com/%7Eleonardo/fmcad10.pdf
Dynamic Storage Allocation: A Survey and Critical Review, Lecture Notes in Computer Science, 1995.
An Efficient and Backwards-Compatible Transformation to Ensure Memory Safety of C Programs, Proceedings of the 12th ACM SIGSOFT International Symposium on the Foundations of Software Engineering (FSE), 2004.
Garbage collection internals for Flash Player and Adobe AIR.
FreeSentry: Protecting Against Use-After-Free Vulnerabilities Due to Dangling Pointers, Proceedings 2015 Network and Distributed System Security Symposium, 2015.
DOI: 10.14722/ndss.2015.23190
Execution synthesis, Proceedings of the 5th European Conference on Computer Systems, EuroSys '10, 2010.
DOI: 10.1145/1755913.1755946
VTint: Protecting Virtual Function Tables' Integrity, Proceedings 2015 Network and Distributed System Security Symposium, 2015.
DOI: 10.14722/ndss.2015.23099
Regular Property Guided Dynamic Symbolic Execution, 2015 IEEE/ACM 37th IEEE International Conference on Software Engineering, 2015.
DOI: 10.1109/ICSE.2015.80
Clang Static Analyzer.
The MonoREIL static code analysis framework. URL: https://www.zynamics.com/binnavi/manual/html/mono_reil.html
GrammaTech. CodeSonar. URL: https
CodeSonar Binary Code Analysis. URL: https://www.grammatech.com/products/binary-analysis
A garbage collector for C and C++.
Fortify Static Code Analyzer. URL: http://www8.hp.com/us/en/software-solutions/static-code-analysis-sast/
LLVM. The LLVM Compiler Infrastructure.
Electric Fence.
White Box Testing (SAST). URL: http://www.veracode.com/products/binary-static-analysis-sast
AFL (american fuzzy lop).