, Exploiting Hardware Performance Counters with Flow and Context Sensitive Profiling In: PLDI, 1997.
DOI : 10.1145/258915.258924
URL : http://www.cse.ohio-state.edu/~rountev/788/papers/ammons_pldi97.pdf
, Efficient Detection of All Pointer and Array Access Errors, 1994.
, Data structures and algorithms (6.7 Strong Components), 1983.
, Cling: A Memory Allocator to Mitigate Dangling Pointers, USENIX Security Symposium. USENIX Association, 2010.
, A Stack Memory Abstraction and Symbolic Analysis Framework for Executables, ACM Transactions on Software Engineering and Methodology, vol.25, issue.2, 2016.
DOI : 10.1109/COMPSAC.2007.163
, Dangling pointer: POINTER. SMASHING THE POINTER FOR FUN AND PROFIT. Black Hat USA, 2007.
, Statically-directed dynamic automated test generation, 2011.
, An All-in-One Toolkit for Automated White-Box Testing, Lecture Notes in Computer Science, 2014.
DOI : 10.1007/978-3-319-09099-3_4
, Sound and Quasi-Complete Detection of Infeasible Test Requirements, 2015 IEEE 8th International Conference on Software Testing, Verification and Validation (ICST), 2015.
DOI : 10.1109/ICST.2015.7102607
, Hoard: a scalable memory allocator for multithreaded applications, In: SIGPLAN Not, pp.362-1340, 2000.
, A few billion lines of code later, Communications of the ACM, vol.53, issue.2, 2010.
DOI : 10.1145/1646353.1646374
, Sequoll: A framework for model checking binaries, 2013 IEEE 19th Real-Time and Embedded Technology and Applications Symposium (RTAS), 2013.
DOI : 10.1109/RTAS.2013.6531083
, WYSINWYX, ACM Transactions on Programming Languages and Systems, vol.32, issue.6, 2010.
DOI : 10.1145/1749608.1749612
, Automatic Patch-Based Exploit Generation is Possible: Techniques and Implications, 2008 IEEE Symposium on Security and Privacy (sp 2008), 2008.
DOI : 10.1109/SP.2008.17
URL : http://repository.cmu.edu/cgi/viewcontent.cgi?article=1001&context=ece
, BAP: A Binary Analysis Platform, Proceedings of the 23rd international conference on Computer aided verification. CAV'11, 2011.
DOI : 10.1007/978-3-642-14295-6_27
URL : http://users.ece.cmu.edu/~ejschwar/papers/cav11.pdf
, DieHard: probabilistic memory safety for unsafe languages, 2006.
, Practical memory checking with Dr. Memory, International Symposium on Code Generation and Optimization (CGO 2011), 2011.
DOI : 10.1109/CGO.2011.5764689
URL : http://www.cag.lcs.mit.edu/commit/papers/2011/bruening-cgo11-drmemory.pdf
, Undangle: early detection of dangling pointers in use-after-free and double-free vulnerabilities, Proceedings of the 2012 International Symposium on Software Testing and Analysis, ISSTA 2012, 2012.
DOI : 10.1145/2338965.2336769
, Abstract interpretation, Proceedings of the 4th ACM SIGACT-SIGPLAN symposium on Principles of programming languages , POPL '77, 1977.
DOI : 10.1145/512950.512973
URL : https://hal.archives-ouvertes.fr/hal-00930103
, KLEE: Unassisted and Automatic Generation of High-Coverage Tests for Complex Systems Programs, 2008.
, Bugalyze.com -Detecting Bugs Using Decompilation and Data Flow Analysis
, Behind the scenes in SANTE: a combination of static and dynamic analyses, Automated Software Engineering, vol.25, issue.7, 2014.
DOI : 10.1145/1146238.1146255
URL : https://hal.archives-ouvertes.fr/hal-00818147
, Lessons In Static Binary Analysis, In: BlackHat US, 2012.
, S2E: a platform for in-vivo multi-path analysis of software systems, 2011.
, The S2E Platform, ACM Transactions on Computer Systems, vol.30, issue.1, 2012.
DOI : 10.1145/2110356.2110358
, Compile-time deallocation of individual objects, Proceedings of the 2006 international symposium on Memory management , ISMM '06, 2006.
DOI : 10.1145/1133956.1133975
, Symbolic execution for software testing, Communications of the ACM, vol.56, issue.2, 2013.
DOI : 10.1145/2408776.2408795
, On the detection of custom memory allocators in C binaries, Empirical Software Engineering, vol.32, issue.3, 2016.
DOI : 10.1145/1133956.1133968
, CWE-415. Double Free. url: https://cwe.mitre
, Use After Free. url: https
, Efficiently Detecting All Dangling Pointer Uses in Production Servers, International Conference on Dependable Systems and Networks (DSN'06), 2006.
DOI : 10.1109/DSN.2006.31
, Cyber Grand Challenge
, BINSEC/SE: A Dynamic Symbolic Execution Toolkit for Binary-Level Analysis, 2016 IEEE 23rd International Conference on Software Analysis, Evolution, and Reengineering (SANER), 2016.
DOI : 10.1109/SANER.2016.43
, Specification of concretization and symbolization policies in symbolic execution, Proceedings of the 25th International Symposium on Software Testing and Analysis, ISSTA 2016, 2016.
DOI : 10.1109/ASE.2004.1342749
, BINSEC: Binary Code Analysis with Low-Level Regions, Lecture Notes in Computer Science, 2015.
DOI : 10.1007/978-3-662-46681-0_17
, Recovering High-Level Conditions from Binary Programs, FM. Ed. by John S. Fitzgerald et al. Lecture Notes in Computer Science, 2016.
DOI : 10.1109/SP.2015.47
, The yices smt solver, 2006.
, Use-after-Free: New Protections, and how to Defeat them. Bromium. https://labs.bromium.com/2015/01/17/use-after-free-new-protections- and-how-to-defeat-them, 2015.
, Binary-level static analysis
, LAVA: Large-Scale Automated Vulnerability Addition REIL: A platform-independent intermediate representation of disassembled code for static code analysis, IEEE Symposium on Security and Privacy, p.CanSecWest, 2009.
, Uncovering Use-After-Free Conditions in Compiled Code, 2015 10th International Conference on Availability, Reliability and Security, 2015.
DOI : 10.1109/ARES.2015.61
, Solving Exists/Forall Problems With Yices, 13th International Workshop on Satisfiability Modulo Theories, 2015.
, A Comparative Study of Industrial Static Analysis Tools, Electronic Notes in Theoretical Computer Science, vol.217, 2008.
DOI : 10.1016/j.entcs.2008.06.039
, A scalable concurrent malloc (3) implementation for FreeBSD, Proc. of the BSDCan Conference, 2006.
, Scalable memory allocation using jemalloc. https://www.facebook. com / notes / facebook -engineering / scalable -memory -allocation -using - jemalloc/480222803919, 2011.
, Finding the needle in the heap, Proceedings of the 6th Workshop on Software Security, Protection, and Reverse Engineering, SSPREW '16, 2016.
DOI : 10.1109/ICSE.2015.80
URL : https://hal.archives-ouvertes.fr/tel-01681707
, GUEB : Static Detection of Use-After-Free on Binary, 2015.
, A Comparison of Memory Allocators for Multicore and Multithread Applications: A Quantitative Approach, 2011.
, Understanding the heap by breaking it. Black Hat USA, 2007.
, A Comprehensive Complexity Analysis of User-Level Memory Allocator Algorithms, 2012 Brazilian Symposium on Computing System Engineering, 2012.
DOI : 10.1109/SBESC.2012.27
, Stagefright exploit reliably attacks Android phones
, Using static analysis to detect use-after-free on binary code, 1st Symposium on Digital Trust in Auvergne, 2014.
DOI : 10.1007/s11416-014-0203-1
, Guided Dynamic Symbolic Execution Using Subgraph Control-Flow Information, Lecture Notes in Computer Science, vol.10, issue.3, 2016.
DOI : 10.1109/ICSE.2015.80
, Statically detecting Useafter-Free on Binary Code
DOI : 10.1007/s11416-014-0203-1
, How browsers work : Behind the scenes of modern web browsers
, Detecting aliased stale pointers via static analysis: An architecture independent practical application of pointer analysis and graph theory to find bugs in binary code, 2009.
, DART: directed automated random testing, In: SIGPLAN Not, 2005.
, SAGE, Communications of the ACM, vol.55, issue.3, 2012.
DOI : 10.1145/2093548.2093564
, Free-Me: a static analysis for automatic individual object reclamation, 2006.
, Higher-order test generation In: PLDI, 2011.
DOI : 10.1145/1993498.1993529
, Most serious Linux privilege-escalation bug ever is under active exploit. http://arstechnica.com/security/2016/10/most-serious-linux- privilege-escalation-bug-ever-is-under-active-exploit
, Static Use-After-Free Detector for C/C++. https : //blog.trailofbits.com/2016/03/09/the-problem-with-dynamic-program- analysis
, Dowsing for Overflows: A Guided Fuzzer to Find Buffer Boundary Violations, Proceedings of the 22Nd USENIX Conference on Security. SEC'13. USENIX Association, 2013.
, Fast Allocation and Deallocation of Memory Based on Object Lifetimes, In: Softw., Pract. Exper, 1990.
, Nesting of reducible and irreducible loops, ACM Transactions on Programming Languages and Systems, vol.19, issue.4, pp.164-0925, 1997.
DOI : 10.1145/262004.262005
, Quantifying the performance of garbage collection vs. explicit memory management, 2006.
, Finding use-after-free bugs with static analysis. https : / / sean . heelan.io, 2009.
, Practical analysis of stripped binary code, In: SIGARCH Computer Architecture News, 2005.
, Information technology ? Programming languages ? C ISO
, Information technology ? Programming languages ? C ISO Storage durations of objects, IEC, vol.9899, issue.2, pp.2011-2017, 2012.
, malloc(3) Revisited, USENIX Annual Technical Conference . Ed. by Fred Douglis. USENIX Association, 1998.
, Static analysis of x86 executables: = Statische Analyse von Programmen in x86, 2010.
, Symbolic execution and program testing, Communications of the ACM, vol.19, issue.7, pp.1-0782, 1976.
DOI : 10.1145/360248.360252
, Heap Abstractions for Static Analysis, ACM Computing Surveys, vol.49, issue.2, 2014.
DOI : 10.1145/774572.774594
URL : http://arxiv.org/pdf/1403.4910
, Handbook of Open Source Tools. 1st. 5 Apache Portable Runtime (apr) 5.1 APR Memory Pool, 2010.
DOI : 10.1007/978-1-4419-7719-9
, Undecidability of static analysis, ACM Letters on Programming Languages and Systems, vol.1, issue.4, 2002.
DOI : 10.1145/161494.161501
URL : http://athos.rutgers.edu/~landi/loplas92.ps
, Preventing Use-after-free with Dangling Pointers Nullification, Proceedings 2015 Network and Distributed System Security Symposium, 2015.
DOI : 10.14722/ndss.2015.23238
, Dynamically validating static memory leak warnings, Proceedings of the 2013 International Symposium on Software Testing and Analysis, ISSTA 2013, 2013.
DOI : 10.1145/2483760.2483778
, Adobe Reader's Custom Memory Management: a Heap of Trouble
, Microsoft Edge MemGC Internals, 2015.
, Random walks on graphs: A survey, 1993.
, Directed Symbolic Execution, In: SAS. Ed. by Eran Yahav. Lecture Notes in Computer Science, vol.19, issue.7, 2011.
DOI : 10.1145/1755913.1755946
URL : http://drum.lib.umd.edu/bitstream/1903/11374/3/CS-TR-4979-r1.pdf
, Modeling the heap: A practical approach " . https://www.youtube. com/watch?v=AbiVYHVU0mQ, 2008.
, Z3: An Efficient SMT Solver, Lecture Notes in Computer Science, 2008.
, KATCH: high-coverage testing of software patches, 2013.
, How Heartbleed Broke the Internet ? And Why It Can Happen Again. https://www.wired.com, 2014.
, GFlags and PageHeap. https://msdn.microsoft.com/en-us/library, p.549561
, Binary code is not easy, Proceedings of the 25th International Symposium on Software Testing and Analysis, ISSTA 2016, 2016.
DOI : 10.1109/CSAC.2004.17
, A Survey of Satisfiability Modulo Theory, 2016.
DOI : 10.1007/978-3-662-46681-0_10
URL : https://hal.archives-ouvertes.fr/hal-01332051
, SoftBound: highly compatible and complete spatial memory safety for c, 2009.
, CETS, Proceedings of the 2010 international symposium on Memory management, ISMM '10, 2010.
DOI : 10.1145/1806651.1806657
, DieHarder, Proceedings of the 17th ACM conference on Computer and communications security, CCS '10
DOI : 10.1145/1866307.1866371
, CCured: Type-safe Retrofitting of Legacy Code, 2002.
, Watchdog, ACM SIGARCH Computer Architecture News, vol.40, issue.3, 2012.
DOI : 10.1145/2366231.2337181
, WatchdogLite, Proceedings of Annual IEEE/ACM International Symposium on Code Generation and Optimization, CGO '14, 2014.
DOI : 10.1145/2581122.2544147
, Boolector 2.0 system description, In: Journal on Satisfiability Boolean Modeling and Computation, 2014.
, Boolector 2.0 system description, In: Journal on Satisfiability Boolean Modeling and Computation, 2014.
, Valgrind: a framework for heavyweight dynamic binary instrumentation, 2007.
, Mitigating Dangling Pointer Bugs Using Frame Poisoning
, Survey of satisfiability modulo theories (SMT) . In: Banff International Research Station for Mathematical Innovation and Discovery (BIRS) Workshop Lecture Videos. Banff International Research Station for Mathematical Innovation and Discovery
, Developer's Guide: Resource Pools
, PartitionAlloc -A shallow dive and some rand
, Windows internals, 2012.
, Tag-Protector, Proceedings of the Third Workshop on Cryptography and Security in Computing Systems, CS2 '16, 2016.
DOI : 10.1145/1755688.1755707
, TCMalloc : Thread-Caching Malloc
, Abstraction Recovery for Scalable Static Binary Analysis
, AddressSanitizer: A Fast Address Sanity Checker
, Fuzzing: Brute Force Vulnerability Discovery, 2007.
, Establishing Local Temporal Heap Safety Properties with Applications to Compile-Time Memory Management, In: SAS. Ed. by Radhia Cousot. Lecture Notes in Computer Science, 2003.
DOI : 10.1016/j.scico.2005.02.010
URL : https://doi.org/10.1016/j.scico.2005.02.010
, Etymology of the computer bug: History and folklore, American Speech, 1987.
, Life After the Isolated Heap
, CUTE: a concolic unit testing engine for C ", In: SIGSOFT Softw. Eng. Notes, 2005.
DOI : 10.21236/ada482657
URL : https://www.ideals.illinois.edu/bitstream/2142/11107/2/CUTE%20A%20Concolic%20Unit%20Testing%20Engine%20for%20C.pdf
, BitBlaze: A New Approach to Computer Security via Binary Analysis, Proceedings of the 4th International Conference on Information Systems Security (ICISS), 2008.
DOI : 10.1145/1315245.1315261
URL : http://bitblaze.cs.berkeley.edu/papers/bitblaze_iciss08.pdf
, Store a new value in pointers immediately after free(). https
, Driller: Augmenting Fuzzing Through Selective Symbolic Execution, Proceedings 2016 Network and Distributed System Security Symposium, 2016.
DOI : 10.14722/ndss.2016.23368
, Eternal War in Memory, IEEE Security & Privacy, vol.12, issue.3, 2014.
DOI : 10.1109/MSP.2014.44
, Testing Flow Graph Reducibility, In: J. Comput. Syst. Sci, 1974.
DOI : 10.1145/800125.804040
URL : http://ecommons.cornell.edu/bitstream/1813/6008/1/73-159.pdf
, Is It the Beginning of the End For Use-After-Free Exploitation? Palo Alto Network, 2014.
, Open bugs
, Understanding the low fragmentation heap, 2010.
, Technical Analysis of ProFTPD Response Pool Use-after-free (CVE-2011- 4130) http : / / www . vupen . com / blog, 20120110.
, Partition Memory Models for Program Analysis, 2016.
DOI : 10.1007/978-3-319-52234-0_29
, Efficiently solving quantified bit-vector formulas, Formal Methods in System Design, vol.42, issue.1, 2013.
DOI : 10.1016/0022-0000(80)90027-6
URL : http://research.microsoft.com/%7Eleonardo/fmcad10.pdf
, Dynamic Storage Allocation: A Survey and Critical Review, Lecture Notes in Computer Science, 1995.
, An Efficient and Backwards-Compatible Transformation to Ensure Memory Safety of C Programs, Proceedings of the 12th ACM SIGSOFT International Symposium on the Foundations of Software Engineering (FSE), 2004.
, Garbage collection internals for Flash Player and Adobe AIR
, FreeSentry: Protecting Against Use-After-Free Vulnerabilities Due to Dangling Pointers, Proceedings 2015 Network and Distributed System Security Symposium, 2015.
DOI : 10.14722/ndss.2015.23190
, Execution synthesis, Proceedings of the 5th European conference on Computer systems, EuroSys '10, 2010.
DOI : 10.1145/1755913.1755946
, VTint: Protecting Virtual Function Tables' Integrity, Proceedings 2015 Network and Distributed System Security Symposium, 2015.
DOI : 10.14722/ndss.2015.23099
, Regular Property Guided Dynamic Symbolic Execution, 2015 IEEE/ACM 37th IEEE International Conference on Software Engineering, 2015.
DOI : 10.1109/ICSE.2015.80
, Clang Static Analyzer
, The MonoREIL static code analysis framework. https://www. zynamics.com/binnavi/manual/html/mono_reil.html. [Graa] GrammaTech. CodeSonar. https
, CodeSonar Binary Code Analysis. https://www.grammatech.com/ products/binary-analysis
, A garbage collector for C and C++
, Fortify Static Code Analyzer. http : / / www8 . hp . com / us / en / software - solutions/static-code-analysis-sast/. [LLV] LLVM. The LLVM Compiler Infrastructure
, Electric Fence
, White Box Testing (SAST) http : / / www . veracode . com / products / binary-static-analysis-sast
, AFL (american fuzzy lop)