G. Ammons, T. Ball, and J. R. Larus, Exploiting Hardware Performance Counters with Flow and Context Sensitive Profiling, In: PLDI, 1997.

T. M. Austin, S. E. Breach, and G. S. Sohi, Efficient Detection of All Pointer and Array Access Errors, In: PLDI, 1994.

A. V. Aho, J. E. Hopcroft, and J. D. Ullman, Data Structures and Algorithms (section 6.7, Strong Components), 1983.

P. Akritidis, Cling: A Memory Allocator to Mitigate Dangling Pointers, In: USENIX Security Symposium, USENIX Association, 2010.

K. Anand et al., A Stack Memory Abstraction and Symbolic Analysis Framework for Executables, ACM Transactions on Software Engineering and Methodology, vol. 25, issue 2, 2016.

J. Afek and A. Sharabani, Dangling Pointer: Smashing the Pointer for Fun and Profit, Black Hat USA, 2007.

D. Babić et al., Statically-Directed Dynamic Automated Test Generation, In: ISSTA, 2011.

S. Bardin et al., An All-in-One Toolkit for Automated White-Box Testing, In: TAP, Lecture Notes in Computer Science, 2014.
DOI : 10.1007/978-3-319-09099-3_4

S. Bardin et al., Sound and Quasi-Complete Detection of Infeasible Test Requirements, 2015 IEEE 8th International Conference on Software Testing, Verification and Validation (ICST), 2015.
DOI : 10.1109/ICST.2015.7102607

E. D. Berger, K. S. McKinley, R. D. Blumofe, and P. R. Wilson, Hoard: A Scalable Memory Allocator for Multithreaded Applications, In: ASPLOS (SIGPLAN Notices), 2000.

A. Bessey et al., A Few Billion Lines of Code Later: Using Static Analysis to Find Bugs in the Real World, Communications of the ACM, vol. 53, issue 2, 2010.
DOI : 10.1145/1646353.1646374

B. Blackham and G. Heiser, Sequoll: A Framework for Model Checking Binaries, 2013 IEEE 19th Real-Time and Embedded Technology and Applications Symposium (RTAS), 2013.
DOI : 10.1109/RTAS.2013.6531083

G. Balakrishnan and T. Reps, WYSINWYX: What You See Is Not What You eXecute, ACM Transactions on Programming Languages and Systems, vol. 32, issue 6, 2010.
DOI : 10.1145/1749608.1749612

D. Brumley, P. Poosankam, D. Song, and J. Zheng, Automatic Patch-Based Exploit Generation is Possible: Techniques and Implications, 2008 IEEE Symposium on Security and Privacy (SP 2008), 2008.
DOI : 10.1109/SP.2008.17
URL : http://repository.cmu.edu/cgi/viewcontent.cgi?article=1001&context=ece

D. Brumley, I. Jager, T. Avgerinos, and E. J. Schwartz, BAP: A Binary Analysis Platform, Proceedings of the 23rd International Conference on Computer Aided Verification (CAV'11), 2011.
URL : http://users.ece.cmu.edu/~ejschwar/papers/cav11.pdf

E. D. Berger and B. G. Zorn, DieHard: Probabilistic Memory Safety for Unsafe Languages, In: PLDI, 2006.

D. Bruening and Q. Zhao, Practical memory checking with Dr. Memory, International Symposium on Code Generation and Optimization (CGO 2011), 2011.
DOI : 10.1109/CGO.2011.5764689

URL : http://www.cag.lcs.mit.edu/commit/papers/2011/bruening-cgo11-drmemory.pdf

J. Caballero, Undangle: early detection of dangling pointers in use-after-free and double-free vulnerabilities, Proceedings of the 2012 International Symposium on Software Testing and Analysis, ISSTA 2012, 2012.
DOI : 10.1145/2338965.2336769

P. Cousot and R. Cousot, Abstract Interpretation: A Unified Lattice Model for Static Analysis of Programs by Construction or Approximation of Fixpoints, Proceedings of the 4th ACM SIGACT-SIGPLAN Symposium on Principles of Programming Languages (POPL '77), 1977.
DOI : 10.1145/512950.512973
URL : https://hal.archives-ouvertes.fr/hal-00930103

C. Cadar, D. Dunbar, and D. R. Engler, KLEE: Unassisted and Automatic Generation of High-Coverage Tests for Complex Systems Programs, In: OSDI, 2008.

S. Cesare, Bugalyze.com - Detecting Bugs Using Decompilation and Data Flow Analysis.

O. Chebaro et al., Behind the Scenes in SANTE: A Combination of Static and Dynamic Analyses, Automated Software Engineering, 2014.
URL : https://hal.archives-ouvertes.fr/hal-00818147

C. Rioux (Veracode), Lessons in Static Binary Analysis, Black Hat USA, 2012.

V. Chipounov, V. Kuznetsov, and G. Candea, S2E: A Platform for In-Vivo Multi-Path Analysis of Software Systems, In: ASPLOS, 2011.

V. Chipounov, V. Kuznetsov, and G. Candea, The S2E Platform: Design, Implementation, and Applications, ACM Transactions on Computer Systems, vol. 30, issue 1, 2012.
DOI : 10.1145/2110356.2110358

S. Cherem and R. Rugina, Compile-time deallocation of individual objects, Proceedings of the 2006 international symposium on Memory management , ISMM '06, 2006.
DOI : 10.1145/1133956.1133975

C. Cadar and K. Sen, Symbolic Execution for Software Testing: Three Decades Later, Communications of the ACM, vol. 56, issue 2, 2013.
DOI : 10.1145/2408776.2408795

X. Chen, A. Slowinska, and H. Bos, On the Detection of Custom Memory Allocators in C Binaries, Empirical Software Engineering, 2016.

MITRE, CWE-415: Double Free. url: https://cwe.mitre

MITRE, CWE-416: Use After Free. url: https

D. Dhurjati and V. S. Adve, Efficiently Detecting All Dangling Pointer Uses in Production Servers, International Conference on Dependable Systems and Networks (DSN'06), 2006.
DOI : 10.1109/DSN.2006.31

DARPA, Cyber Grand Challenge.

R. David et al., BINSEC/SE: A Dynamic Symbolic Execution Toolkit for Binary-Level Analysis, 2016 IEEE 23rd International Conference on Software Analysis, Evolution, and Reengineering (SANER), 2016.
DOI : 10.1109/SANER.2016.43

R. David et al., Specification of Concretization and Symbolization Policies in Symbolic Execution, Proceedings of the 25th International Symposium on Software Testing and Analysis (ISSTA 2016), 2016.

A. Djoudi and S. Bardin, BINSEC: Binary Code Analysis with Low-Level Regions, In: TACAS, Lecture Notes in Computer Science, 2015.
DOI : 10.1007/978-3-662-46681-0_17

A. Djoudi, S. Bardin, and E. Goubault, Recovering High-Level Conditions from Binary Programs, In: FM, ed. by John S. Fitzgerald et al., Lecture Notes in Computer Science, 2016.

B. Dutertre and L. de Moura, The Yices SMT Solver, 2006.

J. DeMott, Use-after-Free: New Protections, and How to Defeat Them, Bromium Labs, 2015. https://labs.bromium.com/2015/01/17/use-after-free-new-protections-and-how-to-defeat-them

A. Djoudi, Binary-Level Static Analysis.

B. Dolan-Gavitt et al., LAVA: Large-Scale Automated Vulnerability Addition, IEEE Symposium on Security and Privacy, 2016.

T. Dullien and S. Porst, REIL: A Platform-Independent Intermediate Representation of Disassembled Code for Static Code Analysis, CanSecWest, 2009.

D. Dewey, B. Reaves, and P. Traynor, Uncovering Use-After-Free Conditions in Compiled Code, 2015 10th International Conference on Availability, Reliability and Security (ARES), 2015.
DOI : 10.1109/ARES.2015.61

B. Dutertre, Solving Exists/Forall Problems with Yices, 13th International Workshop on Satisfiability Modulo Theories (SMT), 2015.

P. Emanuelsson and U. Nilsson, A Comparative Study of Industrial Static Analysis Tools, Electronic Notes in Theoretical Computer Science, vol. 217, 2008.
DOI : 10.1016/j.entcs.2008.06.039

J. Evans, A Scalable Concurrent malloc(3) Implementation for FreeBSD, Proc. of the BSDCan Conference, 2006.

J. Evans, Scalable Memory Allocation Using jemalloc, 2011. https://www.facebook.com/notes/facebook-engineering/scalable-memory-allocation-using-jemalloc/480222803919

J. Feist et al., Finding the Needle in the Heap: Combining Static Analysis and Dynamic Symbolic Execution to Trigger Use-After-Free, Proceedings of the 6th Workshop on Software Security, Protection, and Reverse Engineering (SSPREW '16), 2016.

J. Feist, GUEB: Static Detection of Use-After-Free on Binary, 2015.

T. B. Ferreira et al., A Comparison of Memory Allocators for Multicore and Multithread Applications: A Quantitative Approach, 2011.

J. N. Ferguson, Understanding the heap by breaking it. Black Hat USA, 2007.

Ferreira, Fernandes, and Matias, A Comprehensive Complexity Analysis of User-Level Memory Allocator Algorithms, 2012 Brazilian Symposium on Computing System Engineering (SBESC), 2012.
DOI : 10.1109/SBESC.2012.27

J. Fingas, Stagefright Exploit Reliably Attacks Android Phones.

J. Feist, L. Mounier, and M.-L. Potet, Using Static Analysis to Detect Use-After-Free on Binary Code, 1st Symposium on Digital Trust in Auvergne, 2014.

J. Feist, L. Mounier, and M.-L. Potet, Guided Dynamic Symbolic Execution Using Subgraph Control-Flow Information, Lecture Notes in Computer Science, 2016.

J. Feist, L. Mounier, and M.-L. Potet, Statically Detecting Use-after-Free on Binary Code, Journal in Computer Virology and Hacking Techniques, 2014.
DOI : 10.1007/s11416-014-0203-1

T. Garsiel, How Browsers Work: Behind the Scenes of Modern Web Browsers.

Gola, Detecting Aliased Stale Pointers via Static Analysis: An Architecture Independent Practical Application of Pointer Analysis and Graph Theory to Find Bugs in Binary Code, 2009.

P. Godefroid, N. Klarlund, and K. Sen, DART: Directed Automated Random Testing, In: PLDI, 2005.

P. Godefroid, M. Y. Levin, and D. A. Molnar, SAGE: Whitebox Fuzzing for Security Testing, Communications of the ACM, vol. 55, issue 3, 2012.
DOI : 10.1145/2093548.2093564

S. Z. Guyer, K. S. McKinley, and D. Frampton, Free-Me: A Static Analysis for Automatic Individual Object Reclamation, In: PLDI, 2006.

P. Godefroid, Higher-order test generation In: PLDI, 2011.
DOI : 10.1145/1993498.1993529

D. Goodin, Most Serious Linux Privilege-Escalation Bug Ever Is Under Active Exploit, Ars Technica, 2016. http://arstechnica.com/security/2016/10/most-serious-linux-privilege-escalation-bug-ever-is-under-active-exploit

P. Goodman, PointsTo: Static Use-After-Free Detector for C/C++, Trail of Bits, 2016. https://blog.trailofbits.com/2016/03/09/the-problem-with-dynamic-program-analysis

I. Haller, A. Slowinska, M. Neugschwandtner, and H. Bos, Dowsing for Overflows: A Guided Fuzzer to Find Buffer Boundary Violations, Proceedings of the 22nd USENIX Conference on Security (SEC'13), USENIX Association, 2013.

D. R. Hanson, Fast Allocation and Deallocation of Memory Based on Object Lifetimes, Software: Practice and Experience, 1990.

P. Havlak, Nesting of Reducible and Irreducible Loops, ACM Transactions on Programming Languages and Systems, vol. 19, issue 4, 1997.
DOI : 10.1145/262004.262005

M. Hertz and E. D. Berger, Quantifying the Performance of Garbage Collection vs. Explicit Memory Management, In: OOPSLA, 2005.

S. Heelan, Finding Use-After-Free Bugs with Static Analysis, 2009. https://sean.heelan.io

L. C. Harris and B. P. Miller, Practical Analysis of Stripped Binary Code, In: SIGARCH Computer Architecture News, 2005.

ISO/IEC, Information Technology - Programming Languages - C, ISO/IEC 9899:2011, 2012.

ISO/IEC, Information Technology - Programming Languages - C, ISO/IEC 9899:2011, section 6.2.4 (Storage Durations of Objects), 2012.

P.-H. Kamp, malloc(3) Revisited, USENIX Annual Technical Conference, ed. by Fred Douglis, USENIX Association, 1998.

J. Kinder, Static Analysis of x86 Executables (Statische Analyse von Programmen in x86), PhD thesis, Technische Universität Darmstadt, 2010.

J. C. King, Symbolic Execution and Program Testing, Communications of the ACM, vol. 19, issue 7, 1976.
DOI : 10.1145/360248.360252

V. Kanvar and U. P. Khedker, Heap Abstractions for Static Analysis, ACM Computing Surveys, vol. 49, issue 2, 2016 (arXiv preprint, 2014).
URL : http://arxiv.org/pdf/1403.4910

S. Koranne, Handbook of Open Source Tools, 1st ed., Springer, 2010 (chapter 5, Apache Portable Runtime (APR); section 5.1, APR Memory Pool).
DOI : 10.1007/978-1-4419-7719-9

W. Landi, Undecidability of Static Analysis, ACM Letters on Programming Languages and Systems, vol. 1, issue 4, 1992.
DOI : 10.1145/161494.161501

B. Lee, Preventing Use-after-free with Dangling Pointers Nullification, Proceedings 2015 Network and Distributed System Security Symposium, 2015.
DOI : 10.14722/ndss.2015.23238

M. Li, Dynamically validating static memory leak warnings, Proceedings of the 2013 International Symposium on Software Testing and Analysis, ISSTA 2013, 2013.
DOI : 10.1145/2483760.2483778

H. Li, Adobe Reader's Custom Memory Management: A Heap of Trouble.

H. Li, Microsoft Edge MemGC Internals, 2015.

L. Lovász, Random Walks on Graphs: A Survey, 1993.

K.-K. Ma, K. Y. Phang, J. S. Foster, and M. Hicks, Directed Symbolic Execution, In: SAS, ed. by Eran Yahav, Lecture Notes in Computer Science, 2011.
URL : http://drum.lib.umd.edu/bitstream/1903/11374/3/CS-TR-4979-r1.pdf

M. Marron, Modeling the Heap: A Practical Approach (talk), 2008. https://www.youtube.com/watch?v=AbiVYHVU0mQ

L. de Moura and N. Bjørner, Z3: An Efficient SMT Solver, In: TACAS, Lecture Notes in Computer Science, 2008.

P. D. Marinescu and C. Cadar, KATCH: High-Coverage Testing of Software Patches, In: ESEC/FSE, 2013.

R. McMillan, How Heartbleed Broke the Internet - And Why It Can Happen Again, Wired, 2014. https://www.wired.com

Microsoft, GFlags and PageHeap. https://msdn.microsoft.com/en-us/library, p.549561

X. Meng and B. P. Miller, Binary Code Is Not Easy, Proceedings of the 25th International Symposium on Software Testing and Analysis (ISSTA 2016), 2016.

D. Monniaux, A Survey of Satisfiability Modulo Theory, In: CASC, Lecture Notes in Computer Science, 2016.
URL : https://hal.archives-ouvertes.fr/hal-01332051

S. Nagarakatte, J. Zhao, M. M. K. Martin, and S. Zdancewic, SoftBound: Highly Compatible and Complete Spatial Memory Safety for C, In: PLDI, 2009.

[. Nagarakatte, CETS, Proceedings of the 2010 international symposium on Memory management, ISMM '10, 2010.
DOI : 10.1145/1806651.1806657

G. Novark and E. D. Berger, DieHarder: Securing the Heap, Proceedings of the 17th ACM Conference on Computer and Communications Security (CCS '10), 2010.
DOI : 10.1145/1866307.1866371

G. C. Necula, S. McPeak, and W. Weimer, CCured: Type-Safe Retrofitting of Legacy Code, In: POPL, 2002.

S. Nagarakatte, M. M. K. Martin, and S. Zdancewic, Watchdog: Hardware for Safe and Secure Manual Memory Management and Full Memory Safety, ACM SIGARCH Computer Architecture News (ISCA), vol. 40, issue 3, 2012.
DOI : 10.1145/2366231.2337181

[. Nagarakatte, M. M. Martin, and S. Zdancewic, WatchdogLite, Proceedings of Annual IEEE/ACM International Symposium on Code Generation and Optimization, CGO '14, 2014.
DOI : 10.1145/2581122.2544147

A. Niemetz, M. Preiner, and A. Biere, Boolector 2.0 System Description, Journal on Satisfiability, Boolean Modeling and Computation, 2014.

N. Nethercote and J. Seward, Valgrind: A Framework for Heavyweight Dynamic Binary Instrumentation, In: PLDI, 2007.

R. O'Callahan, Mitigating Dangling Pointer Bugs Using Frame Poisoning.

A. Oliveras, Survey of Satisfiability Modulo Theories (SMT), In: Banff International Research Station for Mathematical Innovation and Discovery (BIRS) Workshop Lecture Videos.

ProFTPD, Developer's Guide: Resource Pools.

C. Rohlf, PartitionAlloc - A Shallow Dive and Some Rand.

M. E. Russinovich, D. A. Solomon, and A. Ionescu, Windows Internals, 6th ed., 2012.

A. Saeed, A. Ahmadinia, and M. Just, Tag-Protector, Proceedings of the Third Workshop on Cryptography and Security in Computing Systems (CS2 '16), 2016.

S. Ghemawat and P. Menage, TCMalloc: Thread-Caching Malloc.

E. J. Schwartz, Abstraction Recovery for Scalable Static Binary Analysis, PhD thesis, Carnegie Mellon University, 2014.

K. Serebryany, D. Bruening, A. Potapenko, and D. Vyukov, AddressSanitizer: A Fast Address Sanity Checker, In: USENIX Annual Technical Conference, 2012.

M. Sutton, A. Greene, and P. Amini, Fuzzing: Brute Force Vulnerability Discovery, 2007.

R. Shaham, E. Yahav, E. K. Kolodner, and M. Sagiv, Establishing Local Temporal Heap Safety Properties with Applications to Compile-Time Memory Management, In: SAS, ed. by Radhia Cousot, Lecture Notes in Computer Science, 2003 (extended version in Science of Computer Programming, 2005).
DOI : 10.1016/j.scico.2005.02.010

F. R. Shapiro, Etymology of the Computer Bug: History and Folklore, American Speech, 1987.

N. Silvanovich, Life After the Isolated Heap.

K. Sen, D. Marinov, and G. Agha, CUTE: A Concolic Unit Testing Engine for C, In: ESEC/FSE (SIGSOFT Software Engineering Notes), 2005.
DOI : 10.21236/ada482657
URL : https://www.ideals.illinois.edu/bitstream/2142/11107/2/CUTE%20A%20Concolic%20Unit%20Testing%20Engine%20for%20C.pdf

D. Song et al., BitBlaze: A New Approach to Computer Security via Binary Analysis, Proceedings of the 4th International Conference on Information Systems Security (ICISS), 2008.
URL : http://bitblaze.cs.berkeley.edu/papers/bitblaze_iciss08.pdf

SEI CERT C Coding Standard, MEM01-C. Store a New Value in Pointers Immediately After free(). https

N. Stephens, Driller: Augmenting Fuzzing Through Selective Symbolic Execution, Proceedings 2016 Network and Distributed System Security Symposium, 2016.
DOI : 10.14722/ndss.2016.23368

L. Szekeres et al., Eternal War in Memory, IEEE Security & Privacy, vol. 12, issue 3, 2014.
DOI : 10.1109/MSP.2014.44

R. E. Tarjan, Testing Flow Graph Reducibility, In: Journal of Computer and System Sciences, 1974.
DOI : 10.1145/800125.804040
URL : http://ecommons.cornell.edu/bitstream/1813/6008/1/73-159.pdf

B. Qu, T. Yan, and R. Lu, Is It the Beginning of the End for Use-After-Free Exploitation?, Palo Alto Networks, 2014.

Ubuntu, Open Bugs.

C. Valasek, Understanding the Low Fragmentation Heap, Black Hat USA, 2010.

VUPEN, Technical Analysis of ProFTPD Response Pool Use-after-free (CVE-2011-4130), 2012-01-10. http://www.vupen.com/blog

W. Wang, C. Barrett, and T. Wies, Partition Memory Models for Program Analysis, In: VMCAI, Lecture Notes in Computer Science, 2017.
DOI : 10.1007/978-3-319-52234-0_29

C. M. Wintersteiger, Y. Hamadi, and L. de Moura, Efficiently Solving Quantified Bit-Vector Formulas, Formal Methods in System Design, vol. 42, issue 1, 2013.
URL : http://research.microsoft.com/%7Eleonardo/fmcad10.pdf

P. R. Wilson, M. S. Johnstone, M. Neely, and D. Boles, Dynamic Storage Allocation: A Survey and Critical Review, In: IWMM, Lecture Notes in Computer Science, 1995.

W. Xu, D. C. Duvarney, and R. Sekar, An Efficient and Backwards-Compatible Transformation to Ensure Memory Safety of C Programs, Proceedings of the 12th ACM SIGSOFT International Symposium on the Foundations of Software Engineering (FSE), 2004.

M. Yaiser, Garbage collection internals for Flash Player and Adobe AIR

Y. Younan, FreeSentry: Protecting Against Use-After-Free Vulnerabilities Due to Dangling Pointers, Proceedings 2015 Network and Distributed System Security Symposium, 2015.
DOI : 10.14722/ndss.2015.23190

C. Zamfir and G. Candea, Execution Synthesis: A Technique for Automated Software Debugging, Proceedings of the 5th European Conference on Computer Systems (EuroSys '10), 2010.
DOI : 10.1145/1755913.1755946

C. Zhang, VTint: Protecting Virtual Function Tables' Integrity, Proceedings 2015 Network and Distributed System Security Symposium, 2015.
DOI : 10.14722/ndss.2015.23099

Y. Zhang, Regular Property Guided Dynamic Symbolic Execution, 2015 IEEE/ACM 37th IEEE International Conference on Software Engineering, 2015.
DOI : 10.1109/ICSE.2015.80

LLVM Project, Clang Static Analyzer.

Google/Zynamics, The MonoREIL Static Code Analysis Framework. https://www.zynamics.com/binnavi/manual/html/mono_reil.html

GrammaTech, CodeSonar. https

GrammaTech, CodeSonar Binary Code Analysis. https://www.grammatech.com/products/binary-analysis

H.-J. Boehm, A. Demers, and M. Weiser, A Garbage Collector for C and C++.

HP, Fortify Static Code Analyzer. http://www8.hp.com/us/en/software-solutions/static-code-analysis-sast/

LLVM, The LLVM Compiler Infrastructure.

B. Perens, Electric Fence

Veracode, White Box Testing (SAST). http://www.veracode.com/products/binary-static-analysis-sast

M. Zalewski, AFL (american fuzzy lop)