|
[1] S. Anand, P. Godefroid, and N. Tillmann, "Demand-driven compositional symbolic execution," in Tools and Algorithms for the Construction and Analysis of Systems, ed: Springer, 2008, pp. 367-381.
[2] W. A. Arbaugh, W. L. Fithen, and J. McHugh, "Windows of vulnerability: A case study analysis," Computer, vol. 33, pp. 52-59, 2000.
[3] T. Avgerinos, S. K. Cha, B. L. T. Hao, and D. Brumley, "AEG: Automatic Exploit Generation," in NDSS, 2011, pp. 59-66.
[4] F. Bellard, "QEMU, a Fast and Portable Dynamic Translator," in USENIX Annual Technical Conference, FREENIX Track, 2005, pp. 41-46.
[5] C. Cadar, D. Dunbar, and D. R. Engler, "KLEE: Unassisted and Automatic Generation of High-Coverage Tests for Complex Systems Programs," in OSDI, 2008, pp. 209-224.
[6] M. Canini, D. Venzano, P. Peresini, D. Kostic, and J. Rexford, "A NICE way to test OpenFlow applications," NSDI, Apr, 2012.
[7] D. Caselden, A. Bazhanyuk, M. Payer, L. Szekeres, S. McCamant, and D. Song, "Transformation-aware exploit generation using a HI-CFG," University of California, Berkeley, Tech. Rep. UCB/EECS-2013-85, 2013.
[8] V. Chipounov, V. Kuznetsov, and G. Candea, "S2E: A platform for in-vivo multi-path analysis of software systems," ACM SIGARCH Computer Architecture News, vol. 39, pp. 265-278, 2011.
[9] V. Chipounov, V. Kuznetsov, and G. Candea, "The s2e platform: Design, implementation, and applications," ACM Transactions on Computer Systems (TOCS), vol. 30, p. 2, 2012.
[10] C. Cowan, P. Wagle, C. Pu, S. Beattie, and J. Walpole, "Buffer overflows: Attacks and defenses for the vulnerability of the decade," in DARPA Information Survivability Conference and Exposition, 2000. DISCEX'00. Proceedings, 2000, pp. 119-129.
[11] L. De Moura and N. Bjørner, "Z3: An efficient SMT solver," in Tools and Algorithms for the Construction and Analysis of Systems, ed: Springer, 2008, pp. 337-340.
[12] M. Eddington. (2011). Peach fuzzing platform. Available: http://peachfuzzer.com/
[13] V. Ganesh and D. L. Dill, "A decision procedure for bit-vectors and arrays," in Computer Aided Verification, 2007, pp. 519-531.
[14] V. Ganesh, T. Leek, and M. Rinard, "Taint-based directed whitebox fuzzing," in Software Engineering, 2009. ICSE 2009. IEEE 31st International Conference on, 2009, pp. 474-484.
[15] P. Godefroid, M. Y. Levin, and D. A. Molnar, "Automated Whitebox Fuzz Testing," in NDSS, 2008, pp. 151-166.
[16] S. Heelan, "Automatic generation of control flow hijacking exploits for software vulnerabilities," University of Oxford, MSc Computer Science Dissertation, 2009.
[17] S. Hocevar. (2011). zzuf - multi-purpose fuzzer. Available: http://caca.zoy.org/wiki/zzuf
[18] S.-K. Huang, M.-H. Huang, P.-Y. Huang, C.-W. Lai, H.-L. Lu, and W.-M. Leong, "CRAX: Software Crash Analysis for Automatic Exploit Generation by Modeling Attacks as Symbolic Continuations," in Software Security and Reliability (SERE), 2012 IEEE Sixth International Conference on, 2012, pp. 78-87.
[19] J. C. King, "Symbolic execution and program testing," Communications of the ACM, vol. 19, pp. 385-394, 1976.
[20] C. Lattner and V. Adve, "LLVM: A compilation framework for lifelong program analysis & transformation," in Code Generation and Optimization, 2004. CGO 2004. International Symposium on, 2004, pp. 75-86.
[21] D. Libenzi. XMail. Available: http://www.xmailserver.org/
[22] J. Liu, Q. Wei, Q.-x. Wang, and T. Guo, "Trigger condition based test generation for finding security bugs," in Systems and Informatics (ICSAI), 2012 International Conference on, 2012, pp. 1106-1110.
[23] K.-K. Ma, K. Y. Phang, J. S. Foster, and M. Hicks, "Directed symbolic execution," in Static Analysis, ed: Springer, 2011, pp. 95-111.
[24] B. Martin, M. Brown, A. Paller, D. Kirby, and S. Christey, "2011 CWE/SANS Top 25 Most Dangerous Software Errors," Common Weakness Enumeration, vol. 7515, 2011.
[25] S. McCamant, M. Payer, D. Caselden, A. Bazhanyuk, and D. Song, "Transformation-aware symbolic execution for system test generation," Tech. Rep. UCB/EECS-2013-125, University of California, Berkeley, Jun. 2013.
[26] B. P. Miller, L. Fredriksen, and B. So, "An empirical study of the reliability of UNIX utilities," Communications of the ACM, vol. 33, pp. 32-44, 1990.
[27] C. Miller, J. Caballero, N. M. Johnson, M. G. Kang, S. McCamant, P. Poosankam, et al., "Crash analysis with BitBlaze," at BlackHat USA, 2010.
[28] D. Molnar, X. C. Li, and D. A. Wagner, "Dynamic test generation to find integer bugs in x86 binary linux programs," in Proceedings of the 18th conference on USENIX security symposium, 2009, pp. 67-82.
[29] D. A. Molnar and D. Wagner, "Catchconv: Symbolic execution and run-time type inference for integer conversion errors," UC Berkeley EECS, 2007.
[30] T. Newsham, "Format string attacks," ed, 2000.
[31] J. Newsome and D. Song, "Dynamic taint analysis for automatic detection, analysis, and signature generation of exploits on commodity software," 2005.
[32] J. Rößler, G. Fraser, A. Zeller, and A. Orso, "Isolating failure causes through test case generation," in Proceedings of the 2012 International Symposium on Software Testing and Analysis, 2012, pp. 309-319.
[33] P. Saxena, P. Poosankam, S. McCamant, and D. Song, "Loop-extended symbolic execution on binary programs," in Proceedings of the eighteenth international symposium on Software testing and analysis, 2009, pp. 225-236.
[34] E. J. Schwartz, T. Avgerinos, and D. Brumley, "All you ever wanted to know about dynamic taint analysis and forward symbolic execution (but might have been afraid to ask)," in Security and Privacy (SP), 2010 IEEE Symposium on, 2010, pp. 317-331.
[35] K. Sen, "Concolic testing," in Proceedings of the twenty-second IEEE/ACM international conference on Automated software engineering, 2007, pp. 571-572.
[36] K. Sen, D. Marinov, and G. Agha, CUTE: a concolic unit testing engine for C vol. 30: ACM, 2005.
[37] J. Shewmaker, "Analyzing dll injection," GSM Presentation, 2006.
[38] D. Song, D. Brumley, H. Yin, J. Caballero, I. Jager, M. G. Kang, et al., "BitBlaze: A new approach to computer security via binary analysis," in Information systems security, ed: Springer, 2008, pp. 1-25.
[39] M. Staats and C. Păsăreanu, "Parallel symbolic execution for structural test generation," in Proceedings of the 19th international symposium on Software testing and analysis, 2010, pp. 183-194.
[40] M. Sutton, A. Greene, and P. Amini, Fuzzing: brute force vulnerability discovery: Pearson Education, 2007.
[41] J. Vanegue, S. Heelan, and R. Rolles, "SMT Solvers in Software Security," in WOOT, 2012, pp. 85-96.
[42] T. Wang, T. Wei, G. Gu, and W. Zou, "TaintScope: A checksum-aware directed fuzzing tool for automatic software vulnerability detection," in Security and Privacy (SP), 2010 IEEE Symposium on, 2010, pp. 497-512.
[43] T. Wang, T. Wei, G. Gu, and W. Zou, "Checksum-aware fuzzing combined with dynamic taint analysis and symbolic execution," ACM Transactions on Information and System Security (TISSEC), vol. 14, p. 15, 2011.
[44] T. Wang, T. Wei, Z. Lin, and W. Zou, "IntScope: Automatically Detecting Integer Overflow Vulnerability in X86 Binary Using Symbolic Execution," in NDSS, 2009.
[45] M. Woo, S. K. Cha, S. Gottlieb, and D. Brumley, "Scheduling black-box mutational fuzzing," in Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security, 2013, pp. 511-522.
[46] R.-G. Xu, P. Godefroid, and R. Majumdar, "Testing for buffer overflows with length abstraction," in Proceedings of the 2008 international symposium on Software testing and analysis, 2008, pp. 27-38.
[47] 黃世昆, 黃銘祥, 黃博彥, 賴俊維, and 呂翰霖, "Current development and threat analysis of automatic exploit generators" (in Chinese), 資訊安全通訊, vol. 18, pp. 88-100, 2012.
[48] 劉歡, "A cross-platform web application testing and attack generation system" (in Chinese), Master's thesis, Institute of Computer Science and Engineering, National Chiao Tung University, 2013.
|