@SeanHeelan
Created January 29, 2020 21:14
Bibliography for an AEG talk
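@inproceedings{avgerinos_aeg:_2011,
  author    = {Avgerinos, Thanassis and Cha, Sang Kil and Hao, Brent Lim Tze and Brumley, David},
  title     = {{AEG}: Automatic Exploit Generation},
  booktitle = {Network and Distributed System Security Symposium},
  year      = {2011},
  month     = feb,
  keywords  = {MyPHDThesis},
}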
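@inproceedings{brumley_automatic_2008,
  author    = {Brumley, David and Poosankam, Pongsin and Song, Dawn and Zheng, Jiang},
  title     = {Automatic Patch-Based Exploit Generation is Possible: Techniques and Implications},
  booktitle = {Proceedings of the 2008 {IEEE} Symposium on Security and Privacy},
  series    = {{SP} '08},
  publisher = {IEEE Computer Society},
  address   = {Washington, DC, USA},
  year      = {2008},
  pages     = {143--157},
  isbn      = {978-0-7695-3168-7},
  doi       = {10.1109/SP.2008.17},
  url       = {https://doi.org/10.1109/SP.2008.17},
  keywords  = {MyPHDThesis, combined execution, exploit generation, patch, symbolic execution, test case generation},
}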
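@article{dullien_weird_2019,
  author        = {Dullien, Thomas F.},
  title         = {Weird Machines, Exploitability, and Provable Unexploitability},
  journal       = {IEEE Transactions on Emerging Topics in Computing},
  year          = {2019},
  issn          = {2168-6750},
  doi           = {10.1109/TETC.2017.2785299},
  internal-note = {Early-access record: the exported pages field was the placeholder 1--1 and no volume was set; confirm volume and pages against the final issue},
  keywords      = {Complexity theory, Computation Theory, Computer hacking, Computer Security, Concrete, Cryptography, Information security, Language-theoretic security, Programming, Software, Transducers},
  abstract      = {The concept of exploit is central to computer security, particularly in the context of memory corruptions. Yet, in spite of the centrality of the concept and voluminous descriptions of various exploitation techniques or countermeasures, a good theoretical framework for describing and reasoning about exploitation has not yet been put forward.},
  file          = {IEEE Xplore Abstract Record:/home/sean/Zotero/storage/7Q5F3585/8226852.html:text/html;IEEE Xplore Full Text PDF:/home/sean/Zotero/storage/QQTC6QYN/Dullien - 2019 - Weird machines, exploitability, and provable unexp.pdf:application/pdf},
}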
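@inproceedings{repel_modular_2017,
  author    = {Repel, Dusan and Kinder, Johannes and Cavallaro, Lorenzo},
  title     = {Modular Synthesis of Heap Exploits},
  booktitle = {Proceedings of the 2017 Workshop on Programming Languages and Analysis for Security},
  series    = {{PLAS} '17},
  publisher = {ACM},
  address   = {New York, NY, USA},
  venue     = {Dallas, Texas, USA},
  year      = {2017},
  pages     = {25--35},
  isbn      = {978-1-4503-5099-0},
  doi       = {10.1145/3139337.3139346},
  url       = {http://doi.acm.org/10.1145/3139337.3139346},
  urldate   = {2019-06-23},
  keywords  = {symbolic execution, exploitation, vulnerabilities},
  abstract  = {Memory errors continue to compromise the security of today's systems. Recent efforts to automatically synthesize exploits for stack-based buffer overflows promise to help assess a vulnerability's severity more quickly and alleviate the burden of manual reasoning. However, generation of heap exploits has been out of scope for such methods thus far. In this paper, we investigate the problem of automatically generating heap exploits, which, in addition to finding the vulnerability, requires intricate interaction with the heap manager. We identify the challenges involved in automatically finding the right parameters and interaction sequences for such attacks, which have traditionally required manual analysis. To tackle these challenges, we present a modular approach that is designed to minimize the assumptions made about the heap manager used by the target application. Our prototype system is able to find exploit primitives in six binary implementations of Windows and UNIX-based heap managers and applies these to successfully exploit two real-world applications.},
}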
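@inproceedings{cha_unleashing_2012,
  author    = {Cha, Sang Kil and Avgerinos, Thanassis and Rebert, Alexandre and Brumley, David},
  title     = {Unleashing {Mayhem} on Binary Code},
  booktitle = {Proceedings of the 2012 {IEEE} Symposium on Security and Privacy},
  series    = {{SP} '12},
  publisher = {IEEE Computer Society},
  address   = {Washington, DC, USA},
  year      = {2012},
  pages     = {380--394},
  isbn      = {978-0-7695-4681-0},
  doi       = {10.1109/SP.2012.31},
  url       = {https://doi.org/10.1109/SP.2012.31},
  urldate   = {2019-06-23},
  keywords  = {exploit generation, hybrid execution, index-based memory modeling, symbolic memory},
  abstract  = {In this paper we present Mayhem, a new system for automatically finding exploitable bugs in binary (i.e., executable) programs. Every bug reported by Mayhem is accompanied by a working shell-spawning exploit. The working exploits ensure soundness and that each bug report is security-critical and actionable. Mayhem works on raw binary code without debugging information. To make exploit generation possible at the binary-level, Mayhem addresses two major technical challenges: actively managing execution paths without exhausting memory, and reasoning about symbolic memory indices, where a load or a store address depends on user input. To this end, we propose two novel techniques: 1) hybrid symbolic execution for combining online and offline (concolic) execution to maximize the benefits of both techniques, and 2) index-based memory modeling, a technique that allows Mayhem to efficiently reason about symbolic memory at the binary level. We used Mayhem to find and demonstrate 29 exploitable vulnerabilities in both Linux and Windows programs, 2 of which were previously undocumented.},
  file      = {Submitted Version:/home/sean/Zotero/storage/9FN6RXND/Cha et al. - 2012 - Unleashing Mayhem on Binary Code.pdf:application/pdf},
}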
@mastersthesis{heelan_sean_automatic_2009,
  author  = {Heelan, Sean},
  title   = {Automatic generation of control flow hijacking exploits for software vulnerabilities},
  school  = {University of Oxford},
  year    = {2009},
  url     = {https://www.cprover.org/dissertations/thesis-Heelan.pdf},
  urldate = {2019-06-23},
}
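@inproceedings{stephens_driller:_2016,
  author    = {Stephens, Nick and Grosen, John and Salls, Christopher and Dutcher, Andrew and Wang, Ruoyu and Corbetta, Jacopo and Shoshitaishvili, Yan and Kruegel, Christopher and Vigna, Giovanni},
  title     = {{Driller}: Augmenting Fuzzing Through Selective Symbolic Execution},
  booktitle = {23rd Annual Network and Distributed System Security Symposium, {NDSS} 2016, San Diego, California, USA, February 21--24, 2016},
  year      = {2016},
  url       = {http://wp.internetsociety.org/ndss/wp-content/uploads/sites/25/2017/09/driller-augmenting-fuzzing-through-selective-symbolic-execution.pdf},
}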
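@misc{dinaburg_how_2015,
  author       = {Dinaburg, Artem},
  title        = {How We Fared in the {Cyber Grand Challenge}},
  howpublished = {Trail of Bits Blog},
  year         = {2015},
  month        = jul,
  url          = {https://blog.trailofbits.com/2015/07/15/how-we-fared-in-the-cyber-grand-challenge/},
  urldate      = {2019-06-23},
}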
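@misc{darpa_darpa_2013,
  author  = {{DARPA}},
  title   = {{DARPA} Announces {Cyber Grand Challenge}},
  year    = {2013},
  month   = oct,
  url     = {https://www.darpa.mil/news-events/2013-10-22},
  urldate = {2019-09-23},
}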
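@inproceedings{vanegue_automated_2013,
  author    = {Vanegue, Julien},
  title     = {The Automated Exploitation Grand Challenge},
  booktitle = {{H2HC} 2013},
  year      = {2013},
  month     = oct,
  url       = {https://openwall.info/wiki/_media/people/jvanegue/files/aegc_vanegue.pdf},
}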
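@inproceedings{wu_fuze:_2018,
  author     = {Wu, Wei and Chen, Yueqi and Xu, Jun and Xing, Xinyu and Gong, Xiaorui and Zou, Wei},
  title      = {{FUZE}: Towards Facilitating Exploit Generation for Kernel Use-After-Free Vulnerabilities},
  shorttitle = {{FUZE}},
  booktitle  = {27th {USENIX} Security Symposium ({USENIX} Security 18)},
  publisher  = {USENIX Association},
  address    = {Baltimore, MD},
  year       = {2018},
  pages      = {781--797},
  isbn       = {978-1-939133-04-5},
  language   = {en},
  url        = {https://www.usenix.org/node/217627},
  urldate    = {2019-07-08},
  file       = {Full Text PDF:/home/sean/Zotero/storage/YDSRCERR/Wu et al. - 2018 - FUZE Towards Facilitating Exploit Generation fo.pdf:application/pdf;Snapshot:/home/sean/Zotero/storage/F767WS3P/217627.html:text/html},
}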
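@inproceedings{wang_revery:_2018,
  author     = {Wang, Yan and Zhang, Chao and Xiang, Xiaobo and Zhao, Zixuan and Li, Wenjie and Gong, Xiaorui and Liu, Bingchang and Chen, Kaixiang and Zou, Wei},
  title      = {{Revery}: From Proof-of-Concept to Exploitable},
  shorttitle = {{Revery}},
  booktitle  = {Proceedings of the 2018 {ACM} {SIGSAC} Conference on Computer and Communications Security},
  series     = {{CCS} '18},
  publisher  = {ACM},
  address    = {New York, NY, USA},
  year       = {2018},
  month      = aug,
  pages      = {1914--1927},
  isbn       = {978-1-4503-5693-0},
  doi        = {10.1145/3243734.3243847},
  url        = {http://dl.acm.org/citation.cfm?id=3243734.3243847},
  urldate    = {2019-07-08},
  file       = {Full Text PDF:/home/sean/Zotero/storage/QV9CXGIF/Wang et al. - 2018 - Revery From Proof-of-Concept to Exploitable.pdf:application/pdf;Snapshot:/home/sean/Zotero/storage/AFX32SG8/citation.html:text/html},
}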
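@inproceedings{garmany_towards_2018,
  author    = {Garmany, Behrad and Stoffel, Martin and Gawlik, Robert and Koppe, Philipp and Blazytko, Tim and Holz, Thorsten},
  title     = {Towards Automated Generation of Exploitation Primitives for Web Browsers},
  booktitle = {Proceedings of the 34th Annual Computer Security Applications Conference},
  series    = {{ACSAC} '18},
  publisher = {ACM},
  address   = {New York, NY, USA},
  venue     = {San Juan, PR, USA},
  year      = {2018},
  pages     = {300--312},
  isbn      = {978-1-4503-6569-7},
  doi       = {10.1145/3274694.3274723},
  url       = {http://doi.acm.org/10.1145/3274694.3274723},
  urldate   = {2019-07-08},
  abstract  = {The growing dependence on software and the increasing complexity of such systems builds and feeds the attack surface for exploitable vulnerabilities. Security researchers put up a lot of effort to develop exploits and analyze existing exploits with the goal of staying ahead of the state-of-the-art in attacks and defenses. The urge for automated systems that operate at scale, speed and efficiency is therefore undeniable. Given their complexity and large user base, web browsers pose an attractive target. Due to various mitigation strategies, the exploitation of a browser vulnerability became a time consuming, multi-step task: creating a working exploit even from a crashing input is a resource-intensive task that can take a substantial amount of time to complete. In many cases, the input, which triggers a vulnerability follows a crashing path but does not enter an exploitable state. In this paper, we introduce novel methods to significantly improve and partially automate the development process for browser exploits. Our approach is based on the observation that an analyst typically performs certain manual analysis steps that can be automated. This serves the purpose to propagate the bug-induced, controlled data to a specific program location to carry out a desired action. These actions include achieving write-what-where or control over the instruction pointer primitives. These are useful to extend control over the target program and are necessities towards successful code execution, the ultimate goal of the adversary. We implemented a prototype of our approach called PrimGen. For a given browser vulnerability, it is capable of automatically crafting data objects that lead the execution to a desired action. We show in our evaluation that our approach is able to generate new and previously unknown exploitation opportunities for real-world vulnerabilities in Mozilla Firefox, Internet Explorer, and Google Chrome. Using small templates, PrimGen generates inputs that conducts specific primitives. In total, PrimGen has found 48 JavaScript inputs which conduct the desired primitives when fed into the target browsers.},
  file      = {ACM Full Text PDF:/home/sean/Zotero/storage/8RYJBWDT/Garmany et al. - 2018 - Towards Automated Generation of Exploitation Primi.pdf:application/pdf},
}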
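@inproceedings{hu_data-oriented_2016,
  author    = {Hu, Hong and Shinde, Shweta and Adrian, Sendroiu and Chua, Zheng Leong and Saxena, Prateek and Liang, Zhenkai},
  title     = {Data-Oriented Programming: On the Expressiveness of Non-control Data Attacks},
  booktitle = {2016 {IEEE} Symposium on Security and Privacy ({SP})},
  year      = {2016},
  month     = may,
  pages     = {969--986},
  doi       = {10.1109/SP.2016.62},
  keywords  = {Programming, ASLR, Browsers, control-flow hijacking attack, control-flow hijacking defense, data handling, data-oriented programming, data-oriented x86 gadgets, DEP, end-to-end attacks, gadget dispatchers, information leakage attack, Linux, memory exploit, memory permission, noncontrol data attack, noncontrol data exploit, Payloads, privilege escalation attack, program memory, randomization defense, Security, security of data, Servers, storage management, Systematics, Turing-complete attack, x86 programs},
}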
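@inproceedings{hu_automatic_2015,
  author    = {Hu, Hong and Chua, Zheng Leong and Adrian, Sendroiu and Saxena, Prateek and Liang, Zhenkai},
  title     = {Automatic Generation of Data-Oriented Exploits},
  booktitle = {24th {USENIX} Security Symposium ({USENIX} Security 15)},
  publisher = {USENIX Association},
  address   = {Washington, D.C.},
  year      = {2015},
  pages     = {177--192},
  isbn      = {978-1-931971-23-2},
  url       = {https://www.usenix.org/conference/usenixsecurity15/technical-sessions/presentation/hu},
}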
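@inproceedings{ispoglou_block_2018,
  author    = {Ispoglou, Kyriakos K. and AlBassam, Bader and Jaeger, Trent and Payer, Mathias},
  title     = {Block Oriented Programming: Automating Data-Only Attacks},
  booktitle = {Proceedings of the 2018 {ACM} {SIGSAC} Conference on Computer and Communications Security},
  series    = {{CCS} '18},
  publisher = {ACM},
  address   = {New York, NY, USA},
  venue     = {Toronto, Canada},
  year      = {2018},
  pages     = {1868--1882},
  isbn      = {978-1-4503-5693-0},
  doi       = {10.1145/3243734.3243739},
  url       = {http://doi.acm.org/10.1145/3243734.3243739},
  keywords  = {exploitation, binary analysis, block oriented programming, data only attacks, program synthesis},
}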
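@inproceedings{eckert_heaphopper:_2018,
  author    = {Eckert, Moritz and Bianchi, Antonio and Wang, Ruoyu and Shoshitaishvili, Yan and Kruegel, Christopher and Vigna, Giovanni},
  title     = {{HeapHopper}: Bringing Bounded Model Checking to Heap Implementation Security},
  booktitle = {27th {USENIX} Security Symposium ({USENIX} Security 18)},
  publisher = {USENIX Association},
  address   = {Baltimore, MD},
  year      = {2018},
  pages     = {99--116},
  isbn      = {978-1-931971-46-1},
  url       = {https://www.usenix.org/conference/usenixsecurity18/presentation/eckert},
}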
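@inproceedings{heelan_automatic_2018,
  author    = {Heelan, Sean and Melham, Tom and Kroening, Daniel},
  title     = {Automatic Heap Layout Manipulation for Exploitation},
  booktitle = {27th {USENIX} Security Symposium ({USENIX} Security 18)},
  publisher = {USENIX Association},
  address   = {Baltimore, MD},
  year      = {2018},
  pages     = {763--779},
  isbn      = {978-1-931971-46-1},
  url       = {https://www.usenix.org/conference/usenixsecurity18/presentation/heelan},
}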
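@inproceedings{xu_collision_2015,
  author    = {Xu, Wen and Li, Juanru and Shu, Junliang and Yang, Wenbo and Xie, Tianyi and Zhang, Yuanyuan and Gu, Dawu},
  title     = {From Collision To Exploitation: Unleashing Use-After-Free Vulnerabilities in {Linux} Kernel},
  booktitle = {Proceedings of the 22nd {ACM} {SIGSAC} Conference on Computer and Communications Security},
  series    = {{CCS} '15},
  publisher = {ACM},
  address   = {New York, NY, USA},
  venue     = {Denver, Colorado, USA},
  year      = {2015},
  pages     = {414--425},
  isbn      = {978-1-4503-3832-5},
  doi       = {10.1145/2810103.2813637},
  url       = {http://doi.acm.org/10.1145/2810103.2813637},
  keywords  = {linux kernel exploit, memory collision, use-after-free vulnerability},
}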
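@inproceedings{wu_kepler:_2019,
  author    = {Wu, Wei and Chen, Yueqi and Xing, Xinyu and Zou, Wei},
  title     = {{KEPLER}: Facilitating Control-flow Hijacking Primitive Evaluation for {Linux} Kernel Vulnerabilities},
  booktitle = {28th {USENIX} Security Symposium ({USENIX} Security 19)},
  publisher = {USENIX Association},
  address   = {Santa Clara, CA},
  year      = {2019},
  month     = aug,
  pages     = {1187--1204},
  isbn      = {978-1-939133-06-9},
  url       = {https://www.usenix.org/conference/usenixsecurity19/presentation/wu-wei},
}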
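@inproceedings{chen_slake:_2019,
  author    = {Chen, Yueqi and Xing, Xinyu},
  title     = {{SLAKE}: Facilitating Slab Manipulation for Exploiting Vulnerabilities in the {Linux} Kernel},
  booktitle = {Proceedings of the 2019 {ACM} {SIGSAC} Conference on Computer and Communications Security},
  series    = {{CCS} '19},
  publisher = {ACM},
  address   = {New York, NY, USA},
  venue     = {London, United Kingdom},
  year      = {2019},
  pages     = {1707--1722},
  isbn      = {978-1-4503-6747-9},
  doi       = {10.1145/3319535.3363212},
  url       = {http://doi.acm.org/10.1145/3319535.3363212},
  keywords  = {OS security, vulnerability exploitation},
}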
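@inproceedings{heelan_gollum:_2019,
  author    = {Heelan, Sean and Melham, Tom and Kroening, Daniel},
  title     = {{Gollum}: Modular and Greybox Exploit Generation for Heap Overflows in Interpreters},
  booktitle = {Proceedings of the 2019 {ACM} {SIGSAC} Conference on Computer and Communications Security},
  series    = {{CCS} '19},
  publisher = {ACM},
  address   = {New York, NY, USA},
  venue     = {London, United Kingdom},
  year      = {2019},
  pages     = {1689--1706},
  isbn      = {978-1-4503-6747-9},
  doi       = {10.1145/3319535.3354224},
  url       = {http://doi.acm.org/10.1145/3319535.3354224},
  keywords  = {exploit generation, greybox, primitive search},
}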
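@inproceedings{bao_your_2017,
  author    = {Bao, Tiffany and Wang, Ruoyu and Shoshitaishvili, Yan and Brumley, David},
  title     = {Your Exploit is Mine: Automatic Shellcode Transplant for Remote Exploits},
  booktitle = {2017 {IEEE} Symposium on Security and Privacy ({SP})},
  year      = {2017},
}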
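@inproceedings{schwartz_q:_2011,
  author    = {Schwartz, Edward J. and Avgerinos, Thanassis and Brumley, David},
  title     = {Q: Exploit Hardening Made Easy},
  booktitle = {Proceedings of the 20th {USENIX} Conference on Security},
  series    = {{SEC}'11},
  publisher = {USENIX Association},
  address   = {Berkeley, CA, USA},
  venue     = {San Francisco, CA},
  year      = {2011},
  pages     = {25--25},
  url       = {http://dl.acm.org/citation.cfm?id=2028067.2028092},
}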
@tosanjay

Hi Sean,
Thank you for maintaining this repo.
From the title, the following paper looks relevant:
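@article{6717039,
  author   = {Huang, S. and Huang, M. and Huang, P. and Lu, H. and Lai, C.},
  title    = {Software Crash Analysis for Automatic Exploit Generation on Binary Programs},
  journal  = {IEEE Transactions on Reliability},
  year     = {2014},
  month    = mar,
  volume   = {63},
  number   = {1},
  pages    = {270--289},
  issn     = {1558-1721},
  doi      = {10.1109/TR.2014.2299198},
  keywords = {computer crime;program diagnostics;program testing;software fault tolerance;symbol manipulation;software crash analysis;automatic exploit generation;binary programs;attack generation;symbolic failure model;concolic executions;mapped symbolic memory;S2E;pseudo symbolic variables;symbolic pointers;end-to-end approach;word processor;media player;mpalyer;Microsoft office word;archiver;unrar;pdf reader;foxit;stack overflows;heap overflows;format string;software fuzz testing targets;mitigation-hardened exploits;software failures;sophisticated hacking efforts;Computer crashes;Concrete;Software;Registers;Libraries;Security;Analytical models;Automatic exploit generation;bug forensics;software crash analysis;symbolic execution;taint analysis},
}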
