{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,10]],"date-time":"2026-04-10T10:05:59Z","timestamp":1775815559157,"version":"3.50.1"},"reference-count":250,"publisher":"Institute of Electrical and Electronics Engineers (IEEE)","issue":"11","license":[{"start":{"date-parts":[[2021,11,1]],"date-time":"2021-11-01T00:00:00Z","timestamp":1635724800000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/ieeexplore.ieee.org\/Xplorehelp\/downloads\/license-information\/IEEE.html"},{"start":{"date-parts":[[2021,11,1]],"date-time":"2021-11-01T00:00:00Z","timestamp":1635724800000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-029"},{"start":{"date-parts":[[2021,11,1]],"date-time":"2021-11-01T00:00:00Z","timestamp":1635724800000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-037"}],"funder":[{"DOI":"10.13039\/501100004830","name":"Siemens","doi-asserted-by":"publisher","id":[{"id":"10.13039\/501100004830","id-type":"DOI","asserted-by":"publisher"}]},{"name":"Institute of Information communications Technology Planning Evaluation","award":["No.2019-0-01697"],"award-info":[{"award-number":["No.2019-0-01697"]}]}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["IIEEE Trans. Software Eng."],"published-print":{"date-parts":[[2021,11,1]]},"DOI":"10.1109\/tse.2019.2946563","type":"journal-article","created":{"date-parts":[[2019,10,10]],"date-time":"2019-10-10T20:03:10Z","timestamp":1570737790000},"page":"2312-2331","source":"Crossref","is-referenced-by-count":364,"title":["The Art, Science, and Engineering of Fuzzing: A Survey"],"prefix":"10.1109","volume":"47","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-2932-5568","authenticated-orcid":false,"given":"Valentin J.M.","family":"Manes","sequence":"first","affiliation":[]},{"given":"HyungSeok","family":"Han","sequence":"additional","affiliation":[]},{"given":"Choongwoo","family":"Han","sequence":"additional","affiliation":[]},{"ORCID":"https:\/\/orcid.org\/0000-0002-6012-7228","authenticated-orcid":false,"given":"Sang Kil","family":"Cha","sequence":"additional","affiliation":[]},{"given":"Manuel","family":"Egele","sequence":"additional","affiliation":[]},{"ORCID":"https:\/\/orcid.org\/0000-0003-0094-4805","authenticated-orcid":false,"given":"Edward J.","family":"Schwartz","sequence":"additional","affiliation":[]},{"ORCID":"https:\/\/orcid.org\/0000-0002-0237-444X","authenticated-orcid":false,"given":"Maverick","family":"Woo","sequence":"additional","affiliation":[]}],"member":"263","reference":[{"key":"ref170","article-title":"Dynamic taint analysis for automatic detection, analysis, and signature generation of exploits on commodity software","author":"newsome","year":"2005","journal-title":"Proc Symp Network and Distributed System Security"},{"key":"ref172","doi-asserted-by":"publisher","DOI":"10.1109\/ICSE.2007.37"},{"key":"ref171","article-title":"Ioctl fuzzer","author":"oleksiuk","year":"2009"},{"key":"ref174","first-page":"149","article-title":"Digtool: A virtualization-based framework for detecting kernel vulnerabilities","author":"pan","year":"2017","journal-title":"Proc Usenix Security Symp"},{"key":"ref173","first-page":"729","article-title":"MoonShine: Optimizing OS fuzzer seed selection with trace distillation","author":"pailoor","year":"2018","journal-title":"Proc Usenix Security Symp"},{"key":"ref176","doi-asserted-by":"publisher","DOI":"10.1145\/3132747.3132785"},{"key":"ref175","doi-asserted-by":"publisher","DOI":"10.1145\/1453101.1453121"},{"key":"ref178","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2017.27"},{"key":"ref177","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2018.00056"},{"key":"ref168","article-title":"Triforce linux syscall fuzzer","year":"0"},{"key":"ref169","doi-asserted-by":"publisher","DOI":"10.1145\/1250734.1250746"},{"key":"ref39","doi-asserted-by":"publisher","DOI":"10.1145\/3133956.3134020"},{"key":"ref38","doi-asserted-by":"publisher","DOI":"10.1145\/3210309"},{"key":"ref33","doi-asserted-by":"publisher","DOI":"10.1145\/3062341.3062349"},{"key":"ref32","doi-asserted-by":"publisher","DOI":"10.1007\/11836810_25"},{"key":"ref31","article-title":"AUTHSCAN: Automatic extraction of web authentication protocols from implementations","author":"bai","year":"2013","journal-title":"Proc Symp Network and Distributed System Security"},{"key":"ref30","doi-asserted-by":"publisher","DOI":"10.1145\/2001420.2001423"},{"key":"ref37","doi-asserted-by":"publisher","DOI":"10.1007\/978-94-015-3711-7"},{"key":"ref36","first-page":"41","article-title":"QEMU, a fast and portable dynamic translator","author":"bellard","year":"2005","journal-title":"Proc USENIX Annu Tech Conf"},{"key":"ref35","author":"beizer","year":"1995","journal-title":"Black-Box Testing Techniques for Functional Testing of Software and Systems"},{"key":"ref34","article-title":"pwn4fun spring 2014&#x2013;safari&#x2013;part II","author":"beer","year":"2014"},{"key":"ref181","doi-asserted-by":"publisher","DOI":"10.1145\/1081180.1081189"},{"key":"ref180","article-title":"DynInst: Putting the performance in high performance computing","author":"project","year":"0"},{"key":"ref185","doi-asserted-by":"publisher","DOI":"10.1145\/2254064.2254104"},{"key":"ref184","first-page":"861","article-title":"Optimizing seed selection for fuzzing","author":"rebert","year":"2014","journal-title":"Proc Usenix Security Symp"},{"key":"ref183","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2017.23404"},{"key":"ref182","doi-asserted-by":"publisher","DOI":"10.1109\/ICSE.2017.35"},{"key":"ref189","article-title":"FLAX: Systematic discovery of client-side validation vulnerabilities in rich web applications","author":"saxena","year":"2010","journal-title":"Proc Symp Network and Distributed System Security"},{"key":"ref188","doi-asserted-by":"publisher","DOI":"10.1145\/2737924.2737998"},{"key":"ref187","first-page":"193","article-title":"Protocol state fuzzing of tls implementations","author":"ruiter","year":"2015","journal-title":"Proc Usenix Security Symp"},{"key":"ref186","article-title":"Lithium","author":"ruderman","year":"0"},{"key":"ref28","doi-asserted-by":"publisher","DOI":"10.1145\/2568225.2568293"},{"key":"ref27","doi-asserted-by":"publisher","DOI":"10.1145\/2382196.2382222"},{"key":"ref179","doi-asserted-by":"publisher","DOI":"10.1145\/2970276.2970316"},{"key":"ref29","doi-asserted-by":"publisher","DOI":"10.1109\/TDSC.2004.2"},{"key":"ref20","doi-asserted-by":"publisher","DOI":"10.1016\/j.jss.2013.02.061"},{"key":"ref22","article-title":"Accessing crashwrangler to analyze crashes for security implications","year":"0"},{"key":"ref21","doi-asserted-by":"publisher","DOI":"10.1145\/2610384.2610403"},{"key":"ref24","article-title":"Pwn2own: The perfect antidote to fanboys who say their platform is safe","year":"2014"},{"key":"ref23","doi-asserted-by":"publisher","DOI":"10.1109\/TSE.2011.121"},{"key":"ref26","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2019.23371"},{"key":"ref25","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2019.23412"},{"key":"ref50","doi-asserted-by":"publisher","DOI":"10.1109\/ICSE.2012.6227156"},{"key":"ref51","doi-asserted-by":"publisher","DOI":"10.21236\/ADA587051"},{"key":"ref154","article-title":"antiparser","author":"mckinney","year":"0"},{"key":"ref153","first-page":"100","article-title":"Differential testing for software","volume":"10","author":"mckeeman","year":"1998","journal-title":"Digital Tech J"},{"key":"ref156","article-title":"Minifuzz","year":"0"},{"key":"ref155","article-title":"!exploitable crash analyzer &#x2013; MSEC debugger extensions","year":"0"},{"key":"ref150","doi-asserted-by":"publisher","DOI":"10.1109\/ASE.2015.49"},{"key":"ref152","doi-asserted-by":"publisher","DOI":"10.1145\/2150976.2151012"},{"key":"ref151","doi-asserted-by":"publisher","DOI":"10.1109\/IWAST.2012.6228986"},{"key":"ref146","doi-asserted-by":"publisher","DOI":"10.1145\/1453101.1453114"},{"key":"ref147","doi-asserted-by":"publisher","DOI":"10.1109\/ICSE.2017.65"},{"key":"ref148","article-title":"fsfuzzer","author":"grubb","year":"0"},{"key":"ref149","doi-asserted-by":"publisher","DOI":"10.1145\/1065010.1065034"},{"key":"ref59","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2018.00046"},{"key":"ref58","doi-asserted-by":"publisher","DOI":"10.1145\/1255329.1255344"},{"key":"ref57","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2018.23159"},{"key":"ref56","doi-asserted-by":"publisher","DOI":"10.1145\/3243734.3243849"},{"key":"ref55","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2015.50"},{"key":"ref54","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2012.31"},{"key":"ref53","article-title":"Failure Observation Engine","year":"0"},{"key":"ref52","article-title":"Basic fuzzing framework","year":"0"},{"key":"ref40","doi-asserted-by":"publisher","DOI":"10.1145\/2976749.2978428"},{"key":"ref167","article-title":"Hodor fuzzer","year":"0"},{"key":"ref166","doi-asserted-by":"publisher","DOI":"10.1145\/1806651.1806657"},{"key":"ref165","doi-asserted-by":"publisher","DOI":"10.1145\/1542476.1542504"},{"key":"ref164","author":"myers","year":"2011","journal-title":"The Art of Software Testing"},{"key":"ref163","article-title":"KernelFuzzer","year":"0"},{"key":"ref162","first-page":"24","article-title":"SMS of death: From analyzing to attacking mobile phones on a large scale","author":"mulliner","year":"2011","journal-title":"Proc Usenix Security Symp"},{"key":"ref161","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2018.23166"},{"key":"ref160","doi-asserted-by":"publisher","DOI":"10.1145\/1995376.1995394"},{"key":"ref4","article-title":"dharma","year":"0"},{"key":"ref3","article-title":"Cwe-758: Reliance on undefined, unspecified, or implementation-defined behavior","year":"0"},{"key":"ref6","article-title":"The fuzzing project","year":"0"},{"key":"ref5","article-title":"Fidgety afl","year":"0"},{"key":"ref159","first-page":"67","article-title":"Dynamic test generation to find integer bugs in x86 binary linux programs","author":"molnar","year":"2009","journal-title":"Proc Usenix Security Symp"},{"key":"ref8","article-title":"GPF","year":"0"},{"key":"ref49","first-page":"209","article-title":"KLEE: Unassisted and automatic generation of high-coverage tests for complex systems programs","author":"cadar","year":"2008","journal-title":"Proc USENIX Symp Operating System Design Implementation"},{"key":"ref7","article-title":"Google chromium security","year":"0"},{"key":"ref157","doi-asserted-by":"publisher","DOI":"10.1145\/96267.96279"},{"key":"ref158","article-title":"Fuzz by number: More data about fuzzing than you ever wanted to know","author":"miller","year":"2008","journal-title":"Proc CanSecWest Conf"},{"key":"ref9","article-title":"LibFuzzer","year":"0"},{"key":"ref46","doi-asserted-by":"publisher","DOI":"10.1145\/1993498.1993551"},{"key":"ref45","article-title":"Efficient, transparent, and comprehensive runtime code manipulation","author":"bruening","year":"2004"},{"key":"ref48","doi-asserted-by":"publisher","DOI":"10.1145\/1315245.1315286"},{"key":"ref47","doi-asserted-by":"publisher","DOI":"10.1145\/1866307.1866354"},{"key":"ref42","doi-asserted-by":"publisher","DOI":"10.1145\/390016.808445"},{"key":"ref41","doi-asserted-by":"publisher","DOI":"10.1109\/ICSE.2013.6606558"},{"key":"ref44","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2014.15"},{"key":"ref43","article-title":"LZfuzz: A fast compression-based fuzzer for poorly documented protocols","author":"bratus","year":"2008"},{"key":"ref73","doi-asserted-by":"publisher","DOI":"10.1109\/ASE.2015.65"},{"key":"ref72","doi-asserted-by":"publisher","DOI":"10.1145\/2642937.2642963"},{"key":"ref71","article-title":"Revolutionizing the field of grey-box attack surface testing with evolutionary fuzzing","author":"demott","year":"2007","journal-title":"Proc Black Hat USA"},{"key":"ref70","doi-asserted-by":"publisher","DOI":"10.1109\/ASE.2017.8115617"},{"key":"ref76","first-page":"523","article-title":"Enemy of the State: A state-aware black-box web vulnerability scanner","author":"doup\u00e9","year":"2012","journal-title":"Proc Usenix Security Symp"},{"key":"ref77","doi-asserted-by":"publisher","DOI":"10.1145\/2557547.2557550"},{"key":"ref74","first-page":"760","article-title":"Understanding integer overflow in C\/C++","author":"dietz","year":"2012","journal-title":"Proc Int Conf Softw Eng"},{"key":"ref75","doi-asserted-by":"publisher","DOI":"10.1145\/1653662.1653730"},{"key":"ref78","first-page":"246","article-title":"Targeted taint driven fuzzing using software metrics","author":"duran","year":"2011","journal-title":"Proc CanSecWest Conf"},{"key":"ref79","article-title":"Peach fuzzing platform","author":"eddington","year":"0"},{"key":"ref60","doi-asserted-by":"publisher","DOI":"10.1016\/j.jss.2009.02.022"},{"key":"ref62","doi-asserted-by":"publisher","DOI":"10.1145\/2908080.2908095"},{"key":"ref61","doi-asserted-by":"publisher","DOI":"10.1145\/2491956.2462173"},{"key":"ref63","doi-asserted-by":"publisher","DOI":"10.1145\/1950365.1950396"},{"key":"ref64","article-title":"Clusterfuzz","year":"0"},{"key":"ref65","article-title":"Neural fuzzer","year":"0"},{"key":"ref66","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2009.14"},{"key":"ref67","doi-asserted-by":"publisher","DOI":"10.1145\/3133956.3134069"},{"key":"ref68","doi-asserted-by":"publisher","DOI":"10.1145\/2884781.2884844"},{"key":"ref69","doi-asserted-by":"publisher","DOI":"10.1145\/1455770.1455820"},{"key":"ref197","doi-asserted-by":"publisher","DOI":"10.1145\/1375581.1375584"},{"key":"ref198","doi-asserted-by":"publisher","DOI":"10.1145\/1081706.1081750"},{"key":"ref199","first-page":"309","article-title":"AddressSanitizer: A fast address sanity checker","author":"serebryany","year":"2012","journal-title":"Proc USENIX Annu Tech Conf"},{"key":"ref193","doi-asserted-by":"publisher","DOI":"10.1145\/3196494.3196508"},{"key":"ref194","article-title":"funfuzz","author":"security","year":"0"},{"key":"ref195","article-title":"orangfuzz","author":"security","year":"0"},{"key":"ref196","doi-asserted-by":"publisher","DOI":"10.1145\/1321631.1321679"},{"key":"ref95","doi-asserted-by":"publisher","DOI":"10.1109\/MSP.2018.1870859"},{"key":"ref94","doi-asserted-by":"publisher","DOI":"10.1109\/ASE.2017.8115618"},{"key":"ref190","doi-asserted-by":"publisher","DOI":"10.1145\/353323.353382"},{"key":"ref93","first-page":"151","article-title":"Automated whitebox fuzz testing","author":"godefroid","year":"2008","journal-title":"Proc Symp Network and Distributed System Security"},{"key":"ref191","first-page":"167","article-title":"kAFL: Hardware-assisted feedback fuzzing for os kernels","author":"schumilo","year":"2017","journal-title":"Proc Usenix Security Symp"},{"key":"ref92","doi-asserted-by":"publisher","DOI":"10.1145\/1065010.1065036"},{"key":"ref192","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2010.26"},{"key":"ref91","doi-asserted-by":"publisher","DOI":"10.1145\/1375581.1375607"},{"key":"ref90","doi-asserted-by":"publisher","DOI":"10.1145\/1292414.1292416"},{"key":"ref98","doi-asserted-by":"publisher","DOI":"10.1145\/3236024.3264835"},{"key":"ref99","article-title":"Melkor_elf_fuzzer","year":"0"},{"key":"ref96","article-title":"Grammatech blogs: The cyber grand challenge","year":"0"},{"key":"ref97","doi-asserted-by":"publisher","DOI":"10.1145\/2976002.2976017"},{"key":"ref82","doi-asserted-by":"publisher","DOI":"10.1016\/B978-159749195-2.00004-8"},{"key":"ref81","article-title":"sidewinder&#x201D;: An evolutionary guidance system for malicious input crafting","author":"embleton","year":"2006","journal-title":"Proc Black Hat USA"},{"key":"ref84","article-title":"A collection of burpsuite intruder payloads, fuzz lists and file uploads","author":"fewer","year":"0"},{"key":"ref83","doi-asserted-by":"publisher","DOI":"10.1145\/2046707.2046779"},{"key":"ref80","article-title":"Vulcan: Binary tranformation in a distributed environment","author":"edwards","year":"2001"},{"key":"ref89","article-title":"Public fuzzers","year":"0"},{"key":"ref85","article-title":"Gdb exploitable","author":"foote","year":"0"},{"key":"ref86","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2018.00040"},{"key":"ref87","doi-asserted-by":"publisher","DOI":"10.1109\/ICSE.2009.5070546"},{"key":"ref88","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-28865-9_18"},{"key":"ref200","doi-asserted-by":"publisher","DOI":"10.1145\/1791194.1791203"},{"key":"ref101","first-page":"49","article-title":"Dowsing for overflows: A guided fuzzer to find buffer boundary violations","author":"haller","year":"2013","journal-title":"Proc Usenix Security Symp"},{"key":"ref100","doi-asserted-by":"publisher","DOI":"10.1145\/2976749.2978405"},{"key":"ref209","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2016.23368"},{"key":"ref203","doi-asserted-by":"publisher","DOI":"10.1145\/2976749.2978411"},{"key":"ref204","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2019.23176"},{"key":"ref201","article-title":"Neuro-symbolic execution: Augmenting symbolic execution with neural constraints","author":"shen","year":"2019","journal-title":"Proc Symp Network and Distributed System Security"},{"key":"ref202","article-title":"Introducing Choronzon: An approach at knowledge-based evolutionary fuzzing","author":"sialveras","year":"2015","journal-title":"Proc ZeroNights"},{"key":"ref207","article-title":"Ll-fuzzer","author":"spensky","year":"0"},{"key":"ref208","first-page":"46","article-title":"MemorySanitizer: Fast detector of uninitialized memory use in C++","author":"stepanov","year":"2015","journal-title":"Proc Int Symp Code Generation Optimization"},{"key":"ref205","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2019.00010"},{"key":"ref206","doi-asserted-by":"publisher","DOI":"10.1109\/ASE.2017.8115615"},{"key":"ref211","article-title":"The art of file format fuzzing","author":"sutton","year":"2005","journal-title":"Proc Black Hat Asia"},{"key":"ref210","article-title":"Filefuzz","author":"sutton","year":"0"},{"key":"ref212","author":"sutton","year":"2007","journal-title":"Fuzzing Brute Force Vulnerability Discovery"},{"key":"ref213","article-title":"honggfuzz","author":"swiecki","year":"0"},{"key":"ref214","author":"takanen","year":"2008","journal-title":"Fuzzing for Software Security Testing and Quality Assurance"},{"key":"ref215","author":"takanen","year":"2018","journal-title":"Fuzzing for Software Security Testing and Quality Assurance"},{"key":"ref216","article-title":"Exposing vulnerabilities in media software","author":"thiel","year":"2008","journal-title":"Proc Black Hat EU"},{"key":"ref217","first-page":"941","article-title":"Enforcing forward-edge control-flow integrity in gcc & llvm","author":"tice","year":"2014","journal-title":"Proc Usenix Security Symp"},{"key":"ref218","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-540-79124-9_10"},{"key":"ref219","doi-asserted-by":"publisher","DOI":"10.1145\/3180155.3180251"},{"key":"ref220","article-title":"GRR","year":"0"},{"key":"ref222","doi-asserted-by":"publisher","DOI":"10.1145\/3238147.3238200"},{"key":"ref221","article-title":"Taking browsers fuzzing to the next (dom) level","author":"valotta","year":"2012","journal-title":"Proc DeepSec"},{"key":"ref229","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2010.37"},{"key":"ref228","doi-asserted-by":"publisher","DOI":"10.1145\/3106237.3106258"},{"key":"ref227","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2017.23"},{"key":"ref226","article-title":"syzkaller","author":"vyukov","year":"0"},{"key":"ref225","article-title":"go-fuzz","author":"vyukov","year":"0"},{"key":"ref224","first-page":"47","article-title":"Autodaf&#x00E9;: an act of software torture","author":"vuagnoux","year":"2005","journal-title":"Proc Chaos Commun Congr"},{"key":"ref223","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-45744-4_29"},{"key":"ref127","doi-asserted-by":"publisher","DOI":"10.1145\/2786805.2786844"},{"key":"ref126","first-page":"641","article-title":"Hulk: Eliciting malicious behavior in browser extensions","author":"kapravelos","year":"2014","journal-title":"Proc Usenix Security Symp"},{"key":"ref125","doi-asserted-by":"publisher","DOI":"10.1145\/1882291.1882332"},{"key":"ref124","doi-asserted-by":"publisher","DOI":"10.1007\/978-0-387-35413-2_16"},{"key":"ref129","first-page":"689","article-title":"CAB-Fuzz: Practical concolic testing techniques for COTS operating systems","author":"kim","year":"2017","journal-title":"Proc USENIX Annu Tech Conf"},{"key":"ref128","article-title":"tlsfuzzer","author":"kario","year":"0"},{"key":"ref130","doi-asserted-by":"publisher","DOI":"10.1145\/360248.360252"},{"key":"ref133","article-title":"Nightmare","author":"koret","year":"0"},{"key":"ref134","article-title":"Circumventing fuzzing roadblocks with compiler transformations","year":"2016"},{"key":"ref131","doi-asserted-by":"publisher","DOI":"10.1145\/3243734.3243804"},{"key":"ref132","doi-asserted-by":"publisher","DOI":"10.1109\/RELDIS.1997.632800"},{"key":"ref232","doi-asserted-by":"publisher","DOI":"10.1145\/3236024.3236039"},{"key":"ref233","doi-asserted-by":"publisher","DOI":"10.1145\/1985793.1985801"},{"key":"ref230","doi-asserted-by":"publisher","DOI":"10.1145\/2517349.2522728"},{"key":"ref231","article-title":"perf_fuzzer: Targeted fuzzing of the perf_event_open() system call","author":"weaver","year":"2015"},{"key":"ref239","doi-asserted-by":"publisher","DOI":"10.1109\/TrustCom.2012.99"},{"key":"ref238","doi-asserted-by":"publisher","DOI":"10.1145\/3133956.3134046"},{"key":"ref235","doi-asserted-by":"publisher","DOI":"10.1145\/2508859.2516736"},{"key":"ref234","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2016.23118"},{"key":"ref237","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2017.56"},{"key":"ref236","doi-asserted-by":"publisher","DOI":"10.1109\/DSN.2009.5270315"},{"key":"ref136","doi-asserted-by":"publisher","DOI":"10.1109\/ISPASS.2010.5452024"},{"key":"ref135","doi-asserted-by":"publisher","DOI":"10.1145\/1806799.1806836"},{"key":"ref138","first-page":"81","article-title":"Type casting verification: Stopping an emerging attack vector","author":"lee","year":"2015","journal-title":"Proc Usenix Security Symp"},{"key":"ref137","doi-asserted-by":"publisher","DOI":"10.1109\/ICSE.2012.6227211"},{"key":"ref139","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2017.23457"},{"key":"ref140","doi-asserted-by":"publisher","DOI":"10.1145\/3213846.3213874"},{"key":"ref141","doi-asserted-by":"publisher","DOI":"10.1145\/3238147.3238176"},{"key":"ref142","doi-asserted-by":"publisher","DOI":"10.1186\/s42400-018-0002-y"},{"key":"ref143","doi-asserted-by":"publisher","DOI":"10.1145\/3106237.3106295"},{"key":"ref144","doi-asserted-by":"publisher","DOI":"10.1109\/TR.2018.2834476"},{"key":"ref2","article-title":"Cisco secure development lifecycle","year":"0"},{"key":"ref145","doi-asserted-by":"publisher","DOI":"10.1145\/2737924.2737986"},{"key":"ref1","article-title":"Binspector: Evolving a security tool","year":"0"},{"key":"ref241","article-title":"American Fuzzy Lop","author":"zalewski","year":"0"},{"key":"ref242","article-title":"Crossfuzz","author":"zalewski","year":"0"},{"key":"ref243","article-title":"New in AFL: persistent mode","author":"zalewski","year":"0"},{"key":"ref244","article-title":"ref_fuzz","author":"zalewski","year":"0"},{"key":"ref240","first-page":"745","article-title":"QSYM: A practical concolic execution engine tailored for hybrid fuzzing","author":"yun","year":"2018","journal-title":"Proc Usenix Security Symp"},{"key":"ref248","doi-asserted-by":"publisher","DOI":"10.1145\/2576195.2576208"},{"key":"ref247","article-title":"A famed hacker is grading thousands of programs&#x2014;and may revolutionize software in the process","author":"zetter","year":"0"},{"key":"ref246","doi-asserted-by":"publisher","DOI":"10.1109\/32.988498"},{"key":"ref245","article-title":"Technical &#x201C;whitepaper","author":"zalewski","year":"0"},{"key":"ref249","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2019.23504"},{"key":"ref109","first-page":"445","article-title":"Fuzzing with code fragments","author":"holler","year":"2012","journal-title":"Proc Usenix Security Symp"},{"key":"ref108","article-title":"Runtime decompilation","author":"hoglund","year":"2003","journal-title":"Proc Black Hat USA"},{"key":"ref107","article-title":"zzuf","author":"hocevar","year":"0"},{"key":"ref106","article-title":"radamsa","author":"helin","year":"0"},{"key":"ref105","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2018.23312"},{"key":"ref104","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2019.23263"},{"key":"ref103","doi-asserted-by":"publisher","DOI":"10.1145\/3133956.3134103"},{"key":"ref102","doi-asserted-by":"publisher","DOI":"10.1145\/1145735.1145737"},{"key":"ref111","doi-asserted-by":"publisher","DOI":"10.21236\/ADA610472"},{"key":"ref112","doi-asserted-by":"publisher","DOI":"10.1109\/T-C.1975.224259"},{"key":"ref110","article-title":"Well there's your problem: Isolating the crash-inducing bits in a fuzzed file","author":"householder","year":"2012"},{"key":"ref250","article-title":"Tavor","author":"zimmermann","year":"0"},{"key":"ref10","article-title":"Microsoft Security Development Lifecycle, verification phase","year":"0"},{"key":"ref11","article-title":"Reddit: Iama mayhem, the hacking machine that won darpa's cyber grand challenge. ama!","year":"0"},{"key":"ref12","article-title":"Structure-aware fuzzing with libFuzzer","year":"2019"},{"key":"ref13","doi-asserted-by":"publisher","DOI":"10.1145\/1102120.1102165"},{"key":"ref14","doi-asserted-by":"publisher","DOI":"10.1145\/1609956.1609960"},{"key":"ref15","doi-asserted-by":"publisher","DOI":"10.1145\/1326304.1326313"},{"key":"ref118","doi-asserted-by":"publisher","DOI":"10.1109\/ICST.2014.45"},{"key":"ref16","article-title":"An introduction to SPIKE, the fuzzer creation kit","author":"aitel","year":"2001","journal-title":"Proc Black Hat USA"},{"key":"ref117","doi-asserted-by":"publisher","DOI":"10.1145\/3133956.3134062"},{"key":"ref17","article-title":"Sharefuzz","author":"aitel","year":"2001"},{"key":"ref18","article-title":"Announcing OSS-Fuzz: Continuous fuzzing for open source software","author":"aizatsky","year":"2016"},{"key":"ref119","doi-asserted-by":"publisher","DOI":"10.1093\/oxfordhb\/9780199689781.013.15"},{"key":"ref19","article-title":"sulley","author":"amini","year":"0"},{"key":"ref114","article-title":"0-knowledge fuzzing","author":"iozzo","year":"2010","journal-title":"Proc Black Hat USA"},{"key":"ref113","article-title":"Charlie Miller reveals his process for security research","year":"2011"},{"key":"ref116","first-page":"121","article-title":"jFuzz: A concolic whitebox fuzzer for java","author":"jayaraman","year":"2009","journal-title":"Proc 1st NASA Forma Methods Symp"},{"key":"ref115","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2012.15"},{"key":"ref120","doi-asserted-by":"publisher","DOI":"10.1145\/1542476.1542489"},{"key":"ref121","article-title":"A framework for file format fuzzing with genetic algorithms","author":"jr","year":"2012"},{"key":"ref122","doi-asserted-by":"publisher","DOI":"10.1145\/1455770.1455806"},{"key":"ref123","article-title":"CompareCoverage","author":"jurczyk","year":"0"}],"container-title":["IEEE Transactions on Software Engineering"],"original-title":[],"link":[{"URL":"http:\/\/xplorestaging.ieee.org\/ielx7\/32\/9611545\/08863940.pdf?arnumber=8863940","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2022,5,10]],"date-time":"2022-05-10T14:50:07Z","timestamp":1652194207000},"score":1,"resource":{"primary":{"URL":"https:\/\/ieeexplore.ieee.org\/document\/8863940\/"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2021,11,1]]},"references-count":250,"journal-issue":{"issue":"11"},"URL":"https:\/\/doi.org\/10.1109\/tse.2019.2946563","relation":{},"ISSN":["0098-5589","1939-3520","2326-3881"],"issn-type":[{"value":"0098-5589","type":"print"},{"value":"1939-3520","type":"electronic"},{"value":"2326-3881","type":"electronic"}],"subject":[],"published":{"date-parts":[[2021,11,1]]}}}