library.bib 62.1 KB
Newer Older
Rick Smetsers's avatar
Rick Smetsers committed
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
@inproceedings{merten2011learnlib,
author = {Merten, M. and Steffen, B. and Howar, F. and Margaria, T.},
booktitle = {Proc.\ of TACAS},
series = {LNCS},
volume = {6605},
doi = {10.1007/978-3-642-19835-9_18},
title = {{Next Generation LearnLib}},
year = {2011}
}
@misc{afl-website,
author = {Zalewski, M.},
title = {{American Fuzzy Lop (AFL) fuzzer}},
url = {http://lcamtuf.coredump.cx/afl/},
urldate = {2015-09-15},
note = {date accessed: 2015-09-15},
year = {2015}
}
@misc{LLVMLangRef,
author = {{LLVM Project}},
title = {{LLVM Language Reference Manual}},
url = {http://llvm.org/docs/LangRef.html},
urldate = {2016-02-02},
note = {date accessed: 2016-02-02},
year = {2016}
}
@article{angluin1987learning,
author = {Angluin, D.},
doi = {10.1016/0890-5401(87)90052-6},
journal = {Information and Computation},
number = {2},
pages = {87--106},
title = {{Learning regular sets from queries and counterexamples}},
volume = {75},
year = {1987}
}
@inproceedings{rers2015,
author = {Geske, M. and Isberner, M. and Steffen, B.},
title = {{Rigorous Examination of Reactive Systems}},
booktitle = {Proc. of RV},
series = {LNCS},
volume = {9333},
year = {2015},
doi = {10.1007/978-3-319-23820-3_28},
pages = {423--429}
}
@inproceedings{Smeenk2015,
author = {Smeenk, W. and Vaandrager, F. and Jansen, D.N.},
title = {{Applying Automata Learning to Embedded Control Software}},
booktitle = {Proc.\ of ICFEM},
series = {LNCS},
volume = {9407},
pages = {1--17},
year = {2015}
}
@article{chow1978testing,
author = {Chow, T.S.},
doi = {10.1109/TSE.1978.231496},
journal = {IEEE Transactions on Software Engineering},
pages = {178--187},
title = {{Testing Software Design Modeled by Finite-State Machines}},
number = {3},
volume = {4},
year = {1978}
}
@misc{afl-blog-jpeg,
author = {Zalewski, M.},
title = {{Pulling JPEGs out of thin air}},
url = {https://lcamtuf.blogspot.com/2014/11/pulling-jpegs-out-of-thin-air.html},
urldate = {2015-09-15},
note = {date accessed: 2015-09-15},
year = {2014}
}
@inproceedings{Steffen2011,
author = {Steffen, B. and Howar, F. and Merten, M.},
doi = {10.1007/978-3-642-21455-4_8},
pages = {256--296},
title = {{Introduction to Active Automata Learning from a Practical Perspective}},
booktitle = {Proc.\ of SFM},
series = {LNCS},
volume = {6659},
year = {2011}
}
@misc{afl-blog-forkserver,
author = {Zalewski, M.},
title = {{Fuzzing random programs without execve()}},
url = {https://lcamtuf.blogspot.com/2014/10/fuzzing-binaries-without-execve.html},
urldate = {2015-09-15},
note = {date accessed: 2015-09-15},
year = {2014}
}
@article{Rivest1994,
author = {Rivest, R. and Schapire, R.},
doi = {10.1145/176584.176589},
journal = {Journal of the ACM},
number = {3},
pages = {555--589},
title = {{Diversity-based inference of finite automata}},
volume = {41},
year = {1994}
}
@incollection{Isberner2014a,
author = {Isberner, M. and Howar, F. and Steffen, B.},
doi = {10.1007/978-3-319-11164-3_26},
pages = {307--322},
title = {{The TTT Algorithm: A Redundancy-Free Approach to Active Automata Learning}},
booktitle = {Proc.\ of RV},
series = {LNCS},
volume = {8734},
year = {2014}
}
@incollection{Merten2011,
author = {Merten, M. and Steffen, B. and Howar, F. and Margaria, T},
doi = {10.1007/978-3-642-19835-9_18},
pages = {220--223},
title = {{Next Generation LearnLib}},
booktitle = {Proc.\ of TACAS},
series = {LNCS},
volume = {6605},
year = {2011}
}

@article{guillot2010automatic,
abstract = {This paper gives an overview of our research in the automation of the process of software protection analysis. We will focus more particularly on the problem of obfuscation. Our current approach is based on a local semantic analysis, which aims to rewrite the binary code in a simpler (easier to understand) way. This approach has the advantage of not relying on a manual search for "patterns" of obfuscation. This way of manipulating the code is, at the end, quite similar to the optimising stage of most of compilers. We will exhibit concrete results based on the development of a prototype and its application to a test target. Current limitations and future prospects will be discussed in as well. 2009 Springer-Verlag France.},
annote = {Also uses compiler optimisation techniques},
author = {Guillot, Yoann and Gazet, Alexandre},
doi = {10.1007/s11416-009-0126-4},
file = {:Users/mark/Documents/Mendeley Desktop/Guillot, Gazet - 2010 - Automatic binary deobfuscation.pdf:pdf},
issn = {1772-9890},
journal = {Journal in Computer Virology},
month = {aug},
number = {3},
pages = {261--276},
publisher = {Springer},
title = {{Automatic binary deobfuscation}},
url = {http://link.springer.com/10.1007/s11416-009-0126-4},
volume = {6},
year = {2010}
}
@article{TobiasSchneider,
author = {{Tobias Schneider}, Amir Moradi},
file = {:Users/mark/Documents/Mendeley Desktop/Tobias Schneider - Unknown - Leakage Assessment Methodology - a clear roadmap for side-channel evaluations.pdf:pdf},
keywords = {leaky coffee},
mendeley-tags = {leaky coffee},
title = {{Leakage Assessment Methodology - a clear roadmap for side-channel evaluations}}
}
@phdthesis{Abcouwer2015,
author = {Abcouwer, Friso},
file = {:Users/mark/Documents/Mendeley Desktop/Abcouwer - 2015 - Measuring Task Complexity in Human Computation Systems.pdf:pdf},
school = {Delft University of Technology},
title = {{Measuring Task Complexity in Human Computation Systems}},
type = {mscthesis},
year = {2015}
}
@inproceedings{cha2015symfuzz,
author = {Cha, Sang Kil and Woo, Maverick and Brumley, David},
booktitle = {2015 IEEE Symposium on Security and Privacy},
doi = {10.1109/SP.2015.50},
file = {:Users/mark/Documents/Mendeley Desktop/Cha, Woo, Brumley - Unknown - Program-Adaptive Mutational Fuzzing.pdf:pdf},
isbn = {978-1-4673-6949-7},
month = {may},
number = {1},
pages = {725--741},
publisher = {IEEE},
title = {{Program-Adaptive Mutational Fuzzing}},
url = {http://ieeexplore.ieee.org/lpdocs/epic03/wrapper.htm?arnumber=7163057},
year = {2015}
}
@article{Kunming2015,
author = {Kunming, Alvin Cai},
file = {:Users/mark/Documents/Mendeley Desktop/Kunming - 2015 - Comparison of Side Channel Analysis Measurement Setups.pdf:pdf},
title = {{Comparison of Side Channel Analysis Measurement Setups}},
year = {2015}
}
@inproceedings{Dolan-Gavitt2014,
address = {New York, New York, USA},
author = {Dolan-Gavitt, Brendan and Hodosh, Josh and Hulin, Patrick and Leek, Tim and Whelan, Ryan},
booktitle = {Proceedings of the 5th Program Protection and Reverse Engineering Workshop on - PPREW-5},
doi = {10.1145/2843859.2843867},
file = {:Users/mark/Documents/Mendeley Desktop/Dolan-Gavitt et al. - 2015 - Repeatable Reverse Engineering with PANDA.pdf:pdf},
isbn = {9781450336420},
keywords = {instrumentation,introspection,record,replay},
pages = {1--11},
publisher = {ACM Press},
title = {{Repeatable Reverse Engineering with PANDA}},
url = {http://dl.acm.org/citation.cfm?doid=2843859.2843867},
year = {2015}
}
@inproceedings{Wiener,
address = {New York, New York, USA},
author = {Wiener, Michael J},
booktitle = {Proceedings of the 5th Program Protection and Reverse Engineering Workshop on - PPREW-5},
doi = {10.1145/2843859.2846054},
file = {:Users/mark/Documents/Mendeley Desktop/Wiener - 2015 - Applying Software Protection to White-Box Cryptography.pdf:pdf},
isbn = {9781450336420},
keywords = {advanced encryption standard,cryptography,data encryption standard,differential fault analysis,reverse engineering,side channels,software protection,white-box cryptography},
pages = {1--2},
publisher = {ACM Press},
title = {{Applying Software Protection to White-Box Cryptography}},
url = {http://dl.acm.org/citation.cfm?doid=2843859.2846054},
year = {2015}
}
@article{Gnaedig2010,
abstract = {This paper deals with the issue of self-modifying code and packed programs, a long-standing problem commonly addressed by emulation techniques and memory dumps. We propose an original semantics-based approach to simplify dynamic code analysis, by using compiler optimization techniques to get rid of code-generating instructions. For this, we use classic slicing techniques to identify code dependencies. As it is semantics-based, our approach allows us to rely on strongly established formal methods and is a promising approach for handling packed programs.},
author = {Gnaedig, Isabelle and Kaczmarek, Matthieu and Reynaud, Daniel and Wloka, St{\'{e}}phane},
doi = {10.1109/MALWARE.2010.5665795},
file = {:Users/mark/Documents/Mendeley Desktop/Gnaedig et al. - 2010 - Unconditional self-modifying code elimination with dynamic compiler optimizations.pdf:pdf},
isbn = {9781424493555},
journal = {Proceedings of the 5th IEEE International Conference on Malicious and Unwanted Software, Malware 2010},
pages = {47--54},
title = {{Unconditional self-modifying code elimination with dynamic compiler optimizations}},
year = {2010}
}
@article{Tamerus2012,
author = {Tamerus, P D},
file = {:Users/mark/Documents/Mendeley Desktop/Tamerus - 2012 - Asynchronous Logic as Counter Measure against Power Analysis Attacks.pdf:pdf},
title = {{Asynchronous Logic as Counter Measure against Power Analysis Attacks}},
year = {2012}
}
@unpublished{sanfelix2015unboxing,
author = {Sanfelix, Eloi and Mune, Cristofaro and Haas, Job De},
file = {:Users/mark/Documents/Mendeley Desktop/Sanfelix, Mune, Haas - 2015 - Unboxing the White-Box.pdf:pdf;:Users/mark/Documents/Mendeley Desktop/Sanfelix, Mune, Haas - 2015 - Unboxing the White-Box(2).pdf:pdf},
keywords = {and embedded exploitation,exploit,fault injection,previous work on mobile,reversing,software},
title = {{Unboxing the White-Box}},
year = {2015}
}
@inproceedings{Banks2006,
abstract = {Fuzzing is a well-known black-box approach to the security testing of applications. Fuzzing has many advantages in terms of simplicity and effectiveness over more complex, expensive testing approaches. Unfortunately, current fuzzing tools suffer from a number of limitations, and, in particular, they provide little support for the fuzzing of stateful protocols. In this paper, we present SNOOZE, a tool for building flexible, security-oriented, network protocol fuzzers. SNOOZE implements a stateful fuzzing approach that can be used to effectively identify security flaws in network protocol implementations. SNOOZE allows a tester to describe the stateful operation of a protocol and the messages that need to be generated in each state. In addition, SNOOZE provides attack-specific fuzzing primitives that allow a tester to focus on specific vulnerability classes. We used an initial prototype of the SNOOZE tool to test programs that implement the SIP protocol, with promising results. SNOOZE supported the creation of sophisticated fuzzing scenarios that were able to expose real-world bugs in the programs analyzed.},
address = {Berlin, Heidelberg},
author = {Banks, Greg and Cova, Marco and Felmetsger, Viktoria and Almeroth, Kevin and Kemmerer, Richard and Vigna, Giovanni},
booktitle = {Information Security: 9th International Conference, ISC 2006},
chapter = {SNOOZE: To},
doi = {10.1007/11836810_25},
editor = {Katsikas, Sokratis K and L{\'{o}}pez, Javier and Backes, Michael and Gritzalis, Stefanos and Preneel, Bart},
file = {:Users/mark/Documents/Mendeley Desktop/Banks et al. - 2006 - SNOOZE Toward a Stateful NetwOrk prOtocol fuzZEr.pdf:pdf},
isbn = {978-3-540-38343-7},
keywords = {Security Testing.,network protocols,security testing,stateful fuzzing},
pages = {343--358},
publisher = {Springer Berlin Heidelberg},
title = {{SNOOZE: Toward a Stateful NetwOrk prOtocol fuzZEr}},
url = {http://dx.doi.org/10.1007/11836810_25 http://www.springerlink.com/index/E7U87826375LU431.pdf http://link.springer.com/10.1007/11836810_25},
year = {2006}
}
@book{Clarke1999,
author = {Clarke, Edmund M. and Grumberg, Orna and Peled, Doron A.},
isbn = {9780262032704},
publisher = {MIT Press},
title = {{Model Checking}},
year = {1999}
}
@techreport{yadegari2014generic,
author = {Yadegari, Babak and Johannesmeyer, Brian and Whitely, Benjamin and Debray, Saumya},
booktitle = {2015 IEEE Symposium on Security and Privacy},
doi = {10.1109/SP.2015.47},
file = {:Users/mark/Documents/Mendeley Desktop//Yadegari et al. - 2014 - A generic approach to automatic deobfuscation of executable code.pdf:pdf},
institution = {Technical report, Department of Computer Science, The University of Arizona},
isbn = {978-1-4673-6949-7},
keywords = {-deobfuscation,4,are unpacked at runtime,interpretation with distinct virtual,multiple layers of,or if there are,oriented programming,program counters that are,return,virtualization-obfuscation},
pages = {674--691},
title = {{A generic approach to automatic deobfuscation of executable code}},
url = {http://ieeexplore.ieee.org/lpdocs/epic03/wrapper.htm?arnumber=7163054},
year = {2014}
}
@article{Broek2015,
author = {Broek, Fabian Van Den},
file = {:Users/mark/Documents/Mendeley Desktop/Broek - 2015 - Defeating IMSI Catchers.pdf:pdf},
isbn = {9781450338325},
pages = {1--12},
title = {{Defeating IMSI Catchers}},
year = {2015}
}
@article{Madou2006,
author = {Madou, Matias and {Van Put}, Ludo and {De Bosschere}, Koen},
doi = {10.1145/1111542.1111566},
file = {:Users/mark/Documents/Mendeley Desktop/Madou, Van Put, De Bosschere - 2006 - Loco An Interactive Code (De)Obfuscation Tool.pdf:pdf},
isbn = {1595931961},
journal = {Proceedings of the 2006 ACM SIGPLAN symposium on Partial evaluation and semantics-based program manipulation - PEPM '06},
keywords = {binary rewriting,code obfuscation,security},
number = {August 2015},
pages = {140},
title = {{Loco: An Interactive Code (De)Obfuscation Tool}},
url = {http://portal.acm.org/citation.cfm?doid=1111542.1111566},
year = {2006}
}
@article{Bos2015,
author = {van den Bos, P and Vaandrager, FW and Smetsers, R},
file = {:Users/mark/Documents/Mendeley Desktop/Bos, Vaandrager, Smetsers - 2015 - Enhancing Active Automata Learning by a User Log Based Metric.pdf:pdf},
title = {{Enhancing Active Automata Learning by a User Log Based Metric}},
url = {http://www.ru.nl/publish/pages/769526/z_20150706masterthesispetravandenbos.pdf},
year = {2015}
}
@inproceedings{Pedrosa2010,
abstract = {Finite State Machines (FSMs) are widely used to generate test case suites for critical systems. Several test case generation methods are derived from the well-known W-method. The Wp-method is a variation of the W-method, which produces smaller test suites. The G-method is a generalization of the W-method, which dispenses the use of characterization sets. In this paper, we combine ideas of both, and introduce a new generalized method, that does not depend on characterization sets, as the Wp-method does, and may produce smaller test suites than those of the G-method.},
author = {Pedrosa, Lehilton Lelis Chaves and Moura, Arnaldo Vieira},
booktitle = {2010 Fourth International Conference on Secure Software Integration and Reliability Improvement Companion},
doi = {10.1109/SSIRI-C.2010.25},
file = {:Users/mark/Documents/Mendeley Desktop/Pedrosa, Moura - 2010 - Generalized Partial Test Case Generation Method.pdf:pdf},
isbn = {978-1-4244-7644-2},
keywords = {Automata,Automatic testing,Costs,Fault detection,G-method,Hardware,Helium,Particle separators,Software systems,Software testing,System testing,W-method generalization,Wp-method,automatic test pattern generation,finite state machines,finite-state machines,generalisation (artificial intelligence),generalized partial test case generation method,program testing,test case selection,testing},
month = {jun},
pages = {70--77},
publisher = {IEEE},
title = {{Generalized Partial Test Case Generation Method}},
url = {http://ieeexplore.ieee.org/lpdocs/epic03/wrapper.htm?arnumber=5521563},
year = {2010}
}
@inproceedings{sen2007concolic,
abstract = {Concolic testing automates test input generation by combining the concrete and symbolic (concolic) execution of the code under test. Traditional test input generation techniques use either (1) concrete execution or (2) symbolic execution that builds constraints and is followed by a generation of concrete test inputs from these constraints. In contrast, concolic testing tightly couples both concrete and symbolic executions: they run simultaneously, and each gets feedback from the other. We have implemented concolic testing in tools for testing both C and Java programs. We have used the tools to find bugs in several real-world software systems including SGLIB, a popular C data structure library used in a commercial tool, a third-party implementation of the Needham-Schroeder protocol and the TMN protocol, the scheduler of Honeywell's DEOS real-time operating system, and the Sun Microsystems' JDK 1.4 collection framework. In this tutorial, we will describe concolic testing and some of its recent extensions},
address = {New York, New York, USA},
author = {Sen, Koushik},
booktitle = {Proceedings of the twenty-second IEEE/ACM international conference on Automated software engineering - ASE '07},
doi = {10.1145/1321631.1321746},
file = {:Users/mark/Documents/Mendeley Desktop/Sen - 2007 - Concolic testing.pdf:pdf},
isbn = {9781595938824},
keywords = {concolic testing,data structure testing,explicit path model checking,random testing,testing,unit testing},
organization = {ACM},
pages = {571},
publisher = {ACM Press},
title = {{Concolic testing}},
url = {http://portal.acm.org/citation.cfm?doid=1321631.1321746},
year = {2007}
}
@article{Banescu,
author = {Banescu, Sebastian},
file = {:Users/mark/Documents/Mendeley Desktop/Banescu - Unknown - A Framework for Measuring Software Obfuscation Resilience Against Automated Attacks.pdf:pdf},
title = {{A Framework for Measuring Software Obfuscation Resilience Against Automated Attacks}}
}
@article{souchet2013kryptonite,
author = {Souchet, Axel},
file = {:Users/mark/Documents/Mendeley Desktop//Souchet - 2013 - Obfuscation of steel meet my Kryptonite.pdf:pdf},
pages = {1--24},
title = {{Obfuscation of steel: meet my Kryptonite}},
url = {http://download.tuxfamily.org/overclokblog/Obfuscation of steel{\%}3a meet my Kryptonite/0vercl0k_Obfuscation_of_steel_meet_kryptonite.pdf},
volume = {2013},
year = {2013}
}
@article{dolan2013mov,
abstract = {It is well-known that the x86 instruction set is baroque, overcom- plicated, and redundantly redundant.We show just how much fluff it has by demonstrating that it remains Turing-complete when re- duced to just one instruction. The instruction we choose is mov, which can do both loads and stores. We use no unusual addressing modes, self-modifying code, or runtime code generation. Using just this instruction (and a single unconditional branch at the end of the program to make nontermination possible), we demonstrate how an arbitrary Turing machine can be simulated.},
author = {Dolan, Stephen},
file = {:Users/mark/Documents/Mendeley Desktop/Dolan - 2013 - mov is Turing-complete.pdf:pdf},
pages = {1--4},
title = {{mov is Turing-complete}},
url = {http://www.cl.cam.ac.uk/{~}sd601/papers/mov.pdf},
year = {2013}
}
@misc{LLVMBitCodeFormat,
author = {{LLVM Project}},
title = {{LLVM Bitcode File Format}},
url = {http://llvm.org/docs/BitCodeFormat.html},
urldate = {2016-02-02},
note = {date accessed: 2016-02-02},
year = {2016}
}
@article{Walkinshaw2007,
abstract = {Finite state machine-derived specifications such as X-machines, extended finite state machines and abstract state machines, are an established means to model software behaviour. They allow for comprehensive testing of an implementation in terms of its intended behaviour. In practice however they are rarely generated and maintained during software development, hence their benefits can rarely be exploited. We address this problem by using an interactive grammar inference technique to infer the underlying state machine representation of an existing software system. The approach is interactive because it generates queries to the user as it constructs a hypothesis machine, which can be interpreted as system tests. This paper describes (1) how an existing grammar inference technique (QSM) can be used to reverse-engineer state-based models of software from execution traces at a developer-defined level of abstraction and (2) how the QSM technique can be improved for a better balance between the number of tests it proposes and the accuracy of the machine it derives. The technique has been implemented, which has enabled us to present a small case study of its use with respect to a real software system, along with some preliminary performance results.},
author = {Walkinshaw, Neil and Bogdanov, Kirill and Holcombe, Mike and Salahuddin, Sarah},
doi = {10.1109/WCRE.2007.45},
file = {:Users/mark/Documents/Mendeley Desktop/Walkinshaw et al. - 2007 - Reverse engineering state machines by interactive grammar inference.pdf:pdf},
isbn = {0-7695-3034-6},
issn = {1095-1350},
journal = {Proceedings - Working Conference on Reverse Engineering, WCRE},
number = {1},
pages = {209--218},
title = {{Reverse engineering state machines by interactive grammar inference}},
year = {2007}
}
@book{dang2014practical,
author = {Dang, Bruce and {Gazet Alexandre}, Bachaalany Elias and Josse, S{\'{e}}bastien},
editor = {Miller, Matt},
publisher = {John Wiley {\&} Sons},
title = {{Practical Reverse Engineering: x86, x64, ARM, Windows Kernel, Reversing Tools, and Obfuscation}},
year = {2014}
}
@article{bos2015differential,
author = {Bos, Joppe W and Hubain, Charles and Michiels, Wil and Teuwen, Philippe},
file = {:Users/mark/Documents/Mendeley Desktop//Bos et al. - 2015 - Differential Computation Analysis Hiding your White-Box Designs is Not Enough.pdf:pdf},
pages = {1--22},
title = {{Differential Computation Analysis: Hiding your White-Box Designs is Not Enough}},
year = {2015}
}
@article{Bertolino2012,
author = {Bertolino, A and Calabr{\`{o}}, A and Merten, M and Steffen, B},
journal = {ERCIM News},
number = {88},
publisher = {ERCIM},
title = {{Never-stop Learning: Continuous Validation of Learned Models for Evolving Systems through Monitoring}},
url = {https://hal.inria.fr/hal-00661027},
volume = {2012},
year = {2012}
}
@inproceedings{Groz2015,
address = {New York, New York, USA},
author = {de Go{\"{e}}r, Franck and Groz, Roland and Mounier, Laurent},
booktitle = {Proceedings of the 5th Program Protection and Reverse Engineering Workshop on - PPREW-5},
doi = {10.1145/2843859.2843861},
file = {:Users/mark/Documents/Mendeley Desktop/de Go{\"{e}}r, Groz, Mounier - 2015 - Lightweight heuristics to retrieve parameter associations from binaries.pdf:pdf},
isbn = {9781450336420},
keywords = {data-flow,dynamic type inference,reverse-engineering},
pages = {1--12},
publisher = {ACM Press},
title = {{Lightweight heuristics to retrieve parameter associations from binaries}},
url = {http://dl.acm.org/citation.cfm?doid=2843859.2843861},
year = {2015}
}
@inproceedings{ruiter2015protocol,
author = {Ruiter, J De and Poll, E},
booktitle = {USENIX Security},
file = {:Users/mark/Documents/Mendeley Desktop/Ruiter, Poll - 2015 - Protocol state fuzzing of TLS implementations.pdf:pdf},
pages = {193--206},
title = {{Protocol state fuzzing of TLS implementations}},
url = {http://www.cs.bham.ac.uk/{~}deruitej/papers/usenix15.pdf},
year = {2015}
}
@incollection{grobert2011automated,
abstract = {Identifying that a given binary program implements a spe- cific cryptographic algorithm and finding out more information about the cryptographic code is an important problem. Proprietary programs and especially malicious software (so called malware) often use cryptography and we want to learn more about the context, e.g., which algorithms and keys are used by the program. This helps an analyst to quickly under- stand what a given binary program does and eases analysis. In this paper, we present several methods to identify cryptographic prim- itives (e.g., entire algorithms or only keys) within a given binary program in an automated way. We perform fine-grained dynamic binary analysis and use the collected information as input for several heuristics that characterize specific, unique aspects of cryptographic code. Our evalua- tion shows that these methods improve the state-of-the-art approaches in this area and that we can successfully extract cryptographic keys from a given malware binary.},
author = {Gr{\"{o}}bert, Felix and Willems, Carsten and Holz, Thorsten},
booktitle = {Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)},
doi = {10.1007/978-3-642-23644-0_3},
file = {:Users/mark/Documents/Mendeley Desktop/Gr{\"{o}}bert, Willems, Holz - 2011 - Automated Identification of Cryptographic Primitives in Binary Programs.pdf:pdf},
isbn = {9783642236433},
issn = {03029743},
keywords = {Binary Analysis,Cryptography,Malware Analysis},
pages = {41--60},
title = {{Automated Identification of Cryptographic Primitives in Binary Programs}},
url = {http://www.ei.ruhr-uni-bochum.de/media/emma/veroeffentlichungen/2011/06/21/cryptoPrimitives-raid11.pdf http://link.springer.com/10.1007/978-3-642-23644-0_3},
volume = {6961 LNCS},
year = {2011}
}
@misc{hexraysdecompiler,
author = {SA, Hex-Rays},
title = {{Hex-Rays decompiler}},
url = {https://www.hex-rays.com/products/decompiler/},
urldate = {2015-09-15},
433
note = {date accessed: 2015-09-15},
Rick Smetsers's avatar
Rick Smetsers committed
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
year = {2015}
}
@inproceedings{salwan2015triton,
address = {Rennes},
author = {Salwan, Jonathan and Saudel, Florent},
booktitle = {SSTIC 2015-Symposium sur la s{\'{e}}curit{\'{e}} des technologies de l'information et des communications},
file = {:Users/mark/Documents/Mendeley Desktop/Salwan, Saudel - 2015 - Triton Framework d'ex{\'{e}}cution concolique et d'analyses en runtime.pdf:pdf},
title = {{Triton: Framework d'ex{\'{e}}cution concolique et d'analyses en runtime}},
url = {https://www.sstic.org/media/SSTIC2015/SSTIC-actes/triton_dynamic_symbolic_execution_and_runtime_anal/SSTIC2015-Article-triton_dynamic_symbolic_execution_and_runtime_analysis-saudel_salwan.pdf},
year = {2015}
}
@article{LeeYannakakisADS1994,
abstract = {We study the complexity of two fundamental problems in the testing$\backslash$nof finite-state machines. 1) Distinguishing sequences (state$\backslash$nidentification). We show that it is PSPACE-complete to determine whether$\backslash$na finite-state machine has a preset distinguishing sequence. There are$\backslash$nmachines that have distinguishing sequences, but only of exponential$\backslash$nlength. We give a polynomial time algorithm that determines whether a$\backslash$nfinite-state machine has an adaptive distinguishing sequence. (The$\backslash$nprevious classical algorithms take exponential time.) Furthermore, if$\backslash$nthere is an adaptive distinguishing sequence, then we give an efficient$\backslash$nalgorithm that constructs such a sequence of length at most n(n-1)/2$\backslash$n(which is the best possible), where n is the number of states. 2) Unique$\backslash$ninput output sequences (state verification). It is PSPACE-complete to$\backslash$ndetermine whether a state of a machine has a unique input output$\backslash$nsequence. There are machines whose states have unique input output$\backslash$nsequences but only of exponential length},
author = {Lee, David and Yannakakis, Mihalis},
doi = {10.1109/12.272431},
file = {:Users/mark/Documents/Mendeley Desktop/Lee, Yannakakis - 1994 - Testing Finite-State Machines State Identification and Verification.pdf:pdf},
isbn = {0018-9340},
issn = {00189340},
journal = {IEEE Transactions on Computers},
keywords = {Adaptive distinguishing sequence,PSPACE-complete,UIO sequence,finite-state,machine,preset distinguishing sequence,state identification,state verification},
number = {3},
pages = {306--320},
title = {{Testing Finite-State Machines: State Identification and Verification}},
volume = {43},
year = {1994}
}
@article{Kargen1990,
author = {Karg{\'{e}}n, Ulf},
file = {:Users/mark/Documents/Mendeley Desktop/Karg{\'{e}}n - 1990 - Turning Programs against Each Other High Coverage Fuzz-Testing using Binary-Code Mutation and Dynamic Slicing Categorie.pdf:pdf},
isbn = {9781450336758},
keywords = {black-box,dynamic slicing,fuzz testing,fuzzing,program},
pages = {782--792},
title = {{Turning Programs against Each Other: High Coverage Fuzz-Testing using Binary-Code Mutation and Dynamic Slicing Categories and Subject Descriptors}},
year = {1990}
}
@inproceedings{palsberg2000experience,
abstract = {There are at least four US patents on software watermarking, and$\backslash$nan idea for further advancing the state of the art was presented by C.$\backslash$nCollberg and C. Thomborsen (1999). The new idea is to embed a watermark$\backslash$nin dynamic data structures, thereby protecting against many$\backslash$nprogram-transformation attacks. Until now there have been no reports on$\backslash$npractical experience with this technique. We have implemented and$\backslash$nexperimented with a watermarking system for Java based on the ideas of$\backslash$nCollberg and Thomborsen. Our experiments show that watermarking can be$\backslash$ndone efficiently with moderate increases in code size, execution times$\backslash$nand heap-space usage, while making the watermarked code resilient to a$\backslash$nvariety of program-transformation attacks. For a particular$\backslash$nrepresentation of watermarks, the time to retrieve a watermark is on the$\backslash$norder of one minute per megabyte of heap space. Our implementation is$\backslash$nnot designed to resists all possible attacks; to do that, it should be$\backslash$ncombined with other protection techniques, such as obfuscation and$\backslash$ntamperproofing},
author = {Palsberg, J. and Krishnaswamy, S. and {Minseok Kwon} and Ma, D. and {Qiuyun Shao} and Zhang, Y.},
booktitle = {Proceedings 16th Annual Computer Security Applications Conference (ACSAC'00)},
doi = {10.1109/ACSAC.2000.898885},
file = {:Users/mark/Documents/Mendeley Desktop/Palsberg et al. - 2000 - Experience with software watermarking.pdf:pdf},
isbn = {0-7695-0859-6},
pages = {308--316},
publisher = {IEEE Comput. Soc},
title = {{Experience with software watermarking}},
url = {http://ieeexplore.ieee.org/lpdocs/epic03/wrapper.htm?arnumber=898885},
year = {2000}
}
@phdthesis{Thesis2007,
author = {{Izquierdo Riera}, Francisco Blas},
file = {:Users/mark/Documents/Mendeley Desktop/Izquierdo Riera - 2014 - LO! LLVM Obfuscator.pdf:pdf},
school = {Chalmers University of Technology},
title = {{LO! LLVM Obfuscator}},
year = {2014}
}
@article{Wang2011,
abstract = {Fuzz testing has proven successful in finding security vulnerabilities in large programs. However, tradi- tional fuzz testing tools have a well-known common drawback: they are ineffective if most generated inputs are rejected at the early stage of programrunning, especially when target programs employ checksummech- anisms to verify the integrity of inputs. This article presents TaintScope, an automatic fuzzing system using dynamic taint analysis and symbolic execution techniques, to tackle the above problem. TaintScope has sev- eral novel features: (1) TaintScope is a checksum-aware fuzzing tool. It can identify checksum fields in inputs, accurately locate checksum-based integrity checks by using branch profiling techniques, and bypass such checks via control flow alteration. Furthermore, it can fix checksum values in generated inputs using combined concrete and symbolic execution techniques. (2) TaintScope is a taint-based fuzzing tool working at the x86 binary level. Based on fine-grained dynamic taint tracing, TaintScope identifies the “hot bytes” in a well-formed input that are used in security-sensitive operations (e.g., invoking system/library calls), and then focuses on modifying such bytes with random or boundary values. (3) TaintScope is also a symbolic- execution-based fuzzing tool. It can symbolically evaluate a trace, reason about all possible values that can execute the trace, and then detect potential vulnerabilities on the trace. We evaluate TaintScope on a number of large real-world applications. Experimental results show that TaintScope can accurately locate the checksum checks in programs and dramatically improve the effective- ness of fuzz testing. TaintScope has already found 30 previously unknown vulnerabilities in several widely used applications, including Adobe Acrobat, Flash Player, Google Picasa, and Microsoft Paint. Most of these severe vulnerabilities have been confirmed by Secunia and oCERT, and assigned CVE identifiers (such as CVE-2009-1882, CVE-2009-2688). Vendor patches have been released or are in preparation based on our reports.},
author = {Wang, Tielei and Wei, Tao and Gu, Guofei and Zou, Wei},
doi = {10.1145/2019599.2019600},
file = {:Users/mark/Documents/Mendeley Desktop/Wang et al. - 2011 - Checksum-Aware Fuzzing Combined with Dynamic Taint Analysis and Symbolic Execution.pdf:pdf},
issn = {10949224},
journal = {ACM Transactions on Information and System Security},
number = {2},
pages = {1--28},
title = {{Checksum-Aware Fuzzing Combined with Dynamic Taint Analysis and Symbolic Execution}},
volume = {14},
year = {2011}
}
@article{Janssen2013,
author = {Janssen, Ramon},
file = {:Users/mark/Documents/Mendeley Desktop/Janssen - 2013 - Learning a State Diagram of TCP Using Abstraction.pdf:pdf},
title = {{Learning a State Diagram of TCP Using Abstraction}},
year = {2013}
}
@article{Diaconescu2013,
author = {Diaconescu, Alexandru Ionut},
file = {:Users/mark/Documents/Mendeley Desktop/Diaconescu - 2013 - Automated Code Review for Fault Injection.pdf:pdf},
title = {{Automated Code Review for Fault Injection}},
year = {2013}
}
@inproceedings{Caballero2007,
abstract = {Protocol reverse engineering, the process of extracting the application-level protocol used by an implementation, with-out access to the protocol specification, is important for many network security applications. Recent work [17] has proposed protocol reverse engineering by using clustering on network traces. That kind of approach is limited by the lack of semantic information on network traces. In this pa-per we propose a new approach using program binaries. Our approach, shadowing, uses dynamic binary analysis and is based on a unique intuition—the way that an implementa-tion of the protocol processes the received application data reveals a wealth of information about the protocol message format. We have implemented our approach in a system called Polyglot and evaluated it extensively using real-world implementations of five different protocols: DNS, HTTP, IRC, Samba and ICQ. We compare our results with the man-ually crafted message format, included in Wireshark, one of the state-of-the-art protocol analyzers. The differences we find are small and usually due to different implementa-tions handling fields in different ways. Finding such differ-ences between implementations is an added benefit, as they are important for problems such as fingerprint generation, fuzzing, and error detection.},
address = {New York, New York, USA},
author = {Caballero, Juan and Yin, Heng and Liang, Zhenkai and Song, Dawn},
booktitle = {Proceedings of the 14th ACM conference on Computer and communications security - CCS '07},
doi = {10.1145/1315245.1315286},
file = {:Users/mark/Documents/Mendeley Desktop/Caballero et al. - 2007 - Polyglot Automatic Extraction of Protocol Message Format using Dynamic Binary Analysis.pdf:pdf},
isbn = {9781595937032},
issn = {15437221},
keywords = {binary analysis,protocol reverse engineering},
pages = {317},
publisher = {ACM Press},
title = {{Polyglot: Automatic Extraction of Protocol Message Format using Dynamic Binary Analysis}},
url = {http://portal.acm.org/citation.cfm?doid=1315245.1315286},
year = {2007}
}
@incollection{demoura2008z3,
abstract = {Satisfiability Modulo Theories (SMT) problem is a decision problem for logical first order formulas with respect to combinations of background theories such as: arithmetic, bit-vectors, arrays, and uninterpreted functions. Z3 is a new and efficient SMT Solver freely available from Microsoft Research. It is used in various software verification and analysis applications.},
author = {de Moura, Leonardo and Bj{\o}rner, Nikolaj},
booktitle = {Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)},
doi = {10.1007/978-3-540-78800-3_24},
file = {:Users/mark/Documents/Mendeley Desktop/de Moura, Bj{\o}rner - 2008 - Z3 An Efficient SMT Solver.pdf:pdf},
isbn = {3540787992},
issn = {03029743},
pages = {337--340},
publisher = {Springer},
title = {{Z3: An Efficient SMT Solver}},
url = {http://link.springer.com/10.1007/978-3-540-78800-3_24},
volume = {4963 LNCS},
year = {2008}
}
@misc{hotz2015qira,
author = {Hotz, George},
title = {{QEMU Interactive Runtime Analyser (qira)}},
url = {http://qira.me/},
549
note = {date accessed: 2015-09-15},
Rick Smetsers's avatar
Rick Smetsers committed
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
urldate = {2015-09-15},
year = {2015}
}
@techreport{wang2000software,
abstract = {In this paper we address the problem of protecting trusted software on untrusted hosts by code obfuscation. We address one aspect of the problem, namely obstructing static analysis of programs. The presence of aliases has been proven to restrict greatly the precision of static data-flow analysis. Meanwhile, effective alias detection has been shown to be NP-Hard. While this represents a significant hurdle for code optimization, it provides a theoretical basis for structuring tamper-resistant programs— the systematic introduction of nontrivial aliases transforms programs to a form that yields data flow information very slowly and/or with little precision. We describe a set of transformations that introduce aliases and further hinder the analysis by a systematic "break-down" of the program control-flow; transforming high level control transfers to indirect addressing through aliased pointers. By doing so, the basic control-flow analysis is made into a general alias analysis problem, and the data-flow analysis and control-flow analysis are made co-dependent. We present a theoretical result which shows that a precise analysis of the transformed program, in the general case, is NP-hard and demonstrate the applicability of our techniques with empirical results.},
author = {Wang, Chenxi and Hill, Jonathan and Knight, John and Davidson, Jack},
booktitle = {Transform},
doi = {10.1.1.35.2337},
file = {:Users/mark/Documents/Mendeley Desktop//Wang et al. - 2000 - Software tamper resistance Obstructing static analysis of programs.pdf:pdf},
institution = {Technical Report CS-2000-12, University of Virginia, 12 2000},
pages = {1--18},
title = {{Software tamper resistance: Obstructing static analysis of programs}},
url = {http://logic.pdmi.ras.ru/{~}yura/of/whkd2000.pdf http://dl.acm.org/citation.cfm?id=900898},
year = {2000}
}
@misc{afl-blog-mutation,
author = {Zalewski, Micha{\l}},
title = {{Binary fuzzing strategies: what works, what doesn't}},
url = {https://lcamtuf.blogspot.nl/2014/08/binary-fuzzing-strategies-what-works.html},
urldate = {2015-09-15},
year = {2014}
}
@inproceedings{sen2005cute,
abstract = {In unit testing, a program is decomposed into units which are collections of functions. A part of unit can be tested by generating inputs for a single entry function. The entry function may contain pointer arguments, in which case the inputs to the unit are memory graphs. The paper addresses the problem of automating unit testing with memory graphs as inputs. The approach used builds on previous work combining symbolic and concrete execution, and more specifically, using such a combination to generate test inputs to explore all feasible execution paths. The current work develops a method to represent and track constraints that capture the behavior of a symbolic execution of a unit with memory graphs as inputs. Moreover, an efficient constraint solver is proposed to facilitate incremental generation of such test inputs. Finally, CUTE, a tool implementing the method is described together with the results of applying CUTE to real-world examples of C code.},
address = {New York, New York, USA},
author = {Sen, Koushik and Marinov, Darko and Agha, Gul},
booktitle = {Proceedings of the 10th European software engineering conference held jointly with 13th ACM SIGSOFT international symposium on Foundations of software engineering - ESEC/FSE-13},
doi = {10.1145/1081706.1081750},
file = {:Users/mark/Documents/Mendeley Desktop/Sen, Marinov, Agha - 2005 - CUTE A Concolic Unit Testing Engine for C.pdf:pdf},
isbn = {1595930140},
issn = {01635948},
keywords = {concolic testing,data structure testing,explicit path,model-checking,random testing,testing,unit testing},
pages = {263},
publisher = {ACM Press},
title = {{CUTE: A Concolic Unit Testing Engine for C}},
url = {http://portal.acm.org/citation.cfm?doid=1081706.1081750},
year = {2005}
}
@article{Dorofeeva2010,
author = {Dorofeeva, Rita and El-Fakih, Khaled and Maag, Stephane and Cavalli, Ana R. and Yevtushenko, Nina},
doi = {10.1016/j.infsof.2010.07.001},
issn = {09505849},
journal = {Information and Software Technology},
month = {dec},
number = {12},
pages = {1286--1297},
title = {{FSM-based conformance testing methods: A survey annotated with experimental evaluation}},
url = {http://linkinghub.elsevier.com/retrieve/pii/S0950584910001278},
volume = {52},
year = {2010}
}
@inproceedings{madou2005hybrid,
abstract = {Advances in reverse engineering and program analyses have made software extremely vulnerable to malicious host attacks. These attacks typically take the form of intellectual property violations, against which the software needs to be protected. The intellectual property that needs to be protected can take on different forms. The software might, e.g., consist itself of proprietary algorithms and datastructures or it could provide controlled access to copyrighted material. Therefore, in recent years, a number of techniques have been explored to protect software. Many of these techniques provide a reasonable level of security against static-only attacks. Many of them however fail to address the problem of dynamic or hybrid static-dynamic attacks. While this type of attack is already commonly used by black-hats, this is one of the first scientific papers to discuss the potential of these attacks through which an attacker can analyze, control and modify a program extensively. The concepts are illustrated through a case study of a recently proposed algorithm for software watermarking [6].},
address = {New York, New York, USA},
author = {Madou, Matias and Anckaert, Bertrand and {De Sutter}, Bjorn and {De Bosschere}, Koen},
booktitle = {Proceedings of the 5th ACM workshop on Digital rights management - DRM '05},
doi = {10.1145/1102546.1102560},
file = {:Users/mark/Documents/Mendeley Desktop/Madou et al. - 2005 - Hybrid static-dynamic attacks against software protection mechanisms.pdf:pdf},
isbn = {1595932305},
keywords = {attacks,intellectual property,obfuscation,software protection,tamper-resistance,watermarking},
organization = {ACM},
pages = {75},
publisher = {ACM Press},
title = {{Hybrid static-dynamic attacks against software protection mechanisms}},
url = {http://dl.acm.org/citation.cfm?id=1102560 http://portal.acm.org/citation.cfm?doid=1102546.1102560},
year = {2005}
}
@article{Chan,
author = {Chan, Patrick P F and Collberg, Christian},
file = {:Users/mark/Documents/Mendeley Desktop/Chan, Collberg - Unknown - A Method to Evaluate CFG Comparison Algorithms.pdf:pdf},
title = {{A Method to Evaluate CFG Comparison Algorithms}},
volume = {1}
}
@inproceedings{chow2003whiteboxaes,
abstract = {Conventional software implementations of cryptographic algorithms are totally insecure where a hostile user may control the execution environment, or where co-located with malicious software. Yet current trends point to increasing usage in environments so threatened. We discuss encrypted-composed-function methods intended to provide a practical degree of protection against white-box (total access) attacks in untrusted execution environments. As an example, we show how aes can be implemented as a series of lookups in key-dependent tables. The intent is to hide the key by a combination of encoding its tables with random bijections representing compositions rather than individual steps, and extending the cryptographic boundary by pushing it out further into the containing application. We partially justify our aes implementation, and motivate its design, by showing how removal of parts of the recommended implementation allows specified attacks, including one utilizing a pattern in the aes SubBytes table.},
author = {Chow, Stanley and Eisen, Philip a and Johnson, Harold and {Van Oorschot}, Paul C and Oorschot, Paul C Van},
booktitle = {Selected Areas in Cryptography},
doi = {10.1007/3-540-36492-7_17},
file = {:Users/mark/Documents/Mendeley Desktop//Chow et al. - 2003 - White-box cryptography and an AES implementation.pdf:pdf},
isbn = {3-540-00622-2},
issn = {03029743},
organization = {Springer},
pages = {250--270},
title = {{White-box cryptography and an AES implementation}},
year = {2003}
}
@misc{collbergtigress,
author = {Collberg, Christian and Martin, Sam and Myers, Jonathan and Zimmerman, Bill},
title = {{The Tigress diversifying C virtualizer}},
url = {http://tigress.cs.arizona.edu/},
urldate = {2015-09-15},
note = {date accessed: 2015-09-15},
year = {2014}
}
@inproceedings{holler2012fuzzing,
abstract = {Fuzz testing is an automated technique providing random data as input to a software system in the hope to expose a vulnerability. In order to be effective, the fuzzed input must be common enough to pass elementary consistency checks; a JavaScript interpreter, for instance, would only accept a semantically valid program. On the other hand, the fuzzed input must be uncommon enough to trigger exceptional behavior, such as a crash of the interpreter. The LangFuzz approach resolves this conflict by using a grammar to randomly generate valid programs; the code fragments, however, partially stem from programs known to have caused invalid behavior before. LangFuzz is an effective tool for security testing: Applied on the Mozilla JavaScript interpreter, it discovered a total of 105 new severe vulnerabilities within three months of operation (and thus became one of the top security bug bounty collectors within this period); applied on the PHP interpreter, it discovered 18 new defects causing crashes.},
author = {Holler, Christian and Herzig, Kim and Zeller, Andreas},
booktitle = {Usenix},
file = {:Users/mark/Documents/Mendeley Desktop/Holler, Herzig, Zeller - 2012 - Fuzzing with Code Fragments.pdf:pdf},
isbn = {978-931971-95-9},
keywords = {fuzz testing,grammar,security,security testing},
pages = {445--458},
title = {{Fuzzing with Code Fragments}},
url = {https://www.usenix.org/system/files/conference/usenixsecurity12/sec12-final73.pdf},
year = {2012}
}
@article{Bauer2014,
author = {Bauer, Oliver and Geske, Maren and Isberner, Malte},
doi = {10.1007/s10009-014-0333-2},
file = {:Users/mark/Documents/Mendeley Desktop/Bauer, Geske, Isberner - 2014 - Analyzing program behavior through active automata learning.pdf:pdf},
issn = {1433-2779},
journal = {International Journal on Software Tools for Technology Transfer},
keywords = {active,automata learning,model construction,program analysis,verification},
month = {oct},
number = {5},
pages = {531--542},
title = {{Analyzing program behavior through active automata learning}},
url = {http://link.springer.com/10.1007/s10009-014-0333-2},
volume = {16},
year = {2014}
}
@article{Smetsers2016,
author = {Smetsers, Rick and Moerman, Joshua and Jansen, David N},
file = {:Users/mark/Documents/Mendeley Desktop/Smetsers, Moerman, Jansen - 2016 - Minimal Separating Sequences for all Pairs of States.pdf:pdf},
title = {{Minimal Separating Sequences for all Pairs of States}},
year = {2016}
}
@phdthesis{Noordermeer2011,
author = {Noordermeer, Mike},
file = {:Users/mark/Documents/Mendeley Desktop/Noordermeer - 2011 - Implementing Link-state Update Policies for Quality of Service Routing.pdf:pdf},
school = {Delft University of Technology},
title = {{Implementing Link-state Update Policies for Quality of Service Routing}},
type = {mscthesis},
year = {2011}
}
@misc{morpher,
author = {Morpher},
title = {{Morpher Obfuscation Service}},
url = {http://morpher.com/},
urldate = {2015-09-15},
note = {date accessed: 2015-09-15},
year = {2015}
}
@incollection{wyseur2007cryptanalysis,
abstract = {At DRM 2002, Chow et al. [4] presented a method for implementing the DES block cipher such that it becomes hard to extract the embedded secret key in a white-box attack context. In such a context, an attacker has full access to the implementation and its execution environment. In order to provide an extra level of security, an implementation shielded with external encodings was introduced by Chow et al. and improved by Link and Neumann [10]. In this paper, we present an algorithm to extract the secret key from such white-box DES implementations. The cryptanalysis is a differential attack on obfuscated rounds, and works regardless of the shielding external encodings that are applied. The cryptanalysis has a average time complexity of 214 and a negligible space complexity.},
address = {Berlin, Heidelberg},
author = {Wyseur, Brecht and Michiels, Wil and Gorissen, Paul and Preneel, Bart},
booktitle = {Selected Areas in Cryptography},
doi = {10.1007/978-3-540-77360-3_17},
file = {:Users/mark/Documents/Mendeley Desktop//Wyseur et al. - 2007 - Cryptanalysis of White-Box DES Implementations with Arbitrary External Encodings.pdf:pdf},
isbn = {978-3-540-77359-7, 978-3-540-77360-3},
issn = {03029743},
keywords = {cryptanalysis,data encryp-,des,obfuscation,tion standard,white-box cryptography},
organization = {Springer},
pages = {264--277},
publisher = {Springer Berlin Heidelberg},
title = {{Cryptanalysis of White-Box DES Implementations with Arbitrary External Encodings}},
url = {http://link.springer.com/10.1007/978-3-540-77360-3_17},
year = {2007}
}
@article{heule2010dfasat,
abstract = {We present an exact algorithm for identification of deterministic finite automata (DFA) which is based on satisfiability (SAT) solvers. Despite the size of the low level SAT representation, our approach is competitive with alternative techniques. Our contributions are fourfold: First, we propose a compact translation of DFA identification into SAT. Second, we reduce the SAT search space by adding lower bound information using a fast max-clique approximation algorithm. Third, we include many redundant clauses to provide the SAT solver with some additional knowledge about the problem. Fourth, we show how to use the flexibility of our translation in order to apply it to very hard problems. Experiments on a well-known suite of random DFA identification problems show that SAT solvers can efficiently tackle all instances. Moreover, our algorithm outperforms state-of-the-art techniques on several hard problems.},
author = {Heule, Marijn J H and Verwer, Sicco},
doi = {10.1007/978-3-642-15488-1_7},
file = {:Users/mark/Documents/Mendeley Desktop/Heule, Verwer - 2010 - Exact DFA identification using SAT solvers.pdf:pdf},
isbn = {3642154875},
issn = {03029743},
journal = {Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)},
pages = {66--79},
title = {{Exact DFA identification using SAT solvers}},
volume = {6339 LNAI},
year = {2010}
}
@book{Broy2005,
address = {Berlin, Heidelberg},
doi = {10.1007/b137241},
editor = {Broy, Manfred and Jonsson, Bengt and Katoen, Joost-Pieter and Leucker, Martin and Pretschner, Alexander},
isbn = {978-3-540-26278-7},
publisher = {Springer Berlin Heidelberg},
series = {Lecture Notes in Computer Science},
title = {{Model-Based Testing of Reactive Systems}},
url = {http://link.springer.com/10.1007/b137241},
volume = {3472},
year = {2005}
}
@inproceedings{shoshitaishvili2015firmalice,
address = {Reston, VA},
annote = {angr angr.io project},
author = {Shoshitaishvili, Yan and Wang, Ruoyu and Hauser, Christophe and Kruegel, Christopher and Vigna, Giovanni},
booktitle = {Proceedings 2015 Network and Distributed System Security Symposium},
doi = {10.14722/ndss.2015.23294},
file = {:Users/mark/Documents/Mendeley Desktop//Shoshitaishvili et al. - 2015 - Firmalice - Automatic Detection of Authentication Bypass Vulnerabilities in Binary Firmware.pdf:pdf},
isbn = {1-891562-38-X},
publisher = {Internet Society},
title = {{Firmalice - Automatic Detection of Authentication Bypass Vulnerabilities in Binary Firmware}},
url = {http://www.internetsociety.org/doc/firmalice-automatic-detection-authentication-bypass-vulnerabilities-binary-firmware},
year = {2015}
}
@inproceedings{chen2008towards,
abstract = {Many threats that plague todaypsilas networks (e.g., phishing, botnets, denial of service attacks) are enabled by a complex ecosystem of attack programs commonly called malware. To combat these threats, defenders of these networks have turned to the collection, analysis, and reverse engineering of malware as mechanisms to understand these programs, generate signatures, and facilitate cleanup of infected hosts. Recently however, new malware instances have emerged with the capability to check and often thwart these defensive activities - essentially leaving defenders blind to their activities. To combat this emerging threat, we have undertaken a robust analysis of current malware and developed a detailed taxonomy of malware defender fingerprinting methods. We demonstrate the utility of this taxonomy by using it to characterize the prevalence of these avoidance methods, to generate a novel fingerprinting method that can assist malware propagation, and to create an effective new technique to protect production systems.},
author = {Chen, Xu and Andersen, Jon and Mao, Z Morley and Bailey, Michael and Nazario, Jose and {Morley Mao}, Z. and Bailey, Michael and Nazario, Jose},
booktitle = {Dependable Systems and Networks With FTCS and DCC, 2008. DSN 2008. IEEE International Conference on},
doi = {10.1109/DSN.2008.4630086},
file = {:Users/mark/Documents/Mendeley Desktop//Chen et al. - 2008 - Towards an understanding of anti-virtualization and anti-debugging behavior in modern malware.pdf:pdf},
isbn = {978-1-4244-2397-2},
issn = {1530-0889},
organization = {IEEE},
pages = {177--186},
title = {{Towards an understanding of anti-virtualization and anti-debugging behavior in modern malware}},
year = {2008}
}
@article{chen2013confuse,
author = {Chen, Chih-Fan and Petsios, Theofilos and Pomonis, Marios and Tang, Adrian},
file = {:Users/mark/Documents/Mendeley Desktop//Chen et al. - 2013 - CONFUSE LLVM-based Code Obfuscation.pdf:pdf},
keywords = {ation,cfg alter-,code obfuscation,hardening,reverse engineering},
publisher = {May},
title = {{CONFUSE: LLVM-based Code Obfuscation}},
year = {2013}
}
@techreport{collberg1997taxonomy,
abstract = {It has become more and more common to distribute software in forms that retain most or all of the information present in the original source code. An important example is Java bytecode. Since such codes are easy to decompile, they increase the risk of malicious reverse engineering attacks. par In this paper we review several techniques for technical protection of software secrets. We will argue that automatic em code obfuscation is currently the most viable method for preventing reverse engineering. We then describe the design of a em code obfuscator, a tool which converts a program into an equivalent one that is more difficult to understand and reverse engineer. par The obfuscator is based on the application of code transformations, in many cases similar to those used by compiler optimizers. We describe a large number of such transformations, classify them, and evaluate them with respect to their em potency (To what degree is a human reader confused?), em resilience (How well are automatic em deobfuscation attacks resisted?), and em cost (How much overhead is added to the application?). par We finally discuss some possible deobfuscation techniques (such as program em slicing) and possible counter-measures an obfuscator could employ against them.},
author = {Collberg, Christian and Thomborson, Clark and Low, Douglas},
booktitle = {Technical Report 148 Department of Computer Science University of Auckland July},
doi = {10.1.1.38.9852},
file = {:Users/mark/Documents/Mendeley Desktop//Collberg, Thomborson, Low - 1997 - A taxonomy of obfuscating transformations.pdf:pdf},
institution = {Department of Computer Science, The University of Auckland, New Zealand},
isbn = {1173-3500},
issn = {11733500},
number = {148},
pages = {36},
title = {{A taxonomy of obfuscating transformations}},
url = {http://scholar.google.com/scholar?hl=en{\&}btnG=Search{\&}q=intitle:A+Taxonomy+of+Obfuscating+Transformations{\#}0},
year = {1997}
}
@inproceedings{Kanzaki2015,
address = {New York, New York, USA},
author = {Kanzaki, Yuichiro and Thomborson, Clark and Monden, Akito and Collberg, Christian},
booktitle = {Proceedings of the 5th Program Protection and Reverse Engineering Workshop on - PPREW-5},
doi = {10.1145/2843859.2843862},
file = {:Users/mark/Documents/Mendeley Desktop/Kanzaki et al. - 2015 - Pinpointing and Hiding Surprising Fragments in an Obfuscated Program.pdf:pdf},
isbn = {9781450336420},
keywords = {all or part of,code obfuscation,code stealth,n-gram,or,or hard copies of,permission to make digital,program analysis,software protection,this work for personal},
pages = {1--9},
publisher = {ACM Press},
title = {{Pinpointing and Hiding Surprising Fragments in an Obfuscated Program}},
url = {http://dl.acm.org/citation.cfm?doid=2843859.2843862},
year = {2015}
}
@article{Dantas,
author = {Dantas, Henrique},
file = {:Users/mark/Documents/Mendeley Desktop/Dantas - Unknown - Vulnerability Analysis of Smart Meters.pdf:pdf},
title = {{Vulnerability Analysis of Smart Meters}}
}
@article{Vermoen2006,
abstract = {Power analysis of smart cards is commonly used to obtain informa- tion about implemented cryptographic algorithms. We propose a similar methodology for reverse engineering of Java Card applets. In order to acquire power traces, we present a new microcontroller based smart card reader with an accurate adjustable trigger func- tion. Because power analysis only does not provide enough informa- tion, we refine our methodology by involving additional information sources. Issues like distinguishing between instructions performing similar tasks and reverse engineering of conditional branches and nested loops are also addressed. The proposed methodology is ap- plied to a commercially available Java Card smart card and the re- sults are reported. We conclude that our augmented power analysis can be successfully used to acquire information about the instruc- tions executed on a Java Card smart card.},
author = {Vermoen, Dennis},
file = {:Users/mark/Documents/Mendeley Desktop/Vermoen - 2006 - Reverse engineering of Java Card applets using power analysis.pdf:pdf},
journal = {Electrical Engineering},
title = {{Reverse engineering of Java Card applets using power analysis}},
year = {2006}
}
@inproceedings{lattner2004llvm,
abstract = { We describe LLVM (low level virtual machine), a compiler framework designed to support transparent, lifelong program analysis and transformation for arbitrary programs, by providing high-level information to compiler transformations at compile-time, link-time, run-time, and in idle time between runs. LLVM defines a common, low-level code representation in static single assignment (SSA) form, with several novel features: a simple, language-independent type-system that exposes the primitives commonly used to implement high-level language features; an instruction for typed address arithmetic; and a simple mechanism that can be used to implement the exception handling features of high-level languages (and setjmp/longjmp in C) uniformly and efficiently. The LLVM compiler framework and code representation together provide a combination of key capabilities that are important for practical, lifelong analysis and transformation of programs. To our knowledge, no existing compilation approach provides all these capabilities. We describe the design of the LLVM representation and compiler framework, and evaluate the design in three ways: (a) the size and effectiveness of the representation, including the type information it provides; (b) compiler performance for several interprocedural problems; and (c) illustrative examples of the benefits LLVM provides for several challenging compiler problems.},
author = {Lattner, Chris and Adve, Vikram},
booktitle = {Code Generation and Optimization, 2004. CGO 2004. International Symposium on},
doi = {10.1109/CGO.2004.1281665},
file = {:Users/mark/Documents/Mendeley Desktop//Lattner, Adve - 2004 - LLVM A compilation framework for lifelong program analysis {\&} transformation.pdf:pdf},
isbn = {0769521029},
issn = {1053587X},
number = {c},
organization = {IEEE},
pages = {75--86},
title = {{LLVM: A compilation framework for lifelong program analysis {\&} transformation}},
year = {2004}
}
@article{oehlert2005violating,
author = {Oehlert, Peter},
file = {:Users/mark/Documents/Mendeley Desktop/Oehlert - 2005 - Violating assumptions with fuzzing.pdf:pdf},
journal = {Security {\&} Privacy, IEEE},
number = {2},
pages = {58--62},
publisher = {IEEE},
title = {{Violating assumptions with fuzzing}},
volume = {3},
year = {2005}
}
@article{Vasilevskii1973,
author = {Vasilevskii, M. P.},
doi = {10.1007/BF01068590},
file = {:Users/mark/Documents/Mendeley Desktop/Vasilevskii - 1973 - Failure diagnosis of automata.pdf:pdf},
issn = {0011-4235},
journal = {Cybernetics},
number = {4},
pages = {653--665},
title = {{Failure diagnosis of automata}},
url = {http://link.springer.com/10.1007/BF01068590},
volume = {9},
year = {1973}
}
@inproceedings{Cho2011,
  title={MACE: Model-inference-Assisted Concolic Exploration for Protocol and Vulnerability Discovery.},
  author={Cho, Chia Yuan and Babic, Domagoj and Poosankam, Pongsin and Chen, Kevin Zhijie and Wu, Edward XueJun and Song, Dawn},
  booktitle={USENIX Security},
  pages={139--154},
  year={2011}
}
@INPROCEEDINGS{Duchene2012, 
author={F. Duchene and R. Groz and S. Rawat and J. L. Richier}, 
booktitle={Proc. of ICST}, 
title={XSS Vulnerability Detection Using Model Inference Assisted Evolutionary Fuzzing}, 
year={2012}, 
pages={815--817},
doi={10.1109/ICST.2012.181}, 
}
@inproceedings{Howar2013,
 author = {Howar, Falk and Giannakopoulou, Dimitra and Rakamari\'{c}, Zvonimir},
 title = {Hybrid Learning: Interface Generation Through Static, Dynamic, and Symbolic Analysis},
 booktitle = {Proc. of ISSTA},
 year = {2013},
 isbn = {978-1-4503-2159-4},
 location = {Lugano, Switzerland},
 pages = {268--279},
 numpages = {12},
 url = {http://doi.acm.org/10.1145/2483760.2483783},
 doi = {10.1145/2483760.2483783},
 acmid = {2483783},
 publisher = {ACM},
 address = {New York, NY, USA},
 keywords = {Concolic Execution, Dynamic Analysis, Interfaces, Learning, Software Components, Static Analysis},
}
@incollection{Giannakopoulou2012,
  title={Symbolic learning of component interfaces},
  author={Giannakopoulou, Dimitra and Rakamari{\'c}, Zvonimir and Raman, Vishwanath},
  booktitle={Static Analysis},
  pages={248--264},
  year={2012},
  publisher={Springer}
}
@Inbook{Peled1999,
author="Peled, Doron
and Vardi, Moshe Y.
and Yannakakis, Mihalis",
chapter="Black Box Checking",
title="Formal Methods for Protocol Engineering and Distributed Systems",
year="1999",
publisher="Springer US",
doi="10.1007/978-0-387-35578-8_13"
}