This is a nonexhaustive list of interesting papers and background materials. Any of these papers are acceptable to present in class, although some are short enough that they may require another paper as well. Feel free to suggest another paper that interests you! If there is a topic or area that you would like to investigate, you can let me know, and I can suggest additional papers of interest. You might look through the proceedings of ISSTA, ICSE, PLDI, FSE, ICST, ASPLOS, ICSM, ASE, ISMM, Middleware, ICPC, POPL, Usenix Security, Security and Privacy, CCS, SAS, or CAV.

Fuzzing & Symbolic Execution

• Angora: Efficient Fuzzing by Principled Search

• FuzzerGym: A Competitive Framework for Fuzzing and Learning

• EnFuzz: From Ensemble Learning to Ensemble Fuzzing

• Neuro-Symbolic Execution: The Feasibility of an Inductive Approach to Symbolic Execution

• NEZHA: Efficient Domain-Independent Differential Testing

• REST-ler: Automatic Intelligent REST API Fuzzing

• Learn&fuzz: Machine learning for input fuzzing

• Indexing Operators to Extend the Reach of Symbolic Execution

• Compiler Fuzzing through Deep Learning

• PerfFuzz: Automatically Generating Pathological Inputs

Offense & Defense

• oo7: Low-overhead Defense against Spectre Attacks via Binary Analysis

• Spectre Returns! Speculation Attacks using the Return Stack Buffer

• FORESHADOW: Extracting the Keys to the Intel SGX Kingdom with Transient Out-of-Order Execution

• NetSpectre: Read Arbitrary Memory over Network

• (State of) The Art of War: Offensive Techniques in Binary Analysis

• ASLR-Guard: Stopping Address Space Leakage for Code Reuse Attacks
  [https://github.com/sslab-gatech/aslr-guard]

• Your Exploit is Mine: Automatic Shellcode Transplant for Remote Exploits

• VTrust: Regaining Trust on Virtual Calls

• Boosting the Precision of Virtual Call Integrity Protection with Partial Pointer Analysis for C++

• Dynamic hooks: hiding control flow changes within non-control data

• Control Jujutsu: On the Weaknesses of Fine-Grained Control Flow Integrity

• SPAIN: Security Patch Analysis for Binaries - Towards Understanding the Pain and Pills

• A Compiler and Verifier for Page Access Oblivious Computation

• Symbolic Deobfuscation: From Virtualized Code Back to the Original

• Self-Hiding Behavior in Android Apps: Detection and Characterization

• Protecting Million-User iOS Apps with Obfuscation: Motivations, Pitfalls, and Experience

• Decomposition Instead of Self-Composition for Proving the Absence of Timing Channels

• Symbolic path cost analysis for side-channel detection

• Eliminating Timing Side-Channel Leaks using Program Repair

• CANAL: A Cache Timing Analysis Framework via LLVM Transformation

Bugs, Testing, Verification, & Repair

• Inferring Mutant Utility from Program Context

• Faster Mutation Analysis via Equivalence Modulo States

• Are Mutation Scores Correlated with Real Fault Detection?

• State of Mutation Testing at Google

• Evaluating and Improving Fault Localization
  [https://bitbucket.org/rjust/fault-localization-data]

• Neuro-Symbolic Program Repair for Correcting Introductory Programming Assignments

• Shaping Program Repair Space with Existing Patches and Similar Code

• An Empirical Study on TensorFlow Program Bugs

• Enlightened Debugging

• TARDIS: Affordable Time-Travel Debugging in Managed Runtimes

• DeepTest: Automated Testing of Deep-Neural-Network-driven Autonomous Cars

• An Empirical Study on TensorFlow Program Bugs

• Debugging Data Flows in Reactive Programs

• Debugging with Intelligence via Probabilistic Inference

• Robustness Testing of Autonomy Software

Smart Contracts

• MadMax: Surviving Out-of-Gas Conditions in Ethereum Smart Contracts

• Towards saving money in using smart contracts

• Securify: Practical Security Analysis of Smart Contracts

• Making Smart Contracts Smarter

Parallelism & Concurrency

• High-Coverage, Unbounded Sound Predictive Race Detection

• Bounding Data Races in Space and Time

• Efficient Concurrency-Bug Detection Across Inputs

• Directed synthesis of failing concurrent executions

Synthesis

• Learning Syntactic Program Transformations from Examples

• Scaling Enumerative Program Synthesis via Divide and Conquer

• FlashMeta: A Framework for Inductive Program Synthesis

• Interactive Program Synthesis

• Selecting Representative Examples for Program Synthesis

• Synthesizing highly expressive SQL queries from input-output examples

• Program Synthesis using Abstraction Refinement

• Program Synthesis using Conflict-Driven Learning

• Generalized Data Structure Synthesis

Learning

• Code Vectors: Understanding Programs Through Embedded Abstracted Symbolic Traces

• A General Path-Based Representation for Predicting Program Properties

• Are Deep Neural Networks the Best Choice for Modeling Source Code?

• AI²: Safety and Robustness Certification of Neural Networks with Abstract Interpretation

• Neuro-symbolic program corrector for introductory programming assignments

Static Analysis

• Symbolic Verification of Regular Properties

• Refining interprocedural change-impact analysis using equivalence relations

• Null Dereference Verification via Over-approximated Weakest Pre-conditions Analysis

• Lightweight detection of physical unit inconsistencies without program annotations

• Path-Sensitive Data Flow Analysis Simplified

• Precise Data Flow Analysis in the Presence of Correlated Method Calls

• Context Transformations for Pointer Analysis

• Securing a Compiler Transformation

• Upper and Lower Amortized Cost Bounds of Programs Expressed as Cost Relations

• Context-Sensitive Data-Dependence Analysis via Linear Conjunctive Language Reachability

Performance

• Performance Diagnosis for Inefficient Loops

• PerfRanker: prioritization of performance regression tests for collection-intensive software

• REMIX: Online Detection and Repair of Cache Contention for the JVM

• BOLT: A Practical Binary Optimizer for Data Centers and Beyond

• Leveraging Program Analysis to Reduce User-Perceived Latency in Mobile Applications

• Speedoo: Prioritizing Performance Optimization Opportunities

Mobile

• A SEALANT for Inter-App Security Holes in Android

• Automatic Generation of Inter-Component Communication Exploits for Android Applications

• µDroid: An Energy-Aware Mutation Testing Framework for Android

• Systematic Execution of Android Test Suites in Adverse Conditions

Web

• BLeak: Automatically Debugging Memory Leaks in Web Applications

• ReDeCheck: An Automatic Layout Failure Checking Tool for Responsively Designed Web Pages

• Automated Repair of Layout Cross Browser Issues using Search-Based Techniques
  [https://github.com/sonalmahajan/xfix]

• Test Execution Checkpointing for Web Applications

• ZenIDS: Introspective Intrusion Detection for PHP Applications

• To Type or Not to Type: Quantifying Preventable Bugs in JavaScript

Similarity

• BinGo: Cross-Architecture Cross-OS Binary Search

• Cross-Architecture Bug Search in Binary Executables

• Similarity of Binaries through re-Optimization

• Winnowing: Local Algorithms for Document Fingerprinting

Misc.

• TRAVIOLI: A Dynamic Analysis for Detecting Data-Structure Traversals

• Hierarchical Program Paths

• Low Overhead Dynamic Binary Translation on ARM

• Instruction Punning: Lightweight Instrumentation for x86-64