langston-barrett/czz
Whole-program, Scheme-scriptable, multi-language, coverage-guided fuzzer
https://langston-barrett.github.io/czz/
MIT License
doc: Research directions #89
Open
langston-barrett opened 2 years ago
langston-barrett commented 2 years ago
Integrate symbolic data
Concolic testing
Soundness checking for (whole-program) static analysis
Guiding fuzzer towards bugs with under-constrained symex (UC-Crux) or static analysis
API usage checking a la CogniCrypt, specs with state machines or via LTL
Data-oriented "coverage" (feedback), e.g., is a function parameter null or not? zero or not?