Directed Whitebox Fuzzing [ICSE'09] Taint-based Directed Whitebox Fuzzing [paper] [S&P'10] TaintScope: A Checksum-Aware Directed Fuzzing Tool for Automatic Software Vulnerability Detection [paper] [SAS'11] Directed symbolic execution [paper] [ICSE'12] BugRedux: Reproducing Field Failures for In-house Debugging [paper] [Thesis'12] Hybrid Fuzz Testing: Discovering Software Bugs via Fuzzing and Symbolic Execution [paper] [FSE'13] KATCH: High-Coverage Testing of Software Patches [paper] [TOSEM'14] Directed Incremental Symbolic Execution [paper] [ICSE'15] Hercules: Reproducing Crashes in Real-World Application Binaries [paper] [ICSE'16] Guiding Dynamic Symbolic Execution toward Unverified Program Executions [paper] [TASE'16] SeededFuzz: Selecting and Generating Seeds for Directed Fuzzing [paper] [SAC'18] Improving Function Coverage with Munch: A Hybrid Fuzzing and Directed Symbolic Execution Approach [paper]