BINSEC has a paper by Josselin Feist & al. accepted at SSPREW called Finding the Needle in the Heap: Combining Static Analysis and Dynamic Symbolic Execution to Trigger Use-After-Free.
Here is the abstract:
This paper presents a fully automated technique to find and trigger Use-After-Free vulnerabilities (UAF) on binary code. The approach combines a static analyzer and a dynamic symbolic execution engine. We also introduce several original heuristics for the dynamic symbolic execution part, speeding up the exploration and making this combination effective in practice . The tool we developed is open-source, and it has successfully been applied on real world vulnerabilities. As an example, we detail a proof-of-concept exploit triggering a previously unknown vulnerability on JasPer leading to the CVE-2015-5221