University of Minnesota
Program Analysis for Security

Symbolic execution, part 2

David Brumley, Juan Caballero, Zhenkai Liang, James Newsome, and Dawn Song. “Towards automatic discovery of deviations in binary implementations with applications to error detection and fingerprint generation”. In USENIX Security Symposium, pages 213-228, Boston, MA, USA, August 2007.
[USENIX]

Vitaly Chipounov, Volodymyr Kuznetsov, and George Candea. “S2E: a platform for in-vivo multi-path analysis of software systems”. In Architectural Support for Programming Languages and Operating Systems (ASPLOS), pages 265-278, Newport Beach, CA, USA, March 2011.
[ACM]

Question: The S2E paper describes a number of applications of S2E, including three detailed case studies and four further ideas mentioned in Section 6.1.4. Several of these applications are related to security, but arguably they are all "defensive" or "white-hat" applications: in other words, they are techniques described to help "the good guys" (who may be the developers of the software) prevent attacks.

The converse kinds of applications would be called "offensive", or "black-hat": techniques that have no value in defending a system, but could be used by an adversary who was trying to compromise security or get some illicit effect. Give an example of an offensive application of S2E.

Optional

Vijay Ganesh and David L. Dill. “A decision procedure for bit-vectors and arrays”. In Computer Aided Verification (CAV), pages 519-531, Berlin, Germany, July 2007.
[Springer]

Much of the power of symbolic execution engines comes from the decision procedures they use. Lest those tools seem magic, this paper describes the workings of STP, the tool used in many symbolic execution systems.

Stefan Bucur, Vlad Ureche, Cristian Zamfir, and George Candea. “Parallel symbolic execution for automated real-world software testing”. In ACM European Conference on Computer Systems (EuroSys), pages 183-198, Salzburg, Austria, April 2011.
[ACM]

From the same research group as the S2E paper in the main readings, this paper describes two major enhancements over KLEE that improve scalability: parallel search and an improved system environment model.

Ella Bounimova, Patrice Godefroid, and David Molnar. “Billions and billions of constraints: Whitebox fuzz testing in production”. Technical Report MSR-TR-2012-55, Microsoft Research, May 2012.
[Microsoft]

This fairly recent tech report talks about the scaling experiences with MSR's SAGE system, one of the most impressive industrial applications of symbolic execution.