David Brumley, Juan Caballero, Zhenkai Liang, James Newsome, and Dawn Song. "Towards automatic discovery of deviations in binary implementations with applications to error detection and fingerprint generation". In USENIX Security Symposium, pages 213-228, Boston, MA, USA, August 2007.
[USENIX]
Vitaly Chipounov, Volodymyr Kuznetsov, and George Candea. "S2E: a platform for in-vivo multi-path analysis of software systems". In Architectural Support for Programming Languages and Operating Systems (ASPLOS), pages 265-278, Newport Beach, CA, USA, March 2011.
[ACM]
Question: The S2E paper describes a number of applications of S2E, including three detailed case studies and four further ideas mentioned in Section 6.1.4. Several of these applications are related to security, but arguably they are all "defensive" or "white-hat" applications: in other words, they are described as techniques that help "the good guys" (who may be the developers of the software) prevent attacks.
The converse kind of application would be called "offensive" or "black-hat": a technique that has no value in defending a system, but could be used by an adversary who is trying to compromise security or obtain some illicit effect. Give an example of an offensive application of S2E.
Vijay Ganesh and David L. Dill. "A decision procedure for bit-vectors and arrays". In Computer Aided Verification (CAV), pages 519-531, Berlin, Germany, July 2007.
[Springer]
Much of the power of symbolic execution engines comes from the decision procedures they use. Lest those tools seem magic, this paper describes the workings of STP, the tool used in many symbolic execution systems.
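To make concrete what a symbolic execution engine actually hands to a decision procedure like STP, here is an added example (not from the paper or from STP's own distribution) of a path constraint written in the SMT-LIB 2 format that STP accepts (assumed: via its --SMTLIB2 command-line option; Z3 and other SMT-LIB solvers read the same file). The query models the "true" branch of a hypothetical check `if ((uint32_t)le32(buf) * 0x9e3779b1 == 0xdeadbeef)` over a 4-byte input buffer: memory is an array from 32-bit addresses to bytes, the load is a little-endian concatenation of four `select`s, and the branch condition is a bit-vector equation. The multiplier is odd, so it is invertible modulo 2^32 and the query is satisfiable with exactly one value of the 32-bit load; a random fuzzer would essentially never hit this branch, while the solver returns the required bytes directly.

```smtlib
; Added example: path constraint in QF_ABV (quantifier-free arrays + bit-vectors),
; the theory combination STP decides. Hypothetical program, not from the paper.
(set-logic QF_ABV)

; Symbolic input buffer: memory modeled as Array[32-bit address -> 8-bit byte].
(declare-fun buf () (Array (_ BitVec 32) (_ BitVec 8)))

; x = *(uint32_t *)buf, little-endian: byte 3 is the most significant.
(define-fun x () (_ BitVec 32)
  (concat (select buf #x00000003)
          (concat (select buf #x00000002)
                  (concat (select buf #x00000001)
                          (select buf #x00000000)))))

; Path condition for taking the "true" branch of
;   if (x * 0x9e3779b1 == 0xdeadbeef)   (32-bit wraparound multiply)
(assert (= (bvmul x #x9e3779b1) #xdeadbeef))

; Ask the solver for a satisfying input; a real engine then writes the
; returned bytes into a test case that drives the program down this path.
(check-sat)
(get-model)
```

Run with `stp --SMTLIB2 path.smt2` (assumed option name) or `z3 path.smt2`; the solver prints `sat` followed by a model assigning the four array cells. Adding a second assertion that contradicts the first (for example the same product equal to a different constant) makes the query `unsat`, which is how an engine prunes infeasible paths instead of exploring them.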
Stefan Bucur, Vlad Ureche, Cristian Zamfir, and George Candea. "Parallel symbolic execution for automated real-world software testing". In ACM European Conference on Computer Systems (EuroSys), pages 183-198, Salzburg, Austria, April 2011.
[ACM]
From the same research group as the S2E paper in the main readings, this paper describes two major enhancements over KLEE that improve scalability: parallel search and an improved system environment model.
Ella Bounimova, Patrice Godefroid, and David Molnar. "Billions and billions of constraints: Whitebox fuzz testing in production". Technical Report MSR-TR-2012-55, Microsoft Research, May 2012.
[Microsoft]
This fairly recent tech report describes the scaling experiences with MSR's SAGE system, one of the most impressive industrial applications of symbolic execution.