Team bi0s
Amrita Center for Cybersecurity,
Amritapuri
Selective Symbolic Execution
Shivkrishna Anil
Agenda
● Introduction
● S2E
● Analysing a simple program
● Demo Video
@shivnambiar1
● Member of Team bi0s
● Final Year Computer Science student at Amrita University
● Focuses on Memory Forensics, Disk Forensics and
Steganography
● Working on a plugin for S2E
Symbolic??
● Analyzing a program to determine inputs that cause a part of
a program to execute
● S2E, Angr, Mayhem, Triton, KLEE
● Useful for generating test cases with exhaustive code
coverage
● Works on obfuscated binaries
Path Constraints
Example of Symbolic Execution: https://goo.gl/qqv6Pw
S2E
● Selective Symbolic Execution
● Automated path explorer with modular path analyzers
● S2E - A platform for developing multi-path in-vivo analysis
tools
● Contender for CGC 2016
● Emulates an entire virtual machine instead of an executable
● Random path selection and DFS
Why S2E?
● A technique for creating the illusion of full system symbolic
execution, while symbolically running only the code that is of
interest to the developer
● Can interact with the environment
● Input can switch from symbolic to concrete domain and vice
versa
Comparison
● Works for very large programs like a whole Windows stack
frame
● Implemented at the kernel level
● Does not exhaust system resources compared to other
symbolic engines
The Working of Transition
Multi-path / Single-path execution: http://s2e.epfl.ch/images/s2e-sel.png
S2E Architecture
S2E Architecture: http://s2e.epfl.ch/images/s2e-vm.png
Code Walkthrough
Code Walkthrough (contd)
Tree Diagram
Input Set of all characters
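The walkthrough code and tree image are not reproduced in this text, so the following is an added example (not from the original slides or from S2E) of how path constraints split the input set of all characters. It assumes a constructed one-byte program, PROGRAM, with hypothetical branch labels, and it enumerates byte values directly where a real engine would query a constraint solver.

```python
# Added example: a toy single-byte path explorer, not S2E code.
# The program under test, its labels and PROGRAM itself are constructed here.
from dataclasses import dataclass

ALL_CHARS = frozenset(range(256))  # initial input set: every possible byte

# Program as a decision tree over one input byte c:
#   ("branch", label, predicate, then_node, else_node) or ("leaf", name)
PROGRAM = (
    "branch", "c is a digit", lambda c: 0x30 <= c <= 0x39,
    ("branch", "c is even", lambda c: c % 2 == 0,
        ("leaf", "even_digit"),
        ("leaf", "odd_digit")),
    ("branch", "c is lowercase", lambda c: 0x61 <= c <= 0x7A,
        # The then-side below is infeasible once "c is lowercase" holds.
        ("branch", "c < 'a'", lambda c: c < 0x61,
            ("leaf", "unreachable"),
            ("leaf", "lowercase")),
        ("leaf", "other")),
)


@dataclass(frozen=True)
class PathResult:
    leaf: str              # which block of the program the path ends in
    constraints: tuple     # path constraint as a conjunction of labels
    feasible: frozenset    # all byte values that satisfy the constraint
    witness: int           # one concrete test input for this path


def explore(program, domain=ALL_CHARS):
    """Depth-first multi-path exploration. Returns (results, fork_count)."""
    results, forks = [], 0
    stack = [(program, domain, ())]
    while stack:
        node, feasible, constraints = stack.pop()
        if node[0] == "leaf":
            results.append(
                PathResult(node[1], constraints, feasible, min(feasible)))
            continue
        _, label, pred, then_node, else_node = node
        taken = frozenset(c for c in feasible if pred(c))
        not_taken = feasible - taken
        if taken and not_taken:
            forks += 1  # both sides satisfiable: the state is duplicated
        # Push the else-side first so the then-side is explored first (DFS).
        if not_taken:
            stack.append((else_node, not_taken,
                          constraints + ("not (%s)" % label,)))
        if taken:
            stack.append((then_node, taken, constraints + (label,)))
    return results, forks


def run_concrete(program, c):
    """Single-path execution: follow one concrete byte to its leaf."""
    node = program
    while node[0] == "branch":
        node = node[3] if node[2](c) else node[4]
    return node[1]


if __name__ == "__main__":
    results, forks = explore(PROGRAM)
    for r in results:
        print("%-11s witness=%3d  |inputs|=%3d  %s" % (
            r.leaf, r.witness, len(r.feasible), " and ".join(r.constraints)))
    print("forks:", forks)
```

Each leaf's feasible set is one partition of the 256 possible characters, and its witness is a ready-made test case for that path. The fork counter grows with every branch where both sides are satisfiable, which is the state growth behind the memory limitation listed later in the slides.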
Live Demo
Limitations
● Exhausts memory when state forking increases considerably
● At most 2 arguments can be passed
● S2E can only run on a shared-memory architecture
● Code coverage is low as it doesn't consider under-constrained
and over-constrained symbols
Further Reading
● S2E: A Platform for In-Vivo Multi-Path Analysis of Software
Systems
● Selective Symbolic Execution
● A Survey of Symbolic Execution Techniques
Questions??
17

More Related Content

What's hot

AntiVirus Evasion Reconstructed - Veil 3.0
AntiVirus Evasion Reconstructed - Veil 3.0AntiVirus Evasion Reconstructed - Veil 3.0
AntiVirus Evasion Reconstructed - Veil 3.0CTruncer
 
The Supporting Role of Antivirus Evasion while Persisting
The Supporting Role of Antivirus Evasion while PersistingThe Supporting Role of Antivirus Evasion while Persisting
The Supporting Role of Antivirus Evasion while PersistingCTruncer
 
Distributed app development with nodejs and zeromq
Distributed app development with nodejs and zeromqDistributed app development with nodejs and zeromq
Distributed app development with nodejs and zeromqRuben Tan
 
Introduction to Ewasm - crosslink taipei 2019
Introduction to Ewasm - crosslink taipei 2019Introduction to Ewasm - crosslink taipei 2019
Introduction to Ewasm - crosslink taipei 2019hydai
 
Native client (Евгений Эльцин)
Native client (Евгений Эльцин)Native client (Евгений Эльцин)
Native client (Евгений Эльцин)Ontico
 
Leveraging zeromq for node.js
Leveraging zeromq for node.jsLeveraging zeromq for node.js
Leveraging zeromq for node.jsRuben Tan
 
The State of the Veil Framework
The State of the Veil FrameworkThe State of the Veil Framework
The State of the Veil FrameworkVeilFramework
 
The Saga of JavaScript and Typescript: in Deno land
The Saga of JavaScript and Typescript: in Deno landThe Saga of JavaScript and Typescript: in Deno land
The Saga of JavaScript and Typescript: in Deno landHaci Murat Yaman
 
Hacking - Breaking Into It
Hacking - Breaking Into ItHacking - Breaking Into It
Hacking - Breaking Into ItCTruncer
 
Introduction to ZeroMQ - eSpace TechTalk
Introduction to ZeroMQ - eSpace TechTalkIntroduction to ZeroMQ - eSpace TechTalk
Introduction to ZeroMQ - eSpace TechTalkMahmoud Said
 
Appium & Robot Framework
Appium & Robot FrameworkAppium & Robot Framework
Appium & Robot FrameworkFurkan Ertürk
 
Debugging NET Applications With WinDBG
Debugging  NET Applications With WinDBGDebugging  NET Applications With WinDBG
Debugging NET Applications With WinDBGCory Foy
 
An EyeWitness View into your Network
An EyeWitness View into your NetworkAn EyeWitness View into your Network
An EyeWitness View into your NetworkCTruncer
 
LibreOffice oss-fuzz, crashtesting, coverity
LibreOffice oss-fuzz, crashtesting, coverityLibreOffice oss-fuzz, crashtesting, coverity
LibreOffice oss-fuzz, crashtesting, coverityCaolán McNamara
 
Swift for back end: A new generation of full stack languages?
Swift for back end: A new generation of full stack languages?Swift for back end: A new generation of full stack languages?
Swift for back end: A new generation of full stack languages?Koombea
 
The Art of AV Evasion - Or Lack Thereof
The Art of AV Evasion - Or Lack ThereofThe Art of AV Evasion - Or Lack Thereof
The Art of AV Evasion - Or Lack ThereofCTruncer
 

What's hot (20)

AntiVirus Evasion Reconstructed - Veil 3.0
AntiVirus Evasion Reconstructed - Veil 3.0AntiVirus Evasion Reconstructed - Veil 3.0
AntiVirus Evasion Reconstructed - Veil 3.0
 
I believe in rust
I believe in rustI believe in rust
I believe in rust
 
The Supporting Role of Antivirus Evasion while Persisting
The Supporting Role of Antivirus Evasion while PersistingThe Supporting Role of Antivirus Evasion while Persisting
The Supporting Role of Antivirus Evasion while Persisting
 
Distributed app development with nodejs and zeromq
Distributed app development with nodejs and zeromqDistributed app development with nodejs and zeromq
Distributed app development with nodejs and zeromq
 
Introduction to Ewasm - crosslink taipei 2019
Introduction to Ewasm - crosslink taipei 2019Introduction to Ewasm - crosslink taipei 2019
Introduction to Ewasm - crosslink taipei 2019
 
Native client (Евгений Эльцин)
Native client (Евгений Эльцин)Native client (Евгений Эльцин)
Native client (Евгений Эльцин)
 
Leveraging zeromq for node.js
Leveraging zeromq for node.jsLeveraging zeromq for node.js
Leveraging zeromq for node.js
 
The State of the Veil Framework
The State of the Veil FrameworkThe State of the Veil Framework
The State of the Veil Framework
 
JavaScript Unit Testing
JavaScript Unit TestingJavaScript Unit Testing
JavaScript Unit Testing
 
JavaScript Unit Testing
JavaScript Unit TestingJavaScript Unit Testing
JavaScript Unit Testing
 
The Saga of JavaScript and Typescript: in Deno land
The Saga of JavaScript and Typescript: in Deno landThe Saga of JavaScript and Typescript: in Deno land
The Saga of JavaScript and Typescript: in Deno land
 
Hacking - Breaking Into It
Hacking - Breaking Into ItHacking - Breaking Into It
Hacking - Breaking Into It
 
Introduction to ZeroMQ - eSpace TechTalk
Introduction to ZeroMQ - eSpace TechTalkIntroduction to ZeroMQ - eSpace TechTalk
Introduction to ZeroMQ - eSpace TechTalk
 
Appium & Robot Framework
Appium & Robot FrameworkAppium & Robot Framework
Appium & Robot Framework
 
Automate Yo' Self
Automate Yo' SelfAutomate Yo' Self
Automate Yo' Self
 
Debugging NET Applications With WinDBG
Debugging  NET Applications With WinDBGDebugging  NET Applications With WinDBG
Debugging NET Applications With WinDBG
 
An EyeWitness View into your Network
An EyeWitness View into your NetworkAn EyeWitness View into your Network
An EyeWitness View into your Network
 
LibreOffice oss-fuzz, crashtesting, coverity
LibreOffice oss-fuzz, crashtesting, coverityLibreOffice oss-fuzz, crashtesting, coverity
LibreOffice oss-fuzz, crashtesting, coverity
 
Swift for back end: A new generation of full stack languages?
Swift for back end: A new generation of full stack languages?Swift for back end: A new generation of full stack languages?
Swift for back end: A new generation of full stack languages?
 
The Art of AV Evasion - Or Lack Thereof
The Art of AV Evasion - Or Lack ThereofThe Art of AV Evasion - Or Lack Thereof
The Art of AV Evasion - Or Lack Thereof
 

Similar to S2 e (selective symbolic execution) -shivkrishna a

Study of the dynamic behavior of a pump with Code_ASTER on Simulagora
Study of the dynamic behavior of a pump with Code_ASTER on SimulagoraStudy of the dynamic behavior of a pump with Code_ASTER on Simulagora
Study of the dynamic behavior of a pump with Code_ASTER on SimulagoraLogilab
 
Srikanth_PILLI_CV_latest
Srikanth_PILLI_CV_latestSrikanth_PILLI_CV_latest
Srikanth_PILLI_CV_latestSrikanth Pilli
 
Agile Secure Development
Agile Secure DevelopmentAgile Secure Development
Agile Secure DevelopmentBosnia Agile
 
Serverless java
Serverless   javaServerless   java
Serverless javaVishwas N
 
Unit testing for ext js apps using sencha test - Walkingtree Technologies
Unit testing for ext js apps using sencha test - Walkingtree TechnologiesUnit testing for ext js apps using sencha test - Walkingtree Technologies
Unit testing for ext js apps using sencha test - Walkingtree TechnologiesWalking Tree Technologies
 
Introduction to Test Execution Automation Framework for Embedded Systems
Introduction to Test Execution Automation Framework for Embedded SystemsIntroduction to Test Execution Automation Framework for Embedded Systems
Introduction to Test Execution Automation Framework for Embedded SystemsHiroshiMisawa
 
Reliable mobile test automation
Reliable mobile test automationReliable mobile test automation
Reliable mobile test automationVishal Banthia
 
Why we decided on RSA Security Analytics for network visibility
Why we decided on RSA Security Analytics for network visibilityWhy we decided on RSA Security Analytics for network visibility
Why we decided on RSA Security Analytics for network visibilityRecruit Technologies
 
EclipseCon Eu 2015 - Breathe life into your Designer!
EclipseCon Eu 2015 - Breathe life into your Designer!EclipseCon Eu 2015 - Breathe life into your Designer!
EclipseCon Eu 2015 - Breathe life into your Designer!melbats
 
UC18NA-D3D202-Dianomic-IZoratti-Introduction-To-FogLAMP.pdf
UC18NA-D3D202-Dianomic-IZoratti-Introduction-To-FogLAMP.pdfUC18NA-D3D202-Dianomic-IZoratti-Introduction-To-FogLAMP.pdf
UC18NA-D3D202-Dianomic-IZoratti-Introduction-To-FogLAMP.pdfWlamir Molinari
 
Sydney mule soft meetup 30 april 2020
Sydney mule soft meetup   30 april 2020Sydney mule soft meetup   30 april 2020
Sydney mule soft meetup 30 april 2020Royston Lobo
 
ElasTest presentation in MadridJUG (Madrid December 2017)
ElasTest presentation in MadridJUG (Madrid December 2017)ElasTest presentation in MadridJUG (Madrid December 2017)
ElasTest presentation in MadridJUG (Madrid December 2017)ElasTest Project
 
No liftoff, touchdown, or heartbeat shall miss because of a software failure
No liftoff, touchdown, or heartbeat shall miss because of a software failureNo liftoff, touchdown, or heartbeat shall miss because of a software failure
No liftoff, touchdown, or heartbeat shall miss because of a software failureRogue Wave Software
 
Configuration Management and Deployment
Configuration Management and DeploymentConfiguration Management and Deployment
Configuration Management and DeploymentSomnathMore3
 
DevOps / Agile Tools Seminar 2013
DevOps / Agile Tools Seminar 2013DevOps / Agile Tools Seminar 2013
DevOps / Agile Tools Seminar 2013Ethan Ram
 
IMA/Thales SceneGate Viewer for OpenSimulator Presentation at OSCC19
IMA/Thales SceneGate Viewer for OpenSimulator Presentation at OSCC19IMA/Thales SceneGate Viewer for OpenSimulator Presentation at OSCC19
IMA/Thales SceneGate Viewer for OpenSimulator Presentation at OSCC19Lisa Laxton
 
GitLab Commit DevOps: How GitLab Can Save your Kubernetes environment from Be...
GitLab Commit DevOps: How GitLab Can Save your Kubernetes environment from Be...GitLab Commit DevOps: How GitLab Can Save your Kubernetes environment from Be...
GitLab Commit DevOps: How GitLab Can Save your Kubernetes environment from Be...Nico Meisenzahl
 
BKK16-110 A Gentle Introduction to Trusted Execution and OP-TEE
BKK16-110 A Gentle Introduction to Trusted Execution and OP-TEEBKK16-110 A Gentle Introduction to Trusted Execution and OP-TEE
BKK16-110 A Gentle Introduction to Trusted Execution and OP-TEELinaro
 

Similar to S2 e (selective symbolic execution) -shivkrishna a (20)

Study of the dynamic behavior of a pump with Code_ASTER on Simulagora
Study of the dynamic behavior of a pump with Code_ASTER on SimulagoraStudy of the dynamic behavior of a pump with Code_ASTER on Simulagora
Study of the dynamic behavior of a pump with Code_ASTER on Simulagora
 
ElasTest Webinar
ElasTest WebinarElasTest Webinar
ElasTest Webinar
 
Srikanth_PILLI_CV_latest
Srikanth_PILLI_CV_latestSrikanth_PILLI_CV_latest
Srikanth_PILLI_CV_latest
 
Agile Secure Development
Agile Secure DevelopmentAgile Secure Development
Agile Secure Development
 
Serverless java
Serverless   javaServerless   java
Serverless java
 
Unit testing for ext js apps using sencha test - Walkingtree Technologies
Unit testing for ext js apps using sencha test - Walkingtree TechnologiesUnit testing for ext js apps using sencha test - Walkingtree Technologies
Unit testing for ext js apps using sencha test - Walkingtree Technologies
 
Introduction to Test Execution Automation Framework for Embedded Systems
Introduction to Test Execution Automation Framework for Embedded SystemsIntroduction to Test Execution Automation Framework for Embedded Systems
Introduction to Test Execution Automation Framework for Embedded Systems
 
Reliable mobile test automation
Reliable mobile test automationReliable mobile test automation
Reliable mobile test automation
 
Building APIs with Mule and Spring Boot
Building APIs with Mule and Spring BootBuilding APIs with Mule and Spring Boot
Building APIs with Mule and Spring Boot
 
Why we decided on RSA Security Analytics for network visibility
Why we decided on RSA Security Analytics for network visibilityWhy we decided on RSA Security Analytics for network visibility
Why we decided on RSA Security Analytics for network visibility
 
EclipseCon Eu 2015 - Breathe life into your Designer!
EclipseCon Eu 2015 - Breathe life into your Designer!EclipseCon Eu 2015 - Breathe life into your Designer!
EclipseCon Eu 2015 - Breathe life into your Designer!
 
UC18NA-D3D202-Dianomic-IZoratti-Introduction-To-FogLAMP.pdf
UC18NA-D3D202-Dianomic-IZoratti-Introduction-To-FogLAMP.pdfUC18NA-D3D202-Dianomic-IZoratti-Introduction-To-FogLAMP.pdf
UC18NA-D3D202-Dianomic-IZoratti-Introduction-To-FogLAMP.pdf
 
Sydney mule soft meetup 30 april 2020
Sydney mule soft meetup   30 april 2020Sydney mule soft meetup   30 april 2020
Sydney mule soft meetup 30 april 2020
 
ElasTest presentation in MadridJUG (Madrid December 2017)
ElasTest presentation in MadridJUG (Madrid December 2017)ElasTest presentation in MadridJUG (Madrid December 2017)
ElasTest presentation in MadridJUG (Madrid December 2017)
 
No liftoff, touchdown, or heartbeat shall miss because of a software failure
No liftoff, touchdown, or heartbeat shall miss because of a software failureNo liftoff, touchdown, or heartbeat shall miss because of a software failure
No liftoff, touchdown, or heartbeat shall miss because of a software failure
 
Configuration Management and Deployment
Configuration Management and DeploymentConfiguration Management and Deployment
Configuration Management and Deployment
 
DevOps / Agile Tools Seminar 2013
DevOps / Agile Tools Seminar 2013DevOps / Agile Tools Seminar 2013
DevOps / Agile Tools Seminar 2013
 
IMA/Thales SceneGate Viewer for OpenSimulator Presentation at OSCC19
IMA/Thales SceneGate Viewer for OpenSimulator Presentation at OSCC19IMA/Thales SceneGate Viewer for OpenSimulator Presentation at OSCC19
IMA/Thales SceneGate Viewer for OpenSimulator Presentation at OSCC19
 
GitLab Commit DevOps: How GitLab Can Save your Kubernetes environment from Be...
GitLab Commit DevOps: How GitLab Can Save your Kubernetes environment from Be...GitLab Commit DevOps: How GitLab Can Save your Kubernetes environment from Be...
GitLab Commit DevOps: How GitLab Can Save your Kubernetes environment from Be...
 
BKK16-110 A Gentle Introduction to Trusted Execution and OP-TEE
BKK16-110 A Gentle Introduction to Trusted Execution and OP-TEEBKK16-110 A Gentle Introduction to Trusted Execution and OP-TEE
BKK16-110 A Gentle Introduction to Trusted Execution and OP-TEE
 

More from Cysinfo Cyber Security Community

Understanding Malware Persistence Techniques by Monnappa K A
Understanding Malware Persistence Techniques by Monnappa K AUnderstanding Malware Persistence Techniques by Monnappa K A
Understanding Malware Persistence Techniques by Monnappa K ACysinfo Cyber Security Community
 
Understanding & analyzing obfuscated malicious web scripts by Vikram Kharvi
Understanding & analyzing obfuscated malicious web scripts by Vikram KharviUnderstanding & analyzing obfuscated malicious web scripts by Vikram Kharvi
Understanding & analyzing obfuscated malicious web scripts by Vikram KharviCysinfo Cyber Security Community
 
Getting started with cybersecurity through CTFs by Shruti Dixit & Geethna TK
Getting started with cybersecurity through CTFs by Shruti Dixit & Geethna TKGetting started with cybersecurity through CTFs by Shruti Dixit & Geethna TK
Getting started with cybersecurity through CTFs by Shruti Dixit & Geethna TKCysinfo Cyber Security Community
 
A look into the sanitizer family (ASAN & UBSAN) by Akul Pillai
A look into the sanitizer family (ASAN & UBSAN) by Akul PillaiA look into the sanitizer family (ASAN & UBSAN) by Akul Pillai
A look into the sanitizer family (ASAN & UBSAN) by Akul PillaiCysinfo Cyber Security Community
 
Reversing and Decrypting Malware Communications by Monnappa
Reversing and Decrypting Malware Communications by MonnappaReversing and Decrypting Malware Communications by Monnappa
Reversing and Decrypting Malware Communications by MonnappaCysinfo Cyber Security Community
 
Understanding evasive hollow process injection techniques monnappa k a
Understanding evasive hollow process injection techniques   	monnappa k aUnderstanding evasive hollow process injection techniques   	monnappa k a
Understanding evasive hollow process injection techniques monnappa k aCysinfo Cyber Security Community
 
Security challenges in d2d communication by ajithkumar vyasarao
Security challenges in d2d communication  by ajithkumar vyasaraoSecurity challenges in d2d communication  by ajithkumar vyasarao
Security challenges in d2d communication by ajithkumar vyasaraoCysinfo Cyber Security Community
 

More from Cysinfo Cyber Security Community (20)

Understanding Malware Persistence Techniques by Monnappa K A
Understanding Malware Persistence Techniques by Monnappa K AUnderstanding Malware Persistence Techniques by Monnappa K A
Understanding Malware Persistence Techniques by Monnappa K A
 
Understanding & analyzing obfuscated malicious web scripts by Vikram Kharvi
Understanding & analyzing obfuscated malicious web scripts by Vikram KharviUnderstanding & analyzing obfuscated malicious web scripts by Vikram Kharvi
Understanding & analyzing obfuscated malicious web scripts by Vikram Kharvi
 
Getting started with cybersecurity through CTFs by Shruti Dixit & Geethna TK
Getting started with cybersecurity through CTFs by Shruti Dixit & Geethna TKGetting started with cybersecurity through CTFs by Shruti Dixit & Geethna TK
Getting started with cybersecurity through CTFs by Shruti Dixit & Geethna TK
 
Emerging Trends in Cybersecurity by Amar Prusty
Emerging Trends in Cybersecurity by Amar PrustyEmerging Trends in Cybersecurity by Amar Prusty
Emerging Trends in Cybersecurity by Amar Prusty
 
A look into the sanitizer family (ASAN & UBSAN) by Akul Pillai
A look into the sanitizer family (ASAN & UBSAN) by Akul PillaiA look into the sanitizer family (ASAN & UBSAN) by Akul Pillai
A look into the sanitizer family (ASAN & UBSAN) by Akul Pillai
 
Closer look at PHP Unserialization by Ashwin Shenoi
Closer look at PHP Unserialization by Ashwin ShenoiCloser look at PHP Unserialization by Ashwin Shenoi
Closer look at PHP Unserialization by Ashwin Shenoi
 
Unicorn: The Ultimate CPU Emulator by Akshay Ajayan
Unicorn: The Ultimate CPU Emulator by Akshay AjayanUnicorn: The Ultimate CPU Emulator by Akshay Ajayan
Unicorn: The Ultimate CPU Emulator by Akshay Ajayan
 
The Art of Executing JavaScript by Akhil Mahendra
The Art of Executing JavaScript by Akhil MahendraThe Art of Executing JavaScript by Akhil Mahendra
The Art of Executing JavaScript by Akhil Mahendra
 
Reversing and Decrypting Malware Communications by Monnappa
Reversing and Decrypting Malware Communications by MonnappaReversing and Decrypting Malware Communications by Monnappa
Reversing and Decrypting Malware Communications by Monnappa
 
DeViL - Detect Virtual Machine in Linux by Sreelakshmi
DeViL - Detect Virtual Machine in Linux by SreelakshmiDeViL - Detect Virtual Machine in Linux by Sreelakshmi
DeViL - Detect Virtual Machine in Linux by Sreelakshmi
 
Analysis of android apk using adhrit by Abhishek J.M
 Analysis of android apk using adhrit by Abhishek J.M Analysis of android apk using adhrit by Abhishek J.M
Analysis of android apk using adhrit by Abhishek J.M
 
Understanding evasive hollow process injection techniques monnappa k a
Understanding evasive hollow process injection techniques   	monnappa k aUnderstanding evasive hollow process injection techniques   	monnappa k a
Understanding evasive hollow process injection techniques monnappa k a
 
Security challenges in d2d communication by ajithkumar vyasarao
Security challenges in d2d communication  by ajithkumar vyasaraoSecurity challenges in d2d communication  by ajithkumar vyasarao
Security challenges in d2d communication by ajithkumar vyasarao
 
Dynamic binary analysis using angr siddharth muralee
Dynamic binary analysis using angr   siddharth muraleeDynamic binary analysis using angr   siddharth muralee
Dynamic binary analysis using angr siddharth muralee
 
Bit flipping attack on aes cbc - ashutosh ahelleya
Bit flipping attack on aes cbc -	ashutosh ahelleyaBit flipping attack on aes cbc -	ashutosh ahelleya
Bit flipping attack on aes cbc - ashutosh ahelleya
 
Security Analytics using ELK stack
Security Analytics using ELK stack	Security Analytics using ELK stack
Security Analytics using ELK stack
 
Linux Malware Analysis
Linux Malware Analysis	Linux Malware Analysis
Linux Malware Analysis
 
Introduction to Binary Exploitation
Introduction to Binary Exploitation	Introduction to Binary Exploitation
Introduction to Binary Exploitation
 
ATM Malware: Understanding the threat
ATM Malware: Understanding the threat	ATM Malware: Understanding the threat
ATM Malware: Understanding the threat
 
XXE - XML External Entity Attack
XXE - XML External Entity Attack	XXE - XML External Entity Attack
XXE - XML External Entity Attack
 

Recently uploaded

TEST BANK For, Information Technology Project Management 9th Edition Kathy Sc...
TEST BANK For, Information Technology Project Management 9th Edition Kathy Sc...TEST BANK For, Information Technology Project Management 9th Edition Kathy Sc...
TEST BANK For, Information Technology Project Management 9th Edition Kathy Sc...marcuskenyatta275
 
Syngulon - Selection technology May 2024.pdf
Syngulon - Selection technology May 2024.pdfSyngulon - Selection technology May 2024.pdf
Syngulon - Selection technology May 2024.pdfSyngulon
 
Secure Zero Touch enabled Edge compute with Dell NativeEdge via FDO _ Brad at...
Secure Zero Touch enabled Edge compute with Dell NativeEdge via FDO _ Brad at...Secure Zero Touch enabled Edge compute with Dell NativeEdge via FDO _ Brad at...
Secure Zero Touch enabled Edge compute with Dell NativeEdge via FDO _ Brad at...FIDO Alliance
 
Oauth 2.0 Introduction and Flows with MuleSoft
Oauth 2.0 Introduction and Flows with MuleSoftOauth 2.0 Introduction and Flows with MuleSoft
Oauth 2.0 Introduction and Flows with MuleSoftshyamraj55
 
PLAI - Acceleration Program for Generative A.I. Startups
PLAI - Acceleration Program for Generative A.I. StartupsPLAI - Acceleration Program for Generative A.I. Startups
PLAI - Acceleration Program for Generative A.I. StartupsStefano
 
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...CzechDreamin
 
Speed Wins: From Kafka to APIs in Minutes
Speed Wins: From Kafka to APIs in MinutesSpeed Wins: From Kafka to APIs in Minutes
Speed Wins: From Kafka to APIs in Minutesconfluent
 
Demystifying gRPC in .Net by John Staveley
Demystifying gRPC in .Net by John StaveleyDemystifying gRPC in .Net by John Staveley
Demystifying gRPC in .Net by John StaveleyJohn Staveley
 
How Red Hat Uses FDO in Device Lifecycle _ Costin and Vitaliy at Red Hat.pdf
How Red Hat Uses FDO in Device Lifecycle _ Costin and Vitaliy at Red Hat.pdfHow Red Hat Uses FDO in Device Lifecycle _ Costin and Vitaliy at Red Hat.pdf
How Red Hat Uses FDO in Device Lifecycle _ Costin and Vitaliy at Red Hat.pdfFIDO Alliance
 
Extensible Python: Robustness through Addition - PyCon 2024
Extensible Python: Robustness through Addition - PyCon 2024Extensible Python: Robustness through Addition - PyCon 2024
Extensible Python: Robustness through Addition - PyCon 2024Patrick Viafore
 
Where to Learn More About FDO _ Richard at FIDO Alliance.pdf
Where to Learn More About FDO _ Richard at FIDO Alliance.pdfWhere to Learn More About FDO _ Richard at FIDO Alliance.pdf
Where to Learn More About FDO _ Richard at FIDO Alliance.pdfFIDO Alliance
 
Designing for Hardware Accessibility at Comcast
Designing for Hardware Accessibility at ComcastDesigning for Hardware Accessibility at Comcast
Designing for Hardware Accessibility at ComcastUXDXConf
 
Measures in SQL (a talk at SF Distributed Systems meetup, 2024-05-22)
Measures in SQL (a talk at SF Distributed Systems meetup, 2024-05-22)Measures in SQL (a talk at SF Distributed Systems meetup, 2024-05-22)
Measures in SQL (a talk at SF Distributed Systems meetup, 2024-05-22)Julian Hyde
 
Custom Approval Process: A New Perspective, Pavel Hrbacek & Anindya Halder
Custom Approval Process: A New Perspective, Pavel Hrbacek & Anindya HalderCustom Approval Process: A New Perspective, Pavel Hrbacek & Anindya Halder
Custom Approval Process: A New Perspective, Pavel Hrbacek & Anindya HalderCzechDreamin
 
Strategic AI Integration in Engineering Teams
Strategic AI Integration in Engineering TeamsStrategic AI Integration in Engineering Teams
Strategic AI Integration in Engineering TeamsUXDXConf
 
Salesforce Adoption – Metrics, Methods, and Motivation, Antone Kom
Salesforce Adoption – Metrics, Methods, and Motivation, Antone KomSalesforce Adoption – Metrics, Methods, and Motivation, Antone Kom
Salesforce Adoption – Metrics, Methods, and Motivation, Antone KomCzechDreamin
 
Optimizing NoSQL Performance Through Observability
Optimizing NoSQL Performance Through ObservabilityOptimizing NoSQL Performance Through Observability
Optimizing NoSQL Performance Through ObservabilityScyllaDB
 
A Business-Centric Approach to Design System Strategy
A Business-Centric Approach to Design System StrategyA Business-Centric Approach to Design System Strategy
A Business-Centric Approach to Design System StrategyUXDXConf
 
Structuring Teams and Portfolios for Success
Structuring Teams and Portfolios for SuccessStructuring Teams and Portfolios for Success
Structuring Teams and Portfolios for SuccessUXDXConf
 
Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl
Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo DiehlFuture Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl
Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo DiehlPeter Udo Diehl
 

Recently uploaded (20)

TEST BANK For, Information Technology Project Management 9th Edition Kathy Sc...
TEST BANK For, Information Technology Project Management 9th Edition Kathy Sc...TEST BANK For, Information Technology Project Management 9th Edition Kathy Sc...
TEST BANK For, Information Technology Project Management 9th Edition Kathy Sc...
 
Syngulon - Selection technology May 2024.pdf
Syngulon - Selection technology May 2024.pdfSyngulon - Selection technology May 2024.pdf
Syngulon - Selection technology May 2024.pdf
 
Secure Zero Touch enabled Edge compute with Dell NativeEdge via FDO _ Brad at...
Secure Zero Touch enabled Edge compute with Dell NativeEdge via FDO _ Brad at...Secure Zero Touch enabled Edge compute with Dell NativeEdge via FDO _ Brad at...
Secure Zero Touch enabled Edge compute with Dell NativeEdge via FDO _ Brad at...
 
Oauth 2.0 Introduction and Flows with MuleSoft
Oauth 2.0 Introduction and Flows with MuleSoftOauth 2.0 Introduction and Flows with MuleSoft
Oauth 2.0 Introduction and Flows with MuleSoft
 
PLAI - Acceleration Program for Generative A.I. Startups
PLAI - Acceleration Program for Generative A.I. StartupsPLAI - Acceleration Program for Generative A.I. Startups
PLAI - Acceleration Program for Generative A.I. Startups
 

S2E (Selective Symbolic Execution) - Shivkrishna A

  • 1. Team bi0s Amrita Center for Cybersecurity, Amritapuri Selective Symbolic Execution Shivkrishna Anil 1
  • 2. Agenda ● Introduction ● S2E ● Analysing a simple program ● Demo Video
  • 3. @shivnambiar1 ● Member of Team bi0s ● Final Year Computer Science student at Amrita University ● Focuses on Memory Forensics, Disk Forensics and Steganography ● Working on a plugin for S2E
  • 4. Symbolic?? ● Analyzing a program to determine inputs that cause a part of a program to execute ● S2E, Angr, Mayhem, Triton, KLEE ● Useful for generating test cases with exhaustive code coverage ● Works on obfuscated binaries
  • 5. Path Constraints ● Example of Symbolic Execution: https://goo.gl/qqv6Pw
  • 6. S2E ● Selective Symbolic Execution ● Automated path explorer with modular path analyzers ● S2E - A platform for developing multi-path in-vivo analysis tools ● Contender for CGC 2016 ● Emulates an entire virtual machine instead of an executable ● Random path selection and DFS
  • 7. Why S2E? ● A technique for creating the illusion of full system symbolic execution, while symbolically running only the code that is of interest to the developer ● Can interact with the environment ● Input can switch from symbolic to concrete domain and vice versa
  • 8. Comparison ● Works for very large programs like a whole Windows stack frame ● Implemented at the kernel level ● Does not exhaust system resources as compared to other symbolic engines
  • 9. The Working of Transition ● Multi-path / Single-path execution: http://s2e.epfl.ch/images/s2e-sel.png
  • 10. S2E Architecture ● S2E Architecture: http://s2e.epfl.ch/images/s2e-vm.png
  • 11. Code Walkthrough
  • 12. Code Walkthrough (contd)
  • 13. Tree Diagram (figure labels: Input, Set of all characters)
  • 14. Live Demo
  • 15. Limitations ● Exhausts memory when state forking increases considerably ● Only a maximum of 2 arguments can be passed ● S2E can only run on a shared-memory architecture ● Code coverage is low as it doesn't consider under-constrained and over-constrained symbols
  • 16. Further Reading ● S2E: A Platform for In-Vivo Multi-Path Analysis of Software Systems ● Selective Symbolic Execution ● A Survey of Symbolic Execution Techniques
  • 17. Questions??

Editor's Notes

  1. A method of dynamic binary analysis, used to get test cases.
     KLEE is a symbolic virtual machine built on top of the LLVM compiler. Mayhem - PPP, CMU. Angr - Shellphish, UCSB.
     Formal definition of symbolic execution slide needs to be added.
     Symbolic execution:
     - A mechanism to discover the code coverage
     -- Translate each instruction into constraints
     --- constraints: a formula that defines the operation's functionality
     -- Collect all constraints
     -- Solve when the required condition is met
     --- e.g. when a branch condition is met
     Formal definition of concolic execution:
     - The number of possible paths increases exponentially
     -- in symbolic execution, every memory location is symbolized
     -- too many symbols to solve
     - Concolic execution
     -- only the interesting memory is made symbolic
     -- everything else is given a concrete value
     Source code is not required for code coverage. Obfuscated
  2. Conflicting path constraints cancel.
  3. In-vivo: this kind of analysis helps to understand all the interactions of the analysed code with the surrounding system. Algorithms used: DFS and random path. STP - constraint solver. Automated path explorer with modular path analyzers: the explorer drives the target system down all execution paths of interest, while analyzers check properties of each such path.
  4. For example: malware - classical malware analysis - debugger and sandbox - evade. Ptrace - system call
  5. If we want to analyse a program in multi-path, it will also execute the dependent libraries in multi-path, which takes up a lot of system resources unnecessarily (path explosion). Works for large programs because it executes symbolically only the region of interest. Kernel level - Does not analyse
  6. Explain the code
  7. s2e_make_symbolic - to give all possible inputs. s2e_enable_forking - to fork different branches for path exploration.
  8. Talk about different inputs and the various paths it takes. Final messages.txt
  9. S2E cannot start on one machine and fork new instances on other machines for now - shared-memory architecture.
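
The loop the notes describe (turn each branch into a path constraint, fork a state per branch, drop states whose constraints conflict, solve for an input) can be shown on a single symbolic input byte. This is an added example, not code from the slides or from S2E: the `guest` program, `explore` and the `branch` callback are hypothetical, and constraints are solved by filtering the set of all 256 byte values rather than by a solver such as STP.

```python
# Added example (not S2E code): toy path explorer for ONE symbolic input byte.
# Branch conditions become path constraints and each new branch forks a state.
# "Solving" = filtering the set of all characters (0..255); no real solver.

class Infeasible(Exception):
    """Raised when a path's constraints contradict each other."""

def guest(branch):
    """Hypothetical program under test; branch(label, pred) is a branch point."""
    if branch("upper", lambda c: ord("A") <= c <= ord("Z")):
        if branch("lower", lambda c: ord("a") <= c <= ord("z")):
            return "unreachable"          # conflicts with "upper"
        if branch("is_K", lambda c: c == ord("K")):
            return "secret"
        return "upper-case"
    if branch("digit", lambda c: ord("0") <= c <= ord("9")):
        return "digit"
    return "other"

def explore(program):
    """DFS over all paths; returns (feasible paths, number of killed states)."""
    paths, killed = [], 0
    worklist = [[]]                       # stack of forced branch outcomes
    while worklist:
        forced = worklist.pop()
        taken, feasible = [], set(range(256))
        def branch(label, pred):
            nonlocal feasible
            if len(taken) < len(forced):  # replaying a forked state
                outcome = forced[len(taken)]
            else:                         # new branch: take True, fork False
                outcome = True
                worklist.append([o for _, o in taken] + [False])
            feasible = {c for c in feasible if pred(c) == outcome}
            if not feasible:              # conflicting constraints: kill state
                raise Infeasible(label)
            taken.append((label, outcome))
            return outcome
        try:
            result = program(branch)
            paths.append((result, taken, feasible))
        except Infeasible:
            killed += 1
    return paths, killed

if __name__ == "__main__":
    for result, taken, feasible in explore(guest)[0]:
        print(f"{result:10} example={chr(min(feasible))!r} inputs={len(feasible)}")
```

Every feasible path ends with a non-empty input set, so any member is a concrete test case for that path; the state that requires both "upper" and "lower" is killed as soon as its constraint set becomes empty.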