CC
Uploaded byCysinfo Cyber Security Community
PPTX, PDF540 views

S2 e (selective symbolic execution) -shivkrishna a

The document discusses Team bi0s from the Amrita Center for Cybersecurity, focusing on selective symbolic execution and their work with the S2E platform. It highlights the benefits of S2E for analyzing large programs, its architecture, and the differences between symbolic and concrete execution. Limitations of the approach, such as memory exhaustion and code coverage issues, are also mentioned.

Embed presentation

Downloaded 19 times
Team bi0s Amrita Center for Cybersecurity, Amritapuri Selective Symbolic Execution Shivkrishna Anil 1
Team bi0s Amrita Center for Cybersecurity, Amritapuri Agenda ● Introduction ● S2E ● Analysing a simple program ● Demo Video 2
Team bi0s Amrita Center for Cybersecurity, Amritapuri @shivnambiar1 ● Member of Team bi0s ● Final Year Computer Science student at Amrita University ● Focuses on Memory Forensics, Disk Forensics and Steganography ● Working on a plugin for S2E 3
Team bi0s Amrita Center for Cybersecurity, Amritapuri Symbolic?? ● Analyzing a program to determine inputs that cause a part of a program to execute ● S2E, Angr, Mayhem, Triton, KLEE ● Useful for generating test cases with exhaustive code coverage ● Works on obfuscated binaries 4
Team bi0s Amrita Center for Cybersecurity, Amritapuri Path Constraints 5Example of Symbolic Execution : https://goo.gl/qqv6Pw
Team bi0s Amrita Center for Cybersecurity, Amritapuri S2E ● Selective Symbolic Execution ● Automated path explorer with modular path analyzers ● S2E - A platform for developing multi-path in-vivo analysis tools ● Contender for CGC 2016 ● Emulates an entire virtual machine instead of an executable ● Random path selection and DFS 6
Team bi0s Amrita Center for Cybersecurity, Amritapuri Why S2E? ● A technique for creating the illusion of full system symbolic execution, while symbolically running only the code that is of interest to the developer ● Can interact with the environment ● Input can switch from symbolic to concrete domain and vice versa 7
Team bi0s Amrita Center for Cybersecurity, Amritapuri Comparison ● Works for very large programs like a whole windows stack frame ● Implemented at the Kernel level ● Does not exhaust System resources as compared to other Symbolic engines 8
Team bi0s Amrita Center for Cybersecurity, Amritapuri The Working of Transition Multi-path / Single-path execution : http://s2e.epfl.ch/images/s2e-sel.png 9
Team bi0s Amrita Center for Cybersecurity, Amritapuri S2E Architecture S2E Architecture : http://s2e.epfl.ch/images/s2e-vm.png 10
Team bi0s Amrita Center for Cybersecurity, Amritapuri Code Walkthrough 11
Team bi0s Amrita Center for Cybersecurity, Amritapuri 12 Code Walkthrough (contd)
Team bi0s Amrita Center for Cybersecurity, Amritapuri Tree Diagram 13 Input Set of all characters
Team bi0s Amrita Center for Cybersecurity, Amritapuri Live Demo 14
Team bi0s Amrita Center for Cybersecurity, Amritapuri Limitations ● Exhausts memory when state forking increases considerably ● Maximum of 2 arguments can only be passed ● S2E can only run on a shared-memory architecture ● Code coverage is low as it doesn't consider under constrained and over constrained symbols 15
Team bi0s Amrita Center for Cybersecurity, Amritapuri Further Reading ● S2E: A Platform for In-Vivo Multi-Path Analysis of Software Systems ● Selective Symbolic Execution ● A Survey of Symbolic Execution Techniques 16
Team bi0s Amrita Center for Cybersecurity, Amritapuri Questions?? 17

More Related Content

PDF
Higher Level Malware
byCTruncer
 
PDF
Windows 10 - Endpoint Security Improvements and the Implant Since Windows 2000
byCTruncer
 
PDF
Frida Android run time hooking - Bhargav Gajera & Vitthal Shinde
byNSConclave
 
PDF
syzkaller: the next gen kernel fuzzer
byDmitry Vyukov
 
PDF
A Battle Against the Industry - Beating Antivirus for Meterpreter and More
byCTruncer
 
PPTX
The Veil-Framework
byVeilFramework
 
PDF
Veil-Ordnance
byVeilFramework
 
PDF
Generamba
byNicolae Ghimbovschi
 
Higher Level Malware
byCTruncer
 
Windows 10 - Endpoint Security Improvements and the Implant Since Windows 2000
byCTruncer
 
Frida Android run time hooking - Bhargav Gajera & Vitthal Shinde
byNSConclave
 
syzkaller: the next gen kernel fuzzer
byDmitry Vyukov
 
A Battle Against the Industry - Beating Antivirus for Meterpreter and More
byCTruncer
 
The Veil-Framework
byVeilFramework
 
Veil-Ordnance
byVeilFramework
 
Generamba
byNicolae Ghimbovschi
 

What's hot

PDF
The Supporting Role of Antivirus Evasion while Persisting
byCTruncer
 
PDF
The State of the Veil Framework
byVeilFramework
 
PDF
Introduction to Ewasm - crosslink taipei 2019
byhydai
 
ODP
Native client (Евгений Эльцин)
byOntico
 
PPT
Leveraging zeromq for node.js
byRuben Tan
 
PDF
Introduction to ZeroMQ - eSpace TechTalk
byMahmoud Said
 
PDF
Automate Yo' Self
byJohn Anderson
 
PDF
AntiVirus Evasion Reconstructed - Veil 3.0
byCTruncer
 
PDF
The Art of AV Evasion - Or Lack Thereof
byCTruncer
 
PPT
JavaScript Unit Testing
byChristian Johansen
 
PDF
Appium & Robot Framework
byFurkan Ertürk
 
PPTX
Debugging NET Applications With WinDBG
byCory Foy
 
KEY
Distributed app development with nodejs and zeromq
byRuben Tan
 
PDF
LibreOffice oss-fuzz, crashtesting, coverity
byCaolán McNamara
 
PDF
An EyeWitness View into your Network
byCTruncer
 
PDF
Swift for back end: A new generation of full stack languages?
byKoombea
 
PPTX
The Saga of JavaScript and Typescript: in Deno land
byHaci Murat Yaman
 
PPTX
Hacking - Breaking Into It
byCTruncer
 
PPT
JavaScript Unit Testing
byChristian Johansen
 
PPTX
I believe in rust
byReidar Sollid
 
The Supporting Role of Antivirus Evasion while Persisting
byCTruncer
 
The State of the Veil Framework
byVeilFramework
 
Introduction to Ewasm - crosslink taipei 2019
byhydai
 
Native client (Евгений Эльцин)
byOntico
 
Leveraging zeromq for node.js
byRuben Tan
 
Introduction to ZeroMQ - eSpace TechTalk
byMahmoud Said
 
Automate Yo' Self
byJohn Anderson
 
AntiVirus Evasion Reconstructed - Veil 3.0
byCTruncer
 
The Art of AV Evasion - Or Lack Thereof
byCTruncer
 
JavaScript Unit Testing
byChristian Johansen
 
Appium & Robot Framework
byFurkan Ertürk
 
Debugging NET Applications With WinDBG
byCory Foy
 
Distributed app development with nodejs and zeromq
byRuben Tan
 
LibreOffice oss-fuzz, crashtesting, coverity
byCaolán McNamara
 
An EyeWitness View into your Network
byCTruncer
 
Swift for back end: A new generation of full stack languages?
byKoombea
 
The Saga of JavaScript and Typescript: in Deno land
byHaci Murat Yaman
 
Hacking - Breaking Into It
byCTruncer
 
JavaScript Unit Testing
byChristian Johansen
 
I believe in rust
byReidar Sollid
 

Similar to S2 e (selective symbolic execution) -shivkrishna a

PDF
Symbolic Execution (introduction and hands-on)
byEmilio Coppa
 
PDF
Automatic Test Data Generation from Embedded C Code 1st Edition by Eileen Dil...
byheini3klairll
 
PDF
Dynamic Binary Analysis and Obfuscated Codes
byJonathan Salwan
 
PPTX
Symbolic Execution And KLEE
byShauvik Roy Choudhary, Ph.D.
 
PPTX
Lecture12_PerformanceEvaluationAndOSAwareDebugging.pptx
byphapdn1
 
PDF
Model-based Testing Principles
byHenry Muccini
 
PDF
Sthack 2015 - Jonathan "@JonathanSalwan" Salwan - Dynamic Behavior Analysis U...
byStHack
 
PDF
Model Simulation, Graphical Animation, and Omniscient Debugging with EcoreToo...
byBenoit Combemale
 
PPTX
Baab (Bug as a Backdoor) through automatic exploit generation (CRAX)
byShih-Kun Huang
 
PDF
A Survey of Symbolic Execution Tools
byCSCJournals
 
PDF
St hack2015 dynamic_behavior_analysis_using_binary_instrumentation_jonathan_s...
byJonathan Salwan
 
PDF
Linaro Connect 2016 (BKK16) - Introduction to LISA
byPatrick Bellasi
 
PDF
NSC #2 - D2 06 - Richard Johnson - SAGEly Advice
byNoSuchCon
 
PDF
A Survey on Dynamic Symbolic Execution for Automatic Test Generation
bySung Kim
 
Symbolic Execution (introduction and hands-on)
byEmilio Coppa
 
Automatic Test Data Generation from Embedded C Code 1st Edition by Eileen Dil...
byheini3klairll
 
Dynamic Binary Analysis and Obfuscated Codes
byJonathan Salwan
 
Symbolic Execution And KLEE
byShauvik Roy Choudhary, Ph.D.
 
Lecture12_PerformanceEvaluationAndOSAwareDebugging.pptx
byphapdn1
 
Model-based Testing Principles
byHenry Muccini
 
Sthack 2015 - Jonathan "@JonathanSalwan" Salwan - Dynamic Behavior Analysis U...
byStHack
 
Model Simulation, Graphical Animation, and Omniscient Debugging with EcoreToo...
byBenoit Combemale
 
Baab (Bug as a Backdoor) through automatic exploit generation (CRAX)
byShih-Kun Huang
 
A Survey of Symbolic Execution Tools
byCSCJournals
 
St hack2015 dynamic_behavior_analysis_using_binary_instrumentation_jonathan_s...
byJonathan Salwan
 
Linaro Connect 2016 (BKK16) - Introduction to LISA
byPatrick Bellasi
 
NSC #2 - D2 06 - Richard Johnson - SAGEly Advice
byNoSuchCon
 
A Survey on Dynamic Symbolic Execution for Automatic Test Generation
bySung Kim
 

More from Cysinfo Cyber Security Community

PPTX
Emerging Trends in Cybersecurity by Amar Prusty
byCysinfo Cyber Security Community
 
PPTX
Detecting Bad Apples: Understanding macOS Malware TTPs by Surya Teja
byCysinfo Cyber Security Community
 
PDF
The Ultimate Serial Port Detective – Baudowl
byCysinfo Cyber Security Community
 
PDF
The Art of Executing JavaScript by Akhil Mahendra
byCysinfo Cyber Security Community
 
PPTX
Attacking and Defending AI by Adity Roy and Nikita Biradar
byCysinfo Cyber Security Community
 
PDF
Getting started with cybersecurity through CTFs by Shruti Dixit & Geethna TK
byCysinfo Cyber Security Community
 
PDF
A look into the sanitizer family (ASAN & UBSAN) by Akul Pillai
byCysinfo Cyber Security Community
 
PPTX
DeViL - Detect Virtual Machine in Linux by Sreelakshmi
byCysinfo Cyber Security Community
 
PPTX
Analysis of android apk using adhrit by Abhishek J.M
byCysinfo Cyber Security Community
 
PPTX
Dynamic binary analysis using angr siddharth muralee
byCysinfo Cyber Security Community
 
PPTX
Bit flipping attack on aes cbc - ashutosh ahelleya
byCysinfo Cyber Security Community
 
PDF
Unicorn: The Ultimate CPU Emulator by Akshay Ajayan
byCysinfo Cyber Security Community
 
PDF
Threat Hunting with Garuda: From Manual Analysis to AI-Driven Hunting By Monn...
byCysinfo Cyber Security Community
 
PDF
Understanding Malware Persistence Techniques by Monnappa K A
byCysinfo Cyber Security Community
 
PDF
Understanding & analyzing obfuscated malicious web scripts by Vikram Kharvi
byCysinfo Cyber Security Community
 
PPTX
Security challenges in d2d communication by ajithkumar vyasarao
byCysinfo Cyber Security Community
 
PDF
Security Analytics using ELK stack
byCysinfo Cyber Security Community
 
PDF
Closer look at PHP Unserialization by Ashwin Shenoi
byCysinfo Cyber Security Community
 
PDF
Understanding evasive hollow process injection techniques monnappa k a
byCysinfo Cyber Security Community
 
PDF
Reversing and Decrypting Malware Communications by Monnappa
byCysinfo Cyber Security Community
 
Emerging Trends in Cybersecurity by Amar Prusty
byCysinfo Cyber Security Community
 
Detecting Bad Apples: Understanding macOS Malware TTPs by Surya Teja
byCysinfo Cyber Security Community
 
The Ultimate Serial Port Detective – Baudowl
byCysinfo Cyber Security Community
 
The Art of Executing JavaScript by Akhil Mahendra
byCysinfo Cyber Security Community
 
Attacking and Defending AI by Adity Roy and Nikita Biradar
byCysinfo Cyber Security Community
 
Getting started with cybersecurity through CTFs by Shruti Dixit & Geethna TK
byCysinfo Cyber Security Community
 
A look into the sanitizer family (ASAN & UBSAN) by Akul Pillai
byCysinfo Cyber Security Community
 
DeViL - Detect Virtual Machine in Linux by Sreelakshmi
byCysinfo Cyber Security Community
 
Analysis of android apk using adhrit by Abhishek J.M
byCysinfo Cyber Security Community
 
Dynamic binary analysis using angr siddharth muralee
byCysinfo Cyber Security Community
 
Bit flipping attack on aes cbc - ashutosh ahelleya
byCysinfo Cyber Security Community
 
Unicorn: The Ultimate CPU Emulator by Akshay Ajayan
byCysinfo Cyber Security Community
 
Threat Hunting with Garuda: From Manual Analysis to AI-Driven Hunting By Monn...
byCysinfo Cyber Security Community
 
Understanding Malware Persistence Techniques by Monnappa K A
byCysinfo Cyber Security Community
 
Understanding & analyzing obfuscated malicious web scripts by Vikram Kharvi
byCysinfo Cyber Security Community
 
Security challenges in d2d communication by ajithkumar vyasarao
byCysinfo Cyber Security Community
 
Security Analytics using ELK stack
byCysinfo Cyber Security Community
 
Closer look at PHP Unserialization by Ashwin Shenoi
byCysinfo Cyber Security Community
 
Understanding evasive hollow process injection techniques monnappa k a
byCysinfo Cyber Security Community
 
Reversing and Decrypting Malware Communications by Monnappa
byCysinfo Cyber Security Community
 

Recently uploaded

PDF
Digit Expo 2025 - EICC Edinburgh 27th November
byRay Bugg
 
PDF
December Patch Tuesday
byIvanti
 
PDF
Generative AI in UiPath: Mastering the Generative Extractor for Intelligent D...
byDianaGray10
 
PDF
Usage Control for Process Discovery through a Trusted Execution Environment
byValerioGoretti
 
PDF
The year in review - MarvelClient in 2025
bypanagenda
 
PDF
Making Sense of Raster: From Bit Depth to Better Workflows
bySafe Software
 
PPTX
The Landscape of Computer Software Development Companies
byYash Singh
 
PDF
Unser Jahresrückblick – MarvelClient in 2025
bypanagenda
 
PDF
TrustArc Webinar - Assessing AI Risk with Confidence
byTrustArc
 
PDF
Safeguarding AI-Based Financial Infrastructure
byYasir Naveed Riaz
 
PPTX
THIS IS CYBER SECURITY NOTES USED IN CLASS ON VARIOUS TOPICS USED IN CYBERSEC...
byMelissaGblinwon
 
PDF
How Mobile Apps Are Shaping the Future of Digital Innovation
byWilliam Taylor
 
PDF
Generative AI in 2026: Hype, Bubble, Winter or The Real Deal?
byDr. Tathagat Varma
 
PDF
TrustArc Webinar - Looking Ahead: The 2026 Privacy Landscape
byTrustArc
 
PPTX
RISE with SAP for Automotive - S4 HANA Value.pptx
byAmira Jemi
 
PPTX
Ethics in AI - Artificial Intelligence Fundamentals.pptx
byemenyiblessing
 
PPTX
Combining Induction and Transduction for Abstract Reasoning.pptx
byallen578468
 
PPTX
The Future of IT Service Management AI Automation & Beyond.pptx
byChetu
 
PDF
Recursive Self Improvement vs Continuous Learning
byBob Marcus
 
PDF
8 LLM Surveys https://tinyurl.com/bdz8e6fp
byBob Marcus
 
Digit Expo 2025 - EICC Edinburgh 27th November
byRay Bugg
 
December Patch Tuesday
byIvanti
 
Generative AI in UiPath: Mastering the Generative Extractor for Intelligent D...
byDianaGray10
 
Usage Control for Process Discovery through a Trusted Execution Environment
byValerioGoretti
 
The year in review - MarvelClient in 2025
bypanagenda
 
Making Sense of Raster: From Bit Depth to Better Workflows
bySafe Software
 
The Landscape of Computer Software Development Companies
byYash Singh
 
Unser Jahresrückblick – MarvelClient in 2025
bypanagenda
 
TrustArc Webinar - Assessing AI Risk with Confidence
byTrustArc
 
Safeguarding AI-Based Financial Infrastructure
byYasir Naveed Riaz
 
THIS IS CYBER SECURITY NOTES USED IN CLASS ON VARIOUS TOPICS USED IN CYBERSEC...
byMelissaGblinwon
 
How Mobile Apps Are Shaping the Future of Digital Innovation
byWilliam Taylor
 
Generative AI in 2026: Hype, Bubble, Winter or The Real Deal?
byDr. Tathagat Varma
 
TrustArc Webinar - Looking Ahead: The 2026 Privacy Landscape
byTrustArc
 
RISE with SAP for Automotive - S4 HANA Value.pptx
byAmira Jemi
 
Ethics in AI - Artificial Intelligence Fundamentals.pptx
byemenyiblessing
 
Combining Induction and Transduction for Abstract Reasoning.pptx
byallen578468
 
The Future of IT Service Management AI Automation & Beyond.pptx
byChetu
 
Recursive Self Improvement vs Continuous Learning
byBob Marcus
 
8 LLM Surveys https://tinyurl.com/bdz8e6fp
byBob Marcus
 

S2 e (selective symbolic execution) -shivkrishna a

  • 1.
    Team bi0s Amrita Centerfor Cybersecurity, Amritapuri Selective Symbolic Execution Shivkrishna Anil 1
  • 2.
    Team bi0s Amrita Centerfor Cybersecurity, Amritapuri Agenda ● Introduction ● S2E ● Analysing a simple program ● Demo Video 2
  • 3.
    Team bi0s Amrita Centerfor Cybersecurity, Amritapuri @shivnambiar1 ● Member of Team bi0s ● Final Year Computer Science student at Amrita University ● Focuses on Memory Forensics, Disk Forensics and Steganography ● Working on a plugin for S2E 3
  • 4.
    Team bi0s Amrita Centerfor Cybersecurity, Amritapuri Symbolic?? ● Analyzing a program to determine inputs that cause a part of a program to execute ● S2E, Angr, Mayhem, Triton, KLEE ● Useful for generating test cases with exhaustive code coverage ● Works on obfuscated binaries 4
  • 5.
    Team bi0s Amrita Centerfor Cybersecurity, Amritapuri Path Constraints 5Example of Symbolic Execution : https://goo.gl/qqv6Pw
  • 6.
    Team bi0s Amrita Centerfor Cybersecurity, Amritapuri S2E ● Selective Symbolic Execution ● Automated path explorer with modular path analyzers ● S2E - A platform for developing multi-path in-vivo analysis tools ● Contender for CGC 2016 ● Emulates an entire virtual machine instead of an executable ● Random path selection and DFS 6
  • 7.
    Team bi0s Amrita Centerfor Cybersecurity, Amritapuri Why S2E? ● A technique for creating the illusion of full system symbolic execution, while symbolically running only the code that is of interest to the developer ● Can interact with the environment ● Input can switch from symbolic to concrete domain and vice versa 7
  • 8.
    Team bi0s Amrita Centerfor Cybersecurity, Amritapuri Comparison ● Works for very large programs like a whole windows stack frame ● Implemented at the Kernel level ● Does not exhaust System resources as compared to other Symbolic engines 8
  • 9.
    Team bi0s Amrita Centerfor Cybersecurity, Amritapuri The Working of Transition Multi-path / Single-path execution : http://s2e.epfl.ch/images/s2e-sel.png 9
  • 10.
    Team bi0s Amrita Centerfor Cybersecurity, Amritapuri S2E Architecture S2E Architecture : http://s2e.epfl.ch/images/s2e-vm.png 10
  • 11.
    Team bi0s Amrita Centerfor Cybersecurity, Amritapuri Code Walkthrough 11
  • 12.
    Team bi0s Amrita Centerfor Cybersecurity, Amritapuri 12 Code Walkthrough (contd)
  • 13.
    Team bi0s Amrita Centerfor Cybersecurity, Amritapuri Tree Diagram 13 Input Set of all characters
  • 14.
    Team bi0s Amrita Centerfor Cybersecurity, Amritapuri Live Demo 14
  • 15.
    Team bi0s Amrita Centerfor Cybersecurity, Amritapuri Limitations ● Exhausts memory when state forking increases considerably ● Maximum of 2 arguments can only be passed ● S2E can only run on a shared-memory architecture ● Code coverage is low as it doesn't consider under constrained and over constrained symbols 15
  • 16.
    Team bi0s Amrita Centerfor Cybersecurity, Amritapuri Further Reading ● S2E: A Platform for In-Vivo Multi-Path Analysis of Software Systems ● Selective Symbolic Execution ● A Survey of Symbolic Execution Techniques 16
  • 17.
    Team bi0s Amrita Centerfor Cybersecurity, Amritapuri Questions?? 17

Editor's Notes

  • #5 A Method of dynamic binary analysis - to get test cases KLEE is a symbolic virtual machine built on top of the LLVM compiler Mayhem - PPP _CMU Angr -Shellphish - UCSB Formal definition of symbolic execution slide needs to be added Symbolic execution: - A mechanism to discover the code coverage -- Translate each instruction into constraints --- constraints: a formula define the operation functionality -- Collect all constraints -- Solve when required condition is met --- e.g. when a branch condition is met Formal definition of Concolic execution: - Number of possible paths increases exponentially -- in symbolic execution, every memory is location is symbolized -- too many symbols to solve - Concolic execution -- only make the interesting memory symbolize -- otherwise give a concrete value Source code not required for code coverage Obfuscated
  • #6 Conflicting path constraints cancels
  • #7 In-vivo : this kind of analysis helps to understand all the interactions of the analysed code in surrounding system Algorithm used DFS and random path STP - Constaint solver automated path explorer with modular path analyzers:the explorer drives the target system down all execution paths of interest, while analyzers check properties of each such path
  • #8 For eg: a malware - classical malware analysis - debuger n sandbox -evade Ptrace - system call
  • #9 If we want to analyse a program in multi-path ; it will also execute the dependent libraries in multi-path which takes up a lot of system resources unnecessarily (Path explosion) Works for large programs because it executes symbolically only the region of interest Kernel level - Does not analyse
  • #12 Explain the code
  • #13 S2e_make_symbolic - to give all possible inputs S2e_enable_forking - to fork different branches for path exploration
  • #15 Talk about different inputs and the various paths it takes. Final messages.txt
  • #16 S2E cannot start on one machine and fork new instances on other machines for now - Shared memory architecure