This document provides an overview of Triton, a concolic execution framework built as a Pin tool. Triton allows for dynamic binary analysis using symbolic execution, taint analysis, and snapshot capabilities. It represents instructions and their semantics using SMT2-LIB format and interfaces with SMT solvers like Z3. Triton guides symbolic execution with information from its taint analysis engine. It also provides a snapshot engine to replay execution traces in memory. The document discusses Triton's internal components and how users can build analysis tools with Triton by installing dependencies and running Pin scripts.
How Triton can help to reverse virtual machine based software protectionsJonathan Salwan
The first part of the talk is going to be an introduction to the Triton framework to expose its components and to explain how they work together. Then, the second part will include demonstrations on how it's possible to reverse virtual machine based protections using taint analysis, symbolic execution, SMT simplifications and LLVM-IR optimizations.
Dynamic Binary Analysis and Obfuscated Codes Jonathan Salwan
At this presentation we will talk about how a DBA (Dynamic Binary Analysis) may help a reverse engineer to reverse obfuscated code. We will first introduce some basic obfuscation techniques and then expose how it's possible to break some stuffs (using our open-source DBA framework - Triton) like detect opaque predicates, reconstruct CFG, find the original algorithm, isolate sensible data and many more... Then, we will conclude with a demo and few words about our future work.
Verilog HDL is introduced for modeling digital hardware at different levels of abstraction. Key concepts discussed include:
- Module instantiation, assignments, and procedural blocks for behavioral modeling.
- Concurrency is modeled using an event-based simulation approach with a time wheel concept.
- Switch level and gate level modeling using built-in primitives like transistors and logic gates.
- User-defined primitives (UDPs) allow custom logic to augment pre-defined primitives.
The document provides an overview of Verilog, including:
1) Why HDLs like Verilog are needed for designing large, complex hardware systems.
2) Basic Verilog syntax such as modules, ports, parameters, nets, registers, operators, assignments.
3) How to model hardware features in Verilog like combinational logic, sequential logic, timing, case statements.
Platform-independent static binary code analysis using a meta-assembly languagezynamics GmbH
This document describes a platform-independent static code analysis framework called MonoREIL that uses abstract interpretation. It introduces an intermediate representation called REIL that can be extracted from disassembled binary code. MonoREIL implements abstract interpretation over REIL code to perform analyses like register tracking and detecting negative array indexing without dependence on platform or source code. The framework is intended for offensive security purposes like binary analysis where source is unavailable.
This document provides an overview of System Verilog concepts including simulation and synthesis, modules and primitives, styles, data types, operators, and more. Key points covered include the module concept as the basic design unit, module declaration syntax, module instantiation, different styles like structural, RTL/dataflow and behavioral, data types for nets and registers, number representation formats, and basic Verilog operators. The document serves as a tutorial introduction to essential System Verilog language constructs.
Hardware description languages (HDLs) allow designers to describe digital systems at different levels of abstraction in a textual format. The two most commonly used HDLs are Verilog and VHDL. Verilog is commonly used in the US, while VHDL is more popular in Europe. HDLs enable simulation of designs before fabrication to verify functionality. Digital designs can be modeled at the gate level, data flow level, or behavioral level in Verilog. Verilog code consists of a design module and test bench module to stimulate inputs and observe outputs.
This document discusses behavioral Verilog coding constructs including always and initial blocks, blocking vs non-blocking assignments, and if-else and case statements. It provides examples of coding flip-flops and sequential logic using these constructs. It also discusses simulator mechanics and the stratified event queue model of simulation.
How Triton can help to reverse virtual machine based software protectionsJonathan Salwan
The first part of the talk is going to be an introduction to the Triton framework to expose its components and to explain how they work together. Then, the second part will include demonstrations on how it's possible to reverse virtual machine based protections using taint analysis, symbolic execution, SMT simplifications and LLVM-IR optimizations.
Dynamic Binary Analysis and Obfuscated Codes Jonathan Salwan
At this presentation we will talk about how a DBA (Dynamic Binary Analysis) may help a reverse engineer to reverse obfuscated code. We will first introduce some basic obfuscation techniques and then expose how it's possible to break some stuffs (using our open-source DBA framework - Triton) like detect opaque predicates, reconstruct CFG, find the original algorithm, isolate sensible data and many more... Then, we will conclude with a demo and few words about our future work.
Verilog HDL is introduced for modeling digital hardware at different levels of abstraction. Key concepts discussed include:
- Module instantiation, assignments, and procedural blocks for behavioral modeling.
- Concurrency is modeled using an event-based simulation approach with a time wheel concept.
- Switch level and gate level modeling using built-in primitives like transistors and logic gates.
- User-defined primitives (UDPs) allow custom logic to augment pre-defined primitives.
The document provides an overview of Verilog, including:
1) Why HDLs like Verilog are needed for designing large, complex hardware systems.
2) Basic Verilog syntax such as modules, ports, parameters, nets, registers, operators, assignments.
3) How to model hardware features in Verilog like combinational logic, sequential logic, timing, case statements.
Platform-independent static binary code analysis using a meta-assembly languagezynamics GmbH
This document describes a platform-independent static code analysis framework called MonoREIL that uses abstract interpretation. It introduces an intermediate representation called REIL that can be extracted from disassembled binary code. MonoREIL implements abstract interpretation over REIL code to perform analyses like register tracking and detecting negative array indexing without dependence on platform or source code. The framework is intended for offensive security purposes like binary analysis where source is unavailable.
This document provides an overview of System Verilog concepts including simulation and synthesis, modules and primitives, styles, data types, operators, and more. Key points covered include the module concept as the basic design unit, module declaration syntax, module instantiation, different styles like structural, RTL/dataflow and behavioral, data types for nets and registers, number representation formats, and basic Verilog operators. The document serves as a tutorial introduction to essential System Verilog language constructs.
Hardware description languages (HDLs) allow designers to describe digital systems at different levels of abstraction in a textual format. The two most commonly used HDLs are Verilog and VHDL. Verilog is commonly used in the US, while VHDL is more popular in Europe. HDLs enable simulation of designs before fabrication to verify functionality. Digital designs can be modeled at the gate level, data flow level, or behavioral level in Verilog. Verilog code consists of a design module and test bench module to stimulate inputs and observe outputs.
This document discusses behavioral Verilog coding constructs including always and initial blocks, blocking vs non-blocking assignments, and if-else and case statements. It provides examples of coding flip-flops and sequential logic using these constructs. It also discusses simulator mechanics and the stratified event queue model of simulation.
Control-flow analysis discovers the flow of control within code by building basic blocks and a control-flow graph (CFG). It identifies loops by computing dominators. Basic blocks are sequences of straight-line code with a single entry and exit. A CFG represents control flow with nodes for basic blocks and edges for control transfers. Loops are detected by finding natural loops defined by back edges where the target dominates the source.
Delays in Verilog allow modeling of timing aspects like propagation delays. There are different types of delays depending on the design approach - gate level modeling uses rise, fall, and turn-off delays while dataflow modeling uses assignment delays on nets. Behavioral modeling supports regular delays before assignments, intra-assignment delays after the equals sign, and zero delays to ensure last execution. Sequential and parallel blocks also control statement ordering.
This document discusses switch level modeling in Verilog. It describes different types of transistor switches that can be used as primitives in Verilog, including nmos, pmos, rnmos, rpmos, and cmos switches. It also covers bidirectional switches like tran, tranif1, and examples of how to use the switches to model basic logic gates and memory cells like a RAM cell. Time delays can be specified for switches. Switch level modeling allows designing circuits using transistors directly in Verilog.
C++ allows for concise summaries in 3 sentences or less:
The document provides an overview of C++ concepts including data types, variables, operators, functions, classes, inheritance and virtual members. It also covers process and thread concepts at a high level. Code examples are provided to illustrate namespaces, input/output, program flow control, overloading, dynamic memory allocation, and classes. The document serves as a brief review of fundamental C++ and system programming concepts.
The document contains questions and explanations about C programming keywords and concepts like pointers, arrays, structures, unions, and bit manipulation. It provides definitions and examples for keywords like #define, #include, #pragma, #asm, #ifdef, and #endif. It also gives solutions to questions about pointers, counting bits to access specific bits or bytes of memory at a particular address, and explaining differences between array parameters and pointers in function definitions in C.
This document contains lecture notes on Verilog syntax and structural modeling. It discusses various Verilog concepts like commenting code, numbers and identifiers, vectors, arrays, parameters and defines, gate primitives, and hierarchy. It provides examples of modeling half adders and full adders structurally and behaviorally using primitives, modules, and always blocks. The document emphasizes choosing descriptive names and commenting code to explain the purpose or motivation behind design decisions.
This document discusses synchronization and semaphores. It begins by explaining how mutual exclusion can be achieved in uni-processors using interrupt disabling, but this does not work in multi-processors. Semaphores provide a solution using atomic test-and-set instructions. Semaphores allow processes to suspend execution and wait for signals. They avoid busy waiting by putting processes to sleep when the semaphore value is not positive. The document provides examples of using binary and general semaphores for problems like mutual exclusion and process synchronization.
SystemVerilog Assertions verification with SVAUnit - DVCon US 2016 TutorialAmiq Consulting
This document provides an overview of SystemVerilog Assertions (SVAs) and the SVAUnit framework for verifying SVAs. It begins with an introduction to SVAs, including types of assertions and properties. It then discusses planning SVA development, such as identifying design characteristics and coding guidelines. The document outlines implementing SVAs and using the SVAUnit framework, which allows decoupling SVA definition from validation code. It provides an example demonstrating generating stimuli to validate an AMBA APB protocol SVA using SVAUnit. Finally, it summarizes SVAUnit's test API and features for error reporting and test coverage.
This document discusses different types of simulation for digital circuits including analog simulation using a SPICE engine, digital simulation, and event-driven simulation. It also covers testbenches, including generating stimulus, monitoring outputs, and exhaustively testing designs. Key topics covered include clocks, finite state machine testing, and force/release in testbenches.
Verilog is a hardware description language used to model and simulate digital circuits. It supports different levels of abstraction from algorithmic level down to transistor level. The document describes key Verilog concepts including data types, operators, procedural blocks, timing, and system tasks. It also explains the use of modules for hierarchical design and compiler directives for code reuse and timescale specification.
This document provides an overview of Verilog, including:
- Verilog is a hardware description language used to describe digital systems at different levels including switch, gate, and register transfer levels.
- It discusses the basics of Verilog, common simulation tools, design methodology, modules, ports, data types, assignments, primitives, test benches, and provides a tutorial for using Active-HDL for simulation.
Verilog HDL (Hardware Description Language) Training Course for self-taught instructional. User should be familiar with basic digital and logic design. Helpful to have a Verilog simulator while going through examples.
Verilog HDL is a hardware description language used to design and document electronic systems. Verilog HDL allows designers to design at various levels of abstraction. It is the most widely used HDL with a user community of more than 50,000 active designers.
A brief history
Verilog HDL originated at Automated Integrated Design Systems (later renamed as Gateway Design Automation) in 1985. The company was privately held at that time by Dr. Prabhu Goel, the inventor of the PODEM test generation algorithm. Verilog HDL was designed by Phil Moorby, who was later to become the Chief Designer for Verilog-XL and the first Corporate Fellow at Cadence Design Systems. Gateway Design Automation grew rapidly with the success of Verilog-XL and was finally acquired by Cadence Design Systems, San Jose, CA in 1989.
Verilog was invented as simulation language. Use of Verilog for synthesis was a complete afterthought. Rumors abound that there were merger discussions between Gateway and Synopsys in the early days, where neither gave the other much chance of success..
In the late 1980's it seemed evident that designers were going to be moving away from proprietary languages like n dot, HiLo and Verilog towards the US Depatment of Defense standard H.D.L., known as the VHSIC Hardware Description Language. VHSIC it self stands for "Very High Speen Intergrated Circuit" BTW).
Perhaps due to such market pressure, Cadence Design Systems decided to open the Verilog language to the public in 1990, and thus OVI (Open Verilog International) was born. Until that time, Verilog HDL was a proprietary language, being the property of Cadence Design Systems. When OVI was formed in 1991, a number of small companies began working on Verilog simulators, including Chronologic Simulation, Frontline Design Automation, and others. The first of these came to market in 1992, and now there are mature Verilog simulators available from many sources.
As a result, the Verilog market has grown substantially. The market for Verilog related tools in 1994 was well over $75,000,000, making it the most commercially significant hardware description language on the market.
An IEEE working group was established in 1993 under the Design Automation Sub-Committee to produce the IEEE Verilog standard 1364. Verilog became IEEE Standard 1364 in 1995.
As an international standard, the Verilog market continued to grow. In 1998 the market for Verilog simulators alone was well over $150,000,000; continuing its dominance.
The IEEE working group released a revised standard in March of 2002, known as IEEE 1364-2001. Significant publication errors marred this release, and a revised version was released in 2003, known as IEEE 1364-2001 Revision C.
This document provides an overview of Verilog hardware description language (HDL) and gate-level modeling. It discusses the key components of Verilog modules like module definition, ports, parameters and instantiations. It describes how to define ports and connect ports in a module. It also covers different gate primitives in Verilog like AND, OR, NOT etc. and how to describe gate-level designs using these primitives by specifying gate connections and delays. Finally, it mentions some references for further reading on Verilog HDL and digital logic design.
This document provides an introduction to Verilog, a hardware description language (HDL). It describes the main purposes of HDLs as allowing designers to describe circuits at both the algorithmic and gate levels, enabling simulation and synthesis. The document then discusses some Verilog basics, including modules as building blocks, ports, parameters, variables, instantiation, and structural vs procedural code. It provides examples of module declarations and typical module components.
1. Embedded C requires compilers to create executable files that can be downloaded and run on microcontrollers, while C compilers typically generate code for operating systems on desktop computers.
2. Embedded systems often have real-time constraints and limited memory and other resources that require more optimization, unlike most desktop applications.
3. Programming for embedded systems focuses on optimally using limited resources and satisfying timing requirements using basic C constructs and function libraries.
The document describes an experiment to write VHDL code for basic logic gates. It includes the truth tables, logic diagrams, and VHDL code for AND, OR, NOT, NAND, NOR, and EXOR gates. Waveform diagrams are provided to simulate the behavior of each gate.
Digital Circuit Verification Hardware Descriptive Language VerilogAbhiraj Bohra
This document discusses digital system design and digital circuit verification using hardware description languages like Verilog. It provides examples of using structural and dataflow modeling in Verilog to describe a 4-to-1 multiplexer and a 2-to-4 decoder. It also demonstrates writing a test bench to apply stimulus and observe the response of a combinational logic circuit during simulation.
Summary of Blue Ocean Strategy and tools. To be used as a quick reference of the concepts and tools. Not a replacement to reading the book (www.blueoceanstrategy.com)
Execution - The Discipline of getting things done GMR Group
This book was published in the year 2002 and I had read this book at that time. Revisited and read this book again just to evaluate the context. Even today the context of this book is very relevant.
Too many leaders fool themselves into thinking their companies are well run. They are like the parents in Garrison Keillor’s fictional Lake Wobegon, all of whom think their children are above average. Then the top performers at Lake Wobegon High school arrive at the University of Minnesota or Colgate or Princeton and find out they are average or even below average. Similarly , when corporate leaders start understanding how the GE’s and Emerson Electrics of this world are run- how superbly they get things done- they discover how far they have to go before they become World class in Execution.
Here is the fundamental problem: People think of execution as the tactical side of business, something leaders delegate while thy focus on the perceived “bigger” issues. This idea is completely wrong. Execution is not just tactics—it is a discipline and a system. It has to be built into a company’s strategy, its goals, and its culture. And the leader of the organization must be deeply engaged in it. He can delegate its substance.
We talk to many leaders who fall victim to the gap between promises they’ve made and results their organizations delivered. They frequently tell us they have a problem with accountability—people aren’t doing the things they’re supposed to do to implement a plan. They desperately want to make changes of some kind, but what do they need to change? They don’t know.
Execution is a specific set of behaviors and techniques that companies need to master in order to have competitive advantage.
Read this Summary ……
Control-flow analysis discovers the flow of control within code by building basic blocks and a control-flow graph (CFG). It identifies loops by computing dominators. Basic blocks are sequences of straight-line code with a single entry and exit. A CFG represents control flow with nodes for basic blocks and edges for control transfers. Loops are detected by finding natural loops defined by back edges where the target dominates the source.
Delays in Verilog allow modeling of timing aspects like propagation delays. There are different types of delays depending on the design approach - gate level modeling uses rise, fall, and turn-off delays while dataflow modeling uses assignment delays on nets. Behavioral modeling supports regular delays before assignments, intra-assignment delays after the equals sign, and zero delays to ensure last execution. Sequential and parallel blocks also control statement ordering.
This document discusses switch level modeling in Verilog. It describes different types of transistor switches that can be used as primitives in Verilog, including nmos, pmos, rnmos, rpmos, and cmos switches. It also covers bidirectional switches like tran, tranif1, and examples of how to use the switches to model basic logic gates and memory cells like a RAM cell. Time delays can be specified for switches. Switch level modeling allows designing circuits using transistors directly in Verilog.
C++ allows for concise summaries in 3 sentences or less:
The document provides an overview of C++ concepts including data types, variables, operators, functions, classes, inheritance and virtual members. It also covers process and thread concepts at a high level. Code examples are provided to illustrate namespaces, input/output, program flow control, overloading, dynamic memory allocation, and classes. The document serves as a brief review of fundamental C++ and system programming concepts.
The document contains questions and explanations about C programming keywords and concepts like pointers, arrays, structures, unions, and bit manipulation. It provides definitions and examples for keywords like #define, #include, #pragma, #asm, #ifdef, and #endif. It also gives solutions to questions about pointers, counting bits to access specific bits or bytes of memory at a particular address, and explaining differences between array parameters and pointers in function definitions in C.
This document contains lecture notes on Verilog syntax and structural modeling. It discusses various Verilog concepts like commenting code, numbers and identifiers, vectors, arrays, parameters and defines, gate primitives, and hierarchy. It provides examples of modeling half adders and full adders structurally and behaviorally using primitives, modules, and always blocks. The document emphasizes choosing descriptive names and commenting code to explain the purpose or motivation behind design decisions.
This document discusses synchronization and semaphores. It begins by explaining how mutual exclusion can be achieved in uni-processors using interrupt disabling, but this does not work in multi-processors. Semaphores provide a solution using atomic test-and-set instructions. Semaphores allow processes to suspend execution and wait for signals. They avoid busy waiting by putting processes to sleep when the semaphore value is not positive. The document provides examples of using binary and general semaphores for problems like mutual exclusion and process synchronization.
SystemVerilog Assertions verification with SVAUnit - DVCon US 2016 TutorialAmiq Consulting
This document provides an overview of SystemVerilog Assertions (SVAs) and the SVAUnit framework for verifying SVAs. It begins with an introduction to SVAs, including types of assertions and properties. It then discusses planning SVA development, such as identifying design characteristics and coding guidelines. The document outlines implementing SVAs and using the SVAUnit framework, which allows decoupling SVA definition from validation code. It provides an example demonstrating generating stimuli to validate an AMBA APB protocol SVA using SVAUnit. Finally, it summarizes SVAUnit's test API and features for error reporting and test coverage.
This document discusses different types of simulation for digital circuits including analog simulation using a SPICE engine, digital simulation, and event-driven simulation. It also covers testbenches, including generating stimulus, monitoring outputs, and exhaustively testing designs. Key topics covered include clocks, finite state machine testing, and force/release in testbenches.
Verilog is a hardware description language used to model and simulate digital circuits. It supports different levels of abstraction from algorithmic level down to transistor level. The document describes key Verilog concepts including data types, operators, procedural blocks, timing, and system tasks. It also explains the use of modules for hierarchical design and compiler directives for code reuse and timescale specification.
This document provides an overview of Verilog, including:
- Verilog is a hardware description language used to describe digital systems at different levels including switch, gate, and register transfer levels.
- It discusses the basics of Verilog, common simulation tools, design methodology, modules, ports, data types, assignments, primitives, test benches, and provides a tutorial for using Active-HDL for simulation.
Verilog HDL (Hardware Description Language) Training Course for self-taught instructional. User should be familiar with basic digital and logic design. Helpful to have a Verilog simulator while going through examples.
Verilog HDL is a hardware description language used to design and document electronic systems. Verilog HDL allows designers to design at various levels of abstraction. It is the most widely used HDL with a user community of more than 50,000 active designers.
A brief history
Verilog HDL originated at Automated Integrated Design Systems (later renamed as Gateway Design Automation) in 1985. The company was privately held at that time by Dr. Prabhu Goel, the inventor of the PODEM test generation algorithm. Verilog HDL was designed by Phil Moorby, who was later to become the Chief Designer for Verilog-XL and the first Corporate Fellow at Cadence Design Systems. Gateway Design Automation grew rapidly with the success of Verilog-XL and was finally acquired by Cadence Design Systems, San Jose, CA in 1989.
Verilog was invented as simulation language. Use of Verilog for synthesis was a complete afterthought. Rumors abound that there were merger discussions between Gateway and Synopsys in the early days, where neither gave the other much chance of success..
In the late 1980's it seemed evident that designers were going to be moving away from proprietary languages like n dot, HiLo and Verilog towards the US Depatment of Defense standard H.D.L., known as the VHSIC Hardware Description Language. VHSIC it self stands for "Very High Speen Intergrated Circuit" BTW).
Perhaps due to such market pressure, Cadence Design Systems decided to open the Verilog language to the public in 1990, and thus OVI (Open Verilog International) was born. Until that time, Verilog HDL was a proprietary language, being the property of Cadence Design Systems. When OVI was formed in 1991, a number of small companies began working on Verilog simulators, including Chronologic Simulation, Frontline Design Automation, and others. The first of these came to market in 1992, and now there are mature Verilog simulators available from many sources.
As a result, the Verilog market has grown substantially. The market for Verilog related tools in 1994 was well over $75,000,000, making it the most commercially significant hardware description language on the market.
An IEEE working group was established in 1993 under the Design Automation Sub-Committee to produce the IEEE Verilog standard 1364. Verilog became IEEE Standard 1364 in 1995.
As an international standard, the Verilog market continued to grow. In 1998 the market for Verilog simulators alone was well over $150,000,000; continuing its dominance.
The IEEE working group released a revised standard in March of 2002, known as IEEE 1364-2001. Significant publication errors marred this release, and a revised version was released in 2003, known as IEEE 1364-2001 Revision C.
This document provides an overview of Verilog hardware description language (HDL) and gate-level modeling. It discusses the key components of Verilog modules like module definition, ports, parameters and instantiations. It describes how to define ports and connect ports in a module. It also covers different gate primitives in Verilog like AND, OR, NOT etc. and how to describe gate-level designs using these primitives by specifying gate connections and delays. Finally, it mentions some references for further reading on Verilog HDL and digital logic design.
This document provides an introduction to Verilog, a hardware description language (HDL). It describes the main purposes of HDLs as allowing designers to describe circuits at both the algorithmic and gate levels, enabling simulation and synthesis. The document then discusses some Verilog basics, including modules as building blocks, ports, parameters, variables, instantiation, and structural vs procedural code. It provides examples of module declarations and typical module components.
1. Embedded C requires compilers to create executable files that can be downloaded and run on microcontrollers, while C compilers typically generate code for operating systems on desktop computers.
2. Embedded systems often have real-time constraints and limited memory and other resources that require more optimization, unlike most desktop applications.
3. Programming for embedded systems focuses on optimally using limited resources and satisfying timing requirements using basic C constructs and function libraries.
The document describes an experiment to write VHDL code for basic logic gates. It includes the truth tables, logic diagrams, and VHDL code for AND, OR, NOT, NAND, NOR, and EXOR gates. Waveform diagrams are provided to simulate the behavior of each gate.
Digital Circuit Verification Hardware Descriptive Language VerilogAbhiraj Bohra
This document discusses digital system design and digital circuit verification using hardware description languages like Verilog. It provides examples of using structural and dataflow modeling in Verilog to describe a 4-to-1 multiplexer and a 2-to-4 decoder. It also demonstrates writing a test bench to apply stimulus and observe the response of a combinational logic circuit during simulation.
Summary of Blue Ocean Strategy and tools. To be used as a quick reference of the concepts and tools. Not a replacement to reading the book (www.blueoceanstrategy.com)
Execution - The Discipline of getting things done GMR Group
This book was published in the year 2002 and I had read this book at that time. Revisited and read this book again just to evaluate the context. Even today the context of this book is very relevant.
Too many leaders fool themselves into thinking their companies are well run. They are like the parents in Garrison Keillor’s fictional Lake Wobegon, all of whom think their children are above average. Then the top performers at Lake Wobegon High school arrive at the University of Minnesota or Colgate or Princeton and find out they are average or even below average. Similarly , when corporate leaders start understanding how the GE’s and Emerson Electrics of this world are run- how superbly they get things done- they discover how far they have to go before they become World class in Execution.
Here is the fundamental problem: People think of execution as the tactical side of business, something leaders delegate while thy focus on the perceived “bigger” issues. This idea is completely wrong. Execution is not just tactics—it is a discipline and a system. It has to be built into a company’s strategy, its goals, and its culture. And the leader of the organization must be deeply engaged in it. He can delegate its substance.
We talk to many leaders who fall victim to the gap between promises they’ve made and results their organizations delivered. They frequently tell us they have a problem with accountability—people aren’t doing the things they’re supposed to do to implement a plan. They desperately want to make changes of some kind, but what do they need to change? They don’t know.
Execution is a specific set of behaviors and techniques that companies need to master in order to have competitive advantage.
Read this Summary ……
Consulting - Stanford Strategic Framework for Matrix Structures Francisco Gonzalez
The document proposes a matrix organizational structure for a fast-growing company managing approximately 50 projects simultaneously. The VP of Operations will lead multiple project managers and functional departments to ensure projects are completed on time, on budget, and to the required quality standard. This will align the company's strategy, culture, and structure to achieve its aggressive growth goals. A strong matrix structure with primary alignment to projects is recommended to facilitate coordination across the many concurrent initiatives.
The document provides an introduction to strategic business execution. It discusses the importance of strategic execution, as 90% of strategies fail due to poor execution. It then presents a strategic execution framework with four components: values/behaviors/attitudes, important competencies, core disciplines, and integrating processes. The document delves into each of these components, describing key aspects of strategic business execution like strategic planning, portfolio management, program management and more.
CRM 2.0 - Frameworks for Program StrategyMichael Moir
This presentation reviews several overarching frameworks for guiding CRM strategy and planning efforts. It provides a starting point for many aspects of a holistic CRM approach.
The Visioneering Operating System - A Framework For ExecutionDavender Gupta
The document proposes a Visioneering Business Operating System (VOS) as a framework to accelerate the transition from strategy to execution. The VOS would provide a standardized yet customizable set of processes across four systems - people systems, operations systems, project systems, and learning systems. It aims to reduce business failures caused by the strategy-execution gap and improve business performance through increased visibility, accountability, adaptability, and quality.
This Slideshare presentation is a partial preview of the full business document. To view and download the full document, please go here:
http://flevy.com/browse/business-document/it-strategy-209
This is a comprehensive document on Information Technology (IT) / Management Information Systems (MIS) Strategy.
This document includes IT strategy frameworks, critical success factors, detailed project approach and organizational structure, sample deliverables, and more.
Execution - The Discipline of getting things doneSathish Kumar P
The document summarizes key points from the book "Execution" about how to successfully execute business strategies. It discusses that execution requires integrating people, strategy, and operations. Execution is not tactical but a discipline that companies must master. Leaders play a central role in conceiving and executing strategy. The three core processes of execution are the people process, strategy process, and operational process, which must all be critically linked with a focus on people. Putting an execution environment in place is difficult but losing it is easy.
Strategic Planning, Execution Frameworks & Organizational Health – Executive Summary
There are many frameworks and components for strategic management, planning, and execution; like a Ferrari, a BMW, or a Volkswagen, they all do the job – just differently. Ultimately, every business needs to answer some key questions:
Where are we? Where are we going? How do we get there? How are we doing? How do we function effectively? How can we influence what we cannot control? How should we appear to Customers (BtoB, BtoC)? How do we look to our investors? How do we look to our workforce? How do we sustain, and continuously learn & improve? What must we excel at to satisfy stakeholders? How do we become The Employer of Choice, and the Provider of Choice in the markets we serve?
Led by an internal team (which frequently includes the CEO, CFO, COO, CHRO, sales & marketing, IT/IS, and other represented disciplines), and sometimes also key stakeholders (customers, suppliers), the output is practical & tactical, helping to enable sterling execution & organizational health.
Strategic management is a method by which leaders conceive of and implement a strategy that leads to a sustainable competitive advantage.
Strategic planning is a systematic, organizational effort that includes initial assessment, thorough analysis, strategy formulation, its implementation and evaluation, leading to the achievement of business goals, and competitive advantage. Continuous improvement / continuous learning includes benchmarking, best practices, change management, and performance excellence. Input frequently comes from senior management, and may also come from lead investors, the workforce, key customers, suppliers, and distributors.
Execution frameworks help align the organization’s talent, organizational structure, programs, projects, tasks, processes, and technology, to ensure strategy is executed on time, on budget, as required, meeting (and exceeding) business goals. In many instances, an execution framework has few strategic objectives, numerous (enabling) tactical initiatives, measures, and targets, plans operations, monitors and learns, validates & adapts, supported by budget & resources.
Organizational health is about making a company function effectively by building a cohesive leadership team, establishing real clarity among those leaders, communicating that clarity to everyone within the organization, and putting in place enough structure to reinforce that clarity going forward, and aligning rewards, metrics, and resources.
The frameworks in this document are probably most helpful for those who are already familiar with or practice content strategy. They also represent the ones we particularly like and use the most here at KBS. We hope you find them useful.
The document provides an overview of several frameworks related to project management, process improvement, strategy development, and enterprise architecture. It summarizes frameworks for the project management process groups, Six Sigma DMAIC methodology, the "Strategy Fish" diagram, a strategic planning framework, an implementation playbook structure, a learning framework, the SDLC, a communication framework, organization design principles, and models for enterprise architecture and management framework interoperability.
Porter's strategies (generic strategies, five forces, diamond model) with ref...Sigortam.net
It is very hard to apply and understand Michael Porter's strategy frameworks. That's why i prepared this summary for myself and to whom feels same feelings about it...
Testing web applications for performance is fundamentally different and more complex than testing them for functional correctness. To carry out effective Performance Testing (PT) it is essential to choose the right tools at the right time. They are chosen in different phases of PT to perform activities Such as scripting, test execution, reporting and analysis. The Performance Execution Framework (PEF) is designed to boost the productivity of performance test teams.
The document provides an overview of several frameworks and models used for strategic analysis, including SWOT analysis, Porter's 5 forces, and the strategy diamond. It discusses the strengths and weaknesses of each framework. In particular, it explains that while SWOT analysis identifies strengths, weaknesses, opportunities, and threats, it does not provide guidance on what actions to take. The document also discusses different measures of industry concentration, including concentration ratios and the Herfindahl-Hirschman Index (HHI). The HHI gives more weight to larger firms and provides a more accurate picture of competition than concentration ratios alone. Thresholds for the HHI indicate whether an industry is highly competitive or concentrated.
The document introduces Cockatrice, a hardware design environment that uses Elixir as its description language. Cockatrice aims to synthesize hardware description language (HDL) from Elixir code written in a "Zen style" with Enum and Flow functions. This allows hardware to be designed and operated from Elixir code. Cockatrice provides templates to synthesize HDL modules from Elixir functions and connects them as a dataflow circuit from the abstract syntax tree. It also generates an interface driver in C to enable communication between the synthesized hardware and controlling Elixir software.
The document describes the general structure of a compiler, which consists of a front-end and back-end separated by an intermediate representation (IR). The front-end performs analysis of the source code by parsing and semantic checking to generate an IR. The back-end then translates the IR into target code through optimization and code generation. This separation allows different front-ends and back-ends to be combined to create compilers for new languages and targets. The front-end includes lexical analysis, syntax analysis, and semantic analysis, while the back-end contains IR generation, optimization, and code generation steps.
This document provides an introduction to assembly language programming. It discusses how assembly language works at a low level directly with a computer's processor. It outlines the basic components of an assembly language program like editors, assemblers, linkers and debuggers. It also describes the instruction sets, addressing modes, and common directives supported by the 8086 microprocessor. Finally, it provides an example of a simple assembly language program to perform an 8-bit number subtraction.
We have learnt that any computer system is made of hardware and software.
The hardware understands a language, which humans cannot understand. So we write programs in high-level language, which is easier for us to understand and remember.
These programs are then fed into a series of tools and OS components to get the desired code that can be used by the machine.
This is known as Language Processing System.
This document provides an overview of topics related to compiler design and implementation including: lexical analysis, parsing, semantic analysis, code generation, assembly language programming, finite automata, parsing algorithms, and the WL programming language. It lists specific tasks like performing semantic analysis on WL programs, generating MIPS assembly code from WL parse trees, drawing finite automata, and parsing strings using various grammars. It also defines key concepts and compares programming languages.
The document discusses attention mechanisms and their implementation in TensorFlow. It begins with an overview of attention mechanisms and their use in neural machine translation. It then reviews the code implementation of an attention mechanism for neural machine translation from English to French using TensorFlow. Finally, it briefly discusses pointer networks, an attention mechanism variant, and code implementation of pointer networks for solving sorting problems.
This document discusses assemblers and assembly language. It defines an assembler as a program that accepts assembly language as input and translates it into machine language. It describes the main components of assembly language statements, including labels, mnemonics, operands, and different statement types. It also explains the different data structures used by assemblers, including symbol tables, mnemonic tables, and location counters. Finally, it discusses the two-pass structure of assemblers, how they generate intermediate code on the first pass and then use that to resolve forward references and completely synthesize instructions on the second pass.
In this PPT we covered all the points like..Introduction to compilers - Design issues, passes, phases, symbol table
Preliminaries - Memory management, Operating system support for compiler, Compiler support for garbage collection ,Lexical Analysis - Tokens, Regular Expressions, Process of Lexical analysis, Block Schematic, Automatic construction of lexical analyzer using LEX, LEX features and specification.
Reversing & Malware Analysis Training Part 4 - Assembly Programming Basicssecurityxploded
This presentation is part of our Reverse Engineering & Malware Analysis Training program.
For more details refer our Security Training page
http://securityxploded.com/security-training.php
The document provides an introduction to computer organization and assembly language. It discusses that processor understands only machine language instructions as strings of 1s and 0s. Assembly language represents instructions in a more understandable symbolic code for a specific processor family. Assembly language is converted into executable machine code by an assembler utility. Understanding assembly language provides knowledge of how programs interface with the operating system, processor and BIOS, and how instructions access and process data.
The document provides information about a reversing and malware analysis training program. It begins with a disclaimer stating that the views expressed are solely of the trainer and not the company. It then acknowledges those who supported the training program. It states that the presentation is part of a reversing and malware analysis training program currently only offered locally for free. It introduces the two trainers and provides their backgrounds and contact information. It outlines topics that will be covered including x86 assembly, instructions, stack operations, and calling conventions. It notes that a demonstration will be included.
The document discusses instruction set architecture and the MIPS architecture. It introduces key concepts like assembly language, registers, instructions, and how assembly code maps to high-level languages like C. Specific MIPS instructions for arithmetic like addition and subtraction are presented, showing how a single line of C code can require multiple assembly instructions. Register usage and conventions are also covered.
Assemblers take assembly code written in symbolic mnemonics and convert it into machine-readable object code. They evaluate the operation field of each instruction to find the corresponding machine code value. Assemblers also generate location counter values and other information needed by the loader. Assembly programs contain labels, opcodes, operands, and comments. Assembler directives provide instructions to the assembler itself rather than generating machine codes. Common directives include START and END to specify the beginning and end of a program. VAX, Pentium Pro, and other architectures have different data formats, instruction formats, addressing modes, instruction sets, and I/O methods.
The document provides an overview of compiler design and the different phases involved in compiling a program. It discusses:
1) What compilers do by translating source code into machine code while hiding machine-dependent details. Compilers may generate pure machine code, augmented machine code, or virtual machine code.
2) The typical structure of a compiler which includes lexical analysis, syntactic analysis, semantic analysis, code generation, and optimization phases.
3) Lexical analysis involves scanning the source code and grouping characters into tokens. Regular expressions are used to specify patterns for tokens. Scanner generators like Lex and Flex can generate scanners from regular expression definitions.
The document discusses intermediate code generation in compilers. It describes how compilers generate intermediate code representations after parsing source code. Intermediate representations allow separating the front-end and back-end of compilers, facilitating code optimization and retargeting compilers to different architectures. Common intermediate representations discussed include abstract syntax trees, postfix notation, static single assignment form, and three-address instructions. The document also provides examples of generating three-address code using syntax-directed translation.
The document provides details about the architecture of SIC and SIC/XE machines. It describes the memory, registers, data formats, instruction formats, addressing modes, instruction set, and input/output for both machines. It also provides example programs to illustrate different instructions and addressing modes. Additionally, it explains CISC machines in general and provides details about the VAX and Pentium Pro architectures as examples of CISC instruction set architectures.
W8_1: Intro to UoS Educational ProcessorDaniel Roggen
Introduction to the University of Sussex Educational Processor
In this unit we introduce the UoS educational processor and it's key components, including register banks, ALU, IO and memory interfaces, etc.
Unit duration: 50mn.
License: LGPL 2.1
This document provides an overview of MIPS machine language instructions. It describes the key components of MIPS instructions, including register operands, immediate operands, and different instruction formats. It explains basic arithmetic, load/store, branch, and jump instructions. It also discusses MIPS register organization, memory organization including byte ordering, the fetch-execute cycle, and MIPS addressing modes including register, word-relative, and PC-relative addressing. The document is serving as a lecture on MIPS instruction set architecture for a computer organization and architecture course.
This document provides an introduction to assembly language programming fundamentals. It discusses machine languages and low-level languages. It also covers data representation and numbering systems. Key assembly language concepts like instructions format, directives, procedures, macros and input/output are described. Examples are given to illustrate variables, assignment, conditional jumps, loops and other common programming elements in assembly language.
The document discusses RISC-V instruction formats. It describes six main instruction formats: R-format, I-format, S-format, SB-format, U-format, and UJ-format. The R-format is used for instructions that use three register inputs. The I-format is used for instructions that have an immediate field instead of the second register. The S-format is used for store instructions. The SB-format is used for branch instructions. The U-format is used for instructions with an upper immediate field. The UJ-format is used for jump instructions.
Similar to Sstic 2015 detailed_version_triton_concolic_execution_frame_work_f_saudel_jsalwan (20)
Remote Sensing and Computational, Evolutionary, Supercomputing, and Intellige...University of Maribor
Slides from talk:
Aleš Zamuda: Remote Sensing and Computational, Evolutionary, Supercomputing, and Intelligent Systems.
11th International Conference on Electrical, Electronics and Computer Engineering (IcETRAN), Niš, 3-6 June 2024
Inter-Society Networking Panel GRSS/MTT-S/CIS Panel Session: Promoting Connection and Cooperation
https://www.etran.rs/2024/en/home-english/
EWOCS-I: The catalog of X-ray sources in Westerlund 1 from the Extended Weste...Sérgio Sacani
Context. With a mass exceeding several 104 M⊙ and a rich and dense population of massive stars, supermassive young star clusters
represent the most massive star-forming environment that is dominated by the feedback from massive stars and gravitational interactions
among stars.
Aims. In this paper we present the Extended Westerlund 1 and 2 Open Clusters Survey (EWOCS) project, which aims to investigate
the influence of the starburst environment on the formation of stars and planets, and on the evolution of both low and high mass stars.
The primary targets of this project are Westerlund 1 and 2, the closest supermassive star clusters to the Sun.
Methods. The project is based primarily on recent observations conducted with the Chandra and JWST observatories. Specifically,
the Chandra survey of Westerlund 1 consists of 36 new ACIS-I observations, nearly co-pointed, for a total exposure time of 1 Msec.
Additionally, we included 8 archival Chandra/ACIS-S observations. This paper presents the resulting catalog of X-ray sources within
and around Westerlund 1. Sources were detected by combining various existing methods, and photon extraction and source validation
were carried out using the ACIS-Extract software.
Results. The EWOCS X-ray catalog comprises 5963 validated sources out of the 9420 initially provided to ACIS-Extract, reaching a
photon flux threshold of approximately 2 × 10−8 photons cm−2
s
−1
. The X-ray sources exhibit a highly concentrated spatial distribution,
with 1075 sources located within the central 1 arcmin. We have successfully detected X-ray emissions from 126 out of the 166 known
massive stars of the cluster, and we have collected over 71 000 photons from the magnetar CXO J164710.20-455217.
hematic appreciation test is a psychological assessment tool used to measure an individual's appreciation and understanding of specific themes or topics. This test helps to evaluate an individual's ability to connect different ideas and concepts within a given theme, as well as their overall comprehension and interpretation skills. The results of the test can provide valuable insights into an individual's cognitive abilities, creativity, and critical thinking skills
Travis Hills' Endeavors in Minnesota: Fostering Environmental and Economic Pr...Travis Hills MN
Travis Hills of Minnesota developed a method to convert waste into high-value dry fertilizer, significantly enriching soil quality. By providing farmers with a valuable resource derived from waste, Travis Hills helps enhance farm profitability while promoting environmental stewardship. Travis Hills' sustainable practices lead to cost savings and increased revenue for farmers by improving resource efficiency and reducing waste.
Unlocking the mysteries of reproduction: Exploring fecundity and gonadosomati...AbdullaAlAsif1
The pygmy halfbeak Dermogenys colletei, is known for its viviparous nature, this presents an intriguing case of relatively low fecundity, raising questions about potential compensatory reproductive strategies employed by this species. Our study delves into the examination of fecundity and the Gonadosomatic Index (GSI) in the Pygmy Halfbeak, D. colletei (Meisner, 2001), an intriguing viviparous fish indigenous to Sarawak, Borneo. We hypothesize that the Pygmy halfbeak, D. colletei, may exhibit unique reproductive adaptations to offset its low fecundity, thus enhancing its survival and fitness. To address this, we conducted a comprehensive study utilizing 28 mature female specimens of D. colletei, carefully measuring fecundity and GSI to shed light on the reproductive adaptations of this species. Our findings reveal that D. colletei indeed exhibits low fecundity, with a mean of 16.76 ± 2.01, and a mean GSI of 12.83 ± 1.27, providing crucial insights into the reproductive mechanisms at play in this species. These results underscore the existence of unique reproductive strategies in D. colletei, enabling its adaptation and persistence in Borneo's diverse aquatic ecosystems, and call for further ecological research to elucidate these mechanisms. This study lends to a better understanding of viviparous fish in Borneo and contributes to the broader field of aquatic ecology, enhancing our knowledge of species adaptations to unique ecological challenges.
Or: Beyond linear.
Abstract: Equivariant neural networks are neural networks that incorporate symmetries. The nonlinear activation functions in these networks result in interesting nonlinear equivariant maps between simple representations, and motivate the key player of this talk: piecewise linear representation theory.
Disclaimer: No one is perfect, so please mind that there might be mistakes and typos.
dtubbenhauer@gmail.com
Corrected slides: dtubbenhauer.com/talks.html
Phenomics assisted breeding in crop improvementIshaGoswami9
As the population is increasing and will reach about 9 billion upto 2050. Also due to climate change, it is difficult to meet the food requirement of such a large population. Facing the challenges presented by resource shortages, climate
change, and increasing global population, crop yield and quality need to be improved in a sustainable way over the coming decades. Genetic improvement by breeding is the best way to increase crop productivity. With the rapid progression of functional
genomics, an increasing number of crop genomes have been sequenced and dozens of genes influencing key agronomic traits have been identified. However, current genome sequence information has not been adequately exploited for understanding
the complex characteristics of multiple gene, owing to a lack of crop phenotypic data. Efficient, automatic, and accurate technologies and platforms that can capture phenotypic data that can
be linked to genomics information for crop improvement at all growth stages have become as important as genotyping. Thus,
high-throughput phenotyping has become the major bottleneck restricting crop breeding. Plant phenomics has been defined as the high-throughput, accurate acquisition and analysis of multi-dimensional phenotypes
during crop growing stages at the organism level, including the cell, tissue, organ, individual plant, plot, and field levels. With the rapid development of novel sensors, imaging technology,
and analysis methods, numerous infrastructure platforms have been developed for phenotyping.
Authoring a personal GPT for your research and practice: How we created the Q...Leonel Morgado
Thematic analysis in qualitative research is a time-consuming and systematic task, typically done using teams. Team members must ground their activities on common understandings of the major concepts underlying the thematic analysis, and define criteria for its development. However, conceptual misunderstandings, equivocations, and lack of adherence to criteria are challenges to the quality and speed of this process. Given the distributed and uncertain nature of this process, we wondered if the tasks in thematic analysis could be supported by readily available artificial intelligence chatbots. Our early efforts point to potential benefits: not just saving time in the coding process but better adherence to criteria and grounding, by increasing triangulation between humans and artificial intelligence. This tutorial will provide a description and demonstration of the process we followed, as two academic researchers, to develop a custom ChatGPT to assist with qualitative coding in the thematic data analysis process of immersive learning accounts in a survey of the academic literature: QUAL-E Immersive Learning Thematic Analysis Helper. In the hands-on time, participants will try out QUAL-E and develop their ideas for their own qualitative coding ChatGPT. Participants that have the paid ChatGPT Plus subscription can create a draft of their assistants. The organizers will provide course materials and slide deck that participants will be able to utilize to continue development of their custom GPT. The paid subscription to ChatGPT Plus is not required to participate in this workshop, just for trying out personal GPTs during it.
ESPP presentation to EU Waste Water Network, 4th June 2024 “EU policies driving nutrient removal and recycling
and the revised UWWTD (Urban Waste Water Treatment Directive)”
The ability to recreate computational results with minimal effort and actionable metrics provides a solid foundation for scientific research and software development. When people can replicate an analysis at the touch of a button using open-source software, open data, and methods to assess and compare proposals, it significantly eases verification of results, engagement with a diverse range of contributors, and progress. However, we have yet to fully achieve this; there are still many sociotechnical frictions.
Inspired by David Donoho's vision, this talk aims to revisit the three crucial pillars of frictionless reproducibility (data sharing, code sharing, and competitive challenges) with the perspective of deep software variability.
Our observation is that multiple layers — hardware, operating systems, third-party libraries, software versions, input data, compile-time options, and parameters — are subject to variability that exacerbates frictions but is also essential for achieving robust, generalizable results and fostering innovation. I will first review the literature, providing evidence of how the complex variability interactions across these layers affect qualitative and quantitative software properties, thereby complicating the reproduction and replication of scientific studies in various fields.
I will then present some software engineering and AI techniques that can support the strategic exploration of variability spaces. These include the use of abstractions and models (e.g., feature models), sampling strategies (e.g., uniform, random), cost-effective measurements (e.g., incremental build of software configurations), and dimensionality reduction methods (e.g., transfer learning, feature selection, software debloating).
I will finally argue that deep variability is both the problem and solution of frictionless reproducibility, calling the software science community to develop new methods and tools to manage variability and foster reproducibility in software systems.
Exposé invité Journées Nationales du GDR GPL 2024
1. Triton: Concolic Execution Framework
Florent Saudel
Jonathan Salwan
SSTIC
Rennes – France
Slides: detailed version
June 3 2015
Keywords: program analysis, DBI, DBA, Pin, concrete execution,
symbolic execution, concolic execution, DSE, taint analysis,
context snapshot, Z3 theorem prover and behavior analysis.
2. 2
● Jonathan Salwan is a student at Bordeaux University
(CSI Master) and also an employee at Quarkslab
● Florent Saudel is a student at the Bordeaux
University (CSI Master) and applying to an
Internship at Amossys
● Both like playing with low-level computing, program
analysis and software verification methods
Who are we?
3. 3
● Triton is a project started on January 2015 for our
Master final project at Bordeaux University (CSI)
supervised by Emmanuel Fleury from laBRI
● Triton is also sponsored by Quarkslab from the
beginning
Where does Triton come from?
4. 4
● Triton is a concolic execution framework as Pintool
● It provides advanced classes to improve dynamic
binary analysis (DBA) using Pin
– Symbolic execution engine
– SMT semantics representation
– Interface with SMT Solver
– Taint analysis engine
– Snapshot engine
– API and Python bindings
What is Triton?
5. 5
What is Triton?
Plug what you want which supports
the SMT2-LIB format
Pin
Taint
Engine
Symbolic
Execution
Engine
Snapshot
Engine
SMT
Semantics
IR
SMT
Solver
Interface
Python
Bindings
Triton internal components
Triton.so pintool
user
script.py
Z3 *
Front-endBack-end User side
6. 6
● Well-known projects
– SAGE
– Mayhem
– Bitblaze
– S2E
● The difference?
– Triton works online* through a higher level
languages using the Pin engine
Relative projects
online*: Analysis is performed at runtime and data can be modified directly
in memory to go through specific branches.
7. 7
● You can build tools which:
– Analyze a trace with concrete information
● Registers and memory values at each program point
– Perform a symbolic execution
● To know the symbolic expression of registers and memory at each program point
– Perform a symbolic fuzzing session
– Generate and solve path constraints
– Gather code coverage
– Runtime registers and memory modification
– Replay traces directly in memory
– Scriptable debugging
– Access to Pin functions through a higher level languages (Python bindings)
– And probably lots of others things
What kind of things you can
build with Triton?
10. 10
● Symbolic Engine
● Symbolic execution is the execution of a program using
symbolic variables instead of concrete values
● Symbolic execution translates the program's semantics into a
logical formula
● Symbolic execution can build and keep a path formula
– By solving the formula and its negation we can take all paths
and “cover” a code
● Instead of concrete execution which takes only one path
● Then a symbolic expression is given to a SMT solver to
generate a concrete value
11. 11
● Symbolic Engine inside Triton
●
A trace is a sequence of instructions
T = (Ins1 Ins∧ 2 Ins∧ 3 Ins∧ 4 … Ins∧ ∧ i)
●
Instructions are represented with symbolic expressions
●
A symbolic trace is a sequence of symbolic expressions
● Each symbolic expression is translated like this:
REFout = semantic
– Where :
●
REFout := unique ID
●
Semantic := REFin | <<smt expression>>
●
Each register or byte of memory points to its last reference →
Single Static Assignment Form (SSA)
16. 16
● Rebuild the trace with
backward analysis
movzx eax, byte ptr [mem]
add eax, 2
mov ebx, eax
Example:
// All refs initialized to -1
Register Reference Table {
EAX : #1,
EBX : #2,
ECX : -1,
...
}
// Empty set
Symbolic Expression Set {
<#2, #1>,
<#1, (bvadd #0 2)>,
<#0, symvar_1>
}
What is the semantic trace of EBX ?
17. 17
● Rebuild the trace with
backward analysis
movzx eax, byte ptr [mem]
add eax, 2
mov ebx, eax
Example:
// All refs initialized to -1
Register Reference Table {
EAX : #1,
EBX : #2,
ECX : -1,
...
}
// Empty set
Symbolic Expression Set {
<#2, #1>,
<#1, (bvadd #0 2)>,
<#0, symvar_1>
}
What is the semantic trace of EBX ?
EBX holds the reference #2
18. 18
● Rebuild the trace with
backward analysis
movzx eax, byte ptr [mem]
add eax, 2
mov ebx, eax
Example:
// All refs initialized to -1
Register Reference Table {
EAX : #1,
EBX : #2,
ECX : -1,
...
}
// Empty set
Symbolic Expression Set {
<#2, #1>,
<#1, (bvadd #0 2)>,
<#0, symvar_1>
}
What is the semantic trace of EBX ?
EBX holds the reference #2
What is #2 ?
19. 19
● Rebuild the trace with
backward analysis
movzx eax, byte ptr [mem]
add eax, 2
mov ebx, eax
Example:
// All refs initialized to -1
Register Reference Table {
EAX : #1,
EBX : #2,
ECX : -1,
...
}
// Empty set
Symbolic Expression Set {
<#2, #1>,
<#1, (bvadd #0 2)>,
<#0, symvar_1>
}
What is the semantic trace of EBX ?
EBX holds the reference #2
What is #2 ? Reconstruction: EBX = #2
20. 20
● Rebuild the trace with
backward analysis
movzx eax, byte ptr [mem]
add eax, 2
mov ebx, eax
Example:
// All refs initialized to -1
Register Reference Table {
EAX : #1,
EBX : #2,
ECX : -1,
...
}
// Empty set
Symbolic Expression Set {
<#2, #1>,
<#1, (bvadd #0 2)>,
<#0, symvar_1>
}
What is the semantic trace of EBX ?
EBX holds the reference #2
What is #2 ? Reconstruction: EBX = #1
21. 21
● Rebuild the trace with
backward analysis
movzx eax, byte ptr [mem]
add eax, 2
mov ebx, eax
Example:
// All refs initialized to -1
Register Reference Table {
EAX : #1,
EBX : #2,
ECX : -1,
...
}
// Empty set
Symbolic Expression Set {
<#2, #1>,
<#1, (bvadd #0 2)>,
<#0, symvar_1>
}
What is the semantic trace of EBX ?
EBX holds the reference #2
What is #2 ? Reconstruction: EBX = (bvadd #0 2)
22. 22
● Rebuild the trace with
backward analysis
movzx eax, byte ptr [mem]
add eax, 2
mov ebx, eax
Example:
// All refs initialized to -1
Register Reference Table {
EAX : #1,
EBX : #2,
ECX : -1,
...
}
// Empty set
Symbolic Expression Set {
<#2, #1>,
<#1, add(#0, 2)>,
<#0, symvar_1>
}
What is the semantic trace of EBX ?
EBX holds the reference #2
What is #2 ? Reconstruction: EBX = (bvadd symvar_1 2)
23. 23
● Assigning a reference for each register is not enough, we must also add
references on memory
● Follow references over memory
mov dword ptr [rbp-0x4], 0x0
...
mov eax, dword ptr [rbp-0x4]
push eax
...
pop ebx
What do we want to know?
Eax = 0 from somewhere ebx = eax
References
#1 = 0x0
...
#x = #1
#2 = #1
...
#x = #2
24. 24
● All registers, flags and each byte of memory are references
● A reference assignment is in SSA form during the execution
● The registers, flags and bytes of memory are assigned in the same
way
● A memory reference can be assigned from a register reference
(mov [mem], reg)
● A register reference can be assigned from a memory reference
(mov reg, [mem])
● If a reference doesn't exist yet, we concretize the value and we
affect a new reference
● References conclusion
27. 27
● SMT Semantics Representation
with SSA Form
● Why use SMT2-LIB representation?
– SMT-LIB is an international initiative aimed at facilitating research and
development in Satisfiability Modulo Theories (SMT)
– As all Triton's expressions are in the SMT2-LIB representation, you
can plug all solvers which supports this representation
● Currently Triton has an interface with Z3 but feel free to plug what
you want
29. 29
● Symbolic Execution Guided By The
Taint Analysis
● Taint analysis provides information about which registers and memory
addresses are controllable by the user at each program point:
– Assists the symbolic engine to setup the symbolic variables (a
symbolic variable is a memory area that the user can control)
– Limit the symbolic engine to the relevant part of the program
– At each branch instruction, we directly know if the user can go through
both branches (this is mainly used for code coverage)
30. 30
● Symbolic Execution Guided By The
Taint Analysis
● Transform a tainted area into a symbolic variable
0x40058b: movzx eax, byte ptr [rax]
-> #33 = SymVar_0 ; Controllable by the user
-> #34 = (_ bv4195726 64) ; RIP
0x40058e: movsx eax, al
-> #35 = ((_ sign_extend 24) ((_ extract 7 0) #33))
-> #36 = (_ bv4195729 64) ; RIP
0x40058b: movzx eax, byte ptr [rax]
-> #33 = ((_ zero_extend 24) (_ bv97 8))
-> #34 = (_ bv4195726 64) ; RIP
0x40058e: movsx eax, al
-> #35 = ((_ sign_extend 24) ((_ extract 7 0) #33))
-> #36 = (_ bv4195729 64) ; RIP
rax points on a tainted area
Use symbolic variable instead of concrete value
31. 31
● Symbolic Execution Guided By The
Taint Analysis
● Can I go through this branch?
– Check if flags are tainted
0x4005ae: cmp ecx, eax
-> #72 = (bvsub ((_ extract 31 0) #52) ((_ extract 31 0) #70))
...CF, OF, SF, AF, and PF skipped...
-> #78 = (ite (= #72 (_ bv0 32)) (_ bv1 1) (_ bv0 1)) ; ZF
-> #79 = (_ bv4195760 64) ; RIP
0x4005b0: jz 0x4005b9
-> #80 = (ite (= #78 (_ bv1 1)) (_ bv4195769 64) (_ bv4195762 64)) ; RIP
eax is tainted
tainted
32. 32
● Taint Analysis guided by the Symbolic
Engine and the Solver Engine
●
As the symbolic execution may be guided by the taint analysis, the taint analysis may
also be guided by the symbolic execution and the solver engine
●
What to choose between an over-approximation and under-approximation?
– Over-approximation: We can generate inputs for infeasible concrete paths.
– Under-approximation: We can miss some feasible paths.
● The goal of the taint engine is to say YES or NO if a register and memory is probably
tainted (byte-level over approximation)
● The goal of the symbolic engine is to build symbolic expressions based on
instructions semantics
● The goal of the solver engine is to generate a model of an expression (path condition)
– If your target is not tainted, don't ask a model → gain time
– If the solver engine returns UNSAT → the tainted inputs can't influence the control
flow to go through this path.
– If the solver engine returns SAT → the path can be triggered with the actual tainted
inputs. The model give us the set of concrete inputs for this path.
34. 34
● Snapshot Engine – Replay your trace
●
The snapshot engine offers the possibility to take and restore snapshot
– Mainly used to apply code coverage in memory. Useful when you fuzz the binary
– In future versions, it will be possible to take different snapshots at several program point
● The snapshot engine only restores registers and memory states
– If there is some disk, network,... I/O, Triton won't be able to restore the files modification
Restore context
Snapshot
Restore
SnapshotTarget
function / basic block
Dynamic Symbolic Execution Possible paths in the target
36. 36
● How to install Triton?
● Easy is easy
● You just need:
– Pin v2.14-71313
– Z3 v4.3.1
– Python v2.7
$ cd pin-2.14-71313-gcc.4.4.7-linux/source/tools/
$ git clone git@github.com:JonathanSalwan/Triton.git
$ cd Triton
$ make
$ ../../../pin -t ./triton.so -script your_script.py -- ./your_target_binary.elf64
Shell 1: Installation
37. 37
● Start an analysis
import triton
if __name__ == '__main__':
# Start the symbolic analysis from the 'check' function
triton.startAnalysisFromSymbol('check')
# Run the instrumentation - Never returns
triton.runProgram()
import triton
if __name__ == '__main__':
# Start the symbolic analysis from address
triton.startAnalysisFromAddr(0x40056d)
triton.stopAnalysisFromAddr(0x4005c9)
# Run the instrumentation - Never returns
triton.runProgram()
Code 1: Start analysis from symbols
Code 2: Start analysis from address
38. 38
● Predicate taint and untaint
import triton
if __name__ == '__main__':
# Start the symbolic analysis from the 'check' function
triton.startAnalysisFromSymbol('check')
# Taint the RAX and RBX registers when the address 0x40058e is executed
triton.taintRegFromAddr(0x40058e, [IDREF.REG.RAX, IDREF.REG.RBX])
# Untaint the RCX register when the address 0x40058e is executed
triton.untaintRegFromAddr(0x40058e, [IDREF.REG.RCX])
# Run the instrumentation - Never returns
triton.runProgram()
Code 3: Predicate taint and untaint at specific addresses
39. 39
● Callbacks
● Triton supports 8 kinds of callbacks
– AFTER
● Defines a callback after the instruction processing
– BEFORE
● Defines a callback before the instruction processing
– BEFORE_SYMPROC
● Defines a callback before the symbolic processing
– FINI
● Define a callback at the end of the execution
– ROUTINE_ENTRY
● Define a callback at the entry of a specified routine.
– ROUTINE_EXIT
● Define a callback at the exit of a specified routine.
– SYSCALL_ENTRY
● Define a callback before each syscall processing
– SYSCALL_EXIT
● Define a callback after each syscall processing
41. 41
● Callback on ROUTINE
def mallocEntry(threadId):
sizeAllocated = getRegValue(IDREF.REG.RDI)
print '-> malloc(%#x)' %(sizeAllocated)
def mallocExit(threadId):
ptrAllocated = getRegValue(IDREF.REG.RAX)
print '<- %#x' %(ptrAllocated)
if __name__ == '__main__':
startAnalysisFromSymbol('main')
addCallback(mallocEntry, IDREF.CALLBACK.ROUTINE_ENTRY, "malloc")
addCallback(mallocExit, IDREF.CALLBACK.ROUTINE_EXIT, "malloc")
runProgram()
Code 5: Callback before and after routine processing
-> malloc(0x20)
<- 0x8fc010
-> malloc(0x20)
<- 0x8fc040
-> malloc(0x20)
<- 0x8fc010
Code 5 result
42. 42
● Callback BEFORE and AFTER
instruction processing
def my_callback_before(instruction):
print 'TID (%d) %#x %s' %(instruction.threadId,
instruction.address,
instruction.assembly)
if __name__ == '__main__':
# Start the symbolic analysis from the 'check' function
startAnalysisFromSymbol('check')
# Add a callback.
addCallback(my_callback_before, IDREF.CALLBACK.BEFORE)
# Run the instrumentation - Never returns
runProgram()
Code 6: Callback before instruction processing
TID (0) 0x40056d push rbp
TID (0) 0x40056e mov rbp, rsp
TID (0) 0x400571 mov qword ptr [rbp-0x18], rdi
TID (0) 0x400575 mov dword ptr [rbp-0x4], 0x0
...
TID (0) 0x4005b2 mov eax, 0x1
TID (0) 0x4005b7 jmp 0x4005c8
TID (0) 0x4005c8 pop rbp
Code 6 result
43. 43
● Instruction class
def my_callback(instruction):
...
● instruction.address
● instruction.assembly
● instruction.imageName - e.g: libc.so
● instruction.isBranch
● instruction.opcode
● instruction.opcodeCategory
● instruction.operands
● instruction.symbolicElements – List of SymbolicElement class
● instruction.routineName - e.g: main
● instruction.sectionName - e.g: .text
● instruction.threadId
46. 46
● Play with the Taint engine at runtime
# 0x40058b: movzx eax, byte ptr [rax]
def cbeforeSymProc(instruction):
if instruction.address == 0x40058b:
rax = getRegValue(IDREF.REG.RAX)
taintMem(rax)
if __name__ == '__main__':
startAnalysisFromSymbol('check')
addCallback(cbeforeSymProc, IDREF.CALLBACK.BEFORE_SYMPROC)
runProgram()
Code 8: Taint memory at runtime
0x40058b: movzx eax, byte ptr [rax]
-> #33 = SymVar_0
-> #34 = (_ bv4195726 64)
0x40058e: movsx eax, al
-> #35 = ((_ sign_extend 24) ((_ extract 7 0) #33))
-> #36 = (_ bv4195729 64)
Code 8 result
Modifications must be done before
the symbolic processing
47. 47
● Taint argv[x][x] at the main function
def mainAnalysis(threadId):
rdi = getRegValue(IDREF.REG.RDI) # argc
rsi = getRegValue(IDREF.REG.RSI) # argv
while rdi != 0:
argv = getMemValue(rsi + ((rdi-1) * 8), 8)
offset = 0
while getMemValue(argv + offset, 1) != 0x00:
taintMem(argv + offset)
offset += 1
print '[+] %03d bytes tainted from the argv[%d] (%#x) pointer'
%(offset, rdi-1, argv)
rdi -= 1
return
Code 9: Taint all arguments when the main function occurs
$ pin -t ./triton.so -script taint_main.py -- ./example.bin64 12 123456 123456789
[+] 009 bytes tainted from the argv[3] (0x7fff802ad116) pointer
[+] 006 bytes tainted from the argv[2] (0x7fff802ad10f) pointer
[+] 002 bytes tainted from the argv[1] (0x7fff802ad10c) pointer
[+] 015 bytes tainted from the argv[0] (0x7fff802ad0ef) pointer
Code 9 result
48. 48
● Play with the Symbolic engine
0x40058b: movzx eax, byte ptr [rax]
...
...
0x4005ae: cmp ecx, eax
Example 10: Assembly code
def callback_beforeSymProc(instruction):
if instruction.address == 0x40058b:
rax = getRegValue(IDREF.REG.RAX)
taintMem(rax)
def callback_after(instruction):
if instruction.address == 0x4005ae:
# Get the symbolic expression ID of ZF
zfId = getRegSymbolicID(IDREF.FLAG.ZF)
# Backtrack the symbolic expression ZF
zfExpr = getBacktrackedSymExpr(zfId)
# Craft a new expression over the ZF expression : (assert (= zfExpr True))
expr = smt2lib.smtAssert(smt2lib.equal(zfExpr, smt2lib.bvtrue()))
print expr
Code 10: Backtrack symbolic expression
We know that rax points on a tainted area
(assert (= (ite (= (bvsub ((_ extract 31 0) ((_ extract 31 0) (bvxor ((_ extract 31 0)
(bvsub ((_ extract 31 0) ((_ sign_extend 24) ((_ extract 7 0) SymVar_0))) (_ bv1 32)))
(_ bv85 32)))) ((_ extract 31 0) ((_ sign_extend 24) ((_ extract 7 0) ((_ zero_extend 24)
(_ bv49 8)))))) (_ bv0 32)) (_ bv1 1) (_ bv0 1)) (_ bv1 1)))
Example 10 result
Symbolic Variable
49. 49
● Play with the Symbolic engine
...
zfExpr = getBacktrackedSymExpr(zfId)
# Craft a new expression over the ZF expression : (assert (= zfExpr True))
expr = smt2lib.smtAssert(smt2lib.equal(zfExpr, smt2lib.bvtrue()))
...
Extract of the Code 10
● What does it really mean?
– Triton builds symbolic formulas based on the instructions
semantics
– Triton also exports smt2lib functions which allows you to create
your own formula
– In this example, we want that the ZF expression is equal to 1
50. 50
● Play with the Solver engine
...
zfExpr = getBacktrackedSymExpr(zfId)
# Craft a new expression over the ZF expression : (assert (= zfExpr True))
expr = smt2lib.smtAssert(smt2lib.equal(zfExpr, smt2lib.bvtrue()))
...
model = getModel(expr)
print model
Extract of the Code 10
{'SymVar_0': 0x65}
Result
● getModel() returns a dictionary of valid model for each
symbolic variable
0x40058b: movzx eax, byte ptr [rax]
...
...
0x4005ae: cmp ecx, eax
Example 10: Assembly code
We know now that the first character must be 0x65 to
set the ZF at the compare instruction
51. 51
● Play with the Solver engine and inject
values directly in memory
...
model = getModel(expr)
print model
Extract of the Code 10 Result
● Each symbolic variable is assigned to a memory address (SymVar ↔ Address)
– Possible to get the symbolic variable from a memory address
● getSymVarFromMemory(addr)
– Possible to get the memory address from a symbolic variable
● getMemoryFromSymVar(symVar)
{'SymVar_0': 0x65}
for k, v in model.items():
setMemValue(getMemoryFromSymVar(k), getSymVarSize(k), v)
Inject values given by the solver in memory
52. 52
● Inject values in memory is not enough
Play with the snapshot engine
● Inject values in memory after instructions processing is useless
● That's why Triton offers a snapshot engine
φ1 φ2 φ3 φ4 φ5 φ6
0x40058b: movzx eax, byte ptr [rax]
0x4005ae: cmp ecx, eax
def callback_after(instruction):
if instruction.address == 0x40058b and isSnapshotEnable() == False:
takeSnapshot()
if instruction.address == 0x4005ae:
if getFlagValue(IDREF.FLAG.ZF) == 0:
zfExpr = getBacktrackedSymExpr(...) # Described on slide 45
expr = smt2lib.smtAssert(...zfExpr...) # Described on slide 45
for k, v in getModel(expr).items(): # Described on slide 48
saveValue(...)
restoreSnapshot()
restore snapshottake snapshot
54. 54
● Stop pasting fucking code
Show me a global vision
● Full API and Python bindings describes here
– https://github.com/JonathanSalwan/Triton/wiki/Python-Bindings
– ~80 functions exported over the Python bindings
● Basically we can:
– Taint and untaint memory and registers
– Inject value in memory and registers
– Add callbacks at each program point, syscalls, routine
– Assign symbolic expression on registers and bytes of memory
– Build and customize symbolic expressions
– Solve symbolic expressions
– Take and restore snapshots
– Do all this in Python!
56. 56
● Conclusion
● Triton:
– is a Pintool which provides others classes for DBA
– is designed as a concolic execution framework
– provides an API and Python bindings
– supports only x86-64 binaries
– currently supports ~100 semantics but we are working hard on it to
increase the semantics support
● An awesome thanks to Kevin `wisk` Szkudlapski and Francis `gg` Gabriel for
the x86.yaml from the Medusa project :)
– is free and open-source :)
– is available here : github.com/JonathanSalwan/Triton
57. 57
● Contacts
– fsaudel@gmail.com
– jsalwan@quarkslab.com
● Thanks
– We would like to thank the SSTIC's staff and especially Rolf Rolles, Sean Heelan,
Sébastien Bardin, Fred Raynal and Serge Guelton for their proofreading and awesome
feedbacks! Then, a big thanks to Quarkslab for the sponsor.
Thanks For Your Attention
Question(s)?
58. 58
● Q&A - Performances
● Host machine configuration
– Tested with an Intel(R) Core(TM) i7-3520M CPU @ 2.90GHz
– 16 Go DDR3
– 415 Go SSD Swap
● The targeted binary analyzed was /usr/bin/z3
– 6,789,610 symbolic expressions created for 1 trace
– The binary has been analyzed in 180 seconds
● One trace with SMT2-LIB translation and the taint spread
– 19 Go of RAM consumed
● Due to the SMT2-LIB strings manipulation