S2 e (selective symbolic execution) -shivkrishna a
- 1. Team bi0s Amrita Center for Cybersecurity, Amritapuri Selective Symbolic Execution Shivkrishna Anil 1
- 2. Team bi0s Amrita Center for Cybersecurity, Amritapuri Agenda ● Introduction ● S2E ● Analysing a simple program ● Demo Video 2
- 3. Team bi0s Amrita Center for Cybersecurity, Amritapuri @shivnambiar1 ● Member of Team bi0s ● Final Year Computer Science student at Amrita University ● Focuses on Memory Forensics, Disk Forensics and Steganography ● Working on a plugin for S2E 3
- 4. Team bi0s Amrita Center for Cybersecurity, Amritapuri Symbolic?? ● Analyzing a program to determine inputs that cause a part of a program to execute ● S2E, Angr, Mayhem, Triton, KLEE ● Useful for generating test cases with exhaustive code coverage ● Works on obfuscated binaries 4
- 5. Team bi0s Amrita Center for Cybersecurity, Amritapuri Path Constraints 5Example of Symbolic Execution : https://goo.gl/qqv6Pw
- 6. Team bi0s Amrita Center for Cybersecurity, Amritapuri S2E ● Selective Symbolic Execution ● Automated path explorer with modular path analyzers ● S2E - A platform for developing multi-path in-vivo analysis tools ● Contender for CGC 2016 ● Emulates an entire virtual machine instead of an executable ● Random path selection and DFS 6
- 7. Team bi0s Amrita Center for Cybersecurity, Amritapuri Why S2E? ● A technique for creating the illusion of full system symbolic execution, while symbolically running only the code that is of interest to the developer ● Can interact with the environment ● Input can switch from symbolic to concrete domain and vice versa 7
- 8. Team bi0s Amrita Center for Cybersecurity, Amritapuri Comparison ● Works for very large programs like a whole windows stack frame ● Implemented at the Kernel level ● Does not exhaust System resources as compared to other Symbolic engines 8
- 9. Team bi0s Amrita Center for Cybersecurity, Amritapuri The Working of Transition Multi-path / Single-path execution : http://s2e.epfl.ch/images/s2e-sel.png 9
- 10. Team bi0s Amrita Center for Cybersecurity, Amritapuri S2E Architecture S2E Architecture : http://s2e.epfl.ch/images/s2e-vm.png 10
- 11. Team bi0s Amrita Center for Cybersecurity, Amritapuri Code Walkthrough 11
- 12. Team bi0s Amrita Center for Cybersecurity, Amritapuri 12 Code Walkthrough (contd)
- 13. Team bi0s Amrita Center for Cybersecurity, Amritapuri Tree Diagram 13 Input Set of all characters
- 14. Team bi0s Amrita Center for Cybersecurity, Amritapuri Live Demo 14
- 15. Team bi0s Amrita Center for Cybersecurity, Amritapuri Limitations ● Exhausts memory when state forking increases considerably ● Maximum of 2 arguments can only be passed ● S2E can only run on a shared-memory architecture ● Code coverage is low as it doesn't consider under constrained and over constrained symbols 15
- 16. Team bi0s Amrita Center for Cybersecurity, Amritapuri Further Reading ● S2E: A Platform for In-Vivo Multi-Path Analysis of Software Systems ● Selective Symbolic Execution ● A Survey of Symbolic Execution Techniques 16
- 17. Team bi0s Amrita Center for Cybersecurity, Amritapuri Questions?? 17
Editor's Notes
- #5: A Method of dynamic binary analysis - to get test cases KLEE is a symbolic virtual machine built on top of the LLVM compiler Mayhem - PPP _CMU Angr -Shellphish - UCSB Formal definition of symbolic execution slide needs to be added Symbolic execution: - A mechanism to discover the code coverage -- Translate each instruction into constraints --- constraints: a formula define the operation functionality -- Collect all constraints -- Solve when required condition is met --- e.g. when a branch condition is met Formal definition of Concolic execution: - Number of possible paths increases exponentially -- in symbolic execution, every memory is location is symbolized -- too many symbols to solve - Concolic execution -- only make the interesting memory symbolize -- otherwise give a concrete value Source code not required for code coverage Obfuscated
- #6: Conflicting path constraints cancels
- #7: In-vivo : this kind of analysis helps to understand all the interactions of the analysed code in surrounding system Algorithm used DFS and random path STP - Constaint solver automated path explorer with modular path analyzers:the explorer drives the target system down all execution paths of interest, while analyzers check properties of each such path
- #8: For eg: a malware - classical malware analysis - debuger n sandbox -evade Ptrace - system call
- #9: If we want to analyse a program in multi-path ; it will also execute the dependent libraries in multi-path which takes up a lot of system resources unnecessarily (Path explosion) Works for large programs because it executes symbolically only the region of interest Kernel level - Does not analyse
- #12: Explain the code
- #13: S2e_make_symbolic - to give all possible inputs S2e_enable_forking - to fork different branches for path exploration
- #15: Talk about different inputs and the various paths it takes. Final messages.txt
- #16: S2E cannot start on one machine and fork new instances on other machines for now - Shared memory architecure