Team bi0s
Amrita Center for Cybersecurity,
Amritapuri
Selective Symbolic Execution
Shivkrishna Anil
Agenda
● Introduction
● S2E
● Analysing a simple program
● Demo Video
@shivnambiar1
● Member of Team bi0s
● Final Year Computer Science student at Amrita University
● Focuses on Memory Forensics, Disk Forensics and
Steganography
● Working on a plugin for S2E
Symbolic??
● Analysing a program to find which inputs drive execution down a given path: inputs are treated as symbols, every branch condition on them becomes a constraint, and a solver turns the constraints of a path into concrete input values
● Engines: S2E, angr, Mayhem, Triton, KLEE
● Useful for generating test cases with high code coverage (exhaustive only in principle, since the number of paths grows exponentially with the number of branches)
● Source code is not required, so it also works on stripped or obfuscated binaries, within the limits of the solver
Path Constraints
Example of Symbolic Execution : https://goo.gl/qqv6Pw
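A worked version of the path-constraint idea behind this slide, added here as an editor's example (it is not code from the deck, nor from S2E or any other engine): a toy symbolic executor in C over two 8-bit inputs x and y. The program under test, the branch helper and the exploration loop are constructed for illustration, and feasibility is decided by brute force over the 256x256 input domain instead of a real solver such as STP. Each run collects one path constraint, each feasible path yields one concrete test case, and the path that needs x != 'A' followed by x == 'A' is never explored because its constraints conflict, which is also what the DFS strategy on the S2E slide and the "conflicting path constraints cancel" speaker note refer to.

```c
#include <stdio.h>
#include <string.h>

/* Toy symbolic executor over two 8-bit inputs x and y (constructed example).
 * Every branch in target() appends a constraint to the current path; a
 * brute-force search over the 256x256 domain stands in for a real solver. */
enum { VAR_X = 0, VAR_Y = 1 };
enum { OP_EQ = 0, OP_NE = 1, OP_LT = 2, OP_GE = 3 };  /* op ^ 1 negates an op */

typedef struct { int var, op, val; } constraint_t;
typedef struct { constraint_t c[16]; int n; } path_t;
typedef struct { int x, y, ret; } testcase_t;

typedef struct {
    path_t path;                      /* path constraint collected so far */
    int decisions[16], forkable[16];  /* outcome taken per branch; other side feasible? */
    int ndec, pc, nreplay;            /* decisions recorded; next branch; replay prefix */
} exec_t;

static int holds(const constraint_t *c, int x, int y) {
    int v = (c->var == VAR_X) ? x : y;
    return c->op == OP_EQ ? v == c->val : c->op == OP_NE ? v != c->val
         : c->op == OP_LT ? v <  c->val : v >= c->val;
}

/* "Solver": returns 1 and the first model of the path constraint, 0 if unsat. */
static int solve(const path_t *p, int *mx, int *my) {
    for (int x = 0; x < 256; x++)
        for (int y = 0; y < 256; y++) {
            int ok = 1;
            for (int i = 0; i < p->n && ok; i++) ok = holds(&p->c[i], x, y);
            if (ok) { *mx = x; *my = y; return 1; }
        }
    return 0;
}

static int feasible(const path_t *p, constraint_t c) {
    path_t q = *p; int x, y; q.c[q.n++] = c; return solve(&q, &x, &y);
}

/* Symbolic branch: replay a stored decision, or ask the solver about both
 * sides. One feasible side: continue without forking. Both feasible: take
 * the true side and remember the fork point. An infeasible side is pruned. */
static int branch(exec_t *e, int var, int op, int val) {
    constraint_t t = { var, op, val }, f = { var, op ^ 1, val };
    int taken;
    if (e->pc < e->nreplay) {
        taken = e->decisions[e->pc];
    } else {
        int ft = feasible(&e->path, t), ff = feasible(&e->path, f);
        taken = ft;
        e->forkable[e->pc] = ft && ff;
        e->decisions[e->pc] = taken;
        e->ndec = e->pc + 1;
    }
    e->path.c[e->path.n++] = taken ? t : f;  /* extend the path constraint */
    e->pc++;
    return taken;
}

/* Program under analysis; every condition on the inputs goes through branch().
 * The return value names the path that was taken. */
static int target(exec_t *e) {
    if (branch(e, VAR_X, OP_EQ, 'A')) {            /* x == 'A' */
        if (branch(e, VAR_Y, OP_LT, 10)) return 1;  /*   and y < 10 */
        return 2;                                   /*   and y >= 10 */
    }
    if (branch(e, VAR_X, OP_NE, 'A')) return 3;    /* x != 'A': the false side conflicts */
    return 4;                                       /* x != 'A' and x == 'A': unreachable */
}

/* Depth-first exploration: run one path, emit its test case, then push the
 * flipped version of every fork point discovered on that run. */
static int explore(testcase_t *out, int max) {
    struct { int dec[16]; int n; } stack[64] = {{{0}, 0}};
    int sp = 1, found = 0;
    while (sp > 0 && found < max) {
        exec_t e; int x, y;
        memset(&e, 0, sizeof e);
        sp--;
        memcpy(e.decisions, stack[sp].dec, sizeof e.decisions);
        e.nreplay = e.ndec = stack[sp].n;
        int ret = target(&e);
        if (!solve(&e.path, &x, &y)) continue;   /* cannot happen: forks are solver-checked */
        out[found].x = x; out[found].y = y; out[found].ret = ret; found++;
        for (int i = e.nreplay; i < e.ndec && sp < 64; i++) {
            if (!e.forkable[i]) continue;
            memcpy(stack[sp].dec, e.decisions, sizeof e.decisions);
            stack[sp].dec[i] = !e.decisions[i];  /* same prefix, other side of branch i */
            stack[sp].n = i + 1;
            sp++;
        }
    }
    return found;
}

int main(void) {
    testcase_t tc[16];
    int n = explore(tc, 16);
    for (int i = 0; i < n; i++)
        printf("path %d: x=%d y=%d\n", tc[i].ret, tc[i].x, tc[i].y);
    return 0;
}
```

Running it yields three test cases, one per feasible path (x='A',y=0 for path 1; x='A',y=10 for path 2; x=0,y=0 for path 3) and nothing for path 4. Real engines differ in scale rather than in shape: S2E forks whole VM states instead of a decision vector, and the solver is STP or Z3 over bit-vectors instead of a 65536-entry loop, but the path constraint, the fork point and the infeasible-side pruning are the same objects.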
S2E
● Selective Symbolic Execution
● Automated path explorer with modular path analyzers: the explorer drives the target system down all execution paths of interest, while analyzers check properties of each such path
● S2E: a platform for developing multi-path in-vivo analysis tools
● Used by a competing team in DARPA's Cyber Grand Challenge (CGC) in 2016
● Runs an entire virtual machine (QEMU with the KLEE symbolic engine) rather than a single executable, so the OS, libraries and drivers are all in scope
● Path selection strategies: random path selection and DFS
Why S2E?
● Creates the illusion of full-system symbolic execution while running symbolically only the code the developer is interested in; everything else runs concretely
● The analysed code interacts with its real environment (OS, libraries, devices) instead of with models or stubs
● Data can cross from the symbolic domain to the concrete domain and back at the boundary S2E draws around the code of interest
Comparison
● Scales to very large systems, e.g. a whole Windows software stack, because only the region of interest runs symbolically
● Operates at the virtual-machine level, beneath the OS: kernel and library code outside the selected region executes concretely and is not analysed
● Does not exhaust system resources the way engines that execute every dependency symbolically do
How the Transition Works
Multi-path / Single-path execution : http://s2e.epfl.ch/images/s2e-sel.png
S2E Architecture
S2E Architecture : http://s2e.epfl.ch/images/s2e-vm.png
Code Walkthrough
Code Walkthrough (contd)
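The program shown on the walkthrough slides is not reproduced on this page, so the harness below is an editor's example, not the deck's own program and not S2E project code. It has the shape an S2E guest program takes, and it also illustrates the selection point of "Why S2E?": only the input buffer is made symbolic and only the comparison routine runs multi-path, while libc, the kernel and the logging calls run concretely. Assumptions: the guest API is included as s2e/s2e.h (the header path differs between S2E versions); the S2E_GUEST macro is this example's own switch, not something S2E defines; when it is not set, local stand-ins with the same signatures let the harness compile and run on an ordinary machine as a single concrete path; the secret "bi0s" and the seed inputs are constructed for the demo.

```c
#include <stdio.h>
#include <stdarg.h>
#include <string.h>

#ifdef S2E_GUEST
#include <s2e/s2e.h>   /* S2E guest API (assumed header path; varies by S2E version) */
#else
/* Stand-ins so the same harness builds outside the guest: call sites stay
 * identical, the buffer simply stays concrete, i.e. a single path is run. */
static void s2e_make_symbolic(void *buf, int size, const char *name) { (void)buf; (void)size; (void)name; }
static void s2e_enable_forking(void) {}
static void s2e_disable_forking(void) {}
static void s2e_kill_state(int status, const char *message) { printf("[kill_state %d] %s\n", status, message); }
static void s2e_printf(const char *fmt, ...) { va_list ap; va_start(ap, fmt); vprintf(fmt, ap); va_end(ap); }
#endif

#define SECRET "bi0s"                   /* constructed 4-byte secret for the demo */
#define INPUT_LEN (sizeof(SECRET) - 1)

/* Code of interest: byte-wise compare with early exit. Under S2E each
 * comparison on a symbolic byte is a fork point, so this yields one state per
 * position plus one for the full match: the tree of characters on the slide. */
static int check_secret(const char *buf, size_t len) {
    for (size_t i = 0; i < len; i++)
        if (buf[i] != SECRET[i]) return (int)i;   /* index of the first mismatch */
    return -1;                                     /* full match */
}

/* Harness: only 'buf' is symbolic and only check_secret() runs multi-path.
 * 'seed' is the concrete value used outside S2E; inside the guest
 * s2e_make_symbolic replaces its contents with symbolic bytes. */
int run_harness(const char *seed) {
    char buf[INPUT_LEN + 1];
    memset(buf, 0, sizeof buf);
    if (seed) strncpy(buf, seed, INPUT_LEN);

    s2e_make_symbolic(buf, (int)INPUT_LEN, "input");   /* symbolic domain starts here */
    s2e_enable_forking();
    int r = check_secret(buf, INPUT_LEN);
    s2e_disable_forking();                              /* back to single-path execution */

    if (r < 0) {
        s2e_kill_state(0, "secret matched");            /* status and message end up in s2e-last/messages.txt */
    } else {
        s2e_printf("mismatch at byte %d\n", r);         /* concrete side effect, runs once per state */
        s2e_kill_state(1, "mismatch");
    }
    return r;
}

int main(int argc, char **argv) {
    return run_harness(argc > 1 ? argv[1] : "") < 0 ? 0 : 1;
}
```

Inside the guest, build with the guest include path and -DS2E_GUEST, then run the binary under S2E: every forked state ends in s2e_kill_state, so messages.txt in s2e-last shows one "mismatch" state per byte position and one "secret matched" state, and with the TestCaseGenerator plugin enabled S2E also records the concrete input that reaches each of them. Outside the guest the program just checks its first argument and returns the mismatch index.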
Tree Diagram
Input set: all characters
Live Demo
Limitations
● Exhausts memory when state forking grows large (path explosion), so forking has to be confined to the code of interest
● At most two arguments can be passed to the analysed program
● S2E runs only on a shared-memory machine: it cannot start on one host and fork states onto others
● Coverage suffers because under-constrained and over-constrained symbols are not handled
Further Reading
● S2E: A Platform for In-Vivo Multi-Path Analysis of Software Systems (Chipounov, Kuznetsov, Candea; ASPLOS 2011)
● Selective Symbolic Execution (Chipounov, Georgescu, Zamfir, Candea; HotDep 2009)
● A Survey of Symbolic Execution Techniques (Baldoni, Coppa, D'Elia, Demetrescu, Finocchi; ACM Computing Surveys 2018)
Questions??
Speaker Notes

  1. A method of dynamic binary analysis used to obtain test cases. KLEE is a symbolic virtual machine built on top of the LLVM compiler; Mayhem comes from PPP (CMU); angr from Shellphish (UCSB). A slide with the formal definition of symbolic execution still needs to be added. Symbolic execution: a mechanism for discovering code coverage. Translate each instruction into constraints (a constraint is a formula describing what the operation does); collect all constraints; solve them when a required condition is met, e.g. when a branch condition is reached. Concolic execution: in pure symbolic execution the number of possible paths grows exponentially and every memory location is symbolised, leaving too many symbols to solve; concolic execution pairs a concrete run with symbolic reasoning, making only the interesting inputs symbolic and keeping concrete values for everything else. Source code is not required for coverage; it works on obfuscated code as well.
  2. Conflicting path constraints cancel: a path whose constraints contradict one another is infeasible and is dropped.
  3. In vivo: this kind of analysis helps to understand all the interactions of the analysed code with the surrounding system. Algorithms used: DFS and random path selection. STP is the constraint solver. "Automated path explorer with modular path analyzers": the explorer drives the target system down all execution paths of interest, while analyzers check properties of each such path.
  4. For example, malware: classical malware analysis relies on a debugger or a sandbox, which malware can evade (e.g. by detecting ptrace, a system call).
  5. Analysing a program in multi-path mode would also execute its dependent libraries in multi-path mode, which consumes a lot of system resources unnecessarily (path explosion). S2E works for large programs because it executes symbolically only the region of interest; kernel-level code is not analysed (it runs concretely).
  6. Explain the code.
  7. s2e_make_symbolic: mark the input buffer as symbolic so that all possible inputs are considered. s2e_enable_forking: allow states to fork at branches for path exploration.
  8. Talk about the different inputs and the various paths each one takes. Finally, messages.txt.
  9. S2E cannot start on one machine and fork new instances on other machines for now (shared-memory architecture).