S2E (Selective Symbolic Execution) - Shivkrishna Anil
1. Team bi0s
Amrita Center for Cybersecurity,
Amritapuri
Selective Symbolic Execution
Shivkrishna Anil
2. Agenda
● Introduction
● S2E
● Analysing a simple program
● Demo Video
3. @shivnambiar1
● Member of Team bi0s
● Final Year Computer Science student at Amrita University
● Focuses on Memory Forensics, Disk Forensics and Steganography
● Working on a plugin for S2E
4. Symbolic??
● Analysing a program to determine which inputs cause a given part of the program to execute
● Engines: S2E, angr, Mayhem, Triton, KLEE
● Useful for generating test cases with exhaustive code coverage
● Does not need source code, so it also works on obfuscated binaries
5. Path Constraints
Example of Symbolic Execution: https://goo.gl/qqv6Pw
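A worked example of what the Path Constraints slide illustrates, added here and not part of the talk: a toy symbolic executor over a constructed three-branch program. It keeps each path's constraint as the explicit set of still-feasible inputs (an enumeration-based stand-in for the STP solver S2E uses), forks the state at every branch, drops the paths whose conjoined constraints conflict, and hands back one concrete input per surviving path. The target program, its branch conditions and every name in the block are constructed for this example.

```c
/* Toy symbolic executor, added for this page (not the talk's code).
 * Two symbolic input bytes a and b. Each path state carries its path
 * constraint as the explicit set of (a, b) pairs still allowed; this
 * enumeration-based "solver" stands in for the STP formulas S2E keeps. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DOMAIN    (256 * 256)   /* all values of the two input bytes */
#define NBRANCHES 3
#define MAX_PATHS (1 << NBRANCHES)

typedef bool (*Cond)(uint8_t a, uint8_t b);

/* Constructed target program, expressed as the branch conditions it
 * evaluates in order on the symbolic input:
 *   if ('A' <= a && a <= 'Z') ...    br0
 *   if (a < 'A') ...                 br1: contradicts br0 when both are taken
 *   if (b == (uint8_t)(a + 1)) ...   br2 */
static bool br0(uint8_t a, uint8_t b) { (void)b; return a >= 'A' && a <= 'Z'; }
static bool br1(uint8_t a, uint8_t b) { (void)b; return a < 'A'; }
static bool br2(uint8_t a, uint8_t b) { return b == (uint8_t)(a + 1); }
static const Cond BRANCHES[NBRANCHES] = { br0, br1, br2 };

typedef struct {
    uint8_t feasible[DOMAIN];   /* feasible[a * 256 + b] != 0: pair satisfies the path constraint */
    long count;                 /* number of feasible pairs; 0 means unsatisfiable */
    char trace[NBRANCHES + 1];  /* 'T' / 'F' per branch: the path taken */
} State;

typedef struct {
    char trace[NBRANCHES + 1];
    uint8_t a, b;               /* one concrete input that drives the program down this path */
    long count;                 /* size of the path's solution set */
} PathResult;

/* Conjoin a branch outcome onto the path constraint: keep only the inputs
 * for which cond evaluates to `taken`. Updates and returns s->count. */
static long constrain(State *s, Cond cond, bool taken) {
    s->count = 0;
    for (int a = 0; a < 256; a++)
        for (int b = 0; b < 256; b++) {
            uint8_t *f = &s->feasible[a * 256 + b];
            if (*f && cond((uint8_t)a, (uint8_t)b) != taken)
                *f = 0;
            s->count += *f;
        }
    return s->count;
}

/* "Solve" the path constraint by returning its first satisfying input
 * (the role s2e_get_example() plays with the real solver). */
static bool get_example(const State *s, uint8_t *a, uint8_t *b) {
    for (int i = 0; i < DOMAIN; i++)
        if (s->feasible[i]) {
            *a = (uint8_t)(i / 256);
            *b = (uint8_t)(i % 256);
            return true;
        }
    return false;
}

/* Depth-first exploration, taken branch first (one of S2E's two path
 * selection strategies). At every branch the state is forked, each child
 * gets the branch outcome conjoined to its constraint, and children whose
 * constraint became unsatisfiable are dropped instead of explored. */
static void explore(const State *s, int pc, PathResult *out, int *n) {
    if (pc == NBRANCHES) {
        if (*n >= MAX_PATHS) return;
        PathResult *r = &out[(*n)++];
        memcpy(r->trace, s->trace, sizeof r->trace);
        r->count = s->count;
        (void)get_example(s, &r->a, &r->b);
        return;
    }
    for (int taken = 1; taken >= 0; taken--) {
        State child = *s;               /* fork: a copy of the parent state */
        child.trace[pc] = taken ? 'T' : 'F';
        if (constrain(&child, BRANCHES[pc], (bool)taken) == 0)
            continue;                   /* conflicting constraints: path pruned */
        explore(&child, pc + 1, out, n);
    }
}

/* Explore every path of the constructed program from an unconstrained root
 * state; returns the number of feasible paths written to out. */
int run_symbolic(PathResult out[MAX_PATHS]) {
    static State root;
    memset(root.feasible, 1, sizeof root.feasible);
    root.count = DOMAIN;
    memset(root.trace, 0, sizeof root.trace);
    int n = 0;
    explore(&root, 0, out, &n);
    return n;
}

int main(void) {
    PathResult paths[MAX_PATHS];
    int n = run_symbolic(paths);
    printf("%d feasible paths out of %d candidates\n", n, MAX_PATHS);
    for (int i = 0; i < n; i++)
        printf("path %s: %ld inputs, example a=0x%02x b=0x%02x\n",
               paths[i].trace, paths[i].count, paths[i].a, paths[i].b);
    return 0;
}
```

Compile with `cc -std=c99 toy_symex.c` and run: the two paths that take both br0 and br1 never appear, because "a is uppercase" and "a < 'A'" have no common solution, so the state is discarded the moment its constraint becomes unsatisfiable. Each of the six surviving paths comes back with a concrete input that drives the program down it, which is the test case a symbolic engine produces for that path.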
6. S2E
● Selective Symbolic Execution
● Automated path explorer with modular path analyzers
● S2E - A platform for developing multi-path in-vivo analysis tools
● Contender for CGC 2016
● Emulates an entire virtual machine instead of a single executable
● Path selection: random path and DFS
7. Why S2E?
● A technique for creating the illusion of full-system symbolic execution, while symbolically running only the code that is of interest to the developer
● Can interact with the environment
● Input can switch from the symbolic to the concrete domain and vice versa
8. Comparison
● Works for very large programs, such as the whole Windows software stack
● Implemented at the kernel level
● Uses fewer system resources than other symbolic engines, since only the code of interest runs symbolically
9. The Working of Transition
Multi-path / Single-path execution: http://s2e.epfl.ch/images/s2e-sel.png
10. S2E Architecture
S2E Architecture: http://s2e.epfl.ch/images/s2e-vm.png
15. Limitations
● Exhausts memory when state forking increases considerably
● A maximum of 2 arguments can be passed
● S2E can only run on a shared-memory architecture (it cannot fork new instances onto other machines)
● Code coverage is low, as it does not consider under-constrained and over-constrained symbols
16. Further Reading
● S2E: A Platform for In-Vivo Multi-Path Analysis of Software Systems
● Selective Symbolic Execution
● A Survey of Symbolic Execution Techniques
Symbolic execution: a method of dynamic binary analysis used to generate test cases
KLEE is a symbolic virtual machine built on top of the LLVM compiler
Mayhem - PPP (CMU)
angr - Shellphish (UCSB)
Formal definition of symbolic execution slide needs to be added
Symbolic execution:
- A mechanism to discover code coverage
-- Translate each instruction into constraints
--- constraint: a formula that defines what the operation does
-- Collect all constraints along the path
-- Solve them when required
--- e.g. at a branch whose condition depends on the symbolic input
Formal definition of concolic execution:
- The number of possible paths increases exponentially
-- in pure symbolic execution, every memory location is symbolized
-- too many symbols to solve
- Concolic execution
-- only the interesting memory is made symbolic
-- everything else is given a concrete value
Source code is not required to get code coverage, so obfuscated binaries can be analysed as well
Paths whose constraints conflict are cancelled: the solver reports them unsatisfiable, so they are not explored further
In-vivo: this kind of analysis helps to understand all the interactions of the analysed code with the surrounding system
Path selection algorithms used: DFS and random path
STP - constraint solver
Automated path explorer with modular path analyzers: the explorer drives the target system down all execution paths of interest, while analyzers check properties of each such path
For example, malware: classical malware analysis uses a debugger or a sandbox, which malware can evade (e.g. by detecting ptrace or inspecting system calls); analysing the whole system in-vivo avoids that
If we analysed a program fully in multi-path mode, its dependent libraries would also execute in multi-path mode, which uses up a lot of system resources unnecessarily (path explosion)
S2E works for large programs because it executes symbolically only the region of interest
Kernel level - does not analyse
Explain the code
s2e_make_symbolic - marks the input buffer as symbolic, so it stands for all possible inputs
s2e_enable_forking - lets S2E fork a new state at each branch that depends on symbolic data, for path exploration
Talk about the different inputs and the various paths the program takes
Show the final messages.txt (S2E's output log)
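The instrumented guest program these notes walk through is not on the page; the following is an added example in the same shape (not the talk's demo code), showing how s2e_enable_forking, s2e_make_symbolic and s2e_get_example are used from C. It assumes the include path <s2e/s2e.h> of the S2E guest tools tree and an S2E_GUEST macro of this example's own to pick between the real header and host-side no-op stubs; the `classify` function and its inputs are constructed.

```c
/* Guest program to run under S2E, added for this page (not the talk's demo).
 * Build inside the guest against the real API (header path assumed):
 *   gcc -DS2E_GUEST -I<s2e-src>/guest/common/include prog.c -o prog
 * Without -DS2E_GUEST the s2e_* calls become no-op stubs (an assumption of
 * this example) so the same source builds and runs concretely on any host. */
#include <stdio.h>
#include <string.h>

#ifdef S2E_GUEST
#include <s2e/s2e.h>
#else
static inline void s2e_enable_forking(void) {}
static inline void s2e_disable_forking(void) {}
static inline void s2e_make_symbolic(void *buf, int size, const char *name) { (void)buf; (void)size; (void)name; }
static inline void s2e_get_example(void *buf, int size) { (void)buf; (void)size; }
static inline void s2e_kill_state(int status, const char *message) { (void)status; printf("[host build] %s\n", message); }
#endif

enum path { PATH_EMPTY = 0, PATH_MAGIC, PATH_UPPER, PATH_OTHER };

/* The logic under test, kept pure so it can also be checked concretely.
 * Under S2E every `if` that reads the symbolic bytes forks a new state;
 * each operand of `||` and `&&` is a branch of its own, so even this short
 * function yields one state per reachable path. */
enum path classify(const char str[2]) {
    if (str[0] == '\n' || str[0] == '\0')
        return PATH_EMPTY;                       /* empty line */
    if (str[0] == 'A' && str[1] == 'B')
        return PATH_MAGIC;                       /* exactly "AB" */
    if (str[0] >= 'A' && str[0] <= 'Z')
        return PATH_UPPER;                       /* any other uppercase first byte */
    return PATH_OTHER;
}

int main(void) {
    char str[3] = { 0 };
    printf("Enter two characters: ");
    if (!fgets(str, sizeof str, stdin))
        return 1;

    s2e_enable_forking();                        /* allow state forks from here on */
    s2e_make_symbolic(str, 2, "str");            /* str[0..1] now stand for every 2-byte input */

    enum path p = classify(str);

    s2e_get_example(str, 2);                     /* concretize: one input satisfying this path's constraint */
    printf("path %d reached with input \"%c%c\"\n", p, str[0], str[1]);

    s2e_disable_forking();
    s2e_kill_state(0, "path done");              /* end this state; S2E logs it in messages.txt */
    return 0;
}
```

Run concretely, the program takes exactly one path for the characters typed. Under S2E the concrete value read by fgets is replaced by symbolic bytes, so every branch in `classify` that depends on them forks, and each resulting state prints the example input the solver found for it; the per-state messages show up in messages.txt, which is what the demo's final slide inspects.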
S2E cannot start on one machine and fork new instances on other machines for now - shared-memory architecture