
The S2E Platform: Design, Implementation, and Applications

Published: 01 February 2012

    Abstract

    This article presents S2E, a platform for analyzing the properties and behavior of software systems, along with its use in developing tools for comprehensive performance profiling, reverse engineering of proprietary software, and automated testing of kernel-mode and user-mode binaries. Conceptually, S2E is an automated path explorer with modular path analyzers: the explorer uses a symbolic execution engine to drive the target system down all execution paths of interest, while analyzers measure and/or check properties of each such path. S2E users can either combine existing analyzers to build custom analysis tools, or they can directly use S2E’s APIs.
    S2E’s strength is the ability to scale to large systems, such as a full Windows stack, using two new ideas: selective symbolic execution, a way to automatically minimize the amount of code that has to be executed symbolically given a target analysis, and execution consistency models, a way to make principled performance/accuracy trade-offs during analysis. These techniques give S2E three key abilities: to simultaneously analyze entire families of execution paths instead of just one execution at a time; to perform the analyses in-vivo within a real software stack---user programs, libraries, kernel, drivers, etc.---instead of using abstract models of these layers; and to operate directly on binaries, thus being able to analyze even proprietary software.
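    As an added illustration (not code from the paper or the S2E project), the toy Python explorer below sketches the architecture the abstract describes: a path explorer forks a state only at branches whose condition depends on symbolic input, executes everything else concretely, and hands each completed path to pluggable analyzers. It assumes a single symbolic input byte whose path constraints are decided by enumeration instead of a real constraint solver, and a made-up three-instruction register machine.

```python
from dataclasses import dataclass, field, replace
INPUT_DOMAIN = range(256)  # one symbolic input byte; path constraints are decided by enumerating it

@dataclass
class State:
    pc: int = 0
    regs: dict = field(default_factory=dict)   # reg -> int (concrete) or callable(x) (symbolic)
    path: list = field(default_factory=list)   # constraints on the input byte along this path
    visited: list = field(default_factory=list)

def witness(path):  # first input satisfying every constraint (a test case), or None if infeasible
    return next((x for x in INPUT_DOMAIN if all(c(x) for c in path)), None)

def fork(st, pc, cond):  # copy of st that took one branch outcome, with that outcome as a constraint
    return replace(st, pc=pc, regs=dict(st.regs), path=st.path + [cond], visited=list(st.visited))

def explore(program, analyzers):
    worklist, finished = [State()], []
    while worklist:
        st = worklist.pop()
        st.visited.append(st.pc)
        op, *args = program[st.pc]
        nxt = st.pc + 1
        if op == "halt":  # path complete: every analyzer inspects it
            for analyzer in analyzers:
                analyzer(st)
            finished.append(st)
            continue
        if op == "mov":  # mov dst, src  with src an int or the symbolic input "IN"
            st.regs[args[0]] = (lambda x: x) if args[1] == "IN" else args[1]
        elif op == "add":  # add dst, imm ; the result stays concrete unless dst is symbolic
            a, b = st.regs[args[0]], args[1]
            st.regs[args[0]] = a + b if isinstance(a, int) else (lambda x, a=a, b=b: a(x) + b)
        elif op == "jz":  # jz reg, target : jump when reg == 0
            v = st.regs[args[0]]
            if not isinstance(v, int):  # symbolic condition: fork into every feasible outcome
                both = [fork(st, args[1], lambda x, v=v: v(x) == 0), fork(st, nxt, lambda x, v=v: v(x) != 0)]
                worklist += [s for s in both if witness(s.path) is not None]
                continue
            nxt = args[1] if v == 0 else nxt  # concrete condition: one real successor, no fork
        st.pc = nxt
        worklist.append(st)
    return finished

PROGRAM = [("mov", "r0", "IN"), ("add", "r0", -65), ("jz", "r0", 4),  # pc 0-2: r0 = input - 'A', forks
           ("mov", "r1", 1), ("mov", "r2", 0), ("jz", "r2", 7),       # pc 3-5: r2 is concrete, no fork
           ("mov", "r1", 9), ("halt",)]                                # pc 6 is dead code, pc 7 halts

def run_demo():  # two analyzers: one collects coverage, one derives a concrete test input per path
    coverage, inputs = set(), []
    paths = explore(PROGRAM, [lambda st: coverage.update(st.visited), lambda st: inputs.append(witness(st.path))])
    return len(paths), sorted(inputs), sorted(coverage)
```

    The constructed program yields two paths (input byte 'A' and any other byte) and never explores pc 6, because the branch at pc 5 has a concrete condition and is simply followed rather than forked.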



    Published In

    ACM Transactions on Computer Systems  Volume 30, Issue 1
    Special Issue ASPLOS 2011
    February 2012
    137 pages
    ISSN:0734-2071
    EISSN:1557-7333
    DOI:10.1145/2110356

    Publisher

    Association for Computing Machinery

    New York, NY, United States

    Publication History

    Published: 01 February 2012
    Accepted: 01 October 2011
    Received: 01 August 2011
    Published in TOCS Volume 30, Issue 1


    Author Tags

    1. Symbolic execution
    2. analysis
    3. profiling
    4. testing

    Qualifiers

    • Research-article
    • Research
    • Refereed


    Cited By

    • (2024) Monitor-based Testing of Network Protocol Implementations Using Symbolic Execution. Proceedings of the 19th International Conference on Availability, Reliability and Security, pp. 1-12. DOI:10.1145/3664476.3664521. Online publication date: 30-Jul-2024.
    • (2024) Natural Symbolic Execution-Based Testing for Big Data Analytics. Proceedings of the ACM on Software Engineering 1:FSE, pp. 2677-2700. DOI:10.1145/3660825. Online publication date: 12-Jul-2024.
    • (2024) Marco: A Stochastic Asynchronous Concolic Explorer. Proceedings of the IEEE/ACM 46th International Conference on Software Engineering, pp. 1-12. DOI:10.1145/3597503.3623301. Online publication date: 20-May-2024.
    • (2024) HyperPUT: generating synthetic faulty programs to challenge bug-finding tools. Empirical Software Engineering 29:2. DOI:10.1007/s10664-023-10430-8. Online publication date: 15-Jan-2024.
    • (2024) Automated test data generation and stubbing method for C/C++ embedded projects. Automated Software Engineering 31:2. DOI:10.1007/s10515-024-00449-6. Online publication date: 1-Nov-2024.
    • (2024) Hevm, a Fast Symbolic Execution Framework for EVM Bytecode. Computer Aided Verification, pp. 453-465. DOI:10.1007/978-3-031-65627-9_22. Online publication date: 26-Jul-2024.
    • (2024) DDoSMiner: An Automated Framework for DDoS Attack Characterization and Vulnerability Mining. Applied Cryptography and Network Security, pp. 283-309. DOI:10.1007/978-3-031-54773-7_12. Online publication date: 5-Mar-2024.
    • (2023) CanaryExp: A Canary-Sensitive Automatic Exploitability Evaluation Solution for Vulnerabilities in Binary Programs. Applied Sciences 13:23, article 12556. DOI:10.3390/app132312556. Online publication date: 21-Nov-2023.
    • (2023) KRover: A Symbolic Execution Engine for Dynamic Kernel Analysis. Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security, pp. 2009-2023. DOI:10.1145/3576915.3623198. Online publication date: 15-Nov-2023.
    • (2023) Binsec/Rel: Symbolic Binary Analyzer for Security with Applications to Constant-Time and Secret-Erasure. ACM Transactions on Privacy and Security 26:2, pp. 1-42. DOI:10.1145/3563037. Online publication date: 14-Apr-2023.
