Abstract
This paper presents S2E, a platform for analyzing the properties and behavior of software systems. We demonstrate S2E's use in developing practical tools for comprehensive performance profiling, reverse engineering of proprietary software, and bug finding for both kernel-mode and user-mode binaries. Building these tools on top of S2E took less than 770 LOC and 40 person-hours each.
S2E's novelty consists of its ability to scale to large real systems, such as a full Windows stack. S2E is based on two new ideas: selective symbolic execution, a way to automatically minimize the amount of code that has to be executed symbolically given a target analysis, and relaxed execution consistency models, a way to make principled performance/accuracy trade-offs in complex analyses. These techniques give S2E three key abilities: to simultaneously analyze entire families of execution paths, instead of just one execution at a time; to perform the analyses in-vivo within a real software stack--user programs, libraries, kernel, drivers, etc.--instead of using abstract models of these layers; and to operate directly on binaries, thus being able to analyze even proprietary software.
Conceptually, S2E is an automated path explorer with modular path analyzers: the explorer drives the target system down all execution paths of interest, while analyzers check properties of each such path (e.g., to look for bugs) or simply collect information (e.g., count page faults). Desired paths can be specified in multiple ways, and S2E users can either combine existing analyzers to build a custom analysis tool, or write new analyzers using the S2E API.
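The explorer/analyzer split and the selective-execution trade-off described above can be seen in miniature with a toy path explorer. The following is an added example written for this page; it is not S2E's code or API. It assumes one symbolic 8-bit input, branch predicates written as Python lambdas over that input, and a brute-force search over 0..255 standing in for a real constraint solver. The target program (a header parser that calls a "library" checksum routine) and the analyzers are constructed for the example; the `call` method shows the choice between executing a callee symbolically (its branches fork) and executing it concretely on one value consistent with the current path, which keeps the path consistent but hides every other value the callee could have seen.

```python
"""Toy path explorer with pluggable path analyzers.

Illustrative code written for this page; it is NOT S2E's code or API.
Model: one symbolic 8-bit input x; branch predicates are lambdas over x;
solve() is brute force over 0..255, a stand-in for a constraint solver.
"""
from typing import Callable, List, Optional

Pred = Callable[[int], bool]
DOMAIN = range(256)


def solve(pc: List[Pred]) -> Optional[int]:
    """Return one concrete input satisfying the whole path constraint, or None."""
    return next((x for x in DOMAIN if all(p(x) for p in pc)), None)


class Path:
    def __init__(self, forced: List[bool]):
        self.forced = forced           # branch outcomes replayed up to a fork point
        self.taken: List[bool] = []    # outcomes actually taken on this run
        self.pc: List[Pred] = []       # path constraint accumulated so far
        self.events: List[str] = []    # program points / reports seen by analyzers


class Concrete:
    """Runs a callee on one fixed value: no forking, no new constraints."""
    def __init__(self, explorer: "Explorer", value: int):
        self.explorer, self.value = explorer, value

    def branch(self, pred: Pred) -> bool:
        return pred(self.value)

    def emit(self, event: str) -> None:
        self.explorer.emit(event)


class Explorer:
    """Drives the target down every feasible path; analyzers observe each one."""
    def __init__(self, analyzers, symbolic_callees: bool):
        self.analyzers, self.symbolic_callees = analyzers, symbolic_callees
        self.worklist: List[Path] = []
        self.cur: Optional[Path] = None

    def branch(self, pred: Pred) -> bool:
        p, i = self.cur, len(self.cur.taken)
        neg: Pred = lambda x: not pred(x)
        if i < len(p.forced):
            taken = p.forced[i]                       # replaying up to the fork
        else:
            taken = solve(p.pc + [pred]) is not None  # prefer the true side
            if taken and solve(p.pc + [neg]) is not None:
                self.worklist.append(Path(p.taken + [False]))  # fork: other side
        p.taken.append(taken)
        p.pc.append(pred if taken else neg)
        return taken

    def call(self, fn):
        """Selective execution: run the callee symbolically (its branches fork
        like the target's) or concretely on one value consistent with the path,
        pinning x to that value for the rest of the path."""
        if self.symbolic_callees:
            return fn(self)
        m = solve(self.cur.pc)                # always exists: pc is satisfiable
        self.cur.pc.append(lambda x, m=m: x == m)
        return fn(Concrete(self, m))

    def emit(self, event: str) -> None:
        self.cur.events.append(event)

    def run(self, target) -> List[Path]:
        self.worklist, done = [Path([])], []
        while self.worklist:
            self.cur = self.worklist.pop()
            target(self)                      # re-execute from the start, replaying forced outcomes
            for analyzer in self.analyzers:
                analyzer.on_path(self.cur)
            done.append(self.cur)
        return done


class BugFinder:
    """Analyzer: records a reproducing input for every path that hit the bug."""
    def __init__(self):
        self.hits: List[int] = []

    def on_path(self, p: Path) -> None:
        if "BUG" in p.events:
            self.hits.append(solve(p.pc))


class Coverage:
    """Analyzer: union of program points reached across all explored paths."""
    def __init__(self):
        self.seen = set()

    def on_path(self, p: Path) -> None:
        self.seen.update(p.events)


# Constructed target: a header parser that calls a 'library' checksum routine.
def checksum(ex):
    if ex.branch(lambda x: x % 3 == 0):
        ex.emit("lib:div3")
    if ex.branch(lambda x: x % 5 == 0):
        ex.emit("lib:div5")


def parse_header(ex):
    if ex.branch(lambda x: x & 0x80 != 0):
        ex.emit("flagged")
        ex.call(checksum)                     # library code: symbolic or concrete
        if ex.branch(lambda x: x == 0xFF):    # defect reachable on one value only
            ex.emit("BUG")
    elif ex.branch(lambda x: x < 0x10):
        ex.emit("short")
    else:
        ex.emit("plain")


def explore(symbolic_callees: bool):
    bugs, cov = BugFinder(), Coverage()
    paths = Explorer([bugs, cov], symbolic_callees).run(parse_header)
    return len(paths), bugs.hits, sorted(cov.seen)


if __name__ == "__main__":
    print("symbolic callees:", explore(True))    # 7 paths, bug input [255]
    print("concrete callees:", explore(False))   # 3 paths, no bug found
```

With the checksum executed symbolically the explorer enumerates seven feasible paths and the bug finder reports input 255; with the checksum concretized to the first value the solver returns (128), only three paths exist and the defect is never reached, because the pinned value makes `x == 0xFF` infeasible for the rest of that path. That is the accuracy cost a relaxed consistency choice buys performance with, and the example makes it measurable rather than abstract.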
S2E: a platform for in-vivo multi-path analysis of software systems
ASPLOS XVI: Proceedings of the sixteenth international conference on Architectural support for programming languages and operating systems (ASPLOS '11)