Abstract
This article presents S2E, a platform for analyzing the properties and behavior of software systems, along with its use in developing tools for comprehensive performance profiling, reverse engineering of proprietary software, and automated testing of kernel-mode and user-mode binaries. Conceptually, S2E is an automated path explorer with modular path analyzers: the explorer uses a symbolic execution engine to drive the target system down all execution paths of interest, while analyzers measure and/or check properties of each such path. S2E users can either combine existing analyzers to build custom analysis tools, or they can directly use S2E’s APIs.
S2E’s strength is the ability to scale to large systems, such as a full Windows stack, using two new ideas: selective symbolic execution, a way to automatically minimize the amount of code that has to be executed symbolically given a target analysis, and execution consistency models, a way to make principled performance/accuracy trade-offs during analysis. These techniques give S2E three key abilities: to simultaneously analyze entire families of execution paths instead of just one execution at a time; to perform the analyses in-vivo within a real software stack---user programs, libraries, kernel, drivers, etc.---instead of using abstract models of these layers; and to operate directly on binaries, thus being able to analyze even proprietary software.
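The architecture the abstract describes (a path explorer that forks execution at branches, analyzers that observe each path, and a selective boundary beyond which code runs concretely) can be shown at toy scale. The following Python is an added illustration, not S2E's code: the "guest program" is a constructed packet-header check, inputs are single bytes, the constraint solver is a brute-force model search, and the `Sym`, `State`, `Explorer`, `TestGenerator` and `BranchCoverage` names are this example's own. Running the same target once with the library call concretized (selective symbolic execution) and once fully symbolic shows the accuracy trade-off the abstract calls an execution consistency model: the concretized run finds three paths and never reaches the bad-checksum outcome inside the library, the fully symbolic run finds four.

```python
# Toy selective symbolic execution explorer with pluggable analyzers.
# Added illustration, not S2E code: byte-sized inputs and a brute-force solver.
from itertools import product

DOMAIN = range(256)  # every symbolic input is one unsigned byte (constructed choice)


class Sym:
    """Symbolic expression: a closure over an input assignment plus a printable form."""
    def __init__(self, fn, text): self.fn, self.text = fn, text

    def _op(self, other, f, sign):
        if not isinstance(other, Sym):
            other = Sym(lambda env, c=other: c, str(other))
        return Sym(lambda env: f(self.fn(env), other.fn(env)), f"({self.text} {sign} {other.text})")

    def __eq__(self, o): return self._op(o, lambda a, b: a == b, "==")
    def __gt__(self, o): return self._op(o, lambda a, b: a > b, ">")
    def __mul__(self, o): return self._op(o, lambda a, b: a * b, "*")
    def __and__(self, o): return self._op(o, lambda a, b: a & b, "&")
    def __invert__(self): return Sym(lambda env: not self.fn(env), f"!{self.text}")


class State:
    """One execution path: its constraints, branch decisions and a model finder."""
    def __init__(self, names, forced):
        self.names = names
        self.inputs = {n: Sym(lambda env, n=n: env[n], n) for n in names}
        self.constraints = []
        self.forced = forced  # branch outcomes replayed to reach a scheduled fork
        self.taken, self.alts, self.sites = [], [], []

    def solve(self, extra=None):
        """Return an input assignment satisfying the path (and `extra`), or None."""
        cs = self.constraints + ([extra] if extra is not None else [])
        for vals in product(DOMAIN, repeat=len(self.names)):
            env = dict(zip(self.names, vals))
            if all(c.fn(env) for c in cs):
                return env
        return None

    def branch(self, cond, site):
        """Fork point: replay a forced decision, else ask the solver which sides are live."""
        depth = len(self.taken)
        if depth < len(self.forced):
            outcome, alt_live = self.forced[depth], False
        else:
            can_true = self.solve(cond) is not None
            can_false = self.solve(~cond) is not None
            outcome, alt_live = can_true, can_true and can_false
        self.constraints.append(cond if outcome else ~cond)
        self.taken.append(outcome); self.alts.append(alt_live); self.sites.append(site)
        return outcome

    def concretize(self, value):
        """Selective boundary: pin `value` to one path-consistent number so code
        outside the analysis target runs concretely (other values are dropped)."""
        v = value.fn(self.solve())
        self.constraints.append(value == v)
        return v


class Explorer:
    """Drives a program down every feasible path and reports each one to the analyzers."""
    def __init__(self, names, analyzers): self.names, self.analyzers = names, analyzers

    def run(self, program):
        worklist, paths = [[]], 0
        while worklist:
            st = State(self.names, worklist.pop())
            result = program(st)
            paths += 1
            for a in self.analyzers:
                a.on_path(st, result)
            for i in range(len(st.forced), len(st.taken)):  # schedule untaken sides
                if st.alts[i]:
                    worklist.append(st.taken[:i] + [not st.taken[i]])
        return paths


class TestGenerator:
    """Analyzer: one concrete input per path, i.e. an automatically generated test case."""
    def __init__(self): self.cases = []
    def on_path(self, st, result): self.cases.append((st.solve(), result))


class BranchCoverage:
    """Analyzer: which (site, outcome) pairs any path exercised."""
    def __init__(self): self.covered = set()
    def on_path(self, st, result): self.covered.update(zip(st.sites, st.taken))


def lib_checksum(n):
    """Constructed 'library' code that lies outside the analysis target."""
    return (n * 7) & 0xFF


def parse_packet(st, selective=True):
    """Constructed analysis target: a packet-header check that calls into the library."""
    ver, length = st.inputs["version"], st.inputs["length"]
    if not st.branch(ver == 1, "version-check"):
        return "reject: unsupported version"
    if st.branch(length > 200, "length-check"):
        return "reject: too long"
    if selective:  # library runs on a concrete value, so its branches are never forked
        return "accept" if lib_checksum(st.concretize(length)) == 0 else "reject: bad checksum"
    csum = lib_checksum(length)  # Sym operators make the library's arithmetic symbolic too
    return "accept" if st.branch(csum == 0, "checksum-check") else "reject: bad checksum"


def explore(selective):
    """Run the target under one consistency choice; return path count, outcomes, coverage."""
    gen, cov = TestGenerator(), BranchCoverage()
    n = Explorer(["version", "length"], [gen, cov]).run(lambda st: parse_packet(st, selective))
    return n, sorted({r for _, r in gen.cases}), cov.covered


if __name__ == "__main__":
    for mode in (True, False):
        n, outcomes, cov = explore(mode)
        print("selective" if mode else "fully symbolic", n, "paths", outcomes, len(cov), "branch sides")
```

The explorer works by replay rather than by snapshotting machine state: every path records which way it went at each branch, and a scheduled fork is a prefix of those decisions with the last one flipped. S2E forks the whole virtual-machine state instead, which is what lets it stay inside a real software stack; the replay trick is only adequate here because the toy program is deterministic and cheap to re-run.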
The S2E Platform: Design, Implementation, and Applications