
The S2E Platform: Design, Implementation, and Applications

Published: 01 February 2012

Abstract

This article presents S2E, a platform for analyzing the properties and behavior of software systems, along with its use in developing tools for comprehensive performance profiling, reverse engineering of proprietary software, and automated testing of kernel-mode and user-mode binaries. Conceptually, S2E is an automated path explorer with modular path analyzers: the explorer uses a symbolic execution engine to drive the target system down all execution paths of interest, while analyzers measure and/or check properties of each such path. S2E users can either combine existing analyzers to build custom analysis tools, or they can directly use S2E’s APIs.

S2E’s strength is the ability to scale to large systems, such as a full Windows stack, using two new ideas: selective symbolic execution, a way to automatically minimize the amount of code that has to be executed symbolically given a target analysis, and execution consistency models, a way to make principled performance/accuracy trade-offs during analysis. These techniques give S2E three key abilities: to simultaneously analyze entire families of execution paths instead of just one execution at a time; to perform the analyses in-vivo within a real software stack---user programs, libraries, kernel, drivers, etc.---instead of using abstract models of these layers; and to operate directly on binaries, thus being able to analyze even proprietary software.
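As an added illustration of the selective symbolic execution idea described above (toy code written for this page, not code from the paper or from S2E itself): a small path explorer runs a constructed three-branch program over a single symbolic byte x, forking on branches inside the analyzed "app" module while a helper "lib" module is executed concretely on one input consistent with the current path. Brute-force enumeration over the byte stands in for a constraint solver, and keeping x pinned after concretization is one consistency choice assumed here, so the path counts show the performance/coverage trade-off the abstract refers to.

```python
from dataclasses import dataclass, field

DOMAIN = range(256)  # the one symbolic input x is a byte; brute force stands in for the solver

@dataclass
class State:
    ip: int = 0                                # index of the next program step
    pc: list = field(default_factory=list)     # path condition: predicates over x
    trace: list = field(default_factory=list)  # (branch label, outcome) per step

def satisfying(pc):
    """First value of x satisfying the path condition, or None (toy solver)."""
    return next((v for v in DOMAIN if all(p(v) for p in pc)), None)

def fork(s, pred, label):
    """Symbolic branch: yield the feasible successor state for each outcome."""
    for taken, p in ((True, pred), (False, lambda v, q=pred: not q(v))):
        succ = State(s.ip + 1, s.pc + [p], s.trace + [(label, taken)])
        if satisfying(succ.pc) is not None:
            yield succ

def explore(program, symbolic_modules):
    """Traces of all completed paths. Branches in symbolic_modules fork; other
    branches run concretely on one consistent value of x, which then stays pinned
    (strict consistency, assumed here; the paper defines several models)."""
    worklist, done = [State()], []
    while worklist:
        s = worklist.pop()
        if s.ip == len(program):
            done.append(s.trace)
            continue
        module, label, pred = program[s.ip]
        if module in symbolic_modules:
            worklist.extend(fork(s, pred, label))
        else:  # concrete module: no fork, pick one consistent input and continue
            c = satisfying(s.pc)
            worklist.append(State(s.ip + 1, s.pc + [lambda v, c=c: v == c],
                                  s.trace + [(label, pred(c))]))
    return done

# Constructed toy program: two app branches around one branch in a helper library.
PROGRAM = [
    ("app", "x > 100", lambda v: v > 100),
    ("lib", "x is odd", lambda v: v % 2 == 1),
    ("app", "x < 200", lambda v: v < 200),
]

def path_counts():
    """Paths explored with everything symbolic vs. with only the app symbolic."""
    return len(explore(PROGRAM, {"app", "lib"})), len(explore(PROGRAM, {"app"}))
```

Running everything symbolically yields 6 paths; treating the library as concrete code cuts that to 2, but the path where x is 200 or more is then never explored, which is the accuracy side of the trade-off.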


Published in

ACM Transactions on Computer Systems, Volume 30, Issue 1
Special Issue ASPLOS 2011
February 2012
137 pages
ISSN: 0734-2071
EISSN: 1557-7333
DOI: 10.1145/2110356
Copyright © 2012 ACM

Publisher

Association for Computing Machinery
New York, NY, United States

Publication History

• Published: 1 February 2012
• Accepted: 1 October 2011
• Received: 1 August 2011
