S2E - A Platform for In-Vivo Multi-Path Software Analysis
C C++ SMT Assembly Python Haxe Other
#3 Compare This branch is 101 commits ahead, 116 commits behind S2E:master.
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Failed to load latest commit information.
docs
guest
klee
patches
qemu
stp
tools
.gitignore
Makefile
README
S2E-AUTHORS
config.lua
s2e.config
s2e.creator
s2e.creator.user.example
s2e.files
s2e.includes
s2e.refresh_project.py

README

S²E: A Platform for In-Vivo Multi-Path Software Analysis
========================================================
https://s2e.epfl.ch


S2E is a platform for writing tools that analyze the properties and behavior of software systems. So far, S2E has been used to develop a comprehensive performance profiler, a reverse engineering tool for proprietary software, and a bug finding tool for both kernel-mode and user-mode binaries. Building these tools on top of S2E took less than 770 LOC and 40 person-hours each.

S2E’s novelty consists of its ability to scale to large real systems, such as a full Windows stack. S2E is based on two new ideas:

    1. Selective symbolic execution, a way to automatically
       minimize the amount of code that has to be executed
       symbolically given a target analysis; and

    2. Relaxed execution consistency models, a way to make
       principled performance/accuracy trade-offs in complex
       analyses.

These techniques give S2E three key abilities:

    1. to simultaneously analyze entire families of execution
       paths, instead of just one execution at a time;
    
    2. to perform the analyses in-vivo within a real software
       stack—user programs, libraries, kernel, drivers, etc.—
       instead of using abstract models of these layers; and
       to operate directly on binaries, thus being able to analyze
       even proprietary software.

Conceptually, S2E is an automated path explorer with modular path analyzers: the explorer drives the target system down all execution paths of interest, while analyzers check properties of each such path (e.g., to look for bugs) or simply collect information (e.g., count page faults). Desired paths can be specified in multiple ways, and S2E users can either combine existing
analyzers to build a custom analysis tool, or write new analyzers using the S2E API.

S2E helps make analyses based on symbolic execution practical for large software that runs in real environments, without requiring explicit modeling of these environments.

S2E is built upon the KLEE symbolic execution engine (http://klee.llvm.org) and the QEMU virtual machine emulator (http://qemu.org).

Documentation
=============

Setup instruction and user documentation can be found in the /docs folder, both in RST and HTML format.