Latest Releases

16 Oct. 2017 - S²E V2.0

  • Rearchitected version of S²E, decoupled from QEMU
  • KVM-compatible interface
    • is a shim library that intercepts ioctl to /dev/kvm
    • can be LD_PRELOADed into QEMU or any other KVM-compatible VMM.
  • Modular and flexible architecture, any component of S²E can be reused independently
    • libs2e: exposes the symbolic execution engine and the dynamic binary translator through a KVM-compatible interface
    • libs2ecore: main S²E execution engine
    • libs2eplugins: S²E plugins
    • libcpu: processor emulation library, extracted from QEMU 1.0
    • libtcg: dynamic binary translator backend, extracted from QEMU 1.0
    • libvmi: virtual machine introspection library
    • libq: JSON serialization support, to interface S²E with Web services, extracted from QEMU 1.0
    • libcoroutine: cooperative threading support, extracted from QEMU 1.0
    • libfsigc++: fast drop-in replacement for the libsigc++ library
    • klee: symbolic LLVM interpreter
    • lua: LUA scripting engine
  • Supports latest versions of Linux and Windows XP, 7, 8, 8.1, 10
    • Windows crash dump generation, compatible with WinDbg
    • Exposes OS events to plugins (process/thread creation/destruction, memory mappings, module loads, etc.)
  • Advanced tooling to easily set up symbolic execution for arbitrary programs
    • Automatic generation of S²E configuration file and launch script based on the binary to analyze
    • Easy file transfers between the guest and the host during symbolic execution, ideal for per-path core dump extraction, etc.
    • Code coverage support
  • Up to 6x faster concrete execution than S²E 1.3
  • Z3 constraint solver
  • Extensive set of plugins and tools for vulnerability analysis and proof of vulnerability generation
    • Easily show the exploitability of a crash
    • Demonstrated during the DARPA Cyber Grand Challenge
  • Concolic execution
  • State merging
    • Exponentially reduces number of paths to explore by combining similar execution paths
  • Function models
    • Exponentially reduces number of paths to explore by replacing standard library functions with equivalent models
  • Advanced path searchers
    • Modular searcher architecture, mix and match existing searchers, and combine them with your own
    • Class-Uniform Path Analysis minimizes likelihood of exploration getting stuck
  • Fuzzer integration
    • SeedSearcher plugin automatically picks up seeds generated by a fuzzer or other analysis tools and schedules them for exploration
    • Generate new test cases that can be used to guide fuzzers and other tools
  • Revgen: static x86 to LLVM translator

Old Releases

The following releases are archived.

05 Dec. 2013 - S²E V1.3

  • x86-64 guests support, LLVM 3.2

27 Apr. 2012 - S²E V1.2

  • QEMU 1.0, LLVM 3.0, Clang
  • S²E now includes the latest features of QEMU and uses a modern toolchain
  • Concolic Execution
  • Reuse your existing testsuites to easily reach deep parts of programs under analysis

10 Sep. 2011 - S²E V1.1

  • Experimental ARM support
  • Analyze embedded applications
  • Available in the arm-experimental branch of the repository
  • Multi-core support
  • Explore orders of magnitude more paths
  • 20x faster plugin infrastructure
  • Complete plugin-intensive analyses such as Windows driver testing in minutes instead of hours
  • 2x faster concrete execution
  • Run bigger systems