Latest Releases

You can find the latest stable version of S2E on master. From time to time we compile here a list of the features available as of a given date.

29 May 2019

  • Support for symbolic FP/MMX/SSE registers on x86 guests. You can now run programs that use these registers without forcing concretizations when symbolic data enters them. Big thanks to @humeafo for implementing this!
  • Added a testsuite. It covers most tutorials and exercises major aspects of S2E functionality. This should considerably reduce regressions and make it easier for you to add new features without fear of breaking things.
  • Major performance improvements for concrete/symbolic execution and faster parallel mode.
  • Code coverage generation is now orders of magnitude faster for large binaries. You will get a Linux kernel coverage report in seconds instead of minutes.
  • Plugins now record execution traces in protobuf format.
  • Fixed guest hangs when running S2E in parallel mode (by Alan Wang).
  • Many other bug fixes and improvements both in the code and the documentation.

14 January 2019

  • QEMU 3.0 support
  • Windows 7 32-bit guest support
  • Ubuntu 18.04 host support
  • Documentation updates
    • KVM interface design
    • Testing error recovery code in Windows drivers with multi-path fault injection
    • Using SystemTap with S2E
    • Combining Kaitai Struct and S2E for analyzing parsers
    • Analyzing trigger-based malware with S2E
    • Automated proof of vulnerability generation on Linux, Windows, and Decree platforms
    • Getting code coverage for various types of binaries
    • Setting up Windows development environment
  • Various engine fixes and refactorings

16 October 2017 - S²E V2.0

  • Rearchitected version of S²E, decoupled from QEMU
  • KVM-compatible interface
    • A shim library that intercepts ioctl calls to /dev/kvm
    • Can be LD_PRELOADed into QEMU or any other KVM-compatible VMM
  • Modular and flexible architecture, any component of S²E can be reused independently
    • libs2e: exposes the symbolic execution engine and the dynamic binary translator through a KVM-compatible interface
    • libs2ecore: main S²E execution engine
    • libs2eplugins: S²E plugins
    • libcpu: processor emulation library, extracted from QEMU 1.0
    • libtcg: dynamic binary translator backend, extracted from QEMU 1.0
    • libvmi: virtual machine introspection library
    • libq: JSON serialization support, to interface S²E with Web services, extracted from QEMU 1.0
    • libcoroutine: cooperative threading support, extracted from QEMU 1.0
    • libfsigc++: fast drop-in replacement for the libsigc++ library
    • klee: symbolic LLVM interpreter
    • lua: Lua scripting engine
  • Supports latest versions of Linux and Windows XP, 7, 8, 8.1, 10
    • Windows crash dump generation, compatible with WinDbg
    • Exposes OS events to plugins (process/thread creation/destruction, memory mappings, module loads, etc.)
  • Advanced tooling to easily set up symbolic execution for arbitrary programs
    • Automatic generation of S²E configuration file and launch script based on the binary to analyze
    • Easy file transfers between the guest and the host during symbolic execution, ideal for per-path core dump extraction, etc.
    • Code coverage support
  • Up to 6x faster concrete execution than S²E 1.3
  • Z3 constraint solver
  • Extensive set of plugins and tools for vulnerability analysis and proof of vulnerability generation
    • Easily show the exploitability of a crash
    • Demonstrated during the DARPA Cyber Grand Challenge
  • Concolic execution
  • State merging
    • Exponentially reduces the number of paths to explore by combining similar execution paths
  • Function models
    • Exponentially reduces the number of paths to explore by replacing standard library functions with equivalent models
  • Advanced path searchers
    • Modular searcher architecture, mix and match existing searchers, and combine them with your own
    • Class-Uniform Path Analysis minimizes likelihood of exploration getting stuck
  • Fuzzer integration
    • SeedSearcher plugin automatically picks up seeds generated by a fuzzer or other analysis tools and schedules them for exploration
    • Generate new test cases that can be used to guide fuzzers and other tools
  • Revgen: static x86 to LLVM translator

Old Releases

The following releases are archived.

05 Dec. 2013 - S²E V1.3

  • x86-64 guest support, LLVM 3.2

27 Apr. 2012 - S²E V1.2

  • QEMU 1.0, LLVM 3.0, Clang
    • S²E now includes the latest features of QEMU and uses a modern toolchain
  • Concolic execution
    • Reuse your existing testsuites to easily reach deep parts of programs under analysis

10 Sep. 2011 - S²E V1.1

  • Experimental ARM support
    • Analyze embedded applications
    • Available in the arm-experimental branch of the repository
  • Multi-core support
    • Explore orders of magnitude more paths
  • 20x faster plugin infrastructure
    • Complete plugin-intensive analyses such as Windows driver testing in minutes instead of hours
  • 2x faster concrete execution
    • Run bigger systems