Latest Releases

You can find the latest stable version of S2E on master. We compile here from time to time a list of important updates.


  • Added support for Linux 6.8.2 guests.
  • Upgraded to libdwarf 0.9.1, which gives better support for debug symbols.
  • Fixed slow symbol lookup in s2e-env.
  • Fixed pretty printer support when running S2E in GDB.


  • Upgraded TCG to 8.1.2.
  • Added Debian 12.5 support (host + guest images).


  • Upgraded TCG to 7.2.0.
  • Use pre-compiled LLVM/Clang to reduce build time.
  • Cleaned up KLEE APIs to access guest memory.
  • Various fixes and improvements in execution tracer plugins.
  • Removed Revgen.


  • Added support for Ubuntu 22.04 and Debian 11.3 guest images.
  • Removed support for Debian 9 images.
  • Replaced s2eget and s2eput with s2ecmd get|put.


  • Upgraded the symbolic execution engine to LLVM 14.
  • Added support for Debian 11 and Ubuntu 22.04 LTS.


  • Added control flow integrity checker with Microsoft Office support.
  • UserSpaceTracer plugin supports per-thread tracing.
  • Added the Tickler plugin and the corresponding Windows guest tool in order to automatically click on dialog boxes while testing Microsoft Office and other apps.
  • Added the Screenshot plugin in order to record screenshots of the guest.
  • Added a command to s2e-env to automatically generate S2E plugin boilerplate.


  • Added support for Microsoft Office 2010, 2013, 2016, 2019.
  • Added tutorial about symbolic execution of VBA macros.
  • Improved image building makefile to make it easier to add support for other Windows apps.
  • Better support for seed files in s2e new_project.
  • Added libs2e.dll to make it easier to call S2E APIs from other programs.
  • Removed Windows 8.1 and 10 1703 images.


  • Upgraded to LLVM 10.0.0.
  • Added support for Ubuntu 20.04 LTS.
  • Updated the Windows 10 image to 1909.
  • Applied latest patches to Windows XP and 7 images (up to 2016 and 2020 respectively).



  • Upgraded to LLVM 9.0.0 from 3.9.1.
  • S2E now compiles with Clang 9.0.
  • Consolidated the 14 repositories that composed libs2e into a monorepo. The old repositories will be deleted after Feb 14.


  • Upgraded the code generation backend (TCG, Tiny Code Generator) from version 1.0 to 4.0. This is a prerequisite for upgrading the x86 translator to support new instruction sets.
  • Tutorial on how to profile S2E.
  • Fixed memory leaks and optimized memory usage in KLEE. Made all KLEE expressions immutable, merged MemoryObject and ObjectState, removed unused fields, use reference counting for all objects, minimize memory allocations, etc.
  • Optimized calling of external functions in KLEE. Invoke these functions directly instead of generating complex LLVM stubs for every call site.
  • Fixed sign extension in solver interface that was resulting in incorrect solver results.
  • Fixed performance bug in the expression simplifier that was causing symbolic execution to get stuck on large expressions.
  • Upgraded the docker image from Ubuntu 16.04 to 18.04.
  • Ubuntu 16.04 is not supported anymore due to glib package issues.


  • Support for symbolic FP/MMX/SSE registers on x86 guests. You can now run programs that use these registers without forcing concretizations when symbolic data enters them. Big thanks to @humeafo for implementing this!
  • Added a testsuite. It covers most tutorials and exercises major aspects of S2E functionality. This should considerably reduce regressions and make it easier for you to add new features without fearing of breaking things.
  • Major performance improvements for concrete/symbolic execution and faster parallel mode.
  • Code coverage generation is now orders of magnitude faster for large binaries. You will get a Linux kernel coverage report in seconds instead of minutes.
  • Plugins now record execution traces in protobuf format.
  • Fixed guest hangs when running S2E in parallel mode (by Alan Wang).
  • Many other bug fixes and improvements both in the code and the documentation.


  • QEMU 3.0 support
  • Windows 7 32-bit guest support
  • Ubuntu 18.04 host support
  • Documentation updates
    • KVM interface design
    • Testing error recovery code in Windows drivers with multi-path fault injection
    • Using SystemTap with S2E
    • Combining Kaitai Struct and S2E for analyzing parsers
    • Analyzing trigger-based malware with S2E
    • Automated proof of vulnerability generation on Linux, Windows, and Decree platforms
    • Getting code coverage for various types of binaries
    • Setting up Windows development environment
  • Various engine fixes and refactorings

2017-10-16 - S2E V2.0

  • Rearchitected version of S²E, decoupled from QEMU
  • KVM-compatible interface
    • is a shim library that intercepts ioctl to /dev/kvm
    • can be LD_PRELOADed into QEMU or any other KVM-compatible VMM.
  • Modular and flexible architecture, any component of S²E can be reused independently
    • libs2e: exposes the symbolic execution engine and the dynamic binary translator through a KVM-compatible interface
    • libs2ecore: main S²E execution engine
    • libs2eplugins: S²E plugins
    • libcpu: processor emulation library, extracted from QEMU 1.0
    • libtcg: dynamic binary translator backend, extracted from QEMU 1.0
    • libvmi: virtual machine introspection library
    • libq: JSON serialization support, to interface S²E with Web services, extracted from QEMU 1.0
    • libcoroutine: cooperative threading support, extracted from QEMU 1.0
    • libfsigc++: fast drop-in replacement for the libsigc++ library
    • klee: symbolic LLVM interpreter
    • lua: LUA scripting engine
  • Supports latest versions of Linux and Windows XP, 7, 8, 8.1, 10
    • Windows crash dump generation, compatible with WinDbg
    • Exposes OS events to plugins (process/thread creation/destruction, memory mappings, module loads, etc.)
  • Advanced tooling to easily set up symbolic execution for arbitrary programs
    • Automatic generation of S²E configuration file and launch script based on the binary to analyze
    • Easy file transfers between the guest and the host during symbolic execution, ideal for per-path core dump extraction, etc.
    • Code coverage support
  • Up to 6x faster concrete execution than S²E 1.3
  • Z3 constraint solver
  • Extensive set of plugins and tools for vulnerability analysis and proof of vulnerability generation
    • Easily show the exploitability of a crash
    • Demonstrated during the DARPA Cyber Grand Challenge
  • Concolic execution
  • State merging
    • Exponentially reduces number of paths to explore by combining similar execution paths
  • Function models
    • Exponentially reduces number of paths to explore by replacing standard library functions with equivalent models
  • Advanced path searchers
    • Modular searcher architecture, mix and match existing searchers, and combine them with your own
    • Class-Uniform Path Analysis minimizes likelihood of exploration getting stuck
  • Fuzzer integration
    • SeedSearcher plugin automatically picks up seeds generated by a fuzzer or other analysis tools and schedules them for exploration
    • Generate new test cases that can be used to guide fuzzers and other tools
  • Revgen: static x86 to LLVM translator

Old Releases

The following releases are archived.

2013-12-05 - S2E V1.3

  • x86-64 guests support, LLVM 3.2

2012-04-27 - S²E V1.2

  • QEMU 1.0, LLVM 3.0, Clang
  • S²E now includes the latest features of QEMU and uses a modern toolchain
  • Concolic Execution
  • Reuse your existing testsuites to easily reach deep parts of programs under analysis

2011-09-10 - S²E V1.1

  • Experimental ARM support
  • Analyze embedded applications
  • Available in the arm-experimental branch of the repository
  • Multi-core support
  • Explore orders of magnitude more paths
  • 20x faster plugin infrastructure
  • Complete plugin-intensive analyses such as Windows driver testing in minutes instead of hours
  • 2x faster concrete execution
  • Run bigger systems