You can find the latest stable version of S2E on master. From time to time we compile here a list of the features available as of a given date.
29 May 2019
- Support for symbolic FP/MMX/SSE registers on x86 guests. You can now run programs that use these registers without forcing concretizations when symbolic data enters them. Big thanks to @humeafo for implementing this!
- Added a testsuite. It covers most tutorials and exercises major aspects of S2E functionality. This should considerably reduce regressions and make it easier for you to add new features without fear of breaking things.
- Major performance improvements for concrete/symbolic execution and faster parallel mode.
- Code coverage generation is now orders of magnitude faster for large binaries. You will get a Linux kernel coverage report in seconds instead of minutes.
- Plugins now record execution traces in
- Fixed guest hangs when running S2E in parallel mode (by Alan Wang).
- Many other bug fixes and improvements both in the code and the documentation.
14 January 2019
- QEMU 3.0 support
- Windows 7 32-bit guest support
- Ubuntu 18.04 host support
- Documentation updates
- KVM interface design
- Testing error recovery code in Windows drivers with multi-path fault injection
- Using SystemTap with S2E
- Combining Kaitai Struct and S2E for analyzing parsers
- Analyzing trigger-based malware with S2E
- Automated proof of vulnerability generation on Linux, Windows, and Decree platforms
- Getting code coverage for various types of binaries
- Setting up Windows development environment
- Various engine fixes and refactorings
16 October 2017 - S²E V2.0
- Rearchitected version of S²E, decoupled from QEMU
- KVM-compatible interface
libs2e.so is a shim library that intercepts KVM ioctls and can be LD_PRELOADed into QEMU or any other KVM-compatible VMM.
- Modular and flexible architecture, any component of S²E can be reused independently
libs2e: exposes the symbolic execution engine and the dynamic binary translator through a KVM-compatible interface
libs2ecore: main S²E execution engine
libs2eplugins: S²E plugins
libcpu: processor emulation library, extracted from QEMU 1.0
libtcg: dynamic binary translator backend, extracted from QEMU 1.0
libvmi: virtual machine introspection library
libq: JSON serialization support, to interface S²E with Web services, extracted from QEMU 1.0
libcoroutine: cooperative threading support, extracted from QEMU 1.0
libfsigc++: fast drop-in replacement for the
klee: symbolic LLVM interpreter
lua: Lua scripting engine
- Supports the latest versions of Linux and Windows XP, 7, 8, 8.1, and 10
- Windows crash dump generation, compatible with WinDbg
- Exposes OS events to plugins (process/thread creation/destruction, memory mappings, module loads, etc.)
- Advanced tooling to easily set up symbolic execution for arbitrary programs
- Automatic generation of S²E configuration file and launch script based on the binary to analyze
- Easy file transfers between the guest and the host during symbolic execution, ideal for per-path core dump extraction, etc.
- Code coverage support
- Up to 6x faster concrete execution than S²E 1.3
- Z3 constraint solver
- Extensive set of plugins and tools for vulnerability analysis and proof of vulnerability generation
- Easily show the exploitability of a crash
- Demonstrated during the DARPA Cyber Grand Challenge
- Concolic execution
- State merging
- Exponentially reduces the number of paths to explore by combining similar execution paths
- Function models
- Exponentially reduces the number of paths to explore by replacing standard library functions with equivalent models
- Advanced path searchers
- Modular searcher architecture, mix and match existing searchers, and combine them with your own
- Class-Uniform Path Analysis minimizes likelihood of exploration getting stuck
- Fuzzer integration
SeedSearcher plugin automatically picks up seeds generated by a fuzzer or other analysis tools and schedules them for exploration
- Generate new test cases that can be used to guide fuzzers and other tools
- Revgen: static x86 to LLVM translator
The following releases are archived.
05 Dec. 2013 - S²E V1.3
- x86-64 guests support, LLVM 3.2
27 Apr. 2012 - S²E V1.2
- QEMU 1.0, LLVM 3.0, Clang
- S²E now includes the latest features of QEMU and uses a modern toolchain
- Concolic Execution
- Reuse your existing testsuites to easily reach deep parts of programs under analysis
10 Sep. 2011 - S²E V1.1
- Experimental ARM support
- Analyze embedded applications
- Available in the arm-experimental branch of the repository
- Multi-core support
- Explore orders of magnitude more paths
- 20x faster plugin infrastructure
- Complete plugin-intensive analyses such as Windows driver testing in minutes instead of hours
- 2x faster concrete execution
- Run bigger systems