Symbolic execution with SymCC: Don't interpret, compile!

Poeplau, Sebastian; Francillon, Aurélien
USENIX Security 2020, 29th USENIX Security Symposium, 12-14 August 2020, Boston, MA, USA (Virtual Conference)

Distinguished Paper Award

A major impediment to practical symbolic execution is speed, especially when compared to near-native speed solutions like fuzz testing. We propose a compilation-based approach to symbolic execution that performs better than state-of-the-art implementations by orders of magnitude.We present SYMCC, an LLVM-based C and C++ compiler that builds concolic execution right into the binary. It can be used by software developers as a drop-in replacement for clang and clang++, and we show how to add support for other languages with little effort. In comparison with KLEE, SYMCC is faster by up to three orders of magnitude and an average factor of 12. It also outperforms QSYM, a system that recently showed great performance improvements over other implementations, by up to two orders of magnitude and an average factor of 10. Using it on real-world software, we found that our approach consistently achieves higher coverage, and we discovered two vulnerabilities in the heavily tested OpenJPEG project, which have been confirmed by the project maintainers and assigned CVE identifiers.

HAL
Type:
Conférence
City:
Boston
Date:
2020-08-12
Department:
Sécurité numérique
Eurecom Ref:
6293
Copyright:
Copyright Usenix. Personal use of this material is permitted. The definitive version of this paper was published in USENIX Security 2020, 29th USENIX Security Symposium, 12-14 August 2020, Boston, MA, USA (Virtual Conference) and is available at :

PERMALINK : https://www.eurecom.fr/publication/6293