# FsSymExe

FsSymExe is a static symbolic execution engine based on LLVM IR and written in F#.
This is used as a configurable symbolic execution engine in our paper, "Precise and Scalable Detection of Use-after-Compacting-Garbage-Collection Bugs", which appeared in Usenix Security 2021.
We expect that it can be leveraged to detect other kinds of vulnerabilities or to write other analyses.
## Installation

- Install dotnet. Installation of dotnet depends on your OS, so please check this link.
- Clone and build FsSymExe:

```sh
$ git clone git@github.com:DaramG/FsSymExe.git
$ cd FsSymExe
$ make
```
## Usage

FsSymExe is driven by configuration: you register callbacks for specific operations (loads, stores, calls, returns, per-statement hooks) and supply a user-configurable state that is threaded through those callbacks. You can find the list of configurations here. The excerpt below is the part of the symbolic state definition that holds the user-configurable settings.
```fsharp
type State<'T> =
  ...
  // User-defined analysis state; it is passed to, and returned from, every callback.
  UserState: 'T
  // Consulted before a block is explored; None means the path is not explored further.
  IsReachable: State<'T> -> BlockID -> int -> State<'T> option
  // Optional symbolic model for the function with the given ID.
  GetSymFunc: State<'T> -> ID -> SymFunc_<'T> option
  // Hooks invoked per statement, per call, per load, per store and per return.
  StmtCb: State<'T> -> int -> State<'T>
  CallCb: State<'T> -> int -> ID -> State<'T>
  LoadCb: State<'T> -> Expr -> ExprSize -> Expr -> State<'T>
  StoreCb: State<'T> -> Expr -> Expr -> State<'T>
  ReturnCb: State<'T> -> Expr option -> State<'T>
  // Whether the SAT solver is used when exploring paths.
  UseSAT: bool
```
Here is example code that installs the user-configurable settings.
```fsharp
let check conf prog =
  let state =
    State.init prog GcState.empty      // GcState.empty is the initial user state
    |> State.setUseSAT false
    |> State.setIsReachable isReachable
    |> State.setLoadCb loadCb
    |> State.setStoreCb storeCb
    |> State.setReturnCb returnCb
```
You can get the full code for this example in this project.
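The `check` snippet above installs `isReachable`, `loadCb`, `storeCb` and `returnCb` without showing them. The following is an added example, not FsSymExe's own code or the paper's GC checker: it defines a small user state and a set of callbacks matching the `State<'T>` signatures above, so the plumbing is visible end to end. It assumes that `State<'T>` is an F# record (so `{ st with UserState = ... }` is valid), that the `int` handed to `IsReachable` is the number of times the block has been visited on the current path, that `Expr` supports structural equality, and that the engine's types live in a namespace opened here as `FsSymExe`; the `AuditState` type and `initAudit` function are hypothetical names chosen for this example.

```fsharp
// Added example, not part of FsSymExe. See the assumptions listed in the text above.
open FsSymExe

/// User-configurable state threaded through every callback.
type AuditState =
  { Written      : Expr list          // addresses this path has stored to so far
    UnknownReads : int                // loads whose address no earlier store on the path wrote
    Returns      : Expr option list   // values returned so far on this path
    MaxVisits    : int }              // per-block visit bound enforced by isReachable
  static member Empty =
    { Written = []; UnknownReads = 0; Returns = []; MaxVisits = 4 }

/// Helper: update only the user state inside an engine state.
let private mapUser (f: AuditState -> AuditState) (st: State<AuditState>) =
  { st with UserState = f st.UserState }

/// IsReachable: stop exploring a path once a block has been re-entered more than
/// MaxVisits times. This bounds loop unrolling instead of enumerating paths forever
/// (assumes the int argument is the block's visit count on the current path).
let isReachable (st: State<AuditState>) (_blk: BlockID) (visits: int)
    : State<AuditState> option =
  if visits > st.UserState.MaxVisits then None else Some st

/// StoreCb: remember the symbolic address that was written.
let storeCb (st: State<AuditState>) (addr: Expr) (_value: Expr) : State<AuditState> =
  st |> mapUser (fun u -> { u with Written = addr :: u.Written })

/// LoadCb: count reads from addresses that no earlier store on this path wrote.
/// The comparison is structural equality on the symbolic address (an assumption),
/// so syntactically different but equal addresses are treated as distinct.
let loadCb (st: State<AuditState>) (addr: Expr) (_size: ExprSize) (_value: Expr)
    : State<AuditState> =
  if List.contains addr st.UserState.Written then st
  else st |> mapUser (fun u -> { u with UnknownReads = u.UnknownReads + 1 })

/// ReturnCb: record the returned value, if any, so a caller can inspect it afterwards.
let returnCb (st: State<AuditState>) (ret: Expr option) : State<AuditState> =
  st |> mapUser (fun u -> { u with Returns = ret :: u.Returns })

/// Same shape as the README's `check`, with the callbacks above installed.
/// Only the setters shown on this page are used.
let initAudit prog =
  State.init prog AuditState.Empty
  |> State.setUseSAT false
  |> State.setIsReachable isReachable
  |> State.setLoadCb loadCb
  |> State.setStoreCb storeCb
  |> State.setReturnCb returnCb
```

The design point is that all analysis-specific bookkeeping lives in `UserState`, so a callback never mutates engine state directly; it returns a new `State<'T>` and the engine carries that forward along the path. A real checker would replace the `Written`/`UnknownReads` bookkeeping with the facts it needs (for the paper's use case, which raw pointers are live across an operation that may trigger a compacting GC), and `isReachable` is the natural place to keep path explosion under control.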
## Projects

FsSymExe is used in these projects: