Sebastian Poeplau, Aurélien Francillon. USENIX Security Symposium.
SymCC [3]: instrumentation code inserted at compile time. I. Interpreter-based. 1. KLEE (OSDI'08). KLEE [1] is currently the most widely used symbolic execution engine in academia and the best-maintained open-source one; the original program (usually its source code) must first be compiled to LLVM IR, which the KLEE tool then loads and interprets. Personally, I feel KLEE still leans academic: by default it does not support under-constrained symbolic execution, and for code instrumentation, ...
Save the code as test.c. To compile it with symbolic execution built in, we call symcc as we would normally call clang: $ ./symcc test.c -o test Before starting the analysis, create a directory for the results and tell SymCC about it: ...
KLEE - Symbolic execution engine built on LLVM. Cloud9 - Parallel symbolic execution engine built on KLEE. Kite - Based on KLEE and LLVM. SymCC - A compiler wrapper which embeds symbolic execution into the program during compilation, and an associated run-time support library. GenSym - A comp...
You can have a quick look at the results with the following one-liner: for i in /tmp/output/00000*; do od -A x -t x1z "$i"; done This is a very basic use of symbolic execution. See SymCC's documentation for more advanced scenarios. Since SymQEMU is based on it, it understands all the sa...
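A target program of the kind one compiles with symcc, as an added example that is not the test.c from the SymCC README (the `./symcc` path and `/tmp/output` directory follow the commands above; the header format, the "SYMC" magic and the constants in parse_header are made up for illustration). SymCC treats bytes read from standard input as symbolic, so every comparison in parse_header becomes a path constraint; running the compiled binary on one concrete 8-byte input makes the solver emit, for each branch that input does not take, an alternative input file in $SYMCC_OUTPUT_DIR, which the od one-liner above hex-dumps.

```c
/* Added example target for SymCC (not the README's test.c).
 * Build: ./symcc target.c -o target
 * Run:   mkdir /tmp/output; export SYMCC_OUTPUT_DIR=/tmp/output
 *        printf 'aaaaaaaa' | ./target
 * Bytes read from stdin are symbolic under SymCC, so each `if` below is a
 * branch whose negation the solver tries to satisfy on the concrete run.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Parse a hypothetical 8-byte header: 4 magic bytes "SYMC", then a
 * little-endian uint32 length. Returns 0 on success and a distinct
 * negative code for each rejection so the outcome of every branch is
 * observable in the exit status and testable from ordinary code. */
int parse_header(const uint8_t *buf, size_t len, uint32_t *out_len) {
    if (len < 8)
        return -1;                       /* short read: nothing symbolic yet */
    if (memcmp(buf, "SYMC", 4) != 0)
        return -2;                       /* solver: input whose magic matches */
    uint32_t n = (uint32_t)buf[4]
               | ((uint32_t)buf[5] << 8)
               | ((uint32_t)buf[6] << 16)
               | ((uint32_t)buf[7] << 24);
    if (n > 1024)
        return -3;                       /* solver: length within/outside bound */
    if (n % 7 == 3)
        return -4;                       /* solver: arithmetic constraint on n */
    *out_len = n;
    return 0;
}

int main(void) {
    uint8_t buf[8];
    ssize_t got = read(STDIN_FILENO, buf, sizeof buf);
    if (got < 0) {
        perror("read");
        return 1;
    }
    uint32_t n = 0;
    int rc = parse_header(buf, (size_t)got, &n);
    printf("parse_header -> %d (len=%u)\n", rc, n);
    return rc == 0 ? 0 : 2;
}
```

With the all-'a' seed input the concrete run fails the magic check, so the first generated file is one whose leading bytes satisfy memcmp; feeding that file back in (it is an ordinary 8-byte input) drives the run past the magic check and yields inputs for the length and modulo branches in turn. Each rejection returns a different code so you can tell, without a debugger, which constraint a generated input was produced for.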