Usage of symbolic execution (previous research)

[KLEE] It’s hard to perform high-coverage software testing by hand!

Reverse engineering [S2E, Triton]
e.g. path coverage, deobfuscation

Exploit generation (includes crash) [AEG, S2E, Driller]
e.g. control flow hijack

[KLEE] Cadar, C., Dunbar, D., and Engler, D. (2008). KLEE: Unassisted and automatic generation of high-coverage tests for complex systems programs.
[S2E] Chipounov, V., Kuznetsov, V., and Candea, G. (2012). The S2E platform: Design, implementation, and applications.
[Triton] https://github.com/JonathanSalwan/Tigress_protection
[AEG] T. Avgerinos, S. K. Cha, B. L. Tze Hao, and D. Brumley. (2011). AEG: Automatic Exploit Generation.
[Driller] Stephens, N., Grosen, J., Salls, C., Dutcher, A., Wang, R., Corbetta, J., Shoshitaishvili, Y., Kruegel, C., and Vigna, G. (2016). Driller: Augmenting fuzzing through selective symbolic execution.

Today’s topic