Practical Symbolic Execution for VR and RE

TIME: 09:00 to 17:00 CEST/GMT+2

The “Practical Symbolic Execution for VR and RE” course is a detailed dive into symbolic execution for Reverse Engineers and Vulnerability Researchers. This course provides a diverse set of demonstrations and labs that will help students learn how to effectively apply symbolic execution to their work. A practical approach to symbolic execution will give students hands-on experience solving real world problems through the development of custom analysis tooling.

Students can expect to create custom analysis tooling using symbolic execution. The labs cover a variety of practical situations that will help students explore applications of symbolic execution. These real-world problems will also help them to understand symbolic execution’s strengths and limitations. In the labs students will programmatically root-cause crashes, detect various forms of memory corruption, generate unique test cases, and more. The techniques taught are applicable to a variety of low-level binaries and firmware.

Topics Covered

Symbolic Execution Concepts

• Symbolic Execution Base Concepts
  – Lifting
  – Expressions as ASTs
  – Solving

• Common uses of Symbolic Execution
• Common Symbolic Execution Weaknesses
• Popular Symbolic Execution Tooling

Framework Introductions

• Introduction to a few useful Symbolic Execution Frameworks
• Triton Introduction and Demos
• MAAT Introduction and Demos
• Framework Comparisons

Analysis Introduction

• Taint Analysis
• Using Concrete Traces
• Symbolic Hooks
• Crash Triaging
• Crash Root-Cause Analysis

Path Exploration

• Test Case Generation
• Different Exploration Strategies
• Exploration Heuristics

Vulnerability Detection

• Overflows and Write-What-Where Detection
• ToCToU Race Condition Detection
• Scope Vulnerability Detection
• Patches and Variants Discussion

Deobfuscation

• Anti-Static Obfuscation defeat strategies
• Anti-Dynamic Obfuscation defeat strategies