RIVER: A Binary Analysis Framework Using Symbolic Execution and Reversible x86 Instructions

  • Teodor Stoenescu
  • Alin Stefanescu
  • Sorina Predut
  • Florentin Ipate
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9995)


We present a binary analysis framework based on symbolic execution with the distinguishing capability to execute stepwise forward and also backward through the execution tree. It was developed internally at Bitdefender and code-named RIVER. The framework provides components such as a taint engine, a dynamic symbolic execution engine, and integration with Z3 for constraint solving.


Keywords: Symbolic Execution, Intermediate Representation, Binary File, Taint Analysis, Execution Tree



We thank Sorin Baltateanu and Traian Serbanuta for fruitful discussions and acknowledge partial support from MuVeT and MEASURE projects (PN-II-ID-PCE-2011-3-0688 and PN-III-P3-3.5-EUK-2016-0020).



Copyright information

© Springer International Publishing AG 2016

Authors and Affiliations

  • Teodor Stoenescu (1)
  • Alin Stefanescu (2)
  • Sorina Predut (2)
  • Florentin Ipate (2)
  1. Bitdefender, Bucharest, Romania
  2. University of Bucharest, Bucharest, Romania
