RIVER: A Binary Analysis Framework Using Symbolic Execution and Reversible x86 Instructions

  • Teodor Stoenescu
  • Alin Stefanescu
  • Sorina Predut
  • Florentin Ipate
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9995)


We present a binary analysis framework based on symbolic execution with the distinguishing capability to execute stepwise forward and also backward through the execution tree. It was developed internally at Bitdefender and code-named RIVER. The framework provides components such as a taint engine, a dynamic symbolic execution engine, and integration with Z3 for constraint solving.



Copyright information

© Springer International Publishing AG 2016

Authors and Affiliations

  • Teodor Stoenescu (1)
  • Alin Stefanescu (2)
  • Sorina Predut (2)
  • Florentin Ipate (2)
  1. Bitdefender, Bucharest, Romania
  2. University of Bucharest, Bucharest, Romania
