Symbolic Execution

The present article analyses the relationship between the language of punishment and the public space in Dubrovnik from the Middle Ages until the beginning of the XIX century. It overviews justice sites and tries to understand their function in civic life. It is remarkable how criminal rituals adapted to the urban setting already at the beginning of the XV century, increasingly referring to the symbolic meaning of the places where they are carried out. In the following century the long process for the settlement of the punitive rituals and for the reduction of the stages of justice began. With these changes as a background, the birth of the modern state can be discerned, a state that aims at building a global image of power.

Security analysts spend days or even weeks in trying to understand the inner workings of malicious software, using a plethora of manually orchestrated tools. Devising automated tools and techniques to assist and speed up the analysis process remains a major endeavor in computer security. While manual intervention will likely remain a key ingredient in the short and mid term, the recent advances in static and dynamic analysis techniques have the potential to significantly impact the malware analysis practice. In this paper we show how an analyst can use symbolic execution techniques to unveil critical behavior of a remote access trojan (RAT). Using a tool we implemented in the Angr framework , we analyze a sample drawn from a well-known RAT family that leverages thread injection vulnerabilities in the Microsoft Win32 API. Our case study shows how to automatically derive the list of commands supported by the RAT and the sequence of system calls that are activated for each of them, systematically exploring the stealthy communication protocol with the server and yielding clues to potential threats that may pass unnoticed by a manual inspection.

The text begins with the defining of the circus exhibitions performed on a vertical pole and with the historical track¬ing of these traditions in ancient cultures. Following this introduction, the author defines the representations of the Cosmic Axis as an ancient mytho-religious paradigm universal for all mankind. Furthermore, he examines picto¬rial and ritualistic examples of poles i.e. columns with a circle or a wheel (Heaven or Sun), followed by traditions through which he discovers the character of the actors engaged in these rituals, more precisely, the holder of the pole and the acrobat balancing and rotating around its top. In addition, the author points to the sacrifice to which the pole i.e. the cosmic axis secures passing from one to another cosmic zone or to another state of existence as a key component. In this context he also refers to the execution columns (gallows, impaling pole, breaking wheel…) which originally functioned as instruments of sacrifice. The sacrificial aspects are also emphasized within the framework of Christian traditions (Christ`s Crucifixion; monks – stylites) as well as in modern times (striptease and pole dancing). Within these frameworks, he also examines the shamanistic aspects, as well as the notion of improvement of the performer accomplished by his climbing, staying or hanging on the cosmic axis, conceived as form of self-sacrifice, departure from this world and communication with the other world.

Key words: semiotics of the circus, mythologization of the cosmos, acrobatics, axis mundi, cosmic axis, cosmic tree, cosmic column, shamanism, executions, crucifixion

The English public execution contained elements of both tragedy and the carnivalesque (or comic), yet scholars have debated on the significance and causation of these competing elements. This paper seeks unify the two by first explaining the significance of both the tragic and comic and second by explaining how these factors are intertwined.

Many security and software testing applications require checking whether certain properties of a program hold for any possible usage scenario. For instance, a tool for identifying software vulnerabilities may need to rule out the existence of any backdoor to bypass a program's authentication. One approach would be to test the program using different, possibly random inputs. As the backdoor may only be hit for very specific program workloads, automated exploration of the space of possible inputs is of the essence. Symbolic execution provides an elegant solution to the problem, by systematically exploring many possible execution paths at the same time without necessarily requiring concrete inputs. Rather than taking on fully specified input values, the technique abstractly represents them as symbols, resorting to constraint solvers to construct actual instances that would cause property violations. Symbolic execution has been incubated in dozens of tools developed over the last four decades, leading to major practical breakthroughs in a number of prominent software reliability applications. The goal of this survey is to provide an overview of the main ideas, challenges, and solutions developed in the area, distilling them for a broad audience.

Symbolic execution is a popular program analysis technique that allows seeking for bugs by reasoning over multiple alternative execution states at once. As the number of states to explore may grow exponentially, a symbolic executor may quickly run out of space. For instance, a memory access to a symbolic address may potentially reference the entire address space, leading to a combinatorial explosion of the possible resulting execution states. To cope with this issue, state-of-the-art executors concretize symbolic addresses that span memory intervals larger than some threshold. Unfortunately, this could result in missing interesting execution states, e.g., where a bug arises. In this paper we introduce MEMSIGHT, a new approach to symbolic memory that reduces the need for concretization, hence offering the opportunity for broader state explorations and more precise pointer reasoning. Rather than mapping address instances to data as previous tools do, our technique maps symbolic address expressions to data, maintaining the possible alternative states resulting from the memory referenced by a symbolic address in a compact, implicit form. A preliminary experimental investigation on prominent benchmarks from the DARPA Cyber Grand Challenge shows that MEMSIGHT enables the exploration of states unreachable by previous techniques.

In the field of security software, the Common Criteria (CC) constitute an ISO standard for the evaluation of products and systems from Information Technologies. The international recognition of the Common Criteria justifies the investment undertaken by the manufacturers to obtain the certification of their products. The evaluation criteria are defined according to the Evaluation Assurance Level (EAL). There are seven EALs: EAL1 to EAL7, in an increasing order of security demand. For the upper levels of evaluation, the use of formal methods is mandatory. In that case, supplies intended to realize evaluation activities must contain components associated to modelling, proof and test. This contribution proposes a methodology and a tool (AGATHA (1,2)) which allow to cover the requirements associated to test generation for the upper levels of the Common Criteria. In that case, the criterion used to stop the test generation activity is defined as follows: the generated test case set covers...

This article presents EXE, an effective bug-finding tool that automatically generates inputs that crash real code. Instead of running code on manually or randomly constructed input, EXE runs it on symbolic input initially allowed to be anything. As checked code runs, EXE tracks the constraints on each symbolic (ie, input-derived) memory location. If a statement uses a symbolic value, EXE does not run it, but instead adds it as an input-constraint; all other statements run as usual. If code conditionally checks a symbolic ...

Interpolation has been successfully applied in formal meth-
ods for model checking and test-case generation for sequential programs.
Security protocols, however, exhibit such idiosyncrasies that make them unsuitable to the direct application of such methods. In this paper, we address this problem and present an interpolation-based method for security protocol verification. Our method starts from a formal protocol specification and combines Craig interpolation, symbolic execution and the standard Dolev-Yao intruder model to search for possible attacks on the protocol. Interpolants are generated as a response to search failure in order to prune possible useless traces and speed up the exploration.
We illustrate our method by means of a concrete example and discuss the results obtained by using a prototype implementation.

Conditioned slicing can be applied to reverse engineering problems which involve the extraction of executable fragments of code in the context of some criteria of interest. This paper introduces ConSUS, a conditioner for the Wide Spectrum Language, WSL. The symbolic executor of ConSUS prunes the symbolic execution paths, and its predicate reasoning system uses the FermaT simplify transformation in place of a more conventional theorem prover We show that this combination of pruning and simplification-as-reasoner ...