{"id":13362909,"url":"https://github.com/JonathanSalwan/Triton","last_synced_at":"2025-03-12T15:31:01.511Z","repository":{"id":26362059,"uuid":"29811166","full_name":"JonathanSalwan/Triton","owner":"JonathanSalwan","description":"Triton is a dynamic binary analysis library. Build your own program analysis tools, automate your reverse engineering, perform software verification or just emulate code.","archived":false,"fork":false,"pushed_at":"2024-10-24T00:37:01.000Z","size":60158,"stargazers_count":3523,"open_issues_count":31,"forks_count":537,"subscribers_count":136,"default_branch":"master","last_synced_at":"2024-10-29T15:09:34.793Z","etag":null,"topics":["binary-analysis","binary-translation","deobfuscation","dynamic-analysis","emulator","instruction-semantics","lifter","program-analysis","reverse-engineering","symbolic-execution","taint-analysis"],"latest_commit_sha":null,"homepage":"https://triton-library.github.io","language":"C++","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/JonathanSalwan.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE.txt","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2015-01-25T10:59:16.000Z","updated_at":"2024-10-28T15:13:49.000Z","dependencies_parsed_at":"2023-02-12T05:02:04.854Z","dependency_job_id":"8991df2b-1489-4ceb-bc84-990c623cb41c","html_url":"https://github.com/JonathanSalwan/Triton","commit_stats":null,"previous_names":[],"tags_count":10,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/JonathanSalwan%2FTriton","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/G
itHub/repositories/JonathanSalwan%2FTriton/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/JonathanSalwan%2FTriton/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/JonathanSalwan%2FTriton/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/JonathanSalwan","download_url":"https://codeload.github.com/JonathanSalwan/Triton/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":243095787,"owners_count":20235548,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["binary-analysis","binary-translation","deobfuscation","dynamic-analysis","emulator","instruction-semantics","lifter","program-analysis","reverse-engineering","symbolic-execution","taint-analysis"],"created_at":"2024-07-29T23:01:09.354Z","updated_at":"2025-03-12T15:31:01.502Z","avatar_url":"https://github.com/JonathanSalwan.png","language":"C++","funding_links":[],"categories":["C++","Reversing","Reverse Engine"],"sub_categories":[],"readme":"\u003cp align=\"center\"\u003e\u003cimg width=\"50%\" src=\"https://triton-library.github.io/files/triton2.png\"/\u003e\u003c/p\u003e\n\n**Triton** is a dynamic binary analysis library. 
It provides internal components that allow you to build your program analysis tools,\nautomate reverse engineering, perform software verification or just emulate code.\n\n* Dynamic **symbolic** execution\n* Dynamic **taint** analysis\n* AST representation of the **x86**, **x86-64**, **ARM32**, **AArch64** and **RISC-V 32/64** ISA semantics\n* Expression **synthesis**\n* SMT **simplification** passes\n* **Lifting** to **LLVM** as well as **Z3** and back\n* **SMT solver** interface to **Z3** and **Bitwuzla**\n* **C++** and **Python** API\n\n\u003cp align=\"center\"\u003e\n    \u003cimg src=\"https://triton-library.github.io/files/triton_v09_architecture.svg\" width=\"80%\"/\u003e\u003c/br\u003e\n    \u003cimg src=\"https://triton-library.github.io/files/triton_multi_os.png\"/\u003e\n\u003c/p\u003e\n\nAs **Triton** is a kind of part-time project, please, **don't blame us** if it is not fully reliable. [Open issues](https://github.com/JonathanSalwan/Triton/issues) or\n[pull requests](https://github.com/JonathanSalwan/Triton/pulls) are always better than trolling =). 
However, you can follow the development on twitter\n[@qb_triton](https://twitter.com/qb_triton).\n\n\u003cp align=\"center\"\u003e\n  \u003ca href=\"https://github.com/JonathanSalwan/Triton/actions/workflows/linux.yml/\"\u003e\n    \u003cimg src=\"https://img.shields.io/github/actions/workflow/status/JonathanSalwan/Triton/linux.yml?branch=master\u0026label=Linux\u0026logo=linux\u0026logoColor=white\"\u003e\n  \u003c/a\u003e\n  \u0026nbsp;\n  \u003ca href=\"https://github.com/JonathanSalwan/Triton/actions/workflows/osx.yml/\"\u003e\n    \u003cimg src=\"https://img.shields.io/github/actions/workflow/status/JonathanSalwan/Triton/osx.yml?branch=master\u0026label=OSX\u0026logo=apple\"\u003e\n  \u003c/a\u003e\n  \u0026nbsp;\n  \u003ca href=\"https://github.com/JonathanSalwan/Triton/actions/workflows/vcpkg.yml/\"\u003e\n    \u003cimg src=\"https://img.shields.io/github/actions/workflow/status/JonathanSalwan/Triton/vcpkg.yml?branch=master\u0026label=Windows\u0026logo=windows\u0026logoColor=white\"\u003e\n  \u003c/a\u003e\n  \u0026nbsp;\n  \u003ca href=\"https://codecov.io/gh/JonathanSalwan/Triton\"\u003e\n    \u003cimg src=\"https://codecov.io/gh/JonathanSalwan/Triton/branch/master/graph/badge.svg\" alt=\"Codecov\" /\u003e\n  \u003c/a\u003e\n  \u0026nbsp;\n  \u003ca href=\"https://github.com/JonathanSalwan/Triton/releases\"\u003e\n    \u003cimg src=\"https://img.shields.io/github/v/release/JonathanSalwan/Triton?logo=github\"\u003e\n  \u003c/a\u003e\n  \u0026nbsp;\n  \u003ca href=\"https://github.com/jonathansalwan/Triton/tree/dev-v1.0\"\u003e\n    \u003cimg src=\"https://img.shields.io/static/v1?label=dev\u0026message=v1.0\u0026logo=github\u0026color=blue\"\u003e\n  \u003c/a\u003e\n  \u0026nbsp;\n  \u003ca href=\"https://twitter.com/qb_triton\"\u003e\n   \u003cimg src=\"https://img.shields.io/static/v1?color=1da1f2\u0026label=Follow\u0026message=2K\u0026logo=twitter\u0026logoColor=white\u0026style=square\"\u003e\n  \u003c/a\u003e\n\u003c/p\u003e\n\n# Quick start\n\n* 
[Installation](#install)\n* [Python API](https://triton-library.github.io/documentation/doxygen/py_triton_page.html)\n* [C++ API](https://triton-library.github.io/documentation/doxygen/annotated.html)\n* [Python Examples](https://github.com/JonathanSalwan/Triton/tree/master/src/examples/python)\n* [They already used Triton](#they-already-used-triton)\n\n## Getting started\n\n```python\nfrom triton import *\n\n\u003e\u003e\u003e # Create the Triton context with a defined architecture\n\u003e\u003e\u003e ctx = TritonContext(ARCH.X86_64)\n\n\u003e\u003e\u003e # Define concrete values (optional)\n\u003e\u003e\u003e ctx.setConcreteRegisterValue(ctx.registers.rip, 0x40000)\n\n\u003e\u003e\u003e # Symbolize data (optional)\n\u003e\u003e\u003e ctx.symbolizeRegister(ctx.registers.rax, 'my_rax')\n\n\u003e\u003e\u003e # Execute instructions\n\u003e\u003e\u003e ctx.processing(Instruction(b\"\\x48\\x35\\x34\\x12\\x00\\x00\")) # xor rax, 0x1234\n\u003e\u003e\u003e ctx.processing(Instruction(b\"\\x48\\x89\\xc1\")) # mov rcx, rax\n\n\u003e\u003e\u003e # Get the symbolic expression\n\u003e\u003e\u003e rcx_expr = ctx.getSymbolicRegister(ctx.registers.rcx)\n\u003e\u003e\u003e print(rcx_expr)\n(define-fun ref!8 () (_ BitVec 64) ref!1) ; MOV operation - 0x40006: mov rcx, rax\n\n\u003e\u003e\u003e # Solve constraint\n\u003e\u003e\u003e ctx.getModel(rcx_expr.getAst() == 0xdead)\n{0: my_rax:64 = 0xcc99}\n\n\u003e\u003e\u003e # 0xcc99 XOR 0x1234 is indeed equal to 0xdead\n\u003e\u003e\u003e hex(0xcc99 ^ 0x1234)\n'0xdead'\n```\n\n\n## Install\n\nTriton relies on the following dependencies:\n\n```\n* libcapstone                \u003e= 5.0.x   https://github.com/capstone-engine/capstone\n* libboost      (optional)   \u003e= 1.68\n* libpython     (optional)   \u003e= 3.6\n* libz3         (optional)   \u003e= 4.6.0   https://github.com/Z3Prover/z3\n* libbitwuzla   (optional)   \u003e= 0.4.x   https://github.com/bitwuzla/bitwuzla\n* llvm          (optional)   \u003e= 12\n```\n\n\n### Linux and 
MacOS\n\n```console\n$ git clone https://github.com/JonathanSalwan/Triton\n$ cd Triton\n$ mkdir build ; cd build\n$ cmake ..\n$ make -j3\n$ sudo make install\n```\n\nBy default, LLVM and Bitwuzla are not compiled. If you want to enjoy the full power of Triton, the cmake invocation is:\n\n```console\n$ cmake -DLLVM_INTERFACE=ON -DCMAKE_PREFIX_PATH=$(llvm-config --prefix) -DBITWUZLA_INTERFACE=ON ..\n```\n\n#### MacOS M1 Note:\n\nIf you get compilation errors like:\n\n```\nCould NOT find PythonLibs (missing: PYTHON_LIBRARIES PYTHON_INCLUDE_DIRS)\n```\n\nTry to specify `PYTHON_EXECUTABLE`, `PYTHON_LIBRARIES` and `PYTHON_INCLUDE_DIRS` for your specific Python version:\n\n```console\ncmake -DCMAKE_INSTALL_PREFIX=/opt/homebrew/ \\\n      -DPYTHON_EXECUTABLE=/opt/homebrew/bin/python3 \\\n      -DPYTHON_LIBRARIES=/opt/homebrew/Cellar/python@3.10/3.10.8/Frameworks/Python.framework/Versions/3.10/lib/libpython3.10.dylib \\\n      -DPYTHON_INCLUDE_DIRS=/opt/homebrew/opt/python@3.10/Frameworks/Python.framework/Versions/3.10/include/python3.10/ \\\n      ..\n```\n\nYou can get this information from the following snippet:\n\n```python\nfrom sysconfig import get_paths\ninfo = get_paths()\nprint(info)\n```\n\n#### Python Autocompletion\n\nIf Python autocompletion is not working, follow these steps:\n\n1. Execute the [script](doc/autocomplete/generate_autocomplete.py)\n2. 
Place the generated triton.pyi file in the same directory as the Triton shared object you want to provide hints for (for example, `/usr/lib/python3.13/`).\n\nYour IDE must support parsing .pyi files.\n\n### Windows\n\nYou can use cmake to generate the .sln file of libTriton.\n\n```console\n\u003e git clone https://github.com/JonathanSalwan/Triton.git\n\u003e cd Triton\n\u003e mkdir build\n\u003e cd build\n\u003e cmake -G \"Visual Studio 14 2015 Win64\" \\\n  -DBOOST_ROOT=\"C:/Users/jonathan/Works/Tools/boost_1_61_0\" \\\n  -DPYTHON_INCLUDE_DIRS=\"C:/Python36/include\" \\\n  -DPYTHON_LIBRARIES=\"C:/Python36/libs/python36.lib\" \\\n  -DZ3_INCLUDE_DIRS=\"C:/Users/jonathan/Works/Tools/z3-4.6.0-x64-win/include\" \\\n  -DZ3_LIBRARIES=\"C:/Users/jonathan/Works/Tools/z3-4.6.0-x64-win/bin/libz3.lib\" \\\n  -DCAPSTONE_INCLUDE_DIRS=\"C:/Users/jonathan/Works/Tools/capstone-5.0.1-win64/include\" \\\n  -DCAPSTONE_LIBRARIES=\"C:/Users/jonathan/Works/Tools/capstone-5.0.1-win64/capstone.lib\" ..\n```\n\nHowever, if you prefer to directly download the precompiled library, check out our AppVeyor's [artefacts](https://ci.appveyor.com/project/JonathanSalwan/triton/history).\nNote that if you use AppVeyor's artefacts, you probably have to install the [Visual C++ Redistributable](https://www.microsoft.com/en-US/download/details.aspx?id=30679)\npackages for Visual Studio 2012.\n\n\n### Installing from vcpkg\n\nThe Triton port in vcpkg is kept up to date by Microsoft team members and community contributors.\nThe url of vcpkg is: https://github.com/Microsoft/vcpkg. 
You can download and install Triton using\nthe vcpkg dependency manager:\n\n```console\n$ git clone https://github.com/Microsoft/vcpkg.git\n$ cd vcpkg\n$ ./bootstrap-vcpkg.sh  # ./bootstrap-vcpkg.bat for Windows\n$ ./vcpkg integrate install\n$ ./vcpkg install triton\n```\n\nIf the version is out of date, please [create an issue or pull request](https://github.com/Microsoft/vcpkg) on the vcpkg repository.\n\n\n# Contributors\n\n* [**Alberto Garcia Illera**](https://twitter.com/algillera) - Cruise Automation\n* [**Alexey Vishnyakov**](https://vishnya.xyz/) - ISP RAS\n* [**Black Binary**](https://github.com/black-binary) - n/a\n* [**Christian Heitman**](https://github.com/cnheitman) - Quarkslab\n* [**Daniil Kuts**](https://github.com/apach301) - ISP RAS\n* [**Jessy Campos**](https://github.com/ek0) - n/a\n* [**Matteo F.**](https://twitter.com/fvrmatteo) - n/a\n* [**Pierrick Brunet**](https://github.com/pbrunet) - Quarkslab\n* [**PixelRick**](https://github.com/PixelRick) - n/a\n* [**Romain Thomas**](https://twitter.com/rh0main) - Quarkslab\n* [**And many more**](https://github.com/JonathanSalwan/Triton/graphs/contributors)\n\n\n## They already used Triton\n\n### Tools\n\n* [Exrop](https://github.com/d4em0n/exrop): Automatic ROPChain Generation.\n* [Pimp](https://github.com/kamou/pimp): Triton based R2 plugin for concolic execution and total control.\n* [Ponce](https://github.com/illera88/Ponce): IDA 2016 plugin contest winner! 
Symbolic Execution just one-click away!\n* [QSynthesis](https://github.com/quarkslab/qsynthesis): Greybox Synthesizer geared for deobfuscation of assembly instructions.\n* [TritonDSE](https://github.com/quarkslab/tritondse): Triton-based DSE library with loading and exploration capabilities.\n* [Titan](https://github.com/archercreat/titan): Titan is a VMProtect devirtualizer using Triton.\n\n### Papers and conference\n\n\u003cul dir=\"auto\"\u003e\n\u003cli\u003e\n\u003cb\u003eSydr-Fuzz: Continuous Hybrid Fuzzing and Dynamic Analysis for Security Development Lifecycle\u003c/b\u003e\u003cbr /\u003e\n \u003cb\u003eTalk at\u003c/b\u003e: Ivannikov ISP RAS Open Conference, Moscow, Russia, 2022. [\u003ca href=\"publications/ISPOPEN2022-sydr-fuzz.pdf\"\u003epaper\u003c/a\u003e] [\u003ca href=\"publications/ISPOPEN2022-slide-sydr-fuzz-vishnyakov.pdf\"\u003eslide\u003c/a\u003e]\u003cbr /\u003e\n \u003cb\u003eAuthors\u003c/b\u003e: Vishnyakov A., Kuts D., Logunova V., Parygina D., Kobrin E., Savidov G., Fedotov A.\u003cbr /\u003e\n \u003cb\u003eAbstract\u003c/b\u003e: \u003cem\u003eNowadays automated dynamic analysis frameworks for\n continuous testing are in high demand to ensure software safety and satisfy the\n security development lifecycle (SDL) requirements. The security bug hunting\n efficiency of cutting-edge hybrid fuzzing techniques outperforms widely\n utilized coverage-guided fuzzing. We propose an enhanced dynamic analysis\n pipeline to leverage productivity of automated bug detection based on hybrid\n fuzzing. We implement the proposed pipeline in the continuous fuzzing toolset\n Sydr-Fuzz which is powered by hybrid fuzzing orchestrator, integrating our DSE\n tool Sydr with libFuzzer and AFL++. Sydr-Fuzz also incorporates security\n predicate checkers, crash triaging tool Casr, and utilities for corpus\n minimization and coverage gathering. 
The benchmarking of our hybrid fuzzer\n against alternative state-of-the-art solutions demonstrates its superiority\n over coverage-guided fuzzers while remaining on the same level with advanced\n hybrid fuzzers. Furthermore, we approve the relevance of our approach by\n discovering 85 new real-world software flaws within the OSS-Sydr-Fuzz project.\n Finally, we open Casr source code to the community to facilitate examination of\n the existing crashes.\u003c/em\u003e\n\u003c/li\u003e\u003cbr/\u003e\n\u003cli\u003e\n\u003cb\u003eStrong Optimistic Solving for Dynamic Symbolic Execution\u003c/b\u003e\u003cbr /\u003e\n \u003cb\u003eTalk at\u003c/b\u003e: Ivannikov Memorial Workshop, Kazan, Russia, 2022. [\u003ca href=\"publications/IVMEM2022-strong-optimistic-parygina.pdf\"\u003epaper\u003c/a\u003e] [\u003ca href=\"publications/IVMEM2022-slide-strong-optimistic-parygina.pdf\"\u003eslide\u003c/a\u003e]\u003cbr /\u003e\n \u003cb\u003eAuthors\u003c/b\u003e: Parygina D., Vishnyakov A., Fedotov A.\u003cbr /\u003e\n \u003cb\u003eAbstract\u003c/b\u003e: \u003cem\u003eDynamic symbolic execution (DSE) is an effective method\n for automated program testing and bug detection. It is increasing the code\n coverage by the complex branches exploration during hybrid fuzzing. DSE tools\n invert the branches along some execution path and help fuzzer examine\n previously unavailable program parts. DSE often faces over- and underconstraint\n problems. The first one leads to significant analysis complication while the\n second one causes inaccurate symbolic execution.\n We propose strong optimistic solving method that eliminates irrelevant path\n predicate constraints for target branch inversion. We eliminate such symbolic\n constraints that the target branch is not control dependent on. Moreover, we\n separately handle symbolic branches that have nested control transfer\n instructions that pass control beyond the parent branch scope, e.g. return,\n goto, break, etc. 
We implement the proposed method in our dynamic symbolic\n execution tool Sydr.\n We evaluate the strong optimistic strategy, the optimistic strategy that\n contains only the last constraint negation, and their combination. The results\n show that the strategies combination helps increase either the code coverage or\n the average number of correctly inverted branches per one minute. It is optimal\n to apply both strategies together in contrast with other configurations.\u003c/em\u003e\n\u003c/li\u003e\u003cbr/\u003e\n\u003cli\u003e\n\u003cb\u003eGreybox Program Synthesis: A New Approach to Attack Dataflow Obfuscation\u003c/b\u003e\u003cbr /\u003e\n \u003cb\u003eTalk at\u003c/b\u003e: Blackhat USA, Las Vegas, Nevada, 2021. [\u003ca href=\"publications/BHUSA2021-David-Greybox-Program-Synthesis.pdf\"\u003eslide\u003c/a\u003e]\u003cbr /\u003e\n \u003cb\u003eAuthors\u003c/b\u003e: Robin David\u003cbr /\u003e\n \u003cb\u003eAbstract\u003c/b\u003e: \u003cem\u003eThis talk presents the latest advances in program synthesis applied for deobfuscation. It aims at demystifying this analysis technique\n by showing how it can be put into action on obfuscation. Especially the implementation Qsynthesis released for this talk shows a complete end-to-end workflow\n to deobfuscate assembly instructions back in optimized (deobfuscated) instructions reassembled back in the binary.\u003c/em\u003e\n\u003c/li\u003e\u003cbr/\u003e\n\u003cli\u003e\n\u003cb\u003eFrom source code to crash test-case through software testing automation\u003c/b\u003e\u003cbr /\u003e\n \u003cb\u003eTalk at\u003c/b\u003e: C\u0026ESAR, Rennes, France, 2021. 
[\u003ca href=\"publications/CESAR2021_robin-david-paper.pdf\"\u003epaper\u003c/a\u003e] [\u003ca href=\"publications/CESAR2021_robin-david-slide.pdf\"\u003eslide\u003c/a\u003e]\u003cbr /\u003e\n \u003cb\u003eAuthors\u003c/b\u003e: Robin David, Jonathan Salwan, Justin Bourroux\u003cbr /\u003e\n \u003cb\u003eAbstract\u003c/b\u003e: \u003cem\u003eThis paper presents an approach automating the software testing process from a source code to the dynamic testing of the compiled program. More specifically, from a static\n analysis report indicating alerts on source lines it enables testing to cover these lines dynamically and opportunistically checking whether or not they can trigger\n a crash. The result is a test corpus allowing to cover alerts and to trigger them if they happen to be true positives. This paper discusses the methodology employed to track\n alerts down in the compiled binary, the testing engines selection process and the results obtained on a TCP/IP stack implementation for embedded and IoT systems.\u003c/em\u003e\n\u003c/li\u003e\u003cbr/\u003e\n\u003cli\u003e\n\u003cb\u003eSymbolic Security Predicates: Hunt Program Weaknesses\u003c/b\u003e\u003cbr /\u003e\n \u003cb\u003eTalk at\u003c/b\u003e: Ivannikov ISP RAS Open Conference, Moscow, Russia, 2021. [\u003ca href=\"publications/ISPOPEN2021-security-predicates-vishnyakov.pdf\"\u003epaper\u003c/a\u003e] [\u003ca href=\"publications/ISPOPEN2021-slide-security-predicates-vishnyakov.pdf\"\u003eslide\u003c/a\u003e]\u003cbr /\u003e\n \u003cb\u003eAuthors\u003c/b\u003e: A.Vishnyakov, V.Logunova, E.Kobrin, D.Kuts, D.Parygina, A.Fedotov\u003cbr /\u003e\n \u003cb\u003eAbstract\u003c/b\u003e: \u003cem\u003eDynamic symbolic execution (DSE) is a powerful method for\n path exploration during hybrid fuzzing and automatic bug detection. We propose\n security predicates to effectively detect undefined behavior and memory access\n violation errors. 
Initially, we symbolically execute program on paths that\n don’t trigger any errors (hybrid fuzzing may explore these paths). Then we\n construct a symbolic security predicate to verify some error condition. Thus, we\n may change the program data flow to entail null pointer dereference, division\n by zero, out-of-bounds access, or integer overflow weaknesses. Unlike static\n analysis, dynamic symbolic execution does not only report errors but also\n generates new input data to reproduce them. Furthermore, we introduce function\n semantics modeling for common C/C++ standard library functions. We aim to model\n the control flow inside a function with a single symbolic formula. This assists\n bug detection, speeds up path exploration, and overcomes overconstraints in\n path predicate. We implement the proposed techniques in our dynamic symbolic\n execution tool Sydr. Thus, we utilize powerful methods from Sydr such as path\n predicate slicing that eliminates irrelevant constraints.\n We present Juliet Dynamic to measure dynamic bug detection tools accuracy. The\n testing system also verifies that generated inputs trigger sanitizers. We\n evaluate Sydr accuracy for 11 CWEs from Juliet test suite. Sydr shows 95.59%\n overall accuracy. We make Sydr evaluation artifacts publicly available to\n facilitate results reproducibility.\u003c/em\u003e\n\u003c/li\u003e\u003cbr/\u003e\n\u003cli\u003e\n\u003cb\u003eTowards Symbolic Pointers Reasoning in Dynamic Symbolic Execution\u003c/b\u003e\u003cbr /\u003e\n \u003cb\u003eTalk at\u003c/b\u003e: Ivannikov Memorial Workshop, Nizhny Novgorod, Russia, 2021. 
[\u003ca href=\"publications/IVMEM2021-symbolic-pointers-kuts.pdf\"\u003epaper\u003c/a\u003e] [\u003ca href=\"publications/IVMEM2021-slide-symbolic-pointers-kuts.pdf\"\u003eslide\u003c/a\u003e]\u003cbr /\u003e\n \u003cb\u003eAuthors\u003c/b\u003e: Daniil Kuts\u003cbr /\u003e\n \u003cb\u003eAbstract\u003c/b\u003e: \u003cem\u003eDynamic symbolic execution is a widely used technique for\n automated software testing, designed for execution paths exploration and\n program errors detection. A hybrid approach has recently become widespread,\n when the main goal of symbolic execution is helping fuzzer increase program\n coverage. The more branches symbolic executor can invert, the more useful it is\n for fuzzer. A program control flow often depends on memory values, which are\n obtained by computing address indexes from user input. However, most DSE tools\n don't support such dependencies, so they miss some desired program branches. We\n implement symbolic addresses reasoning on memory reads in our dynamic symbolic\n execution tool Sydr. Possible memory access regions are determined by either\n analyzing memory address symbolic expressions, or binary searching with\n SMT-solver. We propose an enhanced linearization technique to model memory\n accesses. Different memory modeling methods are compared on the set of\n programs. Our evaluation shows that symbolic addresses handling allows to\n discover new symbolic branches and increase the program coverage.\u003c/em\u003e\n\u003c/li\u003e\u003cbr/\u003e\n\u003cli\u003e\n\u003cb\u003eQSynth: A Program Synthesis based Approach for Binary Code Deobfuscation\u003c/b\u003e\u003cbr /\u003e\n \u003cb\u003eTalk at\u003c/b\u003e: BAR, San Diego, California, 2020. 
[\u003ca href=\"publications/BAR2020-qsynth-robin-david.pdf\"\u003epaper\u003c/a\u003e]\u003cbr /\u003e\n \u003cb\u003eAuthors\u003c/b\u003e: Robin David, Luigi Coniglio, Mariano Ceccato\u003cbr /\u003e\n \u003cb\u003eAbstract\u003c/b\u003e: \u003cem\u003eWe present a generic approach leveraging both DSE and program synthesis to successfully synthesize programs obfuscated with Mixed-Boolean-Arithmetic, Data-Encoding\n or Virtualization. The synthesis algorithm proposed is an offline enumerate synthesis primitive guided by top-down breadth-first search. We show its effectiveness\n against a state-of-the-art obfuscator and its scalability as it supersedes other similar approaches based on synthesis. We also show its effectiveness in presence of\n composite obfuscation (combination of various techniques). This ongoing work enlightens the effectiveness of synthesis to target certain kinds of obfuscations and\n opens the way to more robust algorithms and simplification strategies.\u003c/em\u003e\n\u003c/li\u003e\u003cbr/\u003e\n\u003cli\u003e\n\u003cb\u003eSydr: Cutting Edge Dynamic Symbolic Execution\u003c/b\u003e\u003cbr /\u003e\n \u003cb\u003eTalk at\u003c/b\u003e: Ivannikov ISP RAS Open Conference, Moscow, Russia, 2020. [\u003ca href=\"publications/ISPRAS2020-sydr.pdf\"\u003epaper\u003c/a\u003e] [\u003ca href=\"publications/ISPOPEN2020-slide-sydr-vishnyakov.pdf\"\u003eslide\u003c/a\u003e] [\u003ca href=\"https://www.ispras.ru/conf/2020/video/compiler-technology-11-december.mp4#t=6021\"\u003evideo\u003c/a\u003e]\u003cbr /\u003e\n \u003cb\u003eAuthors\u003c/b\u003e: A.Vishnyakov, A.Fedotov, D.Kuts, A.Novikov, D.Parygina, E.Kobrin, V.Logunova, P.Belecky, S.Kurmangaleev\u003cbr /\u003e\n \u003cb\u003eAbstract\u003c/b\u003e: \u003cem\u003eDynamic symbolic execution (DSE) has an enormous amount of applications in computer security (fuzzing, vulnerability discovery, reverse-engineering, etc.). 
We propose\n several performance and accuracy improvements for dynamic symbolic execution.  Skipping non-symbolic instructions allows to build a path predicate 1.2--3.5 times faster.\n Symbolic engine simplifies formulas during symbolic execution. Path  predicate slicing eliminates irrelevant conjuncts from solver queries. We handle each jump table\n (switch statement) as multiple branches and describe the method for symbolic execution of multi-threaded programs. The proposed solutions were implemented in Sydr tool.\n Sydr performs inversion of branches in path predicate. Sydr combines DynamoRIO dynamic binary instrumentation tool with Triton symbolic engine.\u003c/em\u003e\n\u003c/li\u003e\u003cbr/\u003e\n\u003cli\u003e\n\u003cb\u003eSymbolic Deobfuscation: From Virtualized Code Back to the Original\u003c/b\u003e\u003cbr /\u003e\n \u003cb\u003eTalk at\u003c/b\u003e: DIMVA, Paris-Saclay, France, 2018. [\u003ca href=\"publications/DIMVA2018-deobfuscation-salwan-bardin-potet.pdf\"\u003epaper\u003c/a\u003e] [\u003ca href=\"publications/DIMVA2018-slide-deobfuscation-salwan-bardin-potet.pdf\"\u003eslide\u003c/a\u003e]\u003cbr /\u003e\n \u003cb\u003eAuthors\u003c/b\u003e: Jonathan Salwan, Sébastien Bardin, Marie-Laure Potet\u003cbr /\u003e\n \u003cb\u003eAbstract\u003c/b\u003e: \u003cem\u003eSoftware protection has taken an important place during the last decade in order to protect legit software against reverse engineering or tampering.\n Virtualization is considered as one of the very best defenses against such attacks. We present a generic approach based on symbolic path exploration, taint and\n recompilation allowing to recover, from a virtualized code, a devirtualized code semantically identical to the original one and close in size. We define criteria\n and metrics to evaluate the relevance of the deobfuscated results in terms of correctness and precision. 
Finally we propose an open-source setup allowing to evaluate\n the proposed approach against several forms of virtualization.\u003c/em\u003e\n\u003c/li\u003e\u003cbr/\u003e\n\u003cli\u003e\n\u003cb\u003eDeobfuscation of VM based software protection \u003c/b\u003e\u003cbr /\u003e\n \u003cb\u003eTalk at\u003c/b\u003e: SSTIC, Rennes, France, 2017. [\u003ca href=\"publications/SSTIC2017-French-Article-desobfuscation_binaire_reconstruction_de_fonctions_virtualisees-salwan_potet_bardin.pdf\"\u003efrench paper\u003c/a\u003e] [\u003ca href=\"publications/SSTIC2017_Deobfuscation_of_VM_based_software_protection.pdf\"\u003eenglish slide\u003c/a\u003e] [\u003ca href=\"https://static.sstic.org/videos2017/SSTIC_2017-06-07_P08.mp4\"\u003efrench video\u003c/a\u003e]\u003cbr /\u003e\n \u003cb\u003eAuthors\u003c/b\u003e: Jonathan Salwan, Sébastien Bardin, Marie-Laure Potet\u003cbr /\u003e\n \u003cb\u003eAbstract\u003c/b\u003e: \u003cem\u003eIn this presentation we describe an approach which consists to automatically analyze virtual machine based software protections and which recompiles a new\n version of the binary without such protections. This automated approach relies on a symbolic execution guide by a taint analysis and some concretization policies, then\n on a binary rewriting using LLVM transition.\u003c/em\u003e\n\u003c/li\u003e\u003cbr/\u003e\n\u003cli\u003e\n\u003cb\u003eHow Triton can help to reverse virtual machine based software protections\u003c/b\u003e\u003cbr /\u003e\n \u003cb\u003eTalk at\u003c/b\u003e: CSAW SOS, NYC, New York, 2016. 
[\u003ca href=\"publications/CSAW2016-SOS-Virtual-Machine-Deobfuscation-RThomas_JSalwan.pdf\"\u003eslide\u003c/a\u003e]\u003cbr /\u003e\n \u003cb\u003eAuthors\u003c/b\u003e: Jonathan Salwan, Romain Thomas\u003cbr /\u003e\n \u003cb\u003eAbstract\u003c/b\u003e: \u003cem\u003eThe first part of the talk is going to be an introduction to the Triton framework to expose its components and to explain how they work together.\n Then, the second part will include demonstrations on how it's possible to reverse virtual machine based protections using taint analysis, symbolic execution, SMT\n simplifications and LLVM-IR optimizations.\u003c/em\u003e\n\u003c/li\u003e\u003cbr/\u003e\n\u003cli\u003e\n\u003cb\u003eDynamic Binary Analysis and Obfuscated Codes\u003c/b\u003e\u003cbr  /\u003e\n \u003cb\u003eTalk at\u003c/b\u003e: St'Hack, Bordeaux, France, 2016. [\u003ca href=\"publications/StHack2016_Dynamic_Binary_Analysis_and_Obfuscated_Codes_RThomas_JSalwan.pdf\"\u003eslide\u003c/a\u003e]\u003cbr  /\u003e\n \u003cb\u003eAuthors\u003c/b\u003e: Jonathan Salwan, Romain Thomas\u003cbr /\u003e\n \u003cb\u003eAbstract\u003c/b\u003e: \u003cem\u003eAt this presentation we will talk about how a DBA (Dynamic Binary Analysis) may help a reverse engineer to reverse obfuscated code. We will first\n introduce some basic obfuscation techniques and then expose how it's possible to break some stuffs (using our open-source DBA framework - Triton) like detect opaque\n predicates, reconstruct CFG, find the original algorithm, isolate sensible data and many more... Then, we will conclude with a demo and few words about our future work.\u003c/em\u003e\n\u003c/li\u003e\u003cbr/\u003e\n\u003cli\u003e\n\u003cb\u003eHow Triton may help to analyse obfuscated binaries\u003c/b\u003e\u003cbr  /\u003e\n \u003cb\u003ePublication at\u003c/b\u003e: MISC magazine 82, 2015. 
[\u003ca href=\"publications/MISC-82_French_Paper_How_Triton_may_help_to_analyse_obfuscated_binaries_RThomas_JSalwan.pdf\"\u003efrench article\u003c/a\u003e]\u003cbr  /\u003e\n \u003cb\u003eAuthors\u003c/b\u003e: Jonathan Salwan, Romain Thomas\u003cbr /\u003e\n \u003cb\u003eAbstract\u003c/b\u003e: \u003cem\u003eBinary obfuscation is used to protect software's intellectual property. There exist different kinds of obfuscation but roughly, it transforms a binary\n structure into another binary structure by preserving the same semantic. The aim of obfuscation is to ensure that the original information is \"drowned\" in useless information\n that will make reverse engineering harder. In this article we will show how we can analyse an obfuscated program and break some obfuscations using the Triton framework.\u003c/em\u003e\n\u003c/li\u003e\u003cbr/\u003e\n\u003cli\u003e\n\u003cb\u003eTriton: A Concolic Execution Framework\u003c/b\u003e\u003cbr  /\u003e\n \u003cb\u003eTalk at\u003c/b\u003e: SSTIC, Rennes, France, 2015. [\u003ca href=\"publications/SSTIC2015_French_Paper_Triton_Framework_dexecution_Concolique_FSaudel_JSalwan.pdf\"\u003efrench paper\u003c/a\u003e] [\u003ca href=\"publications/SSTIC2015_English_slide_detailed_version_Triton_Concolic_Execution_FrameWork_FSaudel_JSalwan.pdf\"\u003edetailed english slide\u003c/a\u003e] \u003cbr /\u003e\n \u003cb\u003eAuthors\u003c/b\u003e: Jonathan Salwan, Florent Saudel\u003cbr /\u003e\n \u003cb\u003eAbstract\u003c/b\u003e: \u003cem\u003eThis talk is about the release of Triton, a concolic execution framework based on Pin. It provides components like a taint engine, a dynamic symbolic execution\n engine, a snapshot engine, translation of x64 instruction to SMT2, a Z3 interface to solve constraints and Python bindings. 
Based on these components, Triton offers the possibility\n to build tools for vulnerabilities research or reverse-engineering assistance.\u003c/em\u003e\n\u003c/li\u003e\u003cbr/\u003e\n\u003cli\u003e\n\u003cb\u003eDynamic Behavior Analysis Using Binary Instrumentation\u003c/b\u003e\u003cbr  /\u003e\n \u003cb\u003eTalk at\u003c/b\u003e: St'Hack, Bordeaux, France, 2015. [\u003ca href=\"publications/StHack2015_Dynamic_Behavior_Analysis_using_Binary_Instrumentation_Jonathan_Salwan.pdf\"\u003eslide\u003c/a\u003e]\u003cbr  /\u003e\n \u003cb\u003eAuthors\u003c/b\u003e: Jonathan Salwan\u003cbr /\u003e\n \u003cb\u003eAbstract\u003c/b\u003e: \u003cem\u003eThis talk can be considered like the part 2 of our talk at SecurityDay. In the previous part, we talked about how it was possible to cover a targeted function\n in memory using the DSE (Dynamic Symbolic Execution) approach. Cover a function (or its states) doesn't mean find all vulnerabilities, some vulnerability doesn't crashes the program.\n That's why we must implement specific analysis to find specific bugs. These analysis are based on the binary instrumentation and the runtime behavior analysis of the program. In this\n talk, we will see how it's possible to find these following kind of bugs : off-by-one, stack / heap overflow, use-after-free, format string and {write, read}-what-where.\u003c/em\u003e\n\u003c/li\u003e\u003cbr/\u003e\n\u003cli\u003e\n\u003cb\u003eCovering a function using a Dynamic Symbolic Execution approach\u003c/b\u003e\u003cbr  /\u003e\n \u003cb\u003eTalk at\u003c/b\u003e: Security Day, Lille, France, 2015. [\u003ca href=\"publications/SecurityDay2015_dynamic_symbolic_execution_Jonathan_Salwan.pdf\"\u003eslide\u003c/a\u003e]\u003cbr  /\u003e\n \u003cb\u003eAuthors\u003c/b\u003e: Jonathan Salwan\u003cbr /\u003e\n \u003cb\u003eAbstract\u003c/b\u003e: \u003cem\u003eThis talk is about binary analysis and instrumentation. 
We will see how it's possible to target a specific function, snapshot the context memory/registers before the\n function, translate the instrumentation into an intermediate representation,apply a taint analysis based on this IR, build/keep formulas for a Dynamic Symbolic Execution (DSE), generate\n a concrete value to go through a specific path, restore the context memory/register and generate another concrete value to go through another path then repeat this operation until the\n target function is covered.\u003c/em\u003e\n\u003c/li\u003e\n\u003c/ul\u003e\n\n\n## Cite Triton\n\n```latex\n@inproceedings{SSTIC2015-Saudel-Salwan,\n  author    = {Saudel, Florent and Salwan, Jonathan},\n  title     = {Triton: A Dynamic Symbolic Execution Framework},\n  booktitle = {Symposium sur la s{\\'{e}}curit{\\'{e}} des technologies de l'information\n               et des communications},\n  series    = {SSTIC},\n  pages     = {31--54},\n  address   = {Rennes, France},\n  month     = jun,\n  year      = {2015},\n}\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FJonathanSalwan%2FTriton","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FJonathanSalwan%2FTriton","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FJonathanSalwan%2FTriton/lists"}
