S²E: A Platform for In-Vivo Multi-Path Software Analysis


Latest Releases

05 Dec. 2013 - S2E V1.3

  • x86-64 guest support, LLVM 3.2

27 Apr. 2012 - S2E V1.2

  • QEMU 1.0, LLVM 3.0, Clang
    S2E now includes the latest features of QEMU and uses a modern toolchain
  • Concolic Execution
    Reuse your existing test suites to easily reach deep parts of programs under analysis

10 Sep. 2011 - S2E V1.1

  • Experimental ARM support
    Analyze embedded applications
    Available in the arm-experimental branch of the repository
  • Multi-core support
    Explore orders of magnitude more paths
  • 20x faster plugin infrastructure
    Complete plugin-intensive analyses such as Windows driver testing in minutes instead of hours
  • 2x faster concrete execution
    Run bigger systems


  • S2E in a Box
    Hands-on experience of multi-path software analysis in a preconfigured environment. Requires VMware Player.
  • Source Code
    Including build instructions, documentation, tutorials, and more.

S2E is a platform for writing tools that analyze the properties and behavior of software systems. So far, we have used S2E to develop a comprehensive performance profiler, a reverse engineering tool for proprietary software, and a bug finding tool for both kernel-mode and user-mode binaries. Building these tools on top of S2E took less than 770 LOC and 40 person-hours each.

S2E’s novelty consists of its ability to scale to large real systems, such as a full Windows stack. S2E is based on two new ideas:

  • Selective symbolic execution, a way to automatically minimize the amount of code that has to be executed symbolically given a target analysis; and
  • Relaxed execution consistency models, a way to make principled performance/accuracy trade-offs in complex analyses.

These techniques give S2E three key abilities:

  • to simultaneously analyze entire families of execution paths, instead of just one execution at a time;
  • to perform the analyses in-vivo within a real software stack—user programs, libraries, kernel, drivers, etc.—instead of using abstract models of these layers; and
  • to operate directly on binaries, thus being able to analyze even proprietary software.

Conceptually, S2E is an automated path explorer with modular path analyzers: the explorer drives the target system down all execution paths of interest, while analyzers check properties of each such path (e.g., to look for bugs) or simply collect information (e.g., count page faults). Desired paths can be specified in multiple ways, and S2E users can either combine existing analyzers to build a custom analysis tool, or write new analyzers using the S2E API.

S2E helps make analyses based on symbolic execution practical for large software that runs in real environments, without requiring explicit modeling of these environments.


The S2E Platform: Design, Implementation, and Applications.
Vitaly Chipounov, Volodymyr Kuznetsov, and George Candea.
ACM Transactions on Computer Systems (TOCS), Special issue: Best papers of ASPLOS, February 2012.

S2E: A Platform for In Vivo Multi-Path Analysis of Software Systems.
Vitaly Chipounov, Volodymyr Kuznetsov, George Candea.
16th Intl. Conference on Architectural Support for Programming Languages and Operating Systems (ASPLOS), Newport Beach, CA, March 2011.

Testing Closed-Source Binary Device Drivers with DDT.
Volodymyr Kuznetsov, Vitaly Chipounov, George Candea.
USENIX Annual Technical Conference (USENIX), Boston, MA, June 2010.
The DDT tool won the Silver Prize at the 2012 World Open-Source Software Challenge.

Reverse Engineering of Binary Device Drivers with RevNIC.
Vitaly Chipounov and George Candea.
5th ACM SIGOPS/EuroSys European Conference on Computer Systems (EuroSys), Paris, France, April 2010.

Selective Symbolic Execution.
Vitaly Chipounov, Vlad Georgescu, Cristian Zamfir, George Candea.
5th Workshop on Hot Topics in System Dependability (HotDep), Lisbon, Portugal, June 2009.

S2E is built upon the KLEE symbolic execution engine and the QEMU virtual machine emulator.
