Symbolic Execution and Debugging Synchronization
Andrea Fioraldi

TL;DR
This thesis presents a novel approach combining symbolic execution with dynamic debugging to enhance reverse engineering, enabling seamless transfer of execution states between a debugger and symbolic executor.
Contribution
It introduces a synchronization mechanism between debuggers and symbolic executors, implemented on angr, supporting IDA Pro and GDB for improved reverse engineering workflows.
Findings
Enables transfer of execution state between debugger and symbolic executor
Supports multiple debugger frontends including IDA Pro and GDB
Enhances manual analysis by automating input discovery for code paths
Abstract
In this thesis, we introduce the idea of combining symbolic execution with dynamic analysis for reverse engineering. Unlike dynamic symbolic execution (DSE), we devise an approach in which the reverse engineer uses a debugger to drive and inspect a concrete execution of the application code and then, when needed, transfers the execution into a symbolic executor in order to automatically identify the input values required to reach a target point in the code. After that, the user can also transfer the correct input values found by symbolic execution back into the debugger in order to continue debugging. The synchronization between a debugger and a symbolic executor can enhance manual dynamic analysis and allow a reverser to easily solve small portions of code without leaving the debugger. We implemented a synchronization mechanism on top of the binary analysis framework angr, allowing for transferring the state…
Taxonomy
Topics: Parallel Computing and Optimization Techniques · Embedded Systems Design Techniques · Logic, programming, and type systems
