Zorya: Automated Concolic Execution of Single-Threaded Go Binaries
Karolina Gorna, Nicolas Iooss, Yannick Seurin, Rida Khatoun

TL;DR
Zorya advances concolic execution for Go binaries by translating them into Ghidra's P-Code, enabling efficient vulnerability detection and bug discovery in critical infrastructure applications.
Contribution
This work introduces Zorya, a novel concolic execution framework for Go binaries that improves scalability and bug detection through path filtering and function-mode analysis.
Findings
Achieves 1.8-3.9x speedups with panic-reachability gating
Detects all panics in tested vulnerabilities, outperforming existing tools
Function-mode analysis significantly enhances performance on complex programs
Abstract
Go's adoption in critical infrastructure intensifies the need for systematic vulnerability detection, yet existing symbolic execution tools struggle with Go binaries due to runtime complexity and scalability challenges. In this work, we build upon Zorya, a concolic execution framework that translates Go binaries to Ghidra's P-Code intermediate representation to address these challenges. We added the detection of bugs on paths not taken by the concrete execution and a multi-layer filtering mechanism to concentrate symbolic reasoning on panic-relevant paths. Evaluation on five Go vulnerabilities demonstrates that panic-reachability gating achieves 1.8-3.9x speedups when filtering 33-70% of branches, and that Zorya detects all panics while existing tools detect at most two. Function-mode analysis proved essential for complex programs, running roughly two orders of magnitude faster than starting from…
Taxonomy
Topics: Software Testing and Debugging Techniques · Security and Verification in Computing · Logic, programming, and type systems
