Symbolic Execution and Debugging Synchronization
This work addresses the problem of inefficiency in reverse engineering for security analysts by providing a tool that integrates symbolic execution into debugging workflows, though it is incremental as it builds on existing frameworks like angr.
The paper tackles the challenge of manual dynamic analysis in reverse engineering by introducing a synchronization mechanism between a debugger and a symbolic executor, enabling users to transfer execution states to automatically find input values for reaching target code points and then return to debugging, with implementations for IDA Pro and GNU Debugger.
In this thesis, we introduce the idea of combining symbolic execution with dynamic analysis for reverse engineering. Differently from DSE, we devise an approach where the reverse engineer can use a debugger to drive and inspect a concrete execution engine of the application code and then, when needed, transfer the execution into a symbolic executor in order to automatically identify the input values required to reach a target point in the code. After that, the user can also transfer back the correct input values found with symbolic execution in order to continue the debugging. The synchronization between a debugger and a symbolic executor can enhance manual dynamic analysis and allow a reverser to easily solve small portions of code without leaving the debugger. We implemented a synchronization mechanism on top of the binary analysis framework angr, allowing for transferring the state of the debugged process to the angr environment and back. The backend library is debugger agnostic and can be extended to work with various frontends. We implemented a frontend for the IDA Pro debugger and one for the GNU Debugger, which are both widely popular among reverse engineers.