From TinyGo to gc Compiler: Extending Zorya's Concolic Framework to Real-World Go Binaries
This work addresses the challenge of vulnerability detection in real-world multi-threaded Go binaries for security researchers and developers.
The authors extend Zorya, a concolic execution framework, from single-threaded TinyGo binaries to multi-threaded binaries from Go's standard gc compiler, and detect 7 out of 11 real-world vulnerabilities in production Go projects, including a silent integer overflow missed by other tools.
Zorya is a concolic execution framework that lifts compiled binaries to Ghidra's P-Code intermediate representation and uses the Z3 SMT solver to detect vulnerabilities by reasoning over both concrete and symbolic values. Previous versions supported only single-threaded TinyGo binaries. In this paper, we extend Zorya to multi-threaded binaries produced by Go's standard gc compiler. This is achieved by restoring OS thread states from gdb dumps, neutralizing runtime preemption, and introducing overlay path analysis with copy-on-write semantics to detect silent vulnerabilities on untaken branches. We rigorously assess Zorya on 11 real-world vulnerabilities from production Go projects such as Kubernetes, Go-Ethereum, and CoreDNS. Our evaluation shows that Zorya detects seven bugs at the binary level, including a silent integer overflow detects no other evaluated tool finds without a manually written oracle.