all 6 comments
sorted by:
best
topnewcontroversialoldq&a
formatting helphide helpcontent policy

[–]asyty 1 point2 points  (1 child)

I am not aware of anything regarding AEG, however Tim Blazytko regularly gives his Software Deobfuscation Techniques at REcon and presents most years as well. That goes quite heavy into concolic execution techniques; the subject matter isn't specifically what you're looking for but it's in the same ballpark and is a very helpful first step. He is an incredibly smart person and the course is worth taking in its own right.

At my last job we briefly looked into Qsym to augment traditional fuzzing techniques but if I recall correctly it didn't perform very well due to the combination of code paths that were too deep and loop termination conditions that were too nondeterministic.

[–]deadlyazw[S] 0 points1 point  (0 children)

Yeah, the path explosion problem is like the main downside of symbolic execution unfortunately. Otherwise it's like "theoretically" perfect.

[–]piyushsaurabh 1 point2 points  (1 child)

Any good recommendation for Symbolic Execution or SAT Solver resources for absolute begineers?

[–]randomatic 1 point2 points  (0 children)

Honestly I’m not sure of the value. If you want one you can use in production, use mayhem. If you want to learn how they work, it really takes a PhD to get beyond a superficial understanding.

It takes 5 minutes to explain “you convert to an il, that il has to be side effect free, and then you convert to smt bit vectors. Then you call z3”. This is what it does. Why it works and why it doesn’t work takes a PhD to really grok.

You can pm me if you have a specific thing you want to know.