A command-line tool for creating and administering isolated development
environments for S2E. Each environment contains all the
tools required to run S2E plus one or more "projects". A project is essentially
an analysis target. For example, one project might be the analysis of a CGC
binary, while another project
might be the analysis of the file program from
Coreutils.
We assume that you are working on an Ubuntu 18.04 LTS 64-bit OS. You will need the following packages:
$ sudo apt-get install git gcc python3 python3-dev python3-venvSome commands (such as basic block coverage) require a disassembler. Supported disassemblers include:
- IDA Pro
- Radare. Requires r2pipe
- Binary Ninja. Requires GUI-less processing
We recommend installing s2e-env into a virtual environment.
git clone https://github.com/S2E/s2e-env.git
cd s2e-env
python3 -m venv venv
. venv/bin/activate
pip install .
# Note: if you use pip earlier than version 19, you must add --process-dependency-links:
pip install . --process-dependency-linksRun tests with the following command:
$ ./test.shThis will create a fresh virtual environment venv-test, install all requirements,
run pylint, the tests, and record coverage.
s2e-env is configurable in two ways. Firstly, there is a global YAML
configuration file located in s2e_env/dat/config.yaml. This configuration
file controls how all environments are created. You are not normally required
to modify the settings in this file. If you wish to customize how environments
are created, you should edit this file before running pip install to
install s2e-env.
For example, you may want to clone the S2E source repos via SSH rather than
HTTPS, in which case you would set the repos, url option to
[email protected]:S2E.
A second YAML configuration file, s2e.yaml, is created in each S2E
environment. This contains settings that are local to each S2E environment. For
example, if you want to generate basic block coverage, you will also have to
set the ida, path option.
The package can be installed via pip, thus making the s2e command
available.
To list the available commands:
s2e help --commands
To get help on a particular command:
s2e <subcommand> --help
Most commands use the S2EDIR environment variable so that commands can be run
from any directory. S2EDIR can be set by sourcing s2e_activate in your
environment directory. Sourcing this file also makes s2e_deactivate
available, which unsets the S2E environment variables.
Alternatively, most commands take an optional --env /path/to/env argument.
This argument can be used to specify the path to the S2E environment you want
to execute the command in.
Note that one of the S2EDIR environment variable or --env option
must be used.
Each command follows the Unix philosophy that each command ("tool") consists of a small program designed to accomplish a single, particular task, rather than trying to develop monolithic commands to do a number of tasks.
A typical workflow is therefore:
- Run
s2e init $DIRto create a new S2E environment in$DIR. This will create the environment, install dependencies (unless--skip-dependenciesis used) and fetch all of the S2E engine code. - Activate the environment via
. $DIR/s2e_activate. - Look around the source code, make some modifications, etc. Then when you are
ready to build run
s2e build. - You'll need some images to analyze your software in! See what images are
available with
s2e image_build. - Run
s2e image_build $TEMPLATEto build one of the images listed in the previous step. This will create the image in theimagesdirectory. - Use
s2e new_projectto create a new analysis project. This will create all the launch scripts, configuration files and bootstrap scripts necessary to perform the analysis on a given target. Currently Linux ELF executables, Decree CGC binaries, Windows PE executables and Windows DLLs can be targeted with thenew_projectcommand. - Change into the project directory and run the S2E analysis with the
launch-s2e.shscript. - After your analysis has finished, a number of subcommands exist to analyze
and summarize your results, e.g. the
coverageandexecution_tracesubcommands.
Other useful commands:
s2e infocan be used to display a summary of the S2E environment.- To download the latest changes from the git repositories, run
s2e update. - Projects can be shared using
s2e export_projectands2e import_project.
s2e init generates the following directory structure in your S2E environment.
.
├── build/
├── images/
├── install/
├── projects/
├── s2e.yaml
├── source/
build: Staging directory for buildsimages: Images created withs2e image_buildgo hereinstall: Installed executables, libraries, header files, etc.projects: Analysis projects created withs2e new_projectgo heres2e.yaml: A per-environment configuration file. This file is also used to "mark" the directory as an S2E environment, so please do not delete it!source: Source code repositories
Extending with new commands is relatively simple. s2e-env is heavily
influenced by Django's command subsystem,
so there is a wealth of documentation already available (for example,
here).
For example, to create a command foo:
-
Create a new Python module
s2e_env/commands/foo.py -
In
foo.pydefine aCommandclass that extendss2e_env.command.BaseCommand- The base class. Probably not that useful to inherit directly from this classs2e_env.command.EnvCommand- For commands that operate on an existing S2E environments2e_env.command.ProjectCommand- For commands that operate on an existing analysis project
-
The only method required in your
Commandclass ishandle(self, *args, **options). This method contains your command logic -
You may optionally define an
add_arguments(self, parser)method for parsing command-line arguments specific to thefoocommand. Theparserargument is essentially anArgumentParserfrom the argparse library.If you extend from
EnvCommandyou must call the superadd_arguments, i.e.:def add_arguments(self, parser): super(Command, self).add_arguments(parser) # Add your arguments/options here
-
On error, an
s2e_env.command.CommandErrorshould be raised -
Use the
loggingmodule for printing messages. When callinglogging.getLoggerthe command name should be provided as the logger name.
Like Django's command subsystem (see
here),
s2e-env also allows you to call commands programatically
via the call_command function.
Example:
from s2e_env.commands.new_project import Command as NewProjectCommand
from s2e_env.manage import call_command
def create_s2e_project(target_path, s2e_env_path):
call_command(NewProjectCommand(), target_path, env=s2e_env_path, force=True)Occasionally the default analysis projects (e.g., Windows driver, Linux
application, etc.) may not meet your requirements. In these cases, a custom
project may be created by extending the
s2e_env.commands.project_creation.abstract_project.AbstractProject class.
This child class must implement the following methods:
_configure: Generates a configuration dictionary that describes the project. The contents of this dictionary are up to the user; and_create: Creates the actual project on disk. This should including, making the project directory, and creating the files necessary to run the project in this project directory. The project creation is guided by the configuration dictionary generated in_make_config. The path to the project should be returned from this method.
Optionally, the child class may also implement:
_get_instructions: Return a string that is displayed to the user upon successful creation of a project; and_is_valid_image: If an image is not specified, this method is used as a predicate when automatically selecting an image.
Currently, custom projects can only be used programmatically as follows:
import os
from s2e_env.commands.new_project import Command as NewProjectCommand
from s2e_env.commands.project_creation import AbstractProject
from s2e_env.manage import call_command
class MyProject(AbstractProject):
def _configure(self, target, *args, **kwargs):
return dict(project_dir='/path/to/my/project')
def _create(self, config, force=False):
os.mkdir(config['project_dir'])
return config['project_dir']
def _get_instructions(self, config):
return 'Your project has been successfully created in %s' % config['project_dir']
call_command(NewProjectCommand(), env='/path/to/s2e', project_class=MyProject)
![dependabot[bot] avatar](https://avatars.githubusercontent.com/in/29110?v=4 "dependabot[bot]")
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent