In the current prototype of Mimesis, it employs S2E for full-system symbolic execution to analyze a given network function program binaries together with the Linux kernel running in a QEMU KVM. We implemented a custom S2E plugin to control the symbolic execution process, combined with a kernel module built with SystemTap to automatically instrument the Linux kernel for (1) injecting a symbolic packet/frame as input, (2) recording the egress packets/frames, and (3) terminating the symbolic execution.
To understand the design of Mimesis, it is encouraged to read through the code directly. However, the following documentations provide some background knowledge of S2E, SystemTap, QEMU, and BDDs, which may be helpful.
- S2E
- SystemTap
- QEMU
- BDDs
Please take a look at the code in an order similar to the following to understand how Mimesis works.
depends/setup.shscripts/build.shscripts/s2e.shsrc/sender.cppsrc/symbolic_ingress.stpsrc/s2e/libs2eplugins/src/s2e/Plugins/Mimesis.cppsrc/libps/manager.cppsrc/libps/packetset.cppsrc/libps/klee-interpreter.cppsrc/libps/bitvector.cppsrc/libps/bdd.cpp
Note
Please see the project notes for all the updates and action items.
Functional to-do items.
- Parse the SMT constraints into BDD-based packet sets. (ongoing)
- Build the library for BDD-based packet sets. (ongoing)
- Create the NF model class/module. (ongoing)
Performance to-do items.
- Parallelize the analysis.
- Concolic execution.
- State merging.
- Fork profiling.
- (FAQ) Handling path explostion.
- (FAQ) Logging for constraint solving queries.
- Profiling CPU and memory usage.
To report bugs, fix issues, or provide code changes, please either file an issue or submit a pull request.