What’s Changed with This Release:

What’s New:

  1. Added SymbEx assessment.

  2. Added HeapOverflow SymbEx analysis. Detects instances of CWE-122: Heap-Based Buffer Overflow and CWE-415: Double Free.

  3. Added StackOverflow SymbEx analysis. Detects instances of CWE-121: Stack-Based Buffer Overflow.

  4. Added StringFormat SymbEx analysis. Detects instances of CWE-134: Use of Externally-Controlled Format String.

  5. Added SymbolicIP SymbEx analysis. Detects instances of CWE-121: Stack-Based Buffer Overflow that overwrite the instruction pointer.

  6. Added SymbolicWrite SymbEx analysis. Detects instances of CWE-129: Improper Validation of Array Index and CWE-823: Use of Out-of-range Pointer Offset.

What’s Updated:

  1. Fixed various minor bugs and performance issues.

Feature details

New Feature: SymbEx assessment

The SymbEx assessment uses symbolic execution to detect and report memory-safety violations and other forms of undefined behavior in binary programs, at a significantly lower false-positive rate than competing approaches.

New Feature: HeapOverflow SymbEx analysis

Detects instances of CWE-122: Heap-Based Buffer Overflow and CWE-415: Double Free.

New Feature: StackOverflow SymbEx analysis

Detects instances of CWE-121: Stack-Based Buffer Overflow.

New Feature: StringFormat SymbEx analysis

Detects instances of CWE-134: Use of Externally-Controlled Format String.

New Feature: SymbolicIP SymbEx analysis

Detects instances of CWE-121: Stack-Based Buffer Overflow that overwrite the instruction pointer.

New Feature: SymbolicWrite SymbEx analysis

Detects instances of CWE-129: Improper Validation of Array Index and CWE-823: Use of Out-of-range Pointer Offset.