This paper presents S 2 E, a platform for analyzing the properties and behavior of software systems. We demonstrate S 2 E's use in developing practical tools for comprehensive performance profiling, reverse engineering of proprietary software, and bug finding for both kernel-mode and user-mode binaries. Building these tools on top of S 2 E took less than 770 LOC and 40 person-hours each. S 2 E's novelty consists of its ability to scale to large real systems, such as a full Windows stack. S 2 E
... s based on two new ideas: selective symbolic execution, a way to automatically minimize the amount of code that has to be executed symbolically given a target analysis, and relaxed execution consistency models, a way to make principled performance/accuracy trade-offs in complex analyses. These techniques give S 2 E three key abilities: to simultaneously analyze entire families of execution paths, instead of just one execution at a time; to perform the analyses in-vivo within a real software stack-user programs, libraries, kernel, drivers, etc.-instead of using abstract models of these layers; and to operate directly on binaries, thus being able to analyze even proprietary software. Conceptually, S 2 E is an automated path explorer with modular path analyzers: the explorer drives the target system down all execution paths of interest, while analyzers check properties of each such path (e.g., to look for bugs) or simply collect information (e.g., count page faults). Desired paths can be specified in multiple ways, and S 2 E users can either combine existing analyzers to build a custom analysis tool, or write new analyzers using the S 2 E API.