1 Typically analyzers try to explore the whole program, but they looking for specific defect type in specific program parts. BORG (buffer over-read guard) uses static analysis and dynamic analysis, taint propagation and symbolic execution to detect buffer overread bugs. Operates on binaries.

Buffer overwrites may be used to bypass ASLR and DEP or extract sensitive user information.

BORG is based on S²E. It uses guided symbolic execution. They declare, paths grow exponentially with the number of branch points. They try to guide DSE towards “interesting” parts of the program using path selection heuristics.

2 They (1) select target, (2) guide execution towards those targets, (3) detect a bug.

Sergey Vartanov, 2007–2020