Agnech
Engine 5 of 7

Symbolic Execution Engine

Explore all possible execution paths mathematically. Generate concrete exploit inputs that prove vulnerabilities are real.

Overview

Symbolic Execution treats program inputs as mathematical symbols rather than concrete values. By solving the constraints that govern execution paths, Bloodhound can prove whether a vulnerability is actually reachable and generate inputs that trigger it.

Why Symbolic Execution?

Zero False Positives
If it reports a bug, it's real
Exploit Proof
Generates working attack inputs
Deep Bugs
Finds bugs hidden by complex logic

How It Works

JavaScript
1// Original code
2function processPayment(amount, discount) {
3  if (amount > 1000) {
4    if (discount > 50) {
5      // Vulnerability: negative amount possible
6      const final = amount - (amount * discount / 100);
7      if (final < 0) {
8        refund(-final);  // 💥 Bug: refund on purchase!
9      }
10    }
11  }
12}
13

14// Symbolic execution traces:
15// Let amount = α, discount = β (symbolic variables)
16

17// Path 1: amount ≤ 1000
18//   Constraint: α ≤ 1000
19//   Result: No bug (early return)
20

21// Path 2: amount > 1000 AND discount ≤ 50
22//   Constraint: α > 1000 ∧ β ≤ 50
23//   Result: No bug (discount check fails)
24

25// Path 3: amount > 1000 AND discount > 50 AND final ≥ 0
26//   Constraint: α > 1000 ∧ β > 50 ∧ (α - α*β/100) ≥ 0
27//   Result: No bug (no refund)
28

29// Path 4: amount > 1000 AND discount > 50 AND final < 0 ⚠️
30//   Constraint: α > 1000 ∧ β > 50 ∧ (α - α*β/100) < 0
31//   Solving: β > 100 needed for final < 0
32//   Solution: α = 2000, β = 150
33//   EXPLOIT: processPayment(2000, 150) triggers bug!

Constraint Solving

Bloodhound uses SMT (Satisfiability Modulo Theories) solvers to find concrete values that satisfy path constraints.

Supported Constraint Types

Arithmetic

  • • Integer arithmetic (+, -, *, /, %)
  • • Floating point operations
  • • Bitwise operations (&, |, ^, ~)
  • • Overflow/underflow detection

Strings

  • • String concatenation
  • • Length constraints
  • • Substring operations
  • • Regex matching

Arrays

  • • Array indexing
  • • Bounds checking
  • • Element constraints
  • • Length tracking

Objects

  • • Property access
  • • Type constraints
  • • Null/undefined checks
  • • Prototype chains

Handling Path Explosion

Programs can have exponentially many paths. Bloodhound uses several techniques to make analysis tractable.

Path Merging

Paths with similar states are merged to reduce redundant exploration. This trades precision for coverage.

Directed Search

Prioritizes paths that lead toward sinks (dangerous operations). Uses heuristics from taint analysis.

Loop Bounding

Limits loop iterations to prevent infinite exploration. Configurable depth based on scan mode.

Function Summaries

Caches the behavior of analyzed functions to avoid re-analysis. Dramatically speeds up large codebases.

Exploit Generation

When a vulnerability is found, symbolic execution generates concrete inputs that trigger it.

Text
1// Bloodhound Vulnerability Report
2

3━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
4CRITICAL: SQL Injection in getUserData()
5File: src/api/users.ts:47
6━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
7

8Symbolic execution found a path from user input to SQL query.
9

10Path constraints solved:
11  • req.query.id must be a string
12  • Length must be > 0
13  • Must contain SQL metacharacter
14

15Generated exploit:
16  GET /api/users?id=1' OR '1'='1
17

18Expected behavior:
19  Returns single user with id=1
20

21Actual behavior with exploit:
22  Returns ALL users (authentication bypass)
23

24Proof of exploitability: ✓ CONFIRMED
25━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

Blockchain Exploit Proofs

For smart contracts, symbolic execution generates transaction sequences that can drain funds or manipulate state.

Limitations

Symbolic execution is powerful but has inherent limitations:

  • External calls: Can't reason about network requests, database state, or file contents without mocking.
  • Concurrency: Thread interleavings create exponential path explosion.
  • Dynamic features: eval(), reflection, and dynamic dispatch are challenging to model.
  • Time complexity: Analysis time grows with program complexity. Apex mode allows longer analysis.

Next Engine

The Graph Analysis Engine uses the execution paths discovered by symbolic execution to build comprehensive code relationship graphs.