SymFit is a symbolic execution framework for analyzing binaries built around the SymSan backend. This document provides instructions for building and running SymFit using Docker.
Currently porting to QEMU 9.0.
A version of SymFit that supports kernel concolic execution: https://github.com/enlighten5/symfit-kernel
SymFit now includes an MCP (Model Context Protocol) server that enables LLM agents to perform automated concolic execution on binaries. The MCP server provides a standardized interface for:
- Running symbolic execution campaigns
- Managing test case corpora
- Analyzing coverage and results
- Automating binary analysis workflows
See mcp-server/README.md for setup instructions and mcp-server/EXAMPLES.md for usage examples.
You can check out our ready-to-use Docker container on GitHub Container Registry:
docker pull ghcr.io/bitsecurerlab/symfit:latestYou can build SymFit against prebuilt Symsan artifacts (recommended), without checking out external/symsan (the directory may be absent).
AUTO_DOWNLOAD_SYMSAN=1 ./build.sh allBy default this pulls the first .tar.gz asset from bitsecurerlab/symsan latest release.
You can narrow asset selection if needed:
AUTO_DOWNLOAD_SYMSAN=1 \
SYMSAN_RELEASE_ASSET_PATTERN='linux.*x86_64.*\.tar\.gz$' \
./build.sh allSYMSAN_TARBALL=https://github.com/bitsecurerlab/symsan/releases/download/<tag>/<symsan-artifact>.tar.gz \
./build.sh allbuild.sh will download/extract the tarball into build/symsan/ and then build SymFit.
If you already unpacked Symsan artifacts and they contain bin/fgtest:
USE_PREBUILT_SYMSAN=1 SYMSAN_BUILD=/path/to/symsan ./build.sh symfit-symsanIf you want to build Symsan from source, first clone Symsan separately, then pass SYMSAN_SRC:
git clone https://github.com/bitsecurerlab/symsan.git /path/to/symsan
SYMSAN_SRC=/path/to/symsan ./build.sh allThis will compile SymFit with the SymSan backend. The build artifacts will be located in:
build/symfit-symsan/- SymFit QEMU binariesbuild/symsan/- SymSan tools and libraries
SymFit uses a modified QEMU to perform symbolic execution on binary programs. The basic workflow is:
- Prepare your target program - Compile the program you want to analyze
- Set up environment variables - Configure paths and options
- Run symbolic execution - Execute the program with SymFit
A complete example is provided in tests/symfit/:
cd tests/symfit
./run.shThis automated test will:
- Compile the test program (
test.c) - Initialize a corpus with seed inputs
- Iteratively generate new test cases using symbolic execution
- Display progress and results
To see detailed execution information:
DEBUG=1 ./run.shThe test script supports the following environment variables for customization:
BUILD_DIR- Path to the build directory (default:../../build)SYMFIT- Path to the SymFit QEMU binaryFGTEST- Path to the fgtest toolTEST_BINARY- Path to the test binaryMAX_ROUNDS- Maximum number of testing rounds (default: 5)
Example with custom settings:
MAX_ROUNDS=10 BUILD_DIR=/custom/path ./run.shTo manually run SymFit on a program:
# Set environment variables
# `fgtest` still uses the historical `SYMCC_*` variable names for I/O paths.
export SYMCC_INPUT_FILE=/path/to/input
export SYMCC_OUTPUT_DIR=/path/to/output
export SYMCC_AFL_COVERAGE_MAP=/path/to/covmap
export TAINT_OPTIONS="taint_file=/path/to/input"
# Run SymFit
/path/to/build/symsan/bin/fgtest \
/path/to/build/symfit-symsan/x86_64-linux-user/symfit-x86_64 \
/path/to/your/programSymFit generates:
- New test cases in
$SYMCC_OUTPUT_DIR- Each file is a generated input that explores different execution paths - Coverage map at
$SYMCC_AFL_COVERAGE_MAP- AFL-style bitmap showing code coverage
The Docker image provides a pre-built environment with all dependencies:
# Run SymFit in Docker
docker run --rm \
-v /path/to/your/binary:/binary:ro \
-v /path/to/workdir:/workdir \
ghcr.io/bitsecurerlab/symfit:latest \
/workspace/build/symsan/bin/fgtest \
/workspace/build/symfit-symsan/x86_64-linux-user/symfit-x86_64 \
/binaryContributions are welcome! Please feel free to submit issues and pull requests.
See LICENSE file for details.