SymFit is a symbolic execution framework for analyzing binaries, supporting multiple backends such as SymCC and SymSan. This document provides instructions for building and running SymFit using Docker.
Currently porting to QEMU 9.0.
A version of SymFit that supports kernel concolic execution: https://github.com/enlighten5/symfit-kernel
SymFit now includes an MCP (Model Context Protocol) server that enables LLM agents to perform automated concolic execution on binaries. The MCP server provides a standardized interface for:
- Running symbolic execution campaigns
- Managing test case corpora
- Analyzing coverage and results
- Automating binary analysis workflows
See mcp-server/README.md for setup instructions and mcp-server/EXAMPLES.md for usage examples.
You can check out our ready-to-use Docker container on GitHub Container Registry:

```
docker pull ghcr.io/bitsecurerlab/symfit:latest
```

To build SymFit from source, use the provided build script:

```
./build.sh
```

This will compile SymFit with the SymSan backend. The build artifacts will be located in:
- build/symfit-symsan/ - SymFit QEMU binaries
- build/symsan/ - SymSan tools and libraries
SymFit uses a modified QEMU to perform symbolic execution on binary programs. The basic workflow is:
- Prepare your target program - Compile the program you want to analyze
- Set up environment variables - Configure paths and options
- Run symbolic execution - Execute the program with SymFit
A complete example is provided in tests/symfit/:

```
cd tests/symfit
./run.sh
```

This automated test will:
- Compile the test program (test.c)
- Initialize a corpus with seed inputs
- Iteratively generate new test cases using symbolic execution
- Display progress and results
To see detailed execution information:

```
DEBUG=1 ./run.sh
```

The test script supports the following environment variables for customization:
- BUILD_DIR - Path to the build directory (default: ../../build)
- SYMFIT - Path to the SymFit QEMU binary
- FGTEST - Path to the fgtest tool
- TEST_BINARY - Path to the test binary
- MAX_ROUNDS - Maximum number of testing rounds (default: 5)

Example with custom settings:

```
MAX_ROUNDS=10 BUILD_DIR=/custom/path ./run.sh
```

To manually run SymFit on a program:

```
# Set environment variables
export SYMCC_INPUT_FILE=/path/to/input
export SYMCC_OUTPUT_DIR=/path/to/output
export SYMCC_AFL_COVERAGE_MAP=/path/to/covmap
export TAINT_OPTIONS="taint_file=/path/to/input"

# Run SymFit
/path/to/build/symsan/bin/fgtest \
  /path/to/build/symfit-symsan/x86_64-linux-user/symqemu-x86_64 \
  /path/to/your/program
```

SymFit generates:
- New test cases in $SYMCC_OUTPUT_DIR - Each file is a generated input that explores different execution paths
- Coverage map at $SYMCC_AFL_COVERAGE_MAP - AFL-style bitmap showing code coverage
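The loop that tests/symfit/run.sh automates (seed a corpus, run SymFit on each input, fold the generated test cases back into the corpus, repeat) can be driven from Python by setting the variables above for each run. The following is an added example, not code from the SymFit repository; `symfit_runner` wraps the manual fgtest/symqemu command line, and `campaign` is a hypothetical driver that deduplicates generated inputs by content hash and stops once a round yields nothing new.

```python
import hashlib
import os
import shutil
import subprocess


def symfit_runner(fgtest, symqemu, target):
    """Build a runner: one concolic execution of `target` on `input_file` with
    the SYMCC_*/TAINT_OPTIONS environment, returning the generated test cases."""
    def runner(input_file, output_dir, covmap):
        os.makedirs(output_dir, exist_ok=True)
        env = {**os.environ,
               "SYMCC_INPUT_FILE": input_file,
               "SYMCC_OUTPUT_DIR": output_dir,
               "SYMCC_AFL_COVERAGE_MAP": covmap,
               "TAINT_OPTIONS": f"taint_file={input_file}"}
        subprocess.run([fgtest, symqemu, target], env=env, check=False)
        return [os.path.join(output_dir, f) for f in sorted(os.listdir(output_dir))]
    return runner


def campaign(seeds, workdir, runner, max_rounds=5):
    """Queue-based loop in the spirit of tests/symfit/run.sh (hypothetical driver):
    each round runs every unexplored corpus file and keeps only unseen inputs."""
    corpus_dir = os.path.join(workdir, "corpus")
    os.makedirs(corpus_dir, exist_ok=True)
    seen, queue = {}, []   # sha256 -> corpus path; corpus files still to run
    def add(path):
        with open(path, "rb") as f:
            digest = hashlib.sha256(f.read()).hexdigest()
        if digest in seen:  # same bytes as an existing input: skip it
            return 0
        dest = os.path.join(corpus_dir, f"id_{len(seen):06d}")
        shutil.copyfile(path, dest)
        seen[digest] = dest
        queue.append(dest)
        return 1
    for seed in seeds:
        add(seed)
    covmap = os.path.join(workdir, "covmap")  # one shared AFL-style bitmap
    for rnd in range(1, max_rounds + 1):
        batch, queue[:] = list(queue), []
        new = 0
        for inp in batch:
            out_dir = os.path.join(workdir, f"round{rnd}", os.path.basename(inp))
            new += sum(add(p) for p in runner(inp, out_dir, covmap))
        if new == 0:  # no unseen input produced: the campaign has converged
            break
    return sorted(seen.values())
```

With the real binaries, `campaign(["seed.bin"], "work", symfit_runner(FGTEST, SYMFIT, TARGET))` returns the paths of the deduplicated corpus after at most five rounds.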
The Docker image provides a pre-built environment with all dependencies:

```
# Run SymFit in Docker
docker run --rm \
  -v /path/to/your/binary:/binary:ro \
  -v /path/to/workdir:/workdir \
  ghcr.io/bitsecurerlab/symfit:latest \
  /workspace/build/symsan/bin/fgtest \
  /workspace/build/symfit-symsan/x86_64-linux-user/symqemu-x86_64 \
  /binary
```

Contributions are welcome! Please feel free to submit issues and pull requests.

See LICENSE file for details.