Open Source · Ledger Donjon × Télécom Paris

Automated vulnerability detection in Go binaries

Zorya is a concolic execution engine built in Rust. It translates binaries to Ghidra's P-Code, drives symbolic exploration with Z3, and finds crashes in compiled Go programs — no source code required.

View on GitHub Read the docs
$ zorya /path/to/binary ███████╗ ██████╗ ██████╗ ██╗ ██╗ █████╗ ╚══███╔╝██╔═══██╗██╔══██╗╚██╗ ██╔╝██╔══██╗ ███╔╝ ██║ ██║██████╔╝ ╚████╔╝ ███████║ ███╔╝ ██║ ██║██╔══██╗ ╚██╔╝ ██╔══██║ ███████╗╚██████╔╝██║ ██║ ██║ ██║ ██║ ╚══════╝ ╚═════╝ ╚═╝ ╚═╝ ╚═╝ ╚═╝ ╚═╝ Next Generation Concolic Analysis What is the source language of the binary? › Go (TinyGo) Go (Standard) C / Other
How it works
From binary to vulnerability report
Zorya generates CPU and memory dumps via GDB, lifts binary code to P-Code, then drives concolic execution with Z3 to synthesize inputs that trigger panics and crashes.
1
Go Binary
ELF input, any arch
2
GDB Dumps
CPU registers + memory
3
Ghidra Lift
Raw P-Code IR
4
Concolic Engine
Rust + Z3 solver
5
Report
PoC inputs + traces
Capabilities
Engineered for Go's complexity
Go binaries embed a heavyweight runtime that general-purpose symbolic executors don't model. Zorya was built from the ground up to handle it.
🎯

Panic-Guided Exploration

Multi-layer filtering concentrates symbolic reasoning on panic-relevant paths, achieving 1.8–3.9× speedups by pruning 33–70% of irrelevant branches.

🔒

Built for Binaries Analysis

Zorya analyzes executables with symbols to help developers find bugs in the binaries they build before production deployment.

⚙️

Detection Strategies

Zorya discovers bugs in two complementary ways: runtime panic-function checks and de facto bug discovery through overlay concolic execution on alternative paths.

🧩

P-Code as the Intermediate Representation

Ghidra's intermediate representation abstracts ISA specifics. Analyze x86_64, ARM, or any Ghidra-supported architecture through one engine.

🔬

Real-World Validated

Tested against go-ethereum (Geth), Kubernetes, Gin framework, Omni Network, and known CVEs including CVE-2022-30631.

🚀

Guided & Fuzzer Modes

Interactive guided mode for exploration, plus a fuzzer module for automated batch campaigns with JSON configs and timeout management.

Detection
What Zorya finds
Logic-related bugs and language-specific vulnerabilities that traditional fuzzers and static analyzers miss.
PANIC
Nil Pointer Dereference
Unchecked pointer access causing runtime panic
PANIC
Index Out of Bounds
Array/slice access beyond allocated length
LOGIC
Integer Overflow
Arithmetic overflow in unchecked operations
REACH
Reachable Panic Paths
panic() calls reachable from external input
Documentation
Learn Zorya (auto-synced with GitHub)
Each page below is rendered directly from the main branch of the original repo. Every push updates this website automatically.
Loading documentation...
Open in GitHub →

Fetching latest documentation from the repository...

Companion Project
Zorya-Volos for concurrency bug detection
zorya-volos extends the Zorya approach to target multi-threaded behaviors and concurrency vulnerabilities in Go binaries.

Why Zorya-Volos?

Concurrency bugs are often non-deterministic and difficult to trigger with regular fuzzing. Volos focuses on goroutine interactions and interleaving-sensitive failures.

  • Focused on race-condition-style and scheduling-dependent bug patterns
  • Designed as a fork to keep compatibility with Zorya workflows
  • Useful for deeper analysis of concurrent code paths
zorya-volos Repository → Volos Documentation

Relationship with Zorya

Use mainline Zorya for broad single-threaded vulnerability exploration, then pivot to Volos when concurrency-specific analysis is needed.

  • Main project: stable core analysis pipeline
  • Fork project: concurrency-focused research track
  • Both remain linked through shared architecture ideas
Get Started
Installation
Docker or build from source. Requires Rust, Go, Python, and Ghidra.
Docker (recommended)
git clone --recursive \ https://github.com/Ledger-Donjon/zorya cd zorya docker build -t zorya:latest . # Run interactively docker run -it --rm \ --security-opt seccomp=unconfined \ --cap-add=SYS_PTRACE \ -v $(pwd)/results:/opt/zorya/results \ zorya:latest
From source
git clone --recursive \ https://github.com/Ledger-Donjon/zorya cd zorya # Setup Ghidra + Pyhidra make ghidra-config # Build everything make all # Run on a test binary zorya /path/to/binary
Research
Publications
Zorya is developed as part of a CIFRE PhD thesis at Télécom Paris (LTCI) in collaboration with Ledger Donjon.
Zorya: Automated Concolic Execution of Single-Threaded Go Binaries
ACM SAC 2026 — 41st Symposium on Applied Computing, Thessaloniki
arXiv →
2026
Concolic Execution Optimized for Go Binaries using Ghidra's P-Code
Springer — Software Engineering and Management: Theory and Applications
Springer →
2026
Exposing Go's Hidden Bugs: A Novel Concolic Framework
SERA 2025 — IEEE/ACIS International Conference on Software Engineering
IEEE Xplore →
2025
Talks
Presentations
Arsenal
Black Hat Asia 2026
Singapore — Tool demonstration

Official Black Hat Arsenal session page with schedule details and project context.

Open event page →
Talk
EthCC[8] 2025
Cannes — Blockchain client security

Recorded conference talk:

Watch on YouTube →
EthCC 2025 talk thumbnail Watch video
Seminar
Cybersecurity & Defense Day
Institut Polytechnique de Paris
Open Source
Start analyzing Go binaries today
Zorya is free, open source, and actively maintained. Contributions welcome.
GitHub Repository karolinagorna.net →