Unveiling Zorya-Volos at Black Hat Asia 2026
April in Singapore is always a memorable experience, but this year’s trip for Black Hat Asia 2026 was particularly special [1]. The Marina Bay Sands provided an incredible backdrop for the Arsenal track, where researchers and engineers gather to share the specialized tools they’ve been pouring their late nights into. The energy on the floor was fantastic—there’s nothing quite like connecting with peers who understand the very specific headaches of low-level security research and binary analysis.

I had the privilege of presenting alongside my brilliant research partner (almost Dr) Karolina Gorna. We were there to unveil our joint project: Zorya-Volos, a concolic execution engine specifically tailored for Go binaries [2]. For those who couldn’t make the talk, the foundation of our framework, Zorya, is built to perform concolic execution directly on compiled Go executables [3]. To achieve this, it relies heavily on Ghidra, utilizing its p-code intermediate representation to translate the compiled instructions into a format our engine can effectively reason about [4]. Karolina led the charge on this front, mapping execution traces and leveraging SMT solvers to automatically uncover critical logic flaws. Her work with Zorya is particularly effective at hunting down crashes like null pointer dereferences directly from the binary. Our research continues on scaling Zorya’s capabilities, specifically extending it to handle the complex runtime and multi-threading of standard gc-compiled binaries. Additionally, Zorya has recently been accepted at EASE 2026 [5], again mostly through the work of the brilliant soon-to-be Dr Gorna.
While Zorya handles the core symbolic execution, the second half of the framework—developed here at KMSEC—is Volos [2]. Volos is a memory concurrency engine designed to detect race conditions within these Go binaries. Analyzing compiled code for concurrency issues is notoriously difficult due to the loss of typing information and the immense complexities of thread interleaving. Volos solves this by applying happens-before lockset analysis directly at the instruction level. By monitoring memory interactions and tracking vector clocks and lock states across goroutines, Volos definitively pinpoints where threads access shared memory without proper locking mechanisms.
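The check described above, reduced to a sketch: this is an added example, not Volos' own code, that replays a constructed trace and flags two accesses to one address when at least one is a write, the vector clocks leave them unordered, and their locksets share no lock. The `Event` trace format, goroutine creation as the only happens-before edge, locks as small bitmask indexes, and this way of combining the two checks are all assumptions made for illustration.

```go
package main

import "fmt"

// Event is one step of a constructed trace (hypothetical format, not Volos' own).
type Event struct {
	G   int    // goroutine performing the step (0-7 in this sketch)
	Op  string // "go", "lock", "unlock", "read" or "write"
	Arg uint64 // child goroutine id, lock index (0-63) or memory address
}

type access struct {
	g, epoch int    // goroutine and its own clock entry at the access
	write    bool   // true for a store
	locks    uint64 // bitmask of locks held at the access
}

// Detect flags pairs with a write that are HB-unordered and share no held lock.
func Detect(trace []Event) (races []string) {
	clocks := [8][8]int{0: {0: 1}} // one vector clock per goroutine
	held, seen := [8]uint64{}, map[uint64][]access{}
	for _, e := range trace {
		switch e.Op {
		case "go": // child inherits the parent's clock, then the parent ticks
			clocks[e.Arg] = clocks[e.G]
			clocks[e.Arg][e.Arg] = 1
			clocks[e.G][e.G]++
		case "lock":
			held[e.G] |= 1 << e.Arg
		case "unlock":
			held[e.G] &^= 1 << e.Arg
		case "read", "write":
			cur := access{e.G, clocks[e.G][e.G], e.Op == "write", held[e.G]}
			for _, p := range seen[e.Arg] {
				if p.epoch > clocks[e.G][p.g] && (p.write || cur.write) && p.locks&cur.locks == 0 {
					races = append(races, fmt.Sprintf("0x%x g%d/g%d", e.Arg, p.g, e.G))
				}
			}
			seen[e.Arg] = append(seen[e.Arg], cur)
		}
	}
	return races
}

var Sample = []Event{ // constructed: 0x10 is written under lock 0, 0x18 with none
	{0, "write", 0x18}, {0, "go", 1}, {0, "go", 2},
	{1, "lock", 0}, {1, "write", 0x10}, {1, "unlock", 0}, {1, "write", 0x18},
	{2, "lock", 0}, {2, "write", 0x10}, {2, "unlock", 0}, {2, "write", 0x18},
}
func main() { fmt.Println(Detect(Sample)) }
```

Lockset analysis alone would also flag g0's initial write to `0x18`, and happens-before alone (without lock edges) would flag the two locked writes to `0x10`; only the unlocked g1/g2 pair on `0x18` survives both checks.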

What truly sets the combined framework apart is how it satisfies a very rarified set of criteria. Zorya-Volos is built on four defining pillars: it is (i) Commercial Off-The-Shelf (COTS)-tested, (ii) inherently race-condition aware, (iii) completely binary-friendly, and (iv) symbolically enhanced. These four pillars place it in a highly automatable, fuzzing-adaptable space. By operating directly on binaries—the most reliable, ground-truth-based format available for programs—the framework greatly speeds up the overall analysis process while evaluating complex logic and memory states.
Building Volos aligns perfectly with our core mission at KMSEC: delivering practical, in-depth security assessment and research. Automated, surface-level scanners can only get you so far; tackling deeply embedded concurrency bugs requires bespoke engineering and a willingness to get into the weeds of the binary.
If your team is tackling complex security challenges, we are always open to collaborating on new research or providing specialized support. Whether you need deep-dive vulnerability analysis, custom tool development, or advanced technical training for your engineers, feel free to explore our [consultancy and training services](https://kmsecurity.co.za/services) to see how we can partner together.
We invite the community to dig into the framework, read the research, and leverage these tools in your own assessments using the resources below.
Lastly, the slides from our talk are available here: BHAS26_Arsenal_Zorya.pptx (1)
—
References and Further Reading
- [1] Black Hat Asia 2026. “Zorya: Go Binary Vulnerability Detection with Concolic Execution.” Arsenal Schedule. Available: [https://blackhat.com/asia-26/arsenal/schedule/index.html#zorya-go-binary-vulnerability-detection-with-concolic-execution-50425](https://blackhat.com/asia-26/arsenal/schedule/index.html#zorya-go-binary-vulnerability-detection-with-concolic-execution-50425)
- [2] KMSEC137. “Zorya-Volos Framework.” GitHub Repository. Available: [https://github.com/kmsec137/zorya-volos](https://github.com/kmsec137/zorya-volos)
- [3] Gorna, K. “Zorya – Concolic Execution Engine for Go Binaries.” Project Page. Available: [https://zorya.karolinagorna.net/](https://zorya.karolinagorna.net/)
- [4] National Security Agency. “Ghidra Software Reverse Engineering Framework.” (P-Code Documentation). Available: [https://ghidra.re/](https://ghidra.re/)
- [5] Gorna, K., Iooss, N., Seurin, Y., Khatoun, R., & Makan, K. (2026). “From TinyGo to gc Compiler: Extending Zorya’s Concolic Framework to Real-World Go Binaries.” *Accepted in the 30th ACM International Conference on Evaluation and Assessment in Software Engineering (EASE 2026).* arXiv preprint. Available: [https://arxiv.org/abs/2605.03492](https://arxiv.org/abs/2605.03492)