Awesome angr

A collection of resources, tools and analyses for the angr binary analysis framework. This page does not only collect links and external resources: it is also meant to be a harbour for releasing non-official extensions, tools and utilities that can be useful when working with angr.

ExplorationTechniques 📁

A collection of exploration techniques written by the community.

  • SimgrViz: an exploration technique that collects information about the states generated by the SimulationManager and builds a graph (a .dot file) that can later be visualized to debug the analysis.
  • MemLimiter: an exploration technique that stops the analysis when memory consumption is too high.
  • ExplosionDetector: stops the analysis when there are too many states or other critical errors occur.
  • KLEECoverageOptimizeSearch: the KLEE technique for improving coverage.
  • KLEERandomSearch: an ET for random path selection.
  • LoopExhaustion: a loop exhaustion search strategy.
  • StochasticSearch: an ET for stochastic search of active states.
  • HeartBeat: an exploration technique to make sure symbolic execution is alive; it also provides some utilities to gently hijack the DSE while it is running.

Documentation 📖

Projects 🚀

List of academic/not-acadamic projects based on angr which code is open source.

  • Heaphopper - Apply symbolic execution to automatically verify security properties of most common heap libraries.
  • angr-cli - Command line interface for angr a la peda/GEF/pwndbg.
  • Syml - Use ML to prioritize exploration of promising vulnerable paths.
  • Angrop - Generate ropchains using angr and symbolic execution.
  • Angr-management - GUI for angr.
  • Mechaphish - AEG system for CGC.
  • angr-static-analysis-for-vuzzer64 - angr-based static analysis module for Vuzzer.
  • FirmXRay-angr - An angr version of the base address detection analysis implemented in FirmXRay.
  • IVTSpotter - An IVT Spotter for monolithic ARM firmware images.
  • MemSight - Rethinking Pointer Reasoning in Symbolic Execution.
  • Karonte - Detecting Insecure Multi-binary Interactions in Embedded Firmware.
  • BootStomp - A bootloader vulnerability finder.
  • SaTC - A prototype of Shared-keywords aware Taint Checking (SaTC), a static analysis method that tracks user input between front-end and back-end for effective and efficient vulnerability discovery.
  • Arbiter - Arbiter is a combination of static and dynamic analyses, built on top of angr, that can be used to detect some vulnerability classes.

Blogposts 📰

Papers 📃

A collection of papers that used angr or whose project is based on the angr framework.

| Year | Paper |
|------|-------|
| 2022 | Heapster: Analyzing the Security of Dynamic Allocators for Monolithic Firmware Images |
| 2022 | Arbiter: Bridging the Static and Dynamic Divide in Vulnerability Discovery on Binary Programs |
| 2022 | Ferry: State-Aware Symbolic Execution for Exploring State-Dependent Program Paths |
| 2022 | Fuzzware: Using Precise MMIO Modeling for Effective Firmware Fuzzing |
| 2021 | Jetset: Targeted Firmware Rehosting for Embedded Systems |
| 2021 | SoK: All You Ever Wanted to Know About x86/x64 Binary Disassembly But Were Afraid to Ask |
| 2021 | SyML: Guiding Symbolic Execution Toward Vulnerable States Through Pattern Learning |
| 2021 | DIANE: Identifying Fuzzing Triggers in Apps to Generate Under-constrained Inputs for IoT Devices |
| 2021 | Sharing More and Checking Less: Leveraging Common Input Keywords to Detect Bugs in Embedded Systems |
| 2021 | Boosting Symbolic Execution via Constraint Solving Time Prediction (Experience Paper) |
| 2020 | DICE: Automatic Emulation of DMA Input Channels for Dynamic Firmware Analysis |
| 2020 | Towards Constant-Time Foundations for the New Spectre Era |
| 2020 | Symbion: Interleaving Symbolic with Concrete Execution |
| 2020 | KARONTE: Detecting Insecure Multi-binary Interactions in Embedded Firmware |
| 2020 | Device-agnostic Firmware Execution is Possible: A Concolic Execution Approach for Peripheral Emulation |
| 2020 | KOOBE: Towards Facilitating Exploit Generation of Kernel Out-Of-Bounds Write Vulnerabilities |
| 2020 | BugMiner: Mining the Hard-to-Reach Software Vulnerabilities through the Target-Oriented Hybrid Fuzzer |
| 2019 | Enhancing Symbolic Execution by Machine Learning Based Solver Selection |
| 2019 | BinTrimmer: Towards Static Binary Debloating Through Abstract Interpretation |
| 2019 | Sleak: Automating Address Space Layout Derandomization |
| 2019 | Time and Order: Towards Automatically Identifying Side-Channel Vulnerabilities in Enclave Binaries |
| 2018 | HeapHopper: Bringing Bounded Model Checking to Heap Implementation Security |
| 2018 | Efficient Extraction of Malware Signatures Through System Calls and Symbolic Execution: An Experience Report |
| 2018 | Dynamic Path Pruning in Symbolic Execution |
| 2018 | On Benchmarking the Capability of Symbolic Execution Tools with Logic Bombs |
| 2017 | Rethinking Pointer Reasoning in Symbolic Execution |
| 2017 | Your Exploit is Mine: Automatic Shellcode Transplant for Remote Exploits |
| 2017 | BOOMERANG: Exploiting the Semantic Gap in Trusted Execution Environments |
| 2017 | Ramblr: Making Reassembly Great Again |
| 2017 | BootStomp: On the Security of Bootloaders in Mobile Devices |
| 2017 | Piston: Uncooperative Remote Runtime Patching |
| 2016 | SoK: (State of) The Art of War: Offensive Techniques in Binary Analysis |
| 2016 | Driller: Augmenting Fuzzing Through Selective Symbolic Execution |
| 2015 | Firmalice: Automatic Detection of Authentication Bypass Vulnerabilities in Binary Firmware |