Awesome angr

A collection of resources/tools and analyses for the angr binary analysis framework. This page does not only collect links and external resources, but its meant to be an harbour to release any non-official extensions/tool/utils that can be useful when working with angr.

ExplorationTechniques 📁

A collection of exploration techniques written by the community

SimgrViz: an exploration technique that collects information regarding the states generated by the SimulationManager and creates a graph that can be later visualized to debug the analyses (.dot file).
MemLimiter: an exploration technique to stop the analysis when memory consumption is too high!
ExplosionDetector: stop the analysis when there are too many states or other critical errors happen.
KLEECoverageOptimizeSearch: KLEE technique to improve coverage.
KLEERandomSearch: an ET for random path selection.
LoopExhaustion: a loop exhaustion search strategy.
StochasticSearch: an ET for stocastic search of active states.
HeartBeat: An exploration technique to make sure symbolic execution is alive and provides some utility to gently hijack into the DSE while it is running.

Documentation 📖

docs.angr.op - Official angr general documentatoin website.
angr.io - Official angr API documentation.
Intro to Binary Analysis with Z3 and angr - FSecureLABS workshop on using Z3 and the angr framework.

Projects 🚀

List of academic/not-acadamic projects based on angr which code is open source.

Heaphopper - Apply symbolic execution to automatically verify security properties of most common heap libraries.
angr-cli - Command line interface for angr a la peda/GEF/pwndbg.
Syml - Use ML to prioritize exploration of promising vulnerable paths.
Angrop - Generate ropchains using angr and symbolic execution.
Angr-management - GUI for angr.
Mechaphish - AEG system for CGC.
angr-static-analysis-for-vuzzer64 - angr-based static analysis module for Vuzzer.
FirmXRay-angr - An angr version of the base address detection analysis implemented in FirmXRay.
IVTSpotter - An IVT Spotter for monolithic ARM firmware images.
MemSight - Rethinking Pointer Reasoning in Symbolic Execution.
Karonte - Detecting Insecure Multi-binary Interactions in Embedded Firmware.

Blogposts 📰

angr-blog - Official angr blog.
A reaching definition engine for binary analysis built-in in angr. - A walk-through of the ReachingDefinition analysis built-in in angr.
shellphish-phrack - Phrack article on Mechaphish, the AEG system based on angr that got 3rd place at the CGC.
angr-tutorial - Introduction to angr - baby steps in symbolic execution.

Papers 📃

Here a collection of papers which used or whose project is based on the angr framework.

Year	Paper
2021	SoK: All You Ever Wanted to Know About x86/x64 Binary Disassembly But Were Afraid to Ask
2021	SyML: Guiding Symbolic Execution Toward Vulnerable States Through Pattern Learning
2021	DIANE: Identifying Fuzzing Triggers in Apps to Generate Under-constrained Inputs for IoT Devices
2021	Boosting symbolic execution via constraint solving time prediction (experience paper)
2020	DICE: Automatic Emulation of DMA Input Channels for Dynamic Firmware Analysis
2020	Towards Constant-Time Foundations for the New Spectre Era
2020	Symbion: Interleaving Symbolic with Concrete Execution
2020	KARONTE: Detecting Insecure Multi-binary Interactions in Embedded Firmware
2020	Device-agnostic Firmware Execution is Possible: A Concolic Execution Approach for Peripheral Emulation
2020	KOOBE: Towards Facilitating Exploit Generation of Kernel Out-Of-Bounds Write Vulnerabilities
2019	BinTrimmer: Towards Static Binary Debloating Through Abstract Interpretation
2019	Sleak: Automating Address Space Layout Derandomization
2018	HeapHopper: Bringing Bounded Model Checking to Heap Implementation Security
2017	Rethinking Pointer Reasoning in Symbolic Execution
2017	Your Exploit is Mine: Automatic Shellcode Transplant for Remote Exploits
2017	BOOMERANG: Exploiting the Semantic Gap in Trusted Execution Environments
2017	Ramblr: Making Reassembly Great Again
2017	BootStomp: On the Security of Bootloaders in Mobile Devices
2017	Piston: Uncooperative Remote Runtime Patching
2016	SoK: (State of) The Art of War: Offensive Techniques in Binary Analysis
2016	Driller: Augmenting Fuzzing Through Selective Symbolic Execution
2015	Firmalice - Automatic Detection of Authentication Bypass Vulnerabilities in Binary Firmware

2019.(SC2NRF)State Consistency Checking for Non-reentrant Function Based on Taint Assisted Symbol Execution 2018.VMPBL: Identifying Vulnerable Functions Based on Machine Learning Combining Patched Information and Binary Comparison Technique by LCS 2015.(Multi-MH)Cross-architecture bug search in binary executables 2020.(SimTA)Finding 1-Day Vulnerabilities in Trusted Applications using Selective Symbolic Execution 2021.(EmTaint)Finding Taint-Style Vulnerabilities in Linux-based Embedded Firmware with SSE-based Alias Analysis 2019.FIoT: Detecting the Memory Corruption in Lightweight IoT Device Firmware 2020.Towards Learning Representations of Binary Executable Files for Security Tasks 2019.CryptoREX: Large-scale Analysis of Cryptographic Misuse in IoT Devices 2016.(MockingBird)Cross-architecture binary semantics understanding via similar code comparison 2017.(CACompare)Binary code clone detection across architectures and compiling configurations 2018.FirmUp: Precise static detection of common vulnerabilities in firmware 2018.(Zeek)Binary Similarity Detection Using Machine Learning 2019.(GeneDiff)Semantic-based representation binary clone detection for cross-architectures in the internet of things 2019.(BinSeeker)Semantic Learning and Emulation Based Cross-platform Binary Vulnerability Seeker 2018.BinMatch: A Semantics-based Hybrid Approach on Binary Code Clone Analysis 2021.Implementing a high-efficiency similarity analysis approach for firmware code 2021.QuickBCC: Quick and Scalable Binary Vulnerable Code Clone Detection 2018.(BinAuthor)On Leveraging Coding Habits for Effective Binary Authorship Attribution 2020.A Novel Concolic Execution Approach on Embedded Device 2020.(Symba)Techniques for Malware Analysis based on Symbolic Execution 2017.Assisting malware analysis with symbolic execution: A case study 2018.Bintaint: A Static Taint Analysis Method for Binary Vulnerability Mining 2020.VYPER: Vulnerability detection in binary code 2016.(WatSym)Combining static analysis and targeted symbolic execution for scalable bug-finding in application binaries 2019.(Gerbil)Identifying Privilege Separation Vulnerabilities in IoT Firmware with Symbolic Execution 2016.A lightweight method for accelerating discovery of taint-style vulnerabilities in embedded systems 2020.CPA: Accurate Cross-Platform Binary Authorship Characterization Using LDA 2019.On Preventing Symbolic Execution Attacks by Low Cost Obfuscation 2020.Symbolic Execution and Debugging Synchronization 2020.(angr-shape)A Shape-inference-based Approach to Enhance Constraint Independence Optimization

papers refering angr or VEXIR(but might not popular)

2019.(SC2NRF)State Consistency Checking for Non-reentrant Function Based on Taint Assisted Symbol Execution 2018.VMPBL: Identifying Vulnerable Functions Based on Machine Learning Combining Patched Information and Binary Comparison Technique by LCS 2015.(Multi-MH)Cross-architecture bug search in binary executables 2020.(SimTA)Finding 1-Day Vulnerabilities in Trusted Applications using Selective Symbolic Execution 2021.(EmTaint)Finding Taint-Style Vulnerabilities in Linux-based Embedded Firmware with SSE-based Alias Analysis 2019.FIoT: Detecting the Memory Corruption in Lightweight IoT Device Firmware 2020.Towards Learning Representations of Binary Executable Files for Security Tasks 2019.CryptoREX: Large-scale Analysis of Cryptographic Misuse in IoT Devices 2016.(MockingBird)Cross-architecture binary semantics understanding via similar code comparison 2017.(CACompare)Binary code clone detection across architectures and compiling configurations 2018.FirmUp: Precise static detection of common vulnerabilities in firmware 2018.(Zeek)Binary Similarity Detection Using Machine Learning 2019.(GeneDiff)Semantic-based representation binary clone detection for cross-architectures in the internet of things 2019.(BinSeeker)Semantic Learning and Emulation Based Cross-platform Binary Vulnerability Seeker 2018.BinMatch: A Semantics-based Hybrid Approach on Binary Code Clone Analysis 2021.Implementing a high-efficiency similarity analysis approach for firmware code 2021.QuickBCC: Quick and Scalable Binary Vulnerable Code Clone Detection 2018.(BinAuthor)On Leveraging Coding Habits for Effective Binary Authorship Attribution 2020.A Novel Concolic Execution Approach on Embedded Device 2020.(Symba)Techniques for Malware Analysis based on Symbolic Execution 2017.Assisting malware analysis with symbolic execution: A case study 2018.Bintaint: A Static Taint Analysis Method for Binary Vulnerability Mining 2020.VYPER: Vulnerability detection in binary code 2016.(WatSym)Combining static analysis and targeted symbolic execution for scalable bug-finding in application binaries 2019.(Gerbil)Identifying Privilege Separation Vulnerabilities in IoT Firmware with Symbolic Execution 2016.A lightweight method for accelerating discovery of taint-style vulnerabilities in embedded systems 2020.CPA: Accurate Cross-Platform Binary Authorship Characterization Using LDA 2019.On Preventing Symbolic Execution Attacks by Low Cost Obfuscation 2020.Symbolic Execution and Debugging Synchronization 2020.(angr-shape)A Shape-inference-based Approach to Enhance Constraint Independence Optimization

opened by xrkk 0