Angr – User-friendly binary analysis platform

 (github.com)

73 points | by adulau 2157 days ago

5 comments

  • q3k 2157 days ago
    The interesting part about Angr (and arguably, its' reason for existence) is that it can execute native (x86_64, ARM, others...) concolically [1] - ie., given a binary and a requested end state, it will strive using both formal methods and brute force to find input required to reach that state. All automatically, including converting binary code to an IL (cle & Vagrant IL via PyVEX), executing that IL (simuvex) and interacting with SMT solvers (claripy). This can be used for finding bugs, reverse engineering and exploit generation, at least in a toy/CTF setting.

    Angr is also the open-source part of the Shellphish/UCSB contestant (Mechanical Phish) that competed in the DARPA CGC [2].

    [1] - https://en.wikipedia.org/wiki/Concolic_testing

    [2] - https://en.wikipedia.org/wiki/2016_Cyber_Grand_Challenge

    [-]
    • saagarjha 2157 days ago
      > Angr is also the open-source part of the Shellphish/UCSB contestant (Mechanical Phish) that competed in the DARPA CGC

      It's not the only open-source part: https://github.com/mechaphish

  • xvilka 2157 days ago
    There are other similar platforms (listing biggest ones):

    1. BAP (OCaml) - https://github.com/BinaryAnalysisPlatform/bap

    2. BinCAT (OCaml) - https://github.com/airbus-seclab/bincat

    3. radare2 (C) + radeco (Rust)(WIP) - https://github.com/radare/radare2 + https://github.com/radare/radeco-lib

    4. Falcon (Rust) (WIP) - https://github.com/falconre/falcon

    And a bunch of others, less common or less featureful.

  • pag 2157 days ago
    If you're an everyday C/C++ programmer and can't imagine how Angr could fit into your workflow, then check out DeepState (https://github.com/trailofbits/deepstate). It is a Google Test-compatible unit testing framework that lets you write parameterized unit tests, using Angr to perform the state space exploration. What that means is that you can write a unit test, e.g. that addition of two integers doesn't overflow (it can), and using the power of Angr, DeepState will evaluate your test for all possible integers, not hard-coded ones, and not just some randomly chosen ones.
    [-]
    • rurban 2157 days ago
      For this usually CBMC is used. http://www.cprover.org/cbmc/

      You can also use CBMC to solve the usual state reverse engineering problems, like coverage analysis, finding input for output, hash collisions, ...

  • akrasuski1 2157 days ago
    Hm, if the example written on README is representative for current usage, then it surely changed a lot recently. I remember checking angr out a few months ago, and simply running a binary required a few dozens of, mostly boilerplate, code. I may try it again now, looks like it improved since then.
  • TACIXAT 2157 days ago
    Did Manticore lead to a focus on ease of use? Not sure I've seen angr described as user friendly before.
    [-]
    • ltfish 2155 days ago
      You are more or less correct. The `project.execute()` API was indeed inspired by Manticore!