Awesome angr

A collection of resources/tools and analyses for the angr binary analysis framework. This page does not only collect links and external resources, but its meant to be an harbour to release any non-official extensions/tool/utils that can be useful when working with angr.

ExplorationTechniques 📁

A collection of exploration techniques written by the community

• SimgrViz: an exploration technique that collects information regarding the states generated by the SimulationManager and creates a graph that can be later visualized to debug the analyses (.dot file).
• MemLimiter: an exploration technique to stop the analysis when memory consumption is too high!
• ExplosionDetector: stop the analysis when there are too many states or other critical errors happen.
• KLEECoverageOptimizeSearch: KLEE technique to improve coverage.
• KLEERandomSearch: an ET for random path selection.
• LoopExhaustion: a loop exhaustion search strategy.
• StochasticSearch: an ET for stocastic search of active states.
• HeartBeat: An exploration technique to make sure symbolic execution is alive and provides some utility to gently hijack into the DSE while it is running.

Documentation 📖

• docs.angr.op - Official angr general documentatoin website.
• angr.io - Official angr API documentation.
• Intro to Binary Analysis with Z3 and angr - FSecureLABS workshop on using Z3 and the angr framework.

Projects 🚀

List of academic/not-acadamic projects based on angr which code is open source.

• Heaphopper - Apply symbolic execution to automatically verify security properties of most common heap libraries.
• angr-cli - Command line interface for angr a la peda/GEF/pwndbg.
• Syml - Use ML to prioritize exploration of promising vulnerable paths.
• Angrop - Generate ropchains using angr and symbolic execution.
• Angr-management - GUI for angr.
• Mechaphish - AEG system for CGC.
• angr-static-analysis-for-vuzzer64 - angr-based static analysis module for Vuzzer.
• FirmXRay-angr - An angr version of the base address detection analysis implemented in FirmXRay.
• IVTSpotter - An IVT Spotter for monolithic ARM firmware images.
• MemSight - Rethinking Pointer Reasoning in Symbolic Execution.
• Karonte - Detecting Insecure Multi-binary Interactions in Embedded Firmware.
• BootStomp - A bootloader vulnerability finder.
• SaTC - A prototype of Shared-keywords aware Taint Checking(SaTC), a static analysis method that tracks user input between front-end and back-end for vulnerability discovery effectively and efficiently.
• Arbiter - Arbiter is a combination of static and dynamic analyses, built on top of angr, that can be used to detect some vulnerability classes.

Blogposts 📰

• angr-blog - Official angr blog.
• A reaching definition engine for binary analysis built-in in angr. - A walk-through of the ReachingDefinition analysis built-in in angr.
• shellphish-phrack - Phrack article on Mechaphish, the AEG system based on angr that got 3rd place at the CGC.
• angr-tutorial - Introduction to angr - baby steps in symbolic execution.
• bcheck - Binary check tool to identify command injection and format string vulnerabilities in blackbox binaries.

Papers 📃

Here a collection of papers which used or whose project is based on the angr framework.

Year	Paper
2022	Heapster: Analyzing the Security of Dynamic Allocators for Monolithic Firmware Images
2022	Arbiter: Bridging the Static and Dynamic Divide in Vulnerability Discovery on Binary Programs
2022	Ferry: State-Aware Symbolic Execution for Exploring State-Dependent Program Paths
2022	Fuzzware: Using Precise MMIO Modeling for Effective Firmware Fuzzing
2021	Jetset: Targeted Firmware Rehosting for Embedded Systems
2021	SoK: All You Ever Wanted to Know About x86/x64 Binary Disassembly But Were Afraid to Ask
2021	SyML: Guiding Symbolic Execution Toward Vulnerable States Through Pattern Learning
2021	DIANE: Identifying Fuzzing Triggers in Apps to Generate Under-constrained Inputs for IoT Devices
2021	Sharing More and Checking Less: Leveraging Common Input Keywords to Detect Bugs in Embedded Systems
2021	Boosting symbolic execution via constraint solving time prediction (experience paper)
2020	DICE: Automatic Emulation of DMA Input Channels for Dynamic Firmware Analysis
2020	Towards Constant-Time Foundations for the New Spectre Era
2020	Symbion: Interleaving Symbolic with Concrete Execution
2020	KARONTE: Detecting Insecure Multi-binary Interactions in Embedded Firmware
2020	Device-agnostic Firmware Execution is Possible: A Concolic Execution Approach for Peripheral Emulation
2020	KOOBE: Towards Facilitating Exploit Generation of Kernel Out-Of-Bounds Write Vulnerabilities
2020	BugMiner: Mining the Hard-to-Reach Software Vulnerabilities through the Target-Oriented Hybrid Fuzzer
2019	Enhancing Symbolic Execution by Machine Learning Based Solver Selection
2019	BinTrimmer: Towards Static Binary Debloating Through Abstract Interpretation
2019	Sleak: Automating Address Space Layout Derandomization
2019	Time and Order: Towards Automatically Identifying Side-Channel Vulnerabilities in Enclave Binaries
2018	HeapHopper: Bringing Bounded Model Checking to Heap Implementation Security
2018	Efficient Extraction of Malware Signatures Through System Calls and Symbolic Execution: An Experience Report
2018	Dynamic Path Pruning in Symbolic Execution
2018	On Benchmarking the Capability of Symbolic Execution Tools with Logic Bombs
2017	Rethinking Pointer Reasoning in Symbolic Execution
2017	Your Exploit is Mine: Automatic Shellcode Transplant for Remote Exploits
2017	BOOMERANG: Exploiting the Semantic Gap in Trusted Execution Environments
2017	Ramblr: Making Reassembly Great Again
2017	BootStomp: On the Security of Bootloaders in Mobile Devices
2017	Piston: Uncooperative Remote Runtime Patching
2016	SoK: (State of) The Art of War: Offensive Techniques in Binary Analysis
2016	Driller: Augmenting Fuzzing Through Selective Symbolic Execution
2015	Firmalice - Automatic Detection of Authentication Bypass Vulnerabilities in Binary Firmware