Awesome angr Awesome

A collection of resources/tools and analyses for the angr binary analysis framework. This page does not only collect links and external resources, but its meant to be an harbour to release any non-official extensions/tool/utils that can be useful when working with angr.

ExplorationTechniques
?

A collection of exploration techniques written by the community

  • SimgrViz: an exploration technique that collects information regarding the states generated by the SimulationManager and creates a graph that can be later visualized to debug the analyses (.dot file).
  • MemLimiter: an exploration technique to stop the analysis when memory consumption is too high!
  • ExplosionDetector: stop the analysis when there are too many states or other critical errors happen.
  • KLEECoverageOptimizeSearch: KLEE technique to improve coverage.
  • KLEERandomSearch: an ET for random path selection.
  • LoopExhaustion: a loop exhaustion search strategy.
  • StochasticSearch: an ET for stocastic search of active states.
  • HeartBeat: An exploration technique to make sure symbolic execution is alive and provides some utility to gently hijack into the DSE while it is running.

Documentation
?

Projects
?

List of academic/not-acadamic projects based on angr which code is open source.

  • Heaphopper – Apply symbolic execution to automatically verify security properties of most common heap libraries.
  • angr-cli – Command line interface for angr a la peda/GEF/pwndbg.
  • Syml – Use ML to prioritize exploration of promising vulnerable paths.
  • Angrop – Generate ropchains using angr and symbolic execution.
  • Angr-management – GUI for angr.
  • Mechaphish – AEG system for CGC.
  • angr-static-analysis-for-vuzzer64 – angr-based static analysis module for Vuzzer.
  • FirmXRay-angr – An angr version of the base address detection analysis implemented in FirmXRay.
  • IVTSpotter – An IVT Spotter for monolithic ARM firmware images.
  • MemSight – Rethinking Pointer Reasoning in Symbolic Execution.
  • Karonte – Detecting Insecure Multi-binary Interactions in Embedded Firmware.

Blogposts
?

Papers
?

Here a collection of papers which used or whose project is based on the angr framework.

Year Paper
2021 SoK: All You Ever Wanted to Know About x86/x64 Binary Disassembly But Were Afraid to Ask
2021 SyML: Guiding Symbolic Execution Toward Vulnerable States Through Pattern Learning
2021 DIANE: Identifying Fuzzing Triggers in Apps to Generate Under-constrained Inputs for IoT Devices
2021 Boosting symbolic execution via constraint solving time prediction (experience paper)
2020 DICE: Automatic Emulation of DMA Input Channels for Dynamic Firmware Analysis
2020 Towards Constant-Time Foundations for the New Spectre Era
2020 Symbion: Interleaving Symbolic with Concrete Execution
2020 KARONTE: Detecting Insecure Multi-binary Interactions in Embedded Firmware
2020 Device-agnostic Firmware Execution is Possible: A Concolic Execution Approach for Peripheral Emulation
2020 KOOBE: Towards Facilitating Exploit Generation of Kernel Out-Of-Bounds Write Vulnerabilities
2019 BinTrimmer: Towards Static Binary Debloating Through Abstract Interpretation
2019 Sleak: Automating Address Space Layout Derandomization
2018 HeapHopper: Bringing Bounded Model Checking to Heap Implementation Security
2017 Rethinking Pointer Reasoning in Symbolic Execution
2017 Your Exploit is Mine: Automatic Shellcode Transplant for Remote Exploits
2017 BOOMERANG: Exploiting the Semantic Gap in Trusted Execution Environments
2017 Ramblr: Making Reassembly Great Again
2017 BootStomp: On the Security of Bootloaders in Mobile Devices
2017 Piston: Uncooperative Remote Runtime Patching
2016 SoK: (State of) The Art of War: Offensive Techniques in Binary Analysis
2016
2015 Firmalice – Automatic Detection of Authentication Bypass Vulnerabilities in Binary Firmware

GitHub

https://github.com/degrigis/awesome-angr