angr, a binary analysis framework

What is angr?

angr is a python framework for analyzing binaries. It focuses on both static and dynamic symbolic ("concolic") analysis, making it applicable to a variety of tasks.

As an introduction to angr's capabilities, here is a brief code example that analyzes a fake backdoored firmware image to perform control-flow analysis and find the backdoor via symbolic execution:

>>> import angr
>>> proj = angr.Project('./fauxware')
>>> cfg = proj.analyses.CFG()
>>> dict(proj.kb.functions)
{4195552L: <Function _init (0x4004e0)>,
 4195600L: <Function plt.puts (0x400510)>,
 4195616L: <Function plt.printf (0x400520)>,
 4195632L: <Function plt.read (0x400530)>,
 4195648L: <Function plt.__libc_start_main (0x400540)>,
 4195664L: <Function plt.strcmp (0x400550)>,
 4195680L: <Function plt.open (0x400560)>,
 4195696L: <Function plt.exit (0x400570)>,
 4195712L: <Function _start (0x400580)>,
 4195756L: <Function call_gmon_start (0x4005ac)>,
 4195904L: <Function frame_dummy (0x400640)>,
 4195940L: <Function authenticate (0x400664)>,
 4196077L: <Function accepted (0x4006ed)>,
 4196093L: <Function rejected (0x4006fd)>,
 4196125L: <Function main (0x40071d)>,
 4196320L: <Function __libc_csu_init (0x4007e0)>,
 4196480L: <Function __do_global_ctors_aux (0x400880)>}
>>> pg = proj.factory.path_group().explore(find=0x4006ed)
>>> pg.found[0].state.posix.dumps(0)
'\x00\x00\x00\x00\x00\x00\x00\x00\x00SOSNEAKY\x00'

How do I learn?

There are a few resources you can use to help you get up to speed!

Documentation and walk-throughs available in e-book form and repository form, including ready-to-run examples
The API reference
The presentations from angr's debut at DEFCON 23 (video) and Blackhat 2015 (video)
Presentations discussing Shellphish's use of angr in the DARPA Cyber Grand Challenge at HITCON ENT 2015, HITCON CMT 2015, and 32C3 (video)

What's it made of?

angr is made up of several subprojects, all of which are open-source!

an executable and library loader, CLE
a library describing various architectures, archinfo
a Python wrapper around the binary code lifter VEX, PyVEX
a VEX simulation engine, SimuVEX
a data backend to abstract away differences between static and symbolic domains, Claripy
the full-program analysis suite itself, angr
a GUI for some features of angr, angr-management

How has it been used academically?

If you have used angr or its sub-components in research, please cite the paper describing it:

@inproceedings{shoshitaishvili2016state,
  title={{SoK: (State of) The Art of War: Offensive Techniques in Binary Analysis}},
  author={Shoshitaishvili, Yan and Wang, Ruoyu and Salls, Christopher and
          Stephens, Nick and Polino, Mario and Dutcher, Andrew and Grosen, John and
          Feng, Siji and Hauser, Christophe and Kruegel, Christopher and Vigna, Giovanni},
  booktitle={IEEE Symposium on Security and Privacy},
  year={2016}
}

Show more papers

Show fewer papers

Additionally, the angr authors have used angr in the following publications:

@inproceedings{stephens2016driller,
  title={{Driller: Augmenting Fuzzing Through Selective Symbolic Execution}},
  author={Stephens, Nick and Grosen, John and Salls, Christopher and Dutcher, Andrew and
          Wang, Ruoyu and Corbetta, Jacopo and Shoshitaishvili, Yan and
          Kruegel, Christopher and Vigna, Giovanni},
  booktitle={Proceedings of the 2016 Network and Distributed System Security Symposium},
  year={2016}
}

@inproceedings{shoshitaishvili2015firmalice,
  title={{Firmalice - Automatic Detection of Authentication Bypass Vulnerabilities
         in Binary Firmware}},
  author={Shoshitaishvili, Yan and Wang, Ruoyu and Hauser, Christophe and
          Kruegel, Christopher and Vigna, Giovanni},
  booktitle={Proceedings of the 2015 Network and Distributed System Security Symposium},
  year={2015}
}

Finally, angr (or its subcomponents) have been used in many other academic works:

@article{parvez2016combining,
  title={{Combining Static Analysis and Targeted Symbolic Execution for Scalable
         Bug-finding in Application Binaries}},
  author={Parvez, Muhammad Riyad},
  year={2016},
  publisher={University of Waterloo}
}

@inproceedings{pewny2015cross,
  title={{Cross-Architecture Bug Search in Binary Executables}},
  author={Pewny, Jannik and Garmany, Behrad and Gawlik, Robert and Rossow, Christian
          and Holz, Thorsten},
  booktitle={Security and Privacy (SP), 2015 IEEE Symposium on},
  pages={709--724},
  year={2015},
  organization={IEEE}
}

@inproceedings{vogl2014dynamic,
  title={{Dynamic hooks: hiding control flow changes within non-control data}},
  author={Vogl, Sebastian and Gawlik, Robert and Garmany, Behrad and Kittel, Thomas
          and Pfoh, Jonas and Eckert, Claudia and Holz, Thorsten},
  booktitle={23rd USENIX Security Symposium (USENIX Security 14)},
  pages={813--328},
  year={2014}
}

And non-academically?

angr was one of the underpinnings of Shellphish's Cyber Reasoning System for the DARPA Cyber Grand Challenge, enabling them to win third place in the final round! Shellphish has also used angr in many CTFs.

Who works on angr?

angr is worked on by several researchers in the Computer Security Lab at UC Santa Barbara. Core developers (arbitrarily, 1000+ lines of code!) include:

Yan Shoshitaishvili
Ruoyu (Fish) Wang
Andrew Dutcher
Christophe Hauser
John Grosen
Chris Salls
Nick Stephens
Nilo Redini

angr would never have happened if it were not for the vision, wisdom, guidance, and support of our professors:

Christopher Kruegel
Giovanni Vigna

Additionally, we would like to acknowledge the following individuals for their work on and support of angr:

Ronny Chevalier
Aravind Machiry
Sébastien Duquette