angr
We're launching an angr blog! The first post, with plans for the upcoming year, is here.

What is angr?

angr is a Python framework for analyzing binaries. It focuses on both static and dynamic symbolic ("concolic") analysis, making it applicable to a variety of tasks.

As an introduction to angr's capabilities, here is a brief code example that recovers the control-flow graph of a fake backdoored firmware image and then uses symbolic execution to find the input that reaches the backdoor:

>>> import angr
>>> proj = angr.Project('./fauxware')
>>> cfg = proj.analyses.CFG()
>>> dict(proj.kb.functions)
{4195552L: <Function _init (0x4004e0)>,
 4195600L: <Function plt.puts (0x400510)>,
 4195616L: <Function plt.printf (0x400520)>,
 4195632L: <Function plt.read (0x400530)>,
 4195648L: <Function plt.__libc_start_main (0x400540)>,
 4195664L: <Function plt.strcmp (0x400550)>,
 4195680L: <Function plt.open (0x400560)>,
 4195696L: <Function plt.exit (0x400570)>,
 4195712L: <Function _start (0x400580)>,
 4195756L: <Function call_gmon_start (0x4005ac)>,
 4195904L: <Function frame_dummy (0x400640)>,
 4195940L: <Function authenticate (0x400664)>,
 4196077L: <Function accepted (0x4006ed)>,
 4196093L: <Function rejected (0x4006fd)>,
 4196125L: <Function main (0x40071d)>,
 4196320L: <Function __libc_csu_init (0x4007e0)>,
 4196480L: <Function __do_global_ctors_aux (0x400880)>}
>>> pg = proj.factory.path_group().explore(find=0x4006ed)
>>> pg.found[0].state.posix.dumps(0)
'\x00\x00\x00\x00\x00\x00\x00\x00\x00SOSNEAKY\x00'

How do I learn?

There are a few resources you can use to help you get up to speed!

How do I get involved (or get help)?

There are a few resources you can use to help you get up to speed or get you contributing to the project!

In all this, please keep in mind that angr is a large project being frantically worked on by a very small group of overworked students. It's open source, with a typical open source support model (i.e., pray for the best).

For an idea of what to help with, check this out.

What's angr made of?

angr is made up of several subprojects, all of which are open-source!

How has it been used?

We have used angr heavily in our academic research! If you have used angr or its sub-components in your research, please cite at least the following paper describing it:

@inproceedings{shoshitaishvili2016state,
  title={{SoK: (State of) The Art of War: Offensive Techniques in Binary Analysis}},
  author={Shoshitaishvili, Yan and Wang, Ruoyu and Salls, Christopher and
          Stephens, Nick and Polino, Mario and Dutcher, Andrew and Grosen, John and
          Feng, Siji and Hauser, Christophe and Kruegel, Christopher and Vigna, Giovanni},
  booktitle={IEEE Symposium on Security and Privacy},
  year={2016}
}

Non-academically, angr was one of the underpinnings of Shellphish's Cyber Reasoning System for the DARPA Cyber Grand Challenge, enabling them to win third place in the final round (more info here)! Shellphish has also used angr in many CTFs.

Who works on angr?

angr is worked on by several researchers in the Computer Security Lab at UC Santa Barbara. Core developers (defined, arbitrarily, as those who have contributed 1000+ lines of code!) include:

angr would never have happened if it were not for the vision, wisdom, guidance, and support of our professors:

Additionally, there are many open-source contributors, whom you can see in the various repositories in the angr GitHub organizations.