angr

What is angr?

angr is a Python framework for analyzing binaries. It supports both static analysis and dynamic symbolic ("concolic") execution, making it applicable to a variety of tasks.

As an introduction to angr's capabilities, here is a brief code example that analyzes a fake backdoored firmware image to perform control-flow analysis and find the backdoor via symbolic execution:

>>> import angr
>>> proj = angr.Project('./fauxware')
>>> cfg = proj.analyses.CFG()
>>> dict(proj.kb.functions)
{4195552L: <Function _init (0x4004e0)>,
 4195600L: <Function plt.puts (0x400510)>,
 4195616L: <Function plt.printf (0x400520)>,
 4195632L: <Function plt.read (0x400530)>,
 4195648L: <Function plt.__libc_start_main (0x400540)>,
 4195664L: <Function plt.strcmp (0x400550)>,
 4195680L: <Function plt.open (0x400560)>,
 4195696L: <Function plt.exit (0x400570)>,
 4195712L: <Function _start (0x400580)>,
 4195756L: <Function call_gmon_start (0x4005ac)>,
 4195904L: <Function frame_dummy (0x400640)>,
 4195940L: <Function authenticate (0x400664)>,
 4196077L: <Function accepted (0x4006ed)>,
 4196093L: <Function rejected (0x4006fd)>,
 4196125L: <Function main (0x40071d)>,
 4196320L: <Function __libc_csu_init (0x4007e0)>,
 4196480L: <Function __do_global_ctors_aux (0x400880)>}
>>> pg = proj.factory.path_group().explore(find=0x4006ed)
>>> pg.found[0].state.posix.dumps(0)
'\x00\x00\x00\x00\x00\x00\x00\x00\x00SOSNEAKY\x00'
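The same fauxware walkthrough as an added example, written against angr's current simulation-manager API rather than the older path_group API shown above. This is not code from the angr project itself. It assumes angr is installed, that the './fauxware' test binary from the session above is in the working directory, and that the CFG recovers functions named 'accepted' and 'rejected' as the listing above shows; the 'avoid' target and the stdin-splitting helper are additions of this example.

```python
"""Added example (not the angr project's own code): recover a CFG, look up
the 'accepted' and 'rejected' functions by name, and symbolically explore
for a stdin that reaches 'accepted' without ever passing through 'rejected'.

Assumptions: angr is installed and './fauxware' (the binary from the REPL
session on this page) is in the working directory."""


def find_backdoor_input(binary_path="./fauxware"):
    """Return the concretized stdin bytes that drive fauxware to 'accepted'.

    angr is imported inside the function so that split_stdin() below can be
    used (and tested) without angr installed.
    """
    import angr  # assumption: angr is importable in this environment

    proj = angr.Project(binary_path, auto_load_libs=False)
    cfg = proj.analyses.CFGFast()

    # Function names recovered by the CFG, as in the listing on this page.
    accepted = cfg.kb.functions.function(name="accepted").addr
    rejected = cfg.kb.functions.function(name="rejected").addr

    # explore() with both find= and avoid= prunes paths that hit 'rejected',
    # which keeps the state count down compared with find= alone.
    simgr = proj.factory.simulation_manager(proj.factory.entry_state())
    simgr.explore(find=accepted, avoid=rejected)
    if not simgr.found:
        raise RuntimeError("no path to 'accepted' was found")
    return simgr.found[0].posix.dumps(0)


def split_stdin(stdin_bytes):
    """Split a concretized stdin dump into the non-empty NUL-delimited fields.

    Bytes that the solver left unconstrained are concretized to 0x00, which is
    why the dump above starts with a run of NULs before the password; those
    empty fields are dropped here.
    """
    fields = stdin_bytes.split(b"\x00")
    return [f.decode("ascii", errors="replace") for f in fields if f]


if __name__ == "__main__":
    raw = find_backdoor_input()
    print(repr(raw))
    print(split_stdin(raw))
```

Running the script prints the raw dump and then the single recovered field; the NUL padding in the dump corresponds to the username bytes the program read but never constrained.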

How do I learn?

There are a few resources you can use to help you get up to speed!

What's it made of?

angr is made up of several subprojects, all of which are open-source!

How has it been used academically?

If you have used angr or its sub-components in research, please cite the paper describing it:

@inproceedings{shoshitaishvili2016state,
  title={{SoK: (State of) The Art of War: Offensive Techniques in Binary Analysis}},
  author={Shoshitaishvili, Yan and Wang, Ruoyu and Salls, Christopher and
          Stephens, Nick and Polino, Mario and Dutcher, Andrew and Grosen, John and
          Feng, Siji and Hauser, Christophe and Kruegel, Christopher and Vigna, Giovanni},
  booktitle={IEEE Symposium on Security and Privacy},
  year={2016}
}

And non-academically?

angr was one of the underpinnings of Shellphish's Cyber Reasoning System for the DARPA Cyber Grand Challenge, enabling them to win third place in the final round! Shellphish has also used angr in many CTFs.

Who works on angr?

angr is worked on by several researchers in the Computer Security Lab at UC Santa Barbara. Core developers (arbitrarily defined as contributors of 1000+ lines of code!) include:

angr would never have happened if it were not for the vision, wisdom, guidance, and support of our professors:

Additionally, we would like to acknowledge the following individuals for their work on and support of angr: