Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/degrigis/awesome-angr
A collection of resources/tools and analyses for the angr binary analysis framework.
https://github.com/degrigis/awesome-angr
List: awesome-angr
Last synced: about 1 month ago
JSON representation
A collection of resources/tools and analyses for the angr binary analysis framework.
- Host: GitHub
- URL: https://github.com/degrigis/awesome-angr
- Owner: degrigis
- Created: 2021-09-09T18:30:18.000Z (over 3 years ago)
- Default Branch: main
- Last Pushed: 2022-07-28T18:17:18.000Z (over 2 years ago)
- Last Synced: 2024-05-21T16:11:04.088Z (7 months ago)
- Language: Python
- Homepage:
- Size: 128 KB
- Stars: 144
- Watchers: 8
- Forks: 8
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
Awesome Lists containing this project
- ultimate-awesome - awesome-angr - A collection of resources/tools and analyses for the angr binary analysis framework. (Other Lists / Monkey C Lists)
README
# Awesome angr [![Awesome](https://cdn.rawgit.com/sindresorhus/awesome/d7305f38d29fed78fa85652e3a63e154dd8e8829/media/badge.svg)](https://github.com/sindresorhus/awesome)
A collection of resources/tools and analyses for the [angr](https://github.com/angr) binary analysis framework.
This page does not only collect links and external resources, but its meant to be an harbour to release any non-official extensions/tool/utils that can be useful when working with angr.## ExplorationTechniques 📁
A collection of exploration techniques written by the community
* *SimgrViz*: an exploration technique that collects information regarding the states generated by the SimulationManager and creates a graph that can be later visualized to debug the analyses (.dot file).
* *MemLimiter*: an exploration technique to stop the analysis when memory consumption is too high!
* *ExplosionDetector*: stop the analysis when there are too many states or other critical errors happen.
* *KLEECoverageOptimizeSearch*: KLEE technique to improve coverage.
* *KLEERandomSearch*: an ET for random path selection.
* *LoopExhaustion*: a loop exhaustion search strategy.
* *StochasticSearch*: an ET for stocastic search of active states.
* *HeartBeat*: An exploration technique to make sure symbolic execution is alive and provides some utility to gently hijack into the DSE while it is running.## Documentation :book:
* [docs.angr.op](https://docs.angr.io/) - Official angr general documentatoin website.
* [angr.io](http://angr.io/api-doc/angr.html) - Official angr API documentation.
* [Intro to Binary Analysis with Z3 and angr](https://github.com/FSecureLABS/z3_and_angr_binary_analysis_workshop) - FSecureLABS workshop on using Z3 and the angr framework.## Projects :rocket:
List of academic/not-acadamic projects based on angr which code is open source.
* [Heaphopper](https://github.com/angr/heaphopper) - Apply symbolic execution to automatically verify security properties of most common heap libraries.
* [angr-cli](https://github.com/fmagin/angr-cli) - Command line interface for angr a la peda/GEF/pwndbg.
* [Syml](https://github.com/ucsb-seclab/syml) - Use ML to prioritize exploration of promising vulnerable paths.
* [Angrop](https://github.com/angr/angrop) - Generate ropchains using angr and symbolic execution.
* [Angr-management](https://github.com/angr/angr-management) - GUI for angr.
* [Mechaphish](https://github.com/mechaphish) - AEG system for CGC.
* [angr-static-analysis-for-vuzzer64](https://github.com/ash09/angr-static-analysis-for-vuzzer64) - angr-based static analysis module for Vuzzer.
* [FirmXRay-angr](https://github.com/ucsb-seclab/monolithic-firmware-collection/tree/master/utils/firmxray) - An angr version of the base address detection analysis implemented in [FirmXRay](https://github.com/OSUSecLab/FirmXRay).
* [IVTSpotter](https://github.com/ucsb-seclab/monolithic-firmware-collection/blob/master/utils/ivt_spotter/spot_ivt.py) - An IVT Spotter for monolithic ARM firmware images.
* [MemSight](https://github.com/season-lab/memsight) - Rethinking Pointer Reasoning in Symbolic Execution.
* [Karonte](https://github.com/ucsb-seclab/karonte) - Detecting Insecure Multi-binary Interactions in Embedded Firmware.
* [BootStomp](https://github.com/ucsb-seclab/BootStomp) - A bootloader vulnerability finder.
* [SaTC](https://github.com/NSSL-SJTU/SaTC/) - A prototype of Shared-keywords aware Taint Checking(SaTC), a static analysis method that tracks user input between front-end and back-end for vulnerability discovery effectively and efficiently.
* [Arbiter](https://github.com/jkrshnmenon/arbiter) - Arbiter is a combination of static and dynamic analyses, built on top of angr, that can be used to detect some vulnerability classes.
## Blogposts :newspaper:
* [angr-blog](https://angr.io/) - Official angr blog.
* [A reaching definition engine for binary analysis built-in in angr.](https://degrigis.github.io/posts/angr_rd/) - A walk-through of the ReachingDefinition analysis built-in in angr.
* [shellphish-phrack](http://phrack.org/papers/cyber_grand_shellphish.html) - Phrack article on [Mechaphish](https://github.com/mechaphish), the AEG system based on angr that got 3rd place at the CGC.
* [angr-tutorial](https://blog.notso.pro/2019-03-20-angr-introduction-part0/) - Introduction to angr - baby steps in symbolic execution.
* [bcheck](https://github.com/ChrisTheCoolHut/bcheck) - Binary check tool to identify command injection and format string vulnerabilities in blackbox binaries.## Papers :page_with_curl:
Here a collection of papers which used or whose project is based on the angr framework.
| Year | Paper |
| :------------- | :----------: |
| 2022 | [Heapster: Analyzing the Security of Dynamic Allocators for Monolithic Firmware Images](https://degrigis.github.io/bins/heapster.pdf)
| 2022 | [Arbiter: Bridging the Static and Dynamic Divide in Vulnerability Discovery on Binary Programs](https://www.s3.eurecom.fr/docs/usenixsec22_arbiter.pdf)
| 2022 | [Ferry: State-Aware Symbolic Execution for Exploring State-Dependent Program Paths](https://www.usenix.org/system/files/sec22summer_zhou-shunfan.pdf)
| 2022 | [Fuzzware: Using Precise MMIO Modeling for Effective Firmware Fuzzing](https://sites.cs.ucsb.edu/~vigna/publications/2022_USENIXSecurity_Fuzzware.pdf)
| 2021 | [Jetset: Targeted Firmware Rehosting for Embedded Systems](https://www.usenix.org/system/files/sec21fall-johnson.pdf)
| 2021 | [SoK: All You Ever Wanted to Know About x86/x64 Binary Disassembly But Were Afraid to Ask](https://www.portokalidis.net/files/sok86disas_oakland21.pdf)
| 2021 | [SyML: Guiding Symbolic Execution Toward Vulnerable States Through Pattern Learning](https://conand.me/publications/ruaro-syml-2021.pdf)
| 2021 | [DIANE: Identifying Fuzzing Triggers in Apps to Generate Under-constrained Inputs for IoT Devices](https://conand.me/publications/redini-diane-2021.pdf)
| 2021 | [Sharing More and Checking Less: Leveraging Common Input Keywords to Detect Bugs in Embedded Systems](https://www.usenix.org/system/files/sec21fall-chen-libo.pdf)
| 2021 | [Boosting symbolic execution via constraint solving time prediction (experience paper)](https://dl.acm.org/doi/10.1145/3460319.3464813)
| 2020 | [DICE: Automatic Emulation of DMA Input Channels for Dynamic Firmware Analysis](https://arxiv.org/pdf/2007.01502.pdf)
| 2020 | [Towards Constant-Time Foundations for the New Spectre Era](https://cseweb.ucsd.edu/~cdisselk/papers/ct-foundations.pdf)
| 2020 | [Symbion: Interleaving Symbolic with Concrete Execution](https://sites.cs.ucsb.edu/~vigna/publications/2020_CNS_Symbion.pdf) |
| 2020 | [KARONTE: Detecting Insecure Multi-binary Interactions in Embedded Firmware](https://www.badnack.it/static/papers/University/karonte.pdf) |
| 2020 | [Device-agnostic Firmware Execution is Possible: A Concolic Execution Approach for Peripheral Emulation](https://dl.acm.org/doi/10.1145/3427228.3427280) |
| 2020 | [KOOBE: Towards Facilitating Exploit Generation of Kernel Out-Of-Bounds Write Vulnerabilities](https://www.usenix.org/system/files/sec20summer_chen-weiteng_prepub.pdf)
| 2020 | [BugMiner: Mining the Hard-to-Reach Software Vulnerabilities through the Target-Oriented Hybrid Fuzzer](https://www.mdpi.com/2079-9292/10/1/62/pdf)
| 2019 | [Enhancing Symbolic Execution by Machine Learning Based Solver Selection](https://www.csie.ntu.edu.tw/~hchsiao/pub/2019_BAR.pdf)
| 2019 | [BinTrimmer: Towards Static Binary Debloating Through Abstract Interpretation](https://sites.cs.ucsb.edu/~chris/research/doc/dimva19_bintrimmer.pdf)
| 2019 | [Sleak: Automating Address Space Layout Derandomization](https://par.nsf.gov/servlets/purl/10155109)
| 2019 | [Time and Order: Towards Automatically Identifying Side-Channel Vulnerabilities in Enclave Binaries](https://www.usenix.org/conference/raid2019/presentation/wang-wubing)
| 2018 | [HeapHopper: Bringing Bounded Model Checking to Heap Implementation Security](https://sites.cs.ucsb.edu/~chris/research/doc/usenix18_heaphopper.pdf)
| 2018 | [Efficient Extraction of Malware Signatures Through System Calls and Symbolic Execution: An Experience Report](https://hal.inria.fr/hal-01954483/document)
| 2018 | [Dynamic Path Pruning in Symbolic Execution](https://www.csie.ntu.edu.tw/~hchsiao/pub/2018_IEEE_DSC.pdf)
| 2018 | [On Benchmarking the Capability of Symbolic Execution Tools with Logic Bombs](https://arxiv.org/pdf/1712.01674.pdf)
| 2017 | [Rethinking Pointer Reasoning in Symbolic Execution](https://github.com/season-lab/memsight/raw/master/publications/memsight-ase17.pdf)
| 2017 | [Your Exploit is Mine: Automatic Shellcode Transplant for Remote Exploits](https://www.ieee-security.org/TC/SP2017/papers/579.pdf)
| 2017 | [BOOMERANG: Exploiting the Semantic Gap in Trusted Execution Environments](https://sites.cs.ucsb.edu/~vigna/publications/2017_NDSS_Boomerang.pdf)
| 2017 | [Ramblr: Making Reassembly Great Again](https://sefcom.asu.edu/publications/ramblr-making-reassembly-great-again-ndss2017.pdf)
| 2017 | [BootStomp: On the Security of Bootloaders in Mobile Devices](https://www.usenix.org/system/files/conference/usenixsecurity17/sec17-redini.pdf) |
| 2017 | [Piston: Uncooperative Remote Runtime Patching](https://sefcom.asu.edu/publications/piston-uncooperative-remote-runtime-patching-acsac2017.pdf)
| 2016 | [SoK: (State of) The Art of War: Offensive Techniques in Binary Analysis](https://sites.cs.ucsb.edu/~vigna/publications/2016_SP_angrSoK.pdf)
| 2016 | [Driller: Augmenting Fuzzing Through Selective Symbolic Execution](https://sites.cs.ucsb.edu/~chris/research/doc/ndss16_driller.pdf)
| 2015 | [Firmalice - Automatic Detection of Authentication Bypass Vulnerabilities in Binary Firmware](https://sites.cs.ucsb.edu/~chris/research/doc/ndss15_firmalice.pdf) |