Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.
Awesome Lists | Featured Topics | Projects
https://github.com/degrigis/awesome-angr

A collection of resources/tools and analyses for the angr binary analysis framework.
https://github.com/degrigis/awesome-angr
List: awesome-angr
Last synced: about 1 month ago
JSON representation
A collection of resources/tools and analyses for the angr binary analysis framework.
Host: GitHub
URL: https://github.com/degrigis/awesome-angr
Owner: degrigis
Created: 2021-09-09T18:30:18.000Z (about 3 years ago)
Default Branch: main
Last Pushed: 2022-07-28T18:17:18.000Z (about 2 years ago)
Last Synced: 2024-05-21T16:11:04.088Z (4 months ago)
Language: Python
Homepage:
Size: 128 KB
Stars: 144
Watchers: 8
Forks: 8
Open Issues: 0
Metadata Files:
- Readme: README.md
Awesome Lists containing this project

ultimate-awesome - awesome-angr - A collection of resources/tools and analyses for the angr binary analysis framework. (Other Lists / PowerShell Lists)
README

        # Awesome angr [![Awesome](https://cdn.rawgit.com/sindresorhus/awesome/d7305f38d29fed78fa85652e3a63e154dd8e8829/media/badge.svg)](https://github.com/sindresorhus/awesome)

A collection of resources/tools and analyses for the [angr](https://github.com/angr) binary analysis framework.

This page does not only collect links and external resources, but its meant to be an harbour to release any non-official extensions/tool/utils that can be useful when working with angr.

## ExplorationTechniques 📁

A collection of exploration techniques written by the community

* *SimgrViz*: an exploration technique that collects information regarding the states generated by the SimulationManager and creates a graph that can be later visualized to debug the analyses (.dot file). 

* *MemLimiter*: an exploration technique to stop the analysis when memory consumption is too high!

* *ExplosionDetector*: stop the analysis when there are too many states or other critical errors happen.

* *KLEECoverageOptimizeSearch*: KLEE technique to improve coverage. 

* *KLEERandomSearch*: an ET for random path selection.

* *LoopExhaustion*: a loop exhaustion search strategy.

* *StochasticSearch*: an ET for stocastic search of active states.

* *HeartBeat*: An exploration technique to make sure symbolic execution is alive and provides some utility to gently hijack into the DSE while it is running.

## Documentation :book:

* [docs.angr.op](https://docs.angr.io/) - Official angr general documentatoin website.

* [angr.io](http://angr.io/api-doc/angr.html) - Official angr API documentation.

* [Intro to Binary Analysis with Z3 and angr](https://github.com/FSecureLABS/z3_and_angr_binary_analysis_workshop) - FSecureLABS workshop on using Z3 and the angr framework.

## Projects :rocket:

List of academic/not-acadamic projects based on angr which code is open source.

* [Heaphopper](https://github.com/angr/heaphopper) - Apply symbolic execution to automatically verify security properties of most common heap libraries.

* [angr-cli](https://github.com/fmagin/angr-cli) - Command line interface for angr a la peda/GEF/pwndbg.

* [Syml](https://github.com/ucsb-seclab/syml) - Use ML to prioritize exploration of promising vulnerable paths.

* [Angrop](https://github.com/angr/angrop) - Generate ropchains using angr and symbolic execution.

* [Angr-management](https://github.com/angr/angr-management) - GUI for angr.

* [Mechaphish](https://github.com/mechaphish) - AEG system for CGC.

* [angr-static-analysis-for-vuzzer64](https://github.com/ash09/angr-static-analysis-for-vuzzer64) - angr-based static analysis module for Vuzzer.

* [FirmXRay-angr](https://github.com/ucsb-seclab/monolithic-firmware-collection/tree/master/utils/firmxray) - An angr version of the base address detection analysis implemented in [FirmXRay](https://github.com/OSUSecLab/FirmXRay).

* [IVTSpotter](https://github.com/ucsb-seclab/monolithic-firmware-collection/blob/master/utils/ivt_spotter/spot_ivt.py) - An IVT Spotter for monolithic ARM firmware images.

* [MemSight](https://github.com/season-lab/memsight) - Rethinking Pointer Reasoning in Symbolic Execution.

* [Karonte](https://github.com/ucsb-seclab/karonte) - Detecting Insecure Multi-binary Interactions in Embedded Firmware.

* [BootStomp](https://github.com/ucsb-seclab/BootStomp) - A bootloader vulnerability finder.

* [SaTC](https://github.com/NSSL-SJTU/SaTC/) - A prototype of Shared-keywords aware Taint Checking(SaTC), a static analysis method that tracks user input between front-end and back-end for vulnerability discovery effectively and efficiently.

* [Arbiter](https://github.com/jkrshnmenon/arbiter) - Arbiter is a combination of static and dynamic analyses, built on top of angr, that can be used to detect some vulnerability classes.

## Blogposts :newspaper:

* [angr-blog](https://angr.io/) - Official angr blog.

* [A reaching definition engine for binary analysis built-in in angr.](https://degrigis.github.io/posts/angr_rd/) - A walk-through of the ReachingDefinition analysis built-in in angr.

* [shellphish-phrack](http://phrack.org/papers/cyber_grand_shellphish.html) - Phrack article on [Mechaphish](https://github.com/mechaphish), the AEG system based on angr that got 3rd place at the CGC.

* [angr-tutorial](https://blog.notso.pro/2019-03-20-angr-introduction-part0/) - Introduction to angr - baby steps in symbolic execution.

* [bcheck](https://github.com/ChrisTheCoolHut/bcheck) - Binary check tool to identify command injection and format string vulnerabilities in blackbox binaries.

## Papers :page_with_curl:

Here a collection of papers which used or whose project is based on the angr framework.

| Year       | Paper     | 

| :------------- | :----------: | 

| 2022 | [Heapster: Analyzing the Security of Dynamic Allocators for Monolithic Firmware Images](https://degrigis.github.io/bins/heapster.pdf)

| 2022 | [Arbiter: Bridging the Static and Dynamic Divide in Vulnerability Discovery on Binary Programs](https://www.s3.eurecom.fr/docs/usenixsec22_arbiter.pdf)

| 2022 | [Ferry: State-Aware Symbolic Execution for Exploring State-Dependent Program Paths](https://www.usenix.org/system/files/sec22summer_zhou-shunfan.pdf)

| 2022 | [Fuzzware: Using Precise MMIO Modeling for Effective Firmware Fuzzing](https://sites.cs.ucsb.edu/~vigna/publications/2022_USENIXSecurity_Fuzzware.pdf)

| 2021 | [Jetset: Targeted Firmware Rehosting for Embedded Systems](https://www.usenix.org/system/files/sec21fall-johnson.pdf)

| 2021 | [SoK: All You Ever Wanted to Know About x86/x64 Binary Disassembly But Were Afraid to Ask](https://www.portokalidis.net/files/sok86disas_oakland21.pdf)

| 2021 | [SyML: Guiding Symbolic Execution Toward Vulnerable States Through Pattern Learning](https://conand.me/publications/ruaro-syml-2021.pdf)

| 2021 | [DIANE: Identifying Fuzzing Triggers in Apps to Generate Under-constrained Inputs for IoT Devices](https://conand.me/publications/redini-diane-2021.pdf)

| 2021 | [Sharing More and Checking Less: Leveraging Common Input Keywords to Detect Bugs in Embedded Systems](https://www.usenix.org/system/files/sec21fall-chen-libo.pdf)

| 2021 | [Boosting symbolic execution via constraint solving time prediction (experience paper)](https://dl.acm.org/doi/10.1145/3460319.3464813)

| 2020 | [DICE: Automatic Emulation of DMA Input Channels for Dynamic Firmware Analysis](https://arxiv.org/pdf/2007.01502.pdf)

| 2020 | [Towards Constant-Time Foundations for the New Spectre Era](https://cseweb.ucsd.edu/~cdisselk/papers/ct-foundations.pdf)

| 2020 | [Symbion: Interleaving Symbolic with Concrete Execution](https://sites.cs.ucsb.edu/~vigna/publications/2020_CNS_Symbion.pdf) |

| 2020 | [KARONTE: Detecting Insecure Multi-binary Interactions in Embedded Firmware](https://www.badnack.it/static/papers/University/karonte.pdf) | 

| 2020 | [Device-agnostic Firmware Execution is Possible: A Concolic Execution Approach for Peripheral Emulation](https://dl.acm.org/doi/10.1145/3427228.3427280) |

| 2020 | [KOOBE: Towards Facilitating Exploit Generation of Kernel Out-Of-Bounds Write Vulnerabilities](https://www.usenix.org/system/files/sec20summer_chen-weiteng_prepub.pdf)

| 2020 | [BugMiner: Mining the Hard-to-Reach Software Vulnerabilities through the Target-Oriented Hybrid Fuzzer](https://www.mdpi.com/2079-9292/10/1/62/pdf)

| 2019 | [Enhancing Symbolic Execution by Machine Learning Based Solver Selection](https://www.csie.ntu.edu.tw/~hchsiao/pub/2019_BAR.pdf)

| 2019 | [BinTrimmer: Towards Static Binary Debloating Through Abstract Interpretation](https://sites.cs.ucsb.edu/~chris/research/doc/dimva19_bintrimmer.pdf)

| 2019 | [Sleak: Automating Address Space Layout Derandomization](https://par.nsf.gov/servlets/purl/10155109)

| 2019 | [Time and Order: Towards Automatically Identifying Side-Channel Vulnerabilities in Enclave Binaries](https://www.usenix.org/conference/raid2019/presentation/wang-wubing)

| 2018 | [HeapHopper: Bringing Bounded Model Checking to Heap Implementation Security](https://sites.cs.ucsb.edu/~chris/research/doc/usenix18_heaphopper.pdf)

| 2018 | [Efficient Extraction of Malware Signatures Through System Calls and Symbolic Execution: An Experience Report](https://hal.inria.fr/hal-01954483/document)

| 2018 | [Dynamic Path Pruning in Symbolic Execution](https://www.csie.ntu.edu.tw/~hchsiao/pub/2018_IEEE_DSC.pdf)

| 2018 | [On Benchmarking the Capability of Symbolic Execution Tools with Logic Bombs](https://arxiv.org/pdf/1712.01674.pdf)

| 2017 | [Rethinking Pointer Reasoning in Symbolic Execution](https://github.com/season-lab/memsight/raw/master/publications/memsight-ase17.pdf)

| 2017 | [Your Exploit is Mine: Automatic Shellcode Transplant for Remote Exploits](https://www.ieee-security.org/TC/SP2017/papers/579.pdf)

| 2017 | [BOOMERANG: Exploiting the Semantic Gap in Trusted Execution Environments](https://sites.cs.ucsb.edu/~vigna/publications/2017_NDSS_Boomerang.pdf)

| 2017 | [Ramblr: Making Reassembly Great Again](https://sefcom.asu.edu/publications/ramblr-making-reassembly-great-again-ndss2017.pdf)

| 2017 | [BootStomp: On the Security of Bootloaders in Mobile Devices](https://www.usenix.org/system/files/conference/usenixsecurity17/sec17-redini.pdf) |

| 2017 | [Piston: Uncooperative Remote Runtime Patching](https://sefcom.asu.edu/publications/piston-uncooperative-remote-runtime-patching-acsac2017.pdf)

| 2016 | [SoK: (State of) The Art of War: Offensive Techniques in Binary Analysis](https://sites.cs.ucsb.edu/~vigna/publications/2016_SP_angrSoK.pdf)

| 2016 | [Driller: Augmenting Fuzzing Through Selective Symbolic Execution](https://sites.cs.ucsb.edu/~chris/research/doc/ndss16_driller.pdf)

| 2015 | [Firmalice - Automatic Detection of Authentication Bypass Vulnerabilities in Binary Firmware](https://sites.cs.ucsb.edu/~chris/research/doc/ndss15_firmalice.pdf) |