Klee and Angr are tools for symbolic execution. Klee is a symbolic virtual machine that executes programs symbolically and generates test cases by solving constraints. It works on LLVM bitcode. Angr is a Python framework for analyzing binaries using static and dynamic symbolic analysis. It lifts binaries into an intermediate representation called VEX to analyze machine code across architectures. Both tools explore all paths in a program and solve path constraints to generate inputs that execute each path.
This document discusses software obfuscation techniques using C++ metaprogramming. It presents several implementations of string obfuscation using templates to encrypt strings at compile-time. It also discusses obfuscating function calls using finite state machines generated with metaprogramming. Debugger detection is added to fight dynamic analysis. The techniques aim to make reverse engineering and static/dynamic analysis more difficult without changing program semantics.
Valgrind is an open source tool for debugging and profiling Linux x86 programs. It uses dynamic binary instrumentation to detect memory errors like use of uninitialized values, memory leaks, and invalid reads/writes. It includes tools like Memcheck for memory errors, Massif for heap profiling, Helgrind for data race detection, and Callgrind for call graph and profiling information. The presentation discusses how Valgrind works, its various tools, and best practices for using it to improve code quality and find bugs.
Aiming at complete code coverage by unit tests tends to be cumbersome, especially for cases where external API calls a part of the code base. For these reasons, Python comes with the unittest.mock library, appearing to be a powerful companion in replacing parts of the system under test.
This full day course will give you a hands-on, deep dive into React Native. In this course, you will learn how to build cross-platform mobile applications from scratch using Facebook's React Native.
It is quite often that software developers have absolutely no clue about the cost of an error. It is very important that the error be found at the earliest possible stage.
This document provides an introduction to C++ programming including problem solving skills, software evolution, procedural and object oriented programming concepts, basic C++ programs, operators, header files, conditional statements, loops, functions, pointers, structures and arrays. It discusses topics such as analyzing problems, planning algorithms, coding solutions, evaluating results, procedural and object oriented paradigms, inheritance, polymorphism, flowcharts, basic syntax examples, and more. Various examples are provided to illustrate key concepts in C++.
The document discusses finding bugs in compilers through random testing. It found serious bugs in all tested C compilers, including 287 bugs reported so far in GCC and commercial compilers. Random testing programs are generated that perform random operations and check results. This uncovered wrong-code bugs where compilers generate code computing incorrect values as well as crash bugs. The majority of bugs were found in optimization levels above -O0. Further work is needed to expand testing to more platforms and language features and make the testing process more accessible to outside contributors.
This document provides an overview of CBStreams, a ColdFusion module that implements Java Streams functionality for processing data in a functional programming style. It discusses key concepts like lazy evaluation, intermediate operations that transform streams, and terminal operations that produce final results. Examples are given for building streams from various data sources, applying filters, maps, reductions and more. Lambda expressions and closures play an important role in functional-style stream processing.
Mock what? What Mock?Learn What is Mocking, and how to use Mocking with ColdFusion testing, development, and continuous integration. Look at Mocking and Stubbing with a touch of Theory and a lot of Examples, including what you could test, and what you should test… and what you shouldn't test (but might be fun).
Unit testing in iOS featuring OCUnit, GHUnit & OCMockRobot Media
This document provides an overview and introduction to unit testing in iOS. It discusses OCUnit, GHUnit and OCMock, which are common frameworks for unit testing, mock objects, and assertions in Objective-C and iOS. The key points covered include:
- OCUnit is the default unit testing framework for Objective-C, with built-in support in Xcode.
- GHUnit is an alternative open source framework that provides a GUI runner and additional macros.
- OCMock allows mocking objects to control and isolate dependencies in tests.
- Examples are provided of writing tests with OCUnit, GHUnit and using mock objects with OCMock.
- Reasons for unit testing like fixing bugs early and easier
Elixir is a dynamic, functional language designed for building scalable and maintainable applications. It leverages the Erlang VM, known for running low-latency, distributed and fault-tolerant systems. Elixir compiles to Erlang bytecode and provides developers' productivity through amazing tooling and documentation while enabling concurrency programming without locks or semaphores. The document then provides examples of Elixir types, functions, macros, and tools like Mix and Phoenix.
This document discusses code analysis and techniques for predicting runtime errors in source code. It describes existing solutions like detecting uninitialized variables, overflows, divide by zeros, incorrect argument data types. It also discusses detecting out-of-bounds array and pointer references, memory allocation/deallocation errors, and memory leaks. The document outlines the design of a code analyzer that takes C code as input, performs lexical and syntax analysis to generate intermediate code, and then uses the intermediate code to predict possible runtime errors. Further work mentioned includes evaluating the intermediate code to perform data and control flow analysis for error prediction.
Fortran & Link with Library & Brief Explanation of MKL BLASJongsu "Liam" Kim
This document discusses Fortran programming best practices and features. It recommends avoiding labeled DO loops, EQUIVALENCE, and COMMON blocks due to errors and complexity. Instead, it suggests using CYCLE and EXIT statements, WHERE constructs, and DO CONCURRENT for vectorization. The document also covers sparse matrix storage formats and using Intel MKL and BLAS routines for linear algebra operations.
Triton and Symbolic execution on GDB@DEF CON ChinaWei-Bo Chen
Triton and Symbolic execution on GDB is a talk about symbolic execution. It introduces Triton, a symbolic execution framework, and SymGDB, which combines Triton with GDB to enable symbolic execution directly within the GDB debugger. Key points include how Triton works, its components like the symbolic execution engine and AST representations, and how SymGDB utilizes the GDB Python API to synchronize Triton's state with the debugged program and allow symbolic analysis of programs within GDB. Examples demonstrating SymGDB on crackme programs that take symbolic user input are also presented.
SPARKNaCl: A verified, fast cryptographic libraryAdaCore
SPARKNaCl https://github.com/rod-chapman/SPARKNaCl is a new, freely-available, verified and fast reference implementation of the NaCl cryptographic API, based on the TweetNaCl distribution. It has a fully automated, complete and sound proof of type-safety and several key correctness properties. In addition, the code is surprisingly fast - out-performing TweetNaCl's C implementation on an Ed25519 Sign operation by a factor of 3 at all optimisation levels on a 32-bit RISC-V bare-metal machine. This talk will concentrate on how "Proof Driven Optimisation" can result in code that is both correct and fast.
JCConf 2020 - New Java Features Released in 2020Joseph Kuo
The document discusses new features in Java releases from JDK 13 to JDK 15, including syntax changes like switch expressions and text blocks, API changes like helpful NullPointerExceptions and reimplementing sockets, and improvements to garbage collectors like ZGC and NUMA-aware memory allocation for G1. It provides code examples to demonstrate the new features and explains their motivations and impacts.
This document discusses symbolic execution and the Triton framework. It begins with an introduction to symbolic execution and why it is useful for tasks like static and dynamic analysis. Triton is then introduced as a dynamic binary analysis framework that uses symbolic execution. Key components of Triton like the symbolic execution engine and AST representations are described. Finally, SymGDB is presented as a way to combine Triton with GDB to simplify symbolic execution debugging workflows. Examples analyzing crackme programs are provided to demonstrate SymGDB.
This document provides an introduction to Python programming including installation, basic syntax, data types, control flow, modules, sockets, structs, pwntools, vulnerabilities, practice problems, and references for further learning. It covers topics such as printing, taking input, lists, arithmetic, conditional statements, loops, functions, importing modules, sending/receiving data over sockets, packing/unpacking integers, using pwntools, and exploiting vulnerabilities like pickle injection. Example code is provided throughout to demonstrate the concepts.
1. The document discusses format string vulnerabilities and how to exploit them. Format strings allow printing variable values without specifying the type or number of parameters, allowing arbitrary memory reads and writes.
2. Examples show how to use format strings with the %n specifier to write specific values to arbitrary memory addresses by calculating offsets on the stack.
3. Exploiting format strings allows operations like GOT hijacking, leaking memory, and writing variable values to gain arbitrary code execution on vulnerable programs. The document provides resources for practicing these techniques.
This document provides information about x86 architecture including registers, flags, modes, common instructions, Intel and AT&T syntax, system calls, examples, and references. It defines the purpose of key registers like EAX, EBX, ESP and flags. It explains real and protect modes and differences between Intel and AT&T syntax. Examples demonstrate how to write assembly code and call system calls. References provided can be used to learn more about x86 assembly programming.
Retrieval Augmented Generation Evaluation with RagasZilliz
Retrieval Augmented Generation (RAG) enhances chatbots by incorporating custom data in the prompt. Using large language models (LLMs) as judge has gained prominence in modern RAG systems. This talk will demo Ragas, an open-source automation tool for RAG evaluations. Christy will talk about and demo evaluating a RAG pipeline using Milvus and RAG metrics like context F1-score and answer correctness.
Redefining Cybersecurity with AI CapabilitiesPriyanka Aash
In this comprehensive overview of Cisco's latest innovations in cybersecurity, the focus is squarely on resilience and adaptation in the face of evolving threats. The discussion covers the imperative of tackling Mal information, the increasing sophistication of insider attacks, and the expanding attack surfaces in a hybrid work environment. Emphasizing a shift towards integrated platforms over fragmented tools, Cisco introduces its Security Cloud, designed to provide end-to-end visibility and robust protection across user interactions, cloud environments, and breaches. AI emerges as a pivotal tool, from enhancing user experiences to predicting and defending against cyber threats. The blog underscores Cisco's commitment to simplifying security stacks while ensuring efficacy and economic feasibility, making a compelling case for their platform approach in safeguarding digital landscapes.
Demystifying Neural Networks And Building Cybersecurity ApplicationsPriyanka Aash
In today's rapidly evolving technological landscape, Artificial Neural Networks (ANNs) have emerged as a cornerstone of artificial intelligence, revolutionizing various fields including cybersecurity. Inspired by the intricacies of the human brain, ANNs have a rich history and a complex structure that enables them to learn and make decisions. This blog aims to unravel the mysteries of neural networks, explore their mathematical foundations, and demonstrate their practical applications, particularly in building robust malware detection systems using Convolutional Neural Networks (CNNs).
Keynote : AI & Future Of Offensive SecurityPriyanka Aash
In the presentation, the focus is on the transformative impact of artificial intelligence (AI) in cybersecurity, particularly in the context of malware generation and adversarial attacks. AI promises to revolutionize the field by enabling scalable solutions to historically challenging problems such as continuous threat simulation, autonomous attack path generation, and the creation of sophisticated attack payloads. The discussions underscore how AI-powered tools like AI-based penetration testing can outpace traditional methods, enhancing security posture by efficiently identifying and mitigating vulnerabilities across complex attack surfaces. The use of AI in red teaming further amplifies these capabilities, allowing organizations to validate security controls effectively against diverse adversarial scenarios. These advancements not only streamline testing processes but also bolster defense strategies, ensuring readiness against evolving cyber threats.
Self-Healing Test Automation Framework - HealeniumKnoldus Inc.
Revolutionize your test automation with Healenium's self-healing framework. Automate test maintenance, reduce flakes, and increase efficiency. Learn how to build a robust test automation foundation. Discover the power of self-healing tests. Transform your testing experience.
Finetuning GenAI For Hacking and DefendingPriyanka Aash
Generative AI, particularly through the lens of large language models (LLMs), represents a transformative leap in artificial intelligence. With advancements that have fundamentally altered our approach to AI, understanding and leveraging these technologies is crucial for innovators and practitioners alike. This comprehensive exploration delves into the intricacies of GenAI, from its foundational principles and historical evolution to its practical applications in security and beyond.
How UiPath Discovery Suite supports identification of Agentic Process Automat...DianaGray10
📚 Understand the basics of the newly persona-based LLM-powered Agentic Process Automation and discover how existing UiPath Discovery Suite products like Communication Mining, Process Mining, and Task Mining can be leveraged to identify APA candidates.
Topics Covered:
💡 Idea Behind APA: Explore the innovative concept of Agentic Process Automation and its significance in modern workflows.
🔄 How APA is Different from RPA: Learn the key differences between Agentic Process Automation and Robotic Process Automation.
🚀 Discover the Advantages of APA: Uncover the unique benefits of implementing APA in your organization.
🔍 Identifying APA Candidates with UiPath Discovery Products: See how UiPath's Communication Mining, Process Mining, and Task Mining tools can help pinpoint potential APA candidates.
🔮 Discussion on Expected Future Impacts: Engage in a discussion on the potential future impacts of APA on various industries and business processes.
Enhance your knowledge on the forefront of automation technology and stay ahead with Agentic Process Automation. 🧠💼✨
Speakers:
Arun Kumar Asokan, Delivery Director (US) @ qBotica and UiPath MVP
Naveen Chatlapalli, Solution Architect @ Ashling Partners and UiPath MVP
Garbage In, Garbage Out: Why poor data curation is killing your AI models (an...Zilliz
Enterprises have traditionally prioritized data quantity, assuming more is better for AI performance. However, a new reality is setting in: high-quality data, not just volume, is the key. This shift exposes a critical gap – many organizations struggle to understand their existing data and lack effective curation strategies and tools. This talk dives into these data challenges and explores the methods of automating data curation.
Connector Corner: Leveraging Snowflake Integration for Smarter Decision MakingDianaGray10
The power of Snowflake analytics enables CRM systems to improve operational efficiency, while gaining deeper insights into closed/won opportunities.
In this webinar, learn how infusing Snowflake into your CRM can quickly provide analysis for sales wins by region, product, customer segmentation, customer lifecycle—and more!
Using prebuilt connectors, we’ll show how workflows using Snowflake, Salesforce, and Zendesk tickets can significantly impact future sales.
Choosing the Best Outlook OST to PST Converter: Key Features and Considerationswebbyacad software
When looking for a good software utility to convert Outlook OST files to PST format, it is important to find one that is easy to use and has useful features. WebbyAcad OST to PST Converter Tool is a great choice because it is simple to use for anyone, whether you are tech-savvy or not. It can smoothly change your files to PST while keeping all your data safe and secure. Plus, it can handle large amounts of data and convert multiple files at once, which can save you a lot of time. It even comes with 24*7 technical support assistance and a free trial, so you can try it out before making a decision. Whether you need to recover, move, or back up your data, Webbyacad OST to PST Converter is a reliable option that gives you all the support you need to manage your Outlook data effectively.
Improving Learning Content Efficiency with Reusable Learning ContentEnterprise Knowledge
Enterprise Knowledge’s Emily Crockett, Content Engineering Consultant, presented “Improve Learning Content Efficiency with Reusable Learning Content” at the Learning Ideas conference on June 13th, 2024.
This presentation explored the basics of reusable learning content, including the types of reuse and the key benefits of reuse such as improved content maintenance efficiency, reduced organizational risk, and scalable differentiated instruction & personalization. After this primer on reuse, Crockett laid out the basic steps to start building reusable learning content alongside a real-life example and the technology stack needed to support dynamic content. Key objectives included:
- Be able to explain the difference between reusable learning content and duplicate content
- Explore how a well-designed learning content model can reduce duplicate content and improve your team’s efficiency
- Identify key tasks and steps in creating a learning content model
Latest Tech Trends Series 2024 By EY IndiaEYIndia1
Stay ahead of the curve with our comprehensive Tech Trends Series! Explore the latest technology trends shaping the world today, from the 2024 Tech Trends report and top emerging technologies to their impact on business technology trends. This series delves into the most significant technological advancements, giving you insights into both established and emerging tech trends that will revolutionize various industries.
"Hands-on development experience using wasm Blazor", Furdak Vladyslav.pptxFwdays
I will share my personal experience of full-time development on wasm Blazor
What difficulties our team faced: life hacks with Blazor app routing, whether it is necessary to write JavaScript, which technology stack and architectural patterns we chose
What conclusions we made and what mistakes we committed
2. $whoami
• 陳威伯(bananaappletw)
• Master of National Chiao Tung
University
• Organizations:
• Software Quality Laboratory
• Bamboofox member
• Vice president of NCTUCSC
• Specialize in:
• symbolic execution
• binary exploit
• Talks:
• HITCON CMT 2015
• HITCON CMT 2017
3. What is symbolic execution?
• Symbolic execution is a means of analyzing a program to determine
what inputs cause each part of a program to execute
• System-level
• S2e(https://github.com/dslab-epfl/s2e)
• User-level
• Angr(http://angr.io/)
• Triton(https://triton.quarkslab.com/)
• Code-based
• klee(http://klee.github.io/)
5. Klee
• Symbolic virtual machine built on top of the LLVM compiler
infrastructure
• Website: http://klee.github.io/
• Github: https://github.com/klee/klee
• Klee paper: http://llvm.org/pubs/2008-12-OSDI-KLEE.pdf (Worth
reading)
• Main goal of Klee:
1. Hit every line of executable code in the program
2. Detect at each dangerous operation
6. Installation
• Install docker
• sudo apt-get install docker.io
• Get klee image
• sudo docker pull klee/klee
• Run klee docker image
• sudo docker run --rm -ti --ulimit='stack=-1:-1' klee/klee
• Test environment
• Ubuntu 17.04 desktop amd64
7. Introduction
• Klee is a symbolic machine to generate test cases
• Need source code to compile to LLVM bitcode
• Steps:
• Replace input with Klee function to make memory region symbolic
• Compile source code to LLVM bitcode
• Run Klee
• Get the test cases and path's information
8. Steps
• Source code at ~/klee_src/examples/get_sign.c
• Include klee library
#include <klee/klee.h>
• Make input symbolic
klee_make_symbolic(&a, sizeof(a), "a");
• Compile to LLVM bitcode
clang -I ../../include -emit-llvm -c -g get_sign.c
9. Steps
• Examine LLVM bitcode
llvm-dis get_sign.bc
• Running KLEE
klee get_sign.bc
• Show information about test case
ktest-tool ./klee-last/*.ktest
13. Functions
• klee_make_symbolic(address, size, name)
Make memory address symbolic
klee_make_symbolic(&c, sizeof(c), "c");
Notice: Don't overlap symbolic memory regions
• klee_assume(condition)
Add condition constraint on input
klee_assume((c==2)||(d==3));
• klee_prefer_cex(object, condition)
When generating test cases, prefer certain values between equivalent test
cases
klee_prefer_cex(input, 32 <= input[i] && input[i] <= 126);
14. Functions
• Insert assert on target path
klee_assert(0)
• Find assert test case
ls ./klee-last/ | grep .assert
• Show information about test case
ktest-tool ./klee-last/*.ktest
• Using GNU c library functions
Run with --libc=uclibc --posix-runtime parameters
15. Environment Modeling
• For example:
• command-line arguments
• environment variables
• file
• data and metadata
• network packets
• ……
• Klee redirects library call to models
• If fd refers to a concrete file
Klee use pread to multiplex access from KLEE’s many states onto the one actual
underlying file descriptor
• If fd refers to a symbolic file
read() copies from the underlying symbolic buffer
16. Environment Modeling
• -sym-arg <N>
Replace by a symbolic argument with length N
• -sym-args <MIN> <MAX> <N>
Replace by at least MIN arguments and at most MAX arguments, each with
maximum length N
• -sym-files <NUM> <N>
Make NUM symbolic files (‘A’, ‘B’, ‘C’, etc.), each with size N (excluding stdin)
• -sym-stdin <N>
Make stdin symbolic with size N
18. Architecture
• Represent Klee as an interpreter loop which select a state to run and
then symbolically executes a single instruction in the context of that
state
• When Klee meets the conditional branch instruction, it clones the
state so that it could explore both paths
• By implementing heap as immutable map, portions of the heap
structure itself can also be shared amongst multiple states(copy on
write)
19. Architecture
• Potentially dangerous operations implicitly generate branches that
check if any input value exists that could cause an error(e.g., zero
divisor)
• When processing instruction, if all given operands are concrete,
performs the operation natively, returning a constant expression
• When KLEE detects an error or when a path reaches an exit call, Klee
solves the current path's constraints
20. Diagram
1. Step the program until it
meets the branch
#include <klee/klee.h>
int get_sign(int x) {
if (x == 0)
return 0;
if (x < 0)
return -1;
else
return 1;
}
int main() {
int a;
klee_make_symbolic(&a, sizeof(a), "a");
return get_sign(a);
}
21. Diagram
1. Step the program until it
meets the branch
2. If all given operands are
concrete, return constant
expression. If not, record
current condition constraints
and clone the state.
#include <klee/klee.h>
int get_sign(int x) {
if (x == 0)
return 0;
if (x < 0)
return -1;
else
return 1;
}
int main() {
int a;
klee_make_symbolic(&a, sizeof(a), "a");
return get_sign(a);
}
22. Diagram
1. Step the program until it
meets the branch
2. If all given operands are
concrete, return constant
expression. If not, record
current condition constraints
and clone the state
3. Step the states until they hit
exit call or error
X==0
Constraints:
X!=0
Next instruction:
if (x < 0)
Constraints:
X==0
Next instruction:
return 0;
23. Diagram
1. Step the program until it
meets the branch
2. If all given operands are
concrete, return constant
expression. If not, record
current condition constraints
and clone the state
3. Step the states until they hit
exit call or error
4. Solve the conditional
constraint
X==0
Constraints:
X!=0
Next instruction:
if (x < 0)
Constraints:
X==0
Next instruction:
return 0;
24. Diagram
1. Step the program until it meets the branch
2. If all given operands are concrete, return constant expression. If
not, record current condition constraints and clone the state
3. Step the states until they hit exit call or error
4. Solve the conditional constraint
5. Loop until no remaining states or user-defined timeout is reached
25. Exercises
• ccr
Sum of continuous number
https://bamboofox.cs.nctu.edu.tw/courses/1/challenges/67
• Suicide
Product of continuous number
https://bamboofox.cs.nctu.edu.tw/courses/1/challenges/68
26. Angr
• Website: http://angr.io/
• Angr is a python framework for analyzing binaries. It combines both
static and dynamic symbolic ("concolic") analysis, making it applicable
to a variety of tasks.
• Flow
• Loading a binary into the analysis program.
• Translating a binary into an intermediate representation (IR).
• Performing the actual analysis
27. Installation
• sudo apt-get install -y python-pip python-dev libffi-dev build-essential
virtualenvwrapper
• Virtualenv
• mkvirtualenv angr && pip install angr
• Direct install in system
• sudo pip install angr
• Test environment
• Ubuntu 17.04 desktop amd64
28. Flow
• Import angr
import angr
• Load the binary and initialize angr project
project = angr.Project('./ais3_crackme')
• Define argv1 as 100 bytes bitvectors
argv1 = claripy.BVS("argv1",100*8)
• Initialize the state with argv1
state = project.factory.entry_state(args=["./crackme1",argv1])
29. Flow
• Initialize the simulation manager
simgr = p.factory.simgr(state)
• Explore the states that matches the condition
simgr.explore(find= 0x400602)
• Extract one state from found states
found = simgr.found[0]
• Solve the expression with solver
solution = found.solver.eval(argv1, cast_to=str)
30. ais3 crackme
• Binary could be found in: https://github.com/angr/angr-
doc/blob/master/examples/ais3_crackme/
• Run binary with argument
• If argument is correct
print "Correct! that is the secret key!"
• else
print "I'm sorry, that's the wrong secret key!"
34. Loader
• Load the binary through angr.Project
• Loading options
• auto_load_libs
• When there is no SimProcedure
• True(Default, real library function is executed)
• False(return a generic "stub" SimProcedure called ReturnUnconstrained)
35. Intermediate Representation
• In order to be able to analyze and execute machine code from
different CPU architectures, Angr performs most of its analysis on an
intermediate representation
• Angr's intermediate representation is VEX(Valgrind), since the
uplifting of binary code into VEX is quite well supported
36. Intermediate Representation
• IR abstracts away several architecture differences when dealing with
different architectures
• Register names: VEX models the registers as a separate memory space, with
integer offsets
• Memory access: The IR abstracts difference between architectures access
memory in different ways
• Memory segmentation: Some architectures support memory segmentation
through the use of special segment registers
• Instruction side-effects: Most instructions have side-effects
37. Intermediate Representation
• addl %eax, %ebx • t3 = GET:I32(0)
• # get %eax, a 32-bit integer
• t2 = GET:I32(12)
• # get %ebx, a 32-bit integer
• t1 = Add32(t3,t2)
• # addl
• PUT(0) = t1
• # put %eax
38. Simulation Managers
• simgr.step()
Step forward all states in a given stash by one basic block
• simgr.run()
Step until everything terminates
• simgr.explore(conditions)
• find, avoid:
• An address to find or avoid
• A set or list of addresses to find or avoid
• A function that takes a state and returns whether or not it matches.
39. Bit-Vector Symbol
• claripy.BVS(name, size)
• name: The name of the symbol.
• size: The size (in bits) of the bit-vector.
• chop(bits)
• bits: A list of smaller bitvectors, each bits in length.
40. State
• Property
• registers: The state's register file as a flat memory region
• memory: The state's memory as a flat memory region
• solver(e.g., se): The solver engine for this state
• posix: information about the operating system or environment model(e.g.,
posix.files[fd])
• add_constraints(BVS condition)
• inspect.b(event, when=angr.BP_AFTER, action=debug_func)
• event: mem_read, reg_write
• when: BP_BEFORE or BP_AFTER
• action: debug_func
41. SimMemory
• load(addr, size=None)
• addr: memory address
• size: The sizein bytes
• find(addr, what)
• addr: The start address
• what: what to search for
• store(addr, data, size=None)
• addr: address to store at
• data: The data(claripy expression or something convertable to a claripy expression)
• size: The data size(claripy expression or something convertable to a claripy
expression)
42. Stash types
active This stash contains the states that will be stepped by default, unless an alternate stash is specified.
deadended
A state goes to the deadended stash when it cannot continue the execution for some reason,
including no more valid instructions, unsat state of all of its successors, or an invalid instruction
pointer.
pruned
When using LAZY_SOLVES, states are not checked for satisfiability unless absolutely necessary.
When a state is found to be unsat in the presence of LAZY_SOLVES, the state hierarchy is traversed
to identify when, in its history, it initially became unsat. All states that are descendants of that point
(which will also be unsat, since a state cannot become un-unsat) are pruned and put in this stash.
unconstrained
If the save_unconstrained option is provided to the SimulationManager constructor, states that are
determined to be unconstrained (i.e., with the instruction pointer controlled by user data or some
other source of symbolic data) are placed here.
unsat
If the save_unsat option is provided to the SimulationManager constructor, states that are
determined to be unsatisfiable (i.e., they have constraints that are contradictory, like the input
having to be both "AAAA" and "BBBB" at the same time) are placed here.
43. Hooking
• project.hook(address, hook)
• hook is a SimProcedure instance
• At every step, angr checks if the current address has been hooked,
and if so, runs the hook instead of the binary code at that address
• You could also use symbol to locate the address
• proj.hook_symbol(name, hook)
• You could use hook as function decorator, length is to jump after
finishing the hook @proj.hook(0x20000, length=5)
def my_hook(state):
state.regs.rax = 1
45. Symbolic Function
• Project tries to replace external calls to library functions by using
symbolic summaries termed SimProcedures
• Because SimProcedures are library hooks written in Python, it has
inaccuracy
• If you encounter path explosion or inaccuracy, you can do:
1. Disable the SimProcedure
2. Replace the SimProcedure with something written directly to the situation
in question
3. Fix the SimProcedure
46. Symbolic Function(scanf)
• Source code:
https://github.com/angr/angr/blob/master/angr/procedures/libc/sca
nf.py
1. Get first argument(pointer to format string)
2. Define function return type by the architecture
3. Parse format string
4. According format string, read input from file descriptor 0(i.e.,
standard input)
5. Do the read operation
47. Symbolic Function(scanf)
from angr.procedures.stubs.format_parser import FormatParser
from angr.sim_type import SimTypeInt, SimTypeString
class scanf(FormatParser):
def run(self, fmt):
self.argument_types = {0: self.ty_ptr(SimTypeString())}
self.return_type = SimTypeInt(self.state.arch.bits, True)
fmt_str = self._parse(0)
f = self.state.posix.get_file(0)
region = f.content
start = f.pos
(end, items) = fmt_str.interpret(start, 1, self.arg, region=region)
# do the read, correcting the internal file position and logging the action
self.state.posix.read_from(0, end - start)
return items
48. Symbolic Function(scanf)
class SimProcedure(object):
@staticmethod
def ty_ptr(self, ty):
return SimTypePointer(self.arch, ty)
class FormatParser(SimProcedure):
def _parse(self, fmt_idx):
"""
fmt_idx: The index of the (pointer to the) format string in the
arguments list.
"""
def interpret(self, addr, startpos, args, region=None):
"""
Interpret a format string, reading the data at `addr` in `region` into `args`
starting at `startpos`.
"""
51. Exercises
• angrman
https://bamboofox.cs.nctu.edu.tw/courses/1/challenges/69
Local binary
• magicpuzzle
Server response the base64-encoded binary, try to find out the differences,
and automatically generate the exploit
https://bamboofox.cs.nctu.edu.tw/courses/1/challenges/70
• Sushi
Server response the base64-encoded binary, try to find out the differences,
and automatically generate the exploit
https://bamboofox.cs.nctu.edu.tw/courses/1/challenges/72