angr-paper: 2016_SP_angrSoK
Eveneko Blogger


(Finding and exploiting vulnerabilities in binary code is a challenging task.)

(In this paper, we present a binary analysis framework that implements a number of analysis techniques that have been proposed in the past. We present a systematized implementation of these techniques, which allows other researchers to compose them and develop new approaches.)




  • Low-level languages do not provide safety guarantees. (many low-level languages provide few security guarantees, often leading to vulnerabilities.)
  • Compilers and toolchains have bugs too. (compilers and tool chains are not bug-free.)

The security research community has invested substantial effort in developing analysis techniques to identify flaws in binary programs. (To this end, the security research community has invested a substantial amount of effort in developing analysis techniques to identify flaws in binary programs)


  • Every research effort has to start from scratch, which wastes resources.
  • Results are hard to reproduce.

Hence angr: a binary analysis framework that incorporates several existing static and dynamic techniques so that the strengths of each can be exploited.

The Cyber Grand Challenge competition addresses the second problem: its dataset provides a test suite.
(This dataset of binaries provides a perfect test suite with which to gauge the relative effectiveness of various analyses that have been recently proposed in the literature.)


  1. We reproduce many existing offensive binary analysis approaches in a single, coherent framework, to provide an understanding of the relative effectiveness of current offensive binary analysis techniques.
  2. We show the difficulties (and the solutions to those difficulties) of combining diverse binary analysis techniques and applying them at scale.
  3. We open-source our framework, angr, for use by future research on binary code analysis.

Automated Binary Analysis


  • replayability and coverage
  • semantic insight and data domain

Replayability and semantic insight both conflict with scalability.

Background: Static Vulnerability Discovery

Static Vulnerability Discovery

  • Recovering control flow
    • Main difficulty: indirect jumps
    • Properties: soundness and completeness (a trade-off between the two is required)
  • Flow Modeling
    • Graph-based vulnerability discovery relies on modeling the bug, so it generally targets known vulnerabilities
  • Data Modeling
    • Value-Set Analysis

Dynamic Vulnerability Discovery

  • Dynamic Concrete Execution
    • Executes with real (concrete) values; requires user-provided inputs (test cases)
    • Fuzzing (coverage-based and taint-based)
  • Dynamic Symbolic Execution
    • Classical dynamic symbolic execution can suffer from path explosion (mitigated by path prioritization / path merging)
    • Symbolic-assisted fuzzing (uses the speed of fuzzing to cope with path explosion, while making up for fuzzing's lack of semantic information)
    • Under-constrained symbolic execution
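To make the path-explosion point concrete, here is a constructed toy dynamic symbolic executor (added for these notes; it is not angr's engine or API). It runs a program with k independent branches once with classical forking (2^k states) and once with merging at each join point (one state), and finds the input that reaches a target guarded by "all k bits set". Symbolic values are Python callables of the single 8-bit input x, and the "solver" is brute-force enumeration over the 256 possible inputs.

```python
# Toy dynamic symbolic execution (DSE) on a program with k independent
# branches, showing path explosion (2**k states) and how merging paths at
# the join point collapses them into one. Constructed illustration only:
# it is NOT angr's engine. Symbolic values are callables of the single
# 8-bit input x; the "solver" decides satisfiability by enumeration.

DOMAIN = range(256)  # the program reads one unsigned byte x


def solve(constraint):
    """Return the smallest x satisfying the constraint, or None if unsat."""
    return next((x for x in DOMAIN if constraint(x)), None)


def bit_is_set(i):
    """Symbolic branch condition for 'if (x & (1 << i))'."""
    return lambda x: bool((x >> i) & 1)


def explore_classical(k):
    """Fork at every branch and keep all feasible paths (classical DSE).
    State = (path constraint, symbolic value of 'count')."""
    states = [(lambda x: True, lambda x: 0)]
    for i in range(k):
        cond, forked = bit_is_set(i), []
        for pc, cnt in states:
            taken = lambda x, pc=pc, cond=cond: pc(x) and cond(x)
            fallthrough = lambda x, pc=pc, cond=cond: pc(x) and not cond(x)
            if solve(taken) is not None:       # count += 1 on the taken edge
                forked.append((taken, lambda x, cnt=cnt: cnt(x) + 1))
            if solve(fallthrough) is not None:
                forked.append((fallthrough, cnt))
        states = forked
    # Target: a buggy statement guarded by 'count == k' (all k bits set).
    hits = [solve(lambda x, pc=pc, cnt=cnt: pc(x) and cnt(x) == k)
            for pc, cnt in states]
    return len(states), [x for x in hits if x is not None]


def explore_merged(k):
    """Same program, but both successors are merged right after each
    branch: 'count' becomes ite(cond, count + 1, count), so a single
    state survives and the solver is asked once at the target."""
    cnt = lambda x: 0
    for i in range(k):
        cond = bit_is_set(i)
        cnt = lambda x, cnt=cnt, cond=cond: cnt(x) + 1 if cond(x) else cnt(x)
    return 1, solve(lambda x: cnt(x) == k)


if __name__ == "__main__":
    for k in (1, 2, 4, 8):
        print(k, explore_classical(k), explore_merged(k))
```

With k = 8 the classical run keeps 256 states and the merged run one; both report input 255 as the only value reaching the target.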


  • reproduction
  • generation
  • hardening (to counter defenses)

Analysis engine

  • Cross-architecture (ARM, MIPS, 32-bit, 64-bit)
  • Cross-platform (different operating systems)
  • Support for different analysis paradigms (the analysis methods mentioned above)
  • Usability
  • Submodule design
    • IR: VEX
    • Binary loading: CLE
    • Program State Representation/Modification (SimuVEX)
    • Data Model
      • Abstracted by Claripy
      • Provides several frontends
    • Full-Program Analysis
      • Provides full-program analyses such as CFG recovery and dynamic symbolic execution. The entry point for an analysis is the "Project", which gives access to all functionality of the other submodules
      • Two main interfaces: Path Groups and Analyses


  • Static analysis (improved)
    • Graph-based: CFG recovery (CFGAccurate, CFGFast)
    • Data-based: Value-Set Analysis
  • Dynamic analysis (re-implemented)
    • dynamic symbolic execution
    • under-constrained symbolic execution
    • symbolic-assisted fuzzing
  • Crash reproduction
  • Exploit generation
  • Exploit hardening: bypassing security mechanisms such as ASLR




  • Post title: angr-paper: 2016_SP_angrSoK
  • Post author: Eveneko
  • Create time: 2021-07-02 16:26:20
  • Post link:
  • Copyright Notice: All articles in this blog are licensed under BY-NC-SA unless stated otherwise.