angr / angr-platforms
A collection of extensions to angr to handle new platforms
Home Page: http://angr.io/
License: BSD 2-Clause "Simplified" License
Hi, I am trying your new architecture (angr-bf). I want to try a new experience.
Unfortunately, I got an error like this:
Traceback (most recent call last):
File "findflagsolver.py", line 5, in
from angr_bf import arch_bf, load_bf, simos_bf
File "/home/f000/.virtualenvs/aegg/local/lib/python2.7/site-packages/angr_bf/simos_bf.py", line 2, in
from angr.procedures import SIM_PROCEDURES as P, SIM_LIBRARIES as L
ImportError: No module named procedures
There is no module named procedures. I have even updated angr to the newest version.
I don't know how to solve it. Can you explain to me how to fix this?
Thank you.
Hi.
I want to perform symbolic execution with angr on a RISC-V 64-bit ELF file.
However, none of the programs support it.
So, do you have any plans to support RISC-V 64-bit?
I have made a lifter for RISC-V 32-bit with the multiplication and division, compact and atomic extensions to use in my master's thesis. I would like to add the resulting lifter to this repository for other people to use. However, when I try to create a branch called wip/risc-v_32bit I get the error that the permissions are denied. Could someone create the branch for me to push to?
Tracking issue for Atmel AVR microcontroller support
Here's The ISA: http://www.atmel.com/images/Atmel-0856-AVR-Instruction-Set-Manual.pdf
Here's the WIP branch: https://github.com/angr/angr-platforms/tree/wip/avr
Things to do:
The bf lifter does not work with angr master branch (7.8.7.1)
Traceback (most recent call last):
File "lift_bf.py", line 253, in <module>
lifter = LifterBF(irsb_, test1,len(test1) , len(test1), 0, None)
TypeError: __init__() takes exactly 3 arguments (7 given)
Is some special version needed?
As per angr/angr#2194 (comment), the recommended way to use angr with RISC-V binaries is via angr-platforms. Furthermore, the comment suggests that issues found with the RISC-V support in angr-platforms should be reported. We believe we found such an issue and are hence reporting it here.
While comparing SymEx-VP, a symbolic execution engine for RISC-V binaries, against other symbolic executors supporting RISC-V, we noticed that angr with angr-platforms missed several paths on some of our benchmarks. Below, please find a minimal example for reproducing such an issue with angr.
Consider the following 32-bit RISC-V binary: https://user.informatik.uni-bremen.de/~tempel/angr/angr-base64-bug
This binary is based on the following C code, which has been taken from the base64 encode implementation of the RIOT operating system and minimized to reproduce the outlined bug in angr (angr fails to find all execution paths in this binary):
#include <stdint.h>
#include <stddef.h>

void make_symbolic(void *ptr, size_t size) {
    (void)ptr;
    (void)size;
    return; // hooked by angr; BinSec treats uninitialized memory as unconstrained symbolic.
}

void symex_exit(void) {
    return; // used to indicate the end of an execution path.
}

////////////////////////////////////////////////////////////////////////

#define BASE64_CAPITAL_UPPER_BOUND (25)   /**< base64 'Z' */
#define BASE64_SMALL_UPPER_BOUND   (51)   /**< base64 'z' */
#define BASE64_NUMBER_UPPER_BOUND  (61)   /**< base64 '9' */
#define BASE64_PLUS                (62)   /**< base64 '+' */
#define BASE64_MINUS               (62)   /**< base64 '-' */
#define BASE64_SLASH               (63)   /**< base64 '/' */
#define BASE64_UNDERLINE           (63)   /**< base64 '_' */
#define BASE64_EQUALS              (0xFE) /**< no base64 symbol '=' */
#define BASE64_NOT_DEFINED         (0xFF) /**< no base64 symbol */

static char getsymbol(uint8_t code) {
    if (code == BASE64_SLASH) {
        return '/';
    }
    if (code == BASE64_PLUS) {
        return '+';
    }
    if (code <= BASE64_CAPITAL_UPPER_BOUND) {
        return (code + 'A');
    }
    if (code <= BASE64_SMALL_UPPER_BOUND) {
        return (code + ('z' - BASE64_SMALL_UPPER_BOUND));
    }
    if (code <= BASE64_NUMBER_UPPER_BOUND) {
        return (code + ('9' - BASE64_NUMBER_UPPER_BOUND));
    }
    return (char)BASE64_NOT_DEFINED;
}

static void encode_three_bytes(uint8_t *dest, uint8_t b1, uint8_t b2, uint8_t b3) {
    dest[0] = getsymbol(b1 >> 2);
    dest[1] = getsymbol(((b1 & 0x03) << 4) | (b2 >> 4));
    dest[2] = getsymbol(((b2 & 0x0f) << 2) | (b3 >> 6));
    dest[3] = getsymbol(b3 & 0x3f);
}

int main(void) {
    static uint8_t dest[128];
    uint8_t input[3];
    make_symbolic(&input, sizeof(input));
    // explore encode_three_bytes based on 3 symbolic input bytes.
    encode_three_bytes(dest, input[0], input[1], input[2]);
    symex_exit();
    return 0;
}
We can explore all execution paths through this binary with BinSec as follows:
$ cat main.inc
halt at <symex_exit>
reach <symex_exit> 99999999 times
$ binsec -fml-solver-timeout 0 -sse -sse-depth 999999 -sse-script main.inc angr-base64-bug
Preprocessing simplifications
total 2811
sat 625
unsat 0
constant enum 2186
Satisfiability queries
total 1404
sat 624
unsat 780
unknown 0
time 7.45
average 0.01
Exploration
total paths 625
completed/cut paths 625
pending paths 0
stale paths 0
failed assertions 0
branching points 2186
max path depth 222
visited instructions (unrolled) 16202
visited instructions (static) 150
This output tells us that BinSec finds 625 execution paths through this binary. Other symbolic execution engines such as the aforementioned SymEx-VP or BinSym also find 625 execution paths. Note that the program doesn't use any symbolic memory indices, hence all engines should find the same number of paths. However, when we execute this binary with the following angr script, angr only finds 25 paths:
#!/usr/bin/env python3
import sys

import angr
from angr_platforms import risc_v  # importing registers the RISC-V arch and lifter with angr


class MakeSymbolic(angr.SimProcedure):
    """Replaces make_symbolic(ptr, size): fills the buffer with fresh symbolic bytes."""

    def run(self, _addr, _size):
        addr = self.state.solver.eval(_addr)
        size = self.state.solver.eval(_size)
        bvs = self.state.solver.Unconstrained(
            f"memory<{hex(addr)}>",
            size * 8,
            uninitialized=False)
        self.state.memory.store(addr, bvs)
        return 0


def run_angr(path):
    p = angr.Project(path)
    state = p.factory.entry_state()
    state.options.add(angr.options.ZERO_FILL_UNCONSTRAINED_REGISTERS)
    # Make sure make_symbolic works as expected by hooking it.
    p.hook_symbol('make_symbolic', MakeSymbolic())
    simgr = p.factory.simgr(thing=state)
    stop_symbol = p.loader.find_symbol('symex_exit')
    # Keep exploring until every path that reaches symex_exit has been found.
    simgr.explore(num_find=99999999999, find=stop_symbol.rebased_addr)
    print(f"Found: {len(simgr.found)}")


if __name__ == "__main__":
    if len(sys.argv) <= 1:
        print("Missing file argument", file=sys.stderr)
        sys.exit(1)
    run_angr(sys.argv[1])
Run using:
$ python3 run-angr.py ./angr-base64-bug
Found: 25
Meaning, angr misses 600 execution paths in this binary. We presently believe this to be a bug with the RISC-V lifter provided by angr-platforms, possibly in the lifting of the SRA and SRAI instructions of the RISC-V instruction set architecture.
/home/angr/angr-dev/angr/angr/misc/bug_report.py:1: DeprecationWarning: the imp module is deprecated in favour of importlib; see the module's documentation for alternative uses
import imp
angr environment report
=============================
Date: 2024-04-25 12:52:57.856919
Running in virtual environment at /home/angr/.virtualenvs/angr
Platform: linux-x86_64
Python version: 3.8.10 (default, Mar 15 2022, 12:22:08)
[GCC 9.4.0]
######## angr #########
Python found it in /home/angr/angr-dev/angr/angr
Pip version angr 9.2.0.dev0
Git info:
Current commit f3b175e19b5adbc25e1dc8be65dca0e00bf41e4b from branch master
Checked out from remote origin: https://github.com/angr/angr
######## ailment #########
Python found it in /home/angr/angr-dev/ailment/ailment
Pip version ailment 9.2.0.dev0
Git info:
Current commit 96c985be6acac572bb3c5d48978ba8513101bdfd from branch master
Checked out from remote origin: https://github.com/angr/ailment
######## cle #########
Python found it in /home/angr/angr-dev/cle/cle
Pip version cle 9.2.0.dev0
Git info:
Current commit cc079ff86361c28ec4861272e638f746b7416805 from branch master
Checked out from remote origin: https://github.com/angr/cle
######## pyvex #########
Python found it in /home/angr/angr-dev/pyvex/pyvex
Pip version pyvex 9.2.0.dev0
Git info:
Current commit aa671c93fd00026a15071bedc09321f20a89aa62 from branch master
Checked out from remote origin: https://github.com/angr/pyvex
######## claripy #########
Python found it in /home/angr/angr-dev/claripy/claripy
Pip version claripy 9.2.0.dev0
Git info:
Current commit 2c66f4fa56f2174250f1c82e1762bf02680ebde7 from branch master
Checked out from remote origin: https://github.com/angr/claripy
######## archinfo #########
Python found it in /home/angr/angr-dev/archinfo/archinfo
Pip version archinfo 9.2.0.dev0
Git info:
Current commit 69f79593e329b79311863b2c98a6f4fe3f14445c from branch master
Checked out from remote origin: https://github.com/angr/archinfo
######## z3 #########
Python found it in /home/angr/.virtualenvs/angr/lib/python3.8/site-packages/z3
Pip version z3-solver 4.8.15.0
Couldn't find git info
######## unicorn #########
Python found it in /home/angr/.virtualenvs/angr/lib/python3.8/site-packages/unicorn
Pip version unicorn 1.0.2rc4
Couldn't find git info
######### Native Module Info ##########
angr: <CDLL '/home/angr/angr-dev/angr/angr/state_plugins/../lib/angr_native.so', handle 16b96e0 at 0x7f4c52e67910>
unicorn: <CDLL '/home/angr/.virtualenvs/angr/lib/python3.8/site-packages/unicorn/lib/libunicorn.so', handle 106a6d0 at 0x7f4c581eb340>
pyvex: <cffi.api._make_ffi_library.<locals>.FFILibrary object at 0x7f4c58b2ca30>
z3: NOT FOUND
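A constructed ground-truth oracle for the report above, added here and not part of the issue or of angr-platforms: it replays the branch structure of encode_three_bytes() over every 3-byte input and counts the distinct sequences of getsymbol() outcomes, which is the path count any sound symbolic executor should report. Each call sees a 6-bit code, so the BASE64_NOT_DEFINED branch is dead and 5 outcomes remain per call; 4 independent calls give 5^4 = 625, matching BinSec.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Branch outcome taken inside getsymbol() for one 6-bit code, numbered in
 * source order: 0 = '/', 1 = '+', 2 = 'A'..'Z', 3 = 'a'..'z', 4 = '0'..'9',
 * 5 = BASE64_NOT_DEFINED (never reached for a 6-bit code, since 62 and 63
 * are handled by the first two tests). Constants mirror the C in the issue. */
static int getsymbol_outcome(uint8_t code) {
    if (code == 63) return 0;
    if (code == 62) return 1;
    if (code <= 25) return 2;
    if (code <= 51) return 3;
    if (code <= 61) return 4;
    return 5;
}

/* Replays encode_three_bytes() for all 2^24 inputs and records which sequence
 * of getsymbol() outcomes each one takes. A sequence is packed into 12 bits
 * (4 calls x 3 bits), so a 4096-entry bitmap is enough to dedupe them. */
unsigned count_feasible_paths(void) {
    static uint8_t seen[4096 / 8];
    memset(seen, 0, sizeof seen);
    unsigned paths = 0;
    for (uint32_t in = 0; in < (1u << 24); in++) {
        uint8_t b1 = (uint8_t)(in >> 16), b2 = (uint8_t)(in >> 8), b3 = (uint8_t)in;
        unsigned sig = (unsigned)getsymbol_outcome(b1 >> 2);
        sig = (sig << 3) | (unsigned)getsymbol_outcome(((b1 & 0x03) << 4) | (b2 >> 4));
        sig = (sig << 3) | (unsigned)getsymbol_outcome(((b2 & 0x0f) << 2) | (b3 >> 6));
        sig = (sig << 3) | (unsigned)getsymbol_outcome(b3 & 0x3f);
        if (!(seen[sig >> 3] & (1u << (sig & 7)))) {
            seen[sig >> 3] |= (uint8_t)(1u << (sig & 7));
            paths++;
        }
    }
    return paths;
}

int main(void) {
    /* Expected: 625, the number BinSec, SymEx-VP and BinSym report. */
    printf("feasible paths through encode_three_bytes: %u\n", count_feasible_paths());
    return 0;
}
```

Comparing this number against a symbolic executor's path count is a cheap differential check before suspecting a specific instruction's lifting.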
Error during TriCore ELF image loading to angr:
class ABS_E5_Instructions(Instruction) => parse(self, bitstrm) => Instruction.parse(self, bitstrm)
Attachment: tricore_hello.zip (https://github.com/angr/angr-platforms/files/8890878/tricore_hello.zip)
Trying to import the msp430 module results in an error:
> pip install git+https://github.com/angr/angr-platforms.git
...
Successfully built angr-platforms
Installing collected packages: angr-platforms
Successfully installed angr-platforms-0.1
> python
Python 3.7.6 (tags/v3.7.6:43364a7ae0, Dec 19 2019, 00:42:30) [MSC v.1916 64 bit (AMD64)] on win32
Type "help", "copyright", "credits" or "license" for more information.
>>> import angr_platforms
>>> import angr_platforms.msp430
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
ModuleNotFoundError: No module named 'angr_platforms.msp430'