
angr-platforms's People

Contributors

3553x, gert-jang, hidde-jan, jovanbulck, lockshaw, ltfish, lukas-dresel, m1ghtym0, mbrattain, mohitrpatil, nmeum, rhelmot, schieb, shahinsba, stefanberg96, subwire, tharvik, twizmwazin, tyb0807, whatang, wwwzbwcom, xxr0ss, zardus, zd99921, zwimer


angr-platforms's Issues

No module named procedures

Hi, I am trying your new architecture (angr-bf). I want to get a feel for the new experience.
Unfortunately, I got an error like this:

Traceback (most recent call last):
  File "findflagsolver.py", line 5, in <module>
    from angr_bf import arch_bf, load_bf, simos_bf
  File "/home/f000/.virtualenvs/aegg/local/lib/python2.7/site-packages/angr_bf/simos_bf.py", line 2, in <module>
    from angr.procedures import SIM_PROCEDURES as P, SIM_LIBRARIES as L
ImportError: No module named procedures

There is no module named procedures. I have even updated angr to the newest version.
I don't know how to solve it. Can you explain to me how to fix this?
Thank you.

Can not create new branch for pull request

I have made a lifter for RISC-V 32-bit with the multiplication and division, compact and atomic extensions to use in my master's thesis. I would like to add the resulting lifter to this repository for other people to use. However, when I try to create a branch called wip/risc-v_32bit I get the error that the permissions are denied. Could someone create the branch for me to push to?

Atmel AVR support

Tracking issue for Atmel AVR microcontroller support

Here's The ISA: http://www.atmel.com/images/Atmel-0856-AVR-Instruction-Set-Manual.pdf

Here's the WIP branch: https://github.com/angr/angr-platforms/tree/wip/avr

Things to do:

  1. Finish the remaining ops. Mostly "st*"
  2. Tie the "skip" instructions to the new two-pass features of gymrat
  3. Double-check a weird inconsistency we noticed w/r/t what the PC is
    during lift-time and during execute-time. The short version is, don't
    trust the PC at execute time. Use the address the lifter tells you
    the instruction is at as your PC, instead of the PC in the register.
  4. Double-check our jump behavior w/r/t jumping to the destination, or
    the thing after it (apparently MSP430 had some inconsistency there)
  5. Deal with the split-memory issues in AVR, namely how to map data and
    code memory into one memory space. My dumb approach is to just use
    some high bits of the address and magically translate all the lifted
    pointers. That might work. Not tested.
  6. Deal with issues in the rest of angr related to the various sizes of
    pointers vs various sizes of registers vs. the not-strictly-defined
    size of the address space in AVR. Ignoring the problem and hoping for
    the best is an option.
  7. Fix all of Eric's typos.
  8. Environment support. I have no idea how we're going to do that (IO reg peripherals probably pending a future planned refactor)

BF lifter is untested and bitrotted

The BF lifter does not work with the angr master branch (7.8.7.1):

Traceback (most recent call last):
  File "lift_bf.py", line 253, in <module>
    lifter = LifterBF(irsb_, test1,len(test1) , len(test1), 0, None)
TypeError: __init__() takes exactly 3 arguments (7 given)

Is some special version needed?

angr misses paths on RISC-V binary found by other symbolic execution engines

Description

As per angr/angr#2194 (comment), the recommended way to use angr with RISC-V binaries is via angr-platforms. Furthermore, the comment suggests that issues found with the RISC-V support in angr-platforms should be reported. We believe we found such an issue and are hence reporting it here.

While comparing SymEx-VP, a symbolic execution engine for RISC-V binaries, against other symbolic executors supporting RISC-V, we noticed that angr with angr-platforms missed several paths on some of our benchmarks. Below, please find a minimal example for reproducing such an issue with angr.

Steps to reproduce the bug

Consider the following 32-bit RISC-V binary: https://user.informatik.uni-bremen.de/~tempel/angr/angr-base64-bug

This binary is based on the following C code, which has been taken from the base64 encode implementation of the RIOT operating system and minimized to reproduce the outlined bug in angr (angr fails to find all execution paths in this binary):

#include <stdint.h>
#include <stddef.h>

void make_symbolic(void *ptr, size_t size) {
    (void)ptr;
    (void)size;
    return; // hooked by angr, binsec will treat uninitialized memory as unconstrained symbolic.
}

void symex_exit(void) {
    return; // used to indicate end of an execution path.
}

////////////////////////////////////////////////////////////////////////

#define BASE64_CAPITAL_UPPER_BOUND     (25)     /**< base64 'Z'           */
#define BASE64_SMALL_UPPER_BOUND       (51)     /**< base64 'z'           */
#define BASE64_NUMBER_UPPER_BOUND      (61)     /**< base64 '9'           */
#define BASE64_PLUS                    (62)     /**< base64 '+'           */
#define BASE64_MINUS                   (62)     /**< base64 '-'           */
#define BASE64_SLASH                   (63)     /**< base64 '/'           */
#define BASE64_UNDERLINE               (63)     /**< base64 '_'           */
#define BASE64_EQUALS                  (0xFE)   /**< no base64 symbol '=' */
#define BASE64_NOT_DEFINED             (0xFF)   /**< no base64 symbol     */

/* Map a 6-bit code (0..63) to its base64 alphabet character. Each `if`
 * below is one branch a symbolic executor has to fork on. */
static char getsymbol(uint8_t code) {
    if (code == BASE64_SLASH) {
        return '/';
    }

    if (code == BASE64_PLUS) {
        return '+';
    }

    if (code <= BASE64_CAPITAL_UPPER_BOUND) {
        return (code + 'A');
    }

    if (code <= BASE64_SMALL_UPPER_BOUND) {
        return (code + ('z' - BASE64_SMALL_UPPER_BOUND));
    }

    if (code <= BASE64_NUMBER_UPPER_BOUND) {
        return (code + ('9' - BASE64_NUMBER_UPPER_BOUND));
    }

    return (char)BASE64_NOT_DEFINED;
}

/* Split three input bytes (24 bits) into four 6-bit codes and encode each. */
static void encode_three_bytes(uint8_t *dest, uint8_t b1, uint8_t b2, uint8_t b3) {
    dest[0] = getsymbol(b1 >> 2);
    dest[1] = getsymbol(((b1 & 0x03) << 4) | (b2 >> 4));
    dest[2] = getsymbol(((b2 & 0x0f) << 2) | (b3 >> 6));
    dest[3] = getsymbol(b3 & 0x3f);
}

int main(void) {
    static uint8_t dest[128];
    uint8_t input[3];

    make_symbolic(&input, sizeof(input));
    // explore encode_three_bytes based on 3 symbolic input bytes.
    encode_three_bytes(dest, input[0], input[1], input[2]);

    symex_exit();
    return 0;
}

We can explore all execution paths through this binary with BinSec as follows:

$ cat main.inc
halt at <symex_exit>
reach <symex_exit> 99999999 times
$ binsec -fml-solver-timeout 0 -sse -sse-depth 999999 -sse-script main.inc angr-base64-bug
             Preprocessing simplifications
               total          2811
               sat            625
               unsat          0
               constant enum  2186

             Satisfiability queries
               total          1404
               sat            624
               unsat          780
               unknown        0
               time           7.45
               average        0.01

           Exploration
             total paths                      625
             completed/cut paths              625
             pending paths                    0
             stale paths                      0
             failed assertions                0
             branching points                 2186
             max path depth                   222
             visited instructions (unrolled)  16202
             visited instructions (static)    150

This output tells us that BinSec finds 625 execution paths through this binary. Other symbolic execution engines such as the aforementioned SymEx-VP or BinSym also find 625 execution paths. Note that the program doesn't use any symbolic memory indices, hence all engines should find the same number of paths. However, when we execute this binary with the following angr script, angr only finds 25 paths:

#!/usr/bin/env python3

import sys

import angr
from angr_platforms import risc_v  # registers the RISC-V architecture and lifter with angr


class MakeSymbolic(angr.SimProcedure):
    # Hook for make_symbolic(ptr, size): overwrite `size` bytes at `ptr`
    # with an unconstrained symbolic bitvector.
    def run(self, _addr, _size):
        addr = self.state.solver.eval(_addr)
        size = self.state.solver.eval(_size)

        bvs = self.state.solver.Unconstrained(
                f"memory<{hex(addr)}>",
                size * 8,
                uninitialized=False)

        self.state.memory.store(addr, bvs)
        return 0


def run_angr(path):
    p = angr.Project(path)

    state = p.factory.entry_state()
    state.options.add(angr.options.ZERO_FILL_UNCONSTRAINED_REGISTERS)

    # Make sure make_symbolic works as expected by hooking it.
    p.hook_symbol('make_symbolic', MakeSymbolic())

    simgr = p.factory.simgr(thing=state)

    # Every state that reaches symex_exit() is one completed execution path.
    stop_symbol = p.loader.find_symbol('symex_exit')
    simgr.explore(num_find=99999999999, find=stop_symbol.rebased_addr)

    print(f"Found: {len(simgr.found)}")


if len(sys.argv) <= 1:
    print("Missing file argument", file=sys.stderr)
    sys.exit(1)
else:
    filename = sys.argv[1]
    run_angr(filename)

Run using:

$ python3 run-angr.py ./angr-base64-bug
Found: 25

Meaning, angr misses 600 execution paths in this binary. We presently believe this to be a bug with the RISC-V lifter provided by angr-platforms, possibly in the lifting of the SRA and SRAI instructions of the RISC-V instruction set architecture.

Environment

/home/angr/angr-dev/angr/angr/misc/bug_report.py:1: DeprecationWarning: the imp module is deprecated in favour of importlib; see the module's documentation for alternative uses
  import imp
angr environment report
=============================
Date: 2024-04-25 12:52:57.856919
Running in virtual environment at /home/angr/.virtualenvs/angr
Platform: linux-x86_64
Python version: 3.8.10 (default, Mar 15 2022, 12:22:08) 
[GCC 9.4.0]
######## angr #########
Python found it in /home/angr/angr-dev/angr/angr
Pip version angr 9.2.0.dev0
Git info:
	Current commit f3b175e19b5adbc25e1dc8be65dca0e00bf41e4b from branch master
	Checked out from remote origin: https://github.com/angr/angr
######## ailment #########
Python found it in /home/angr/angr-dev/ailment/ailment
Pip version ailment 9.2.0.dev0
Git info:
	Current commit 96c985be6acac572bb3c5d48978ba8513101bdfd from branch master
	Checked out from remote origin: https://github.com/angr/ailment
######## cle #########
Python found it in /home/angr/angr-dev/cle/cle
Pip version cle 9.2.0.dev0
Git info:
	Current commit cc079ff86361c28ec4861272e638f746b7416805 from branch master
	Checked out from remote origin: https://github.com/angr/cle
######## pyvex #########
Python found it in /home/angr/angr-dev/pyvex/pyvex
Pip version pyvex 9.2.0.dev0
Git info:
	Current commit aa671c93fd00026a15071bedc09321f20a89aa62 from branch master
	Checked out from remote origin: https://github.com/angr/pyvex
######## claripy #########
Python found it in /home/angr/angr-dev/claripy/claripy
Pip version claripy 9.2.0.dev0
Git info:
	Current commit 2c66f4fa56f2174250f1c82e1762bf02680ebde7 from branch master
	Checked out from remote origin: https://github.com/angr/claripy
######## archinfo #########
Python found it in /home/angr/angr-dev/archinfo/archinfo
Pip version archinfo 9.2.0.dev0
Git info:
	Current commit 69f79593e329b79311863b2c98a6f4fe3f14445c from branch master
	Checked out from remote origin: https://github.com/angr/archinfo
######## z3 #########
Python found it in /home/angr/.virtualenvs/angr/lib/python3.8/site-packages/z3
Pip version z3-solver 4.8.15.0
Couldn't find git info
######## unicorn #########
Python found it in /home/angr/.virtualenvs/angr/lib/python3.8/site-packages/unicorn
Pip version unicorn 1.0.2rc4
Couldn't find git info
######### Native Module Info ##########
angr: <CDLL '/home/angr/angr-dev/angr/angr/state_plugins/../lib/angr_native.so', handle 16b96e0 at 0x7f4c52e67910>
unicorn: <CDLL '/home/angr/.virtualenvs/angr/lib/python3.8/site-packages/unicorn/lib/libunicorn.so', handle 106a6d0 at 0x7f4c581eb340>
pyvex: <cffi.api._make_ffi_library.<locals>.FFILibrary object at 0x7f4c58b2ca30>
z3: NOT FOUND

Additional context

No response
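The following is an added example, not part of the issue above or of the angr-platforms project. It is a plain Python model of the C program from the report that serves as a concrete oracle for the path count the other engines agree on: it mirrors getsymbol() and encode_three_bytes() while recording which branch each call takes, shows that a 6-bit code can only reach five of getsymbol()'s six branches, and uses the fact that the bit slicing in encode_three_bytes() is a bijection between the 24 input bits and the four 6-bit codes (so every combination of branches is reachable) to enumerate 5^4 = 625 distinct paths. The reading of 625 as 5^4 is this example's assumption, not something the issue states; the function names mirror the C source, and the inverse mapping codes_to_bytes() is a helper introduced here.

```python
"""Concrete path-count oracle for the base64 reproduction above (added example)."""
from itertools import product

# Constants copied from the C source in the issue.
BASE64_CAPITAL_UPPER_BOUND = 25
BASE64_SMALL_UPPER_BOUND = 51
BASE64_NUMBER_UPPER_BOUND = 61
BASE64_PLUS = 62
BASE64_SLASH = 63


def getsymbol(code, trace):
    """Mirror of the C getsymbol(); appends the name of the branch taken to `trace`."""
    if code == BASE64_SLASH:
        trace.append("slash")
        return "/"
    if code == BASE64_PLUS:
        trace.append("plus")
        return "+"
    if code <= BASE64_CAPITAL_UPPER_BOUND:
        trace.append("capital")
        return chr(code + ord("A"))
    if code <= BASE64_SMALL_UPPER_BOUND:
        trace.append("small")
        return chr(code + ord("z") - BASE64_SMALL_UPPER_BOUND)
    if code <= BASE64_NUMBER_UPPER_BOUND:
        trace.append("number")
        return chr(code + ord("9") - BASE64_NUMBER_UPPER_BOUND)
    trace.append("not_defined")  # unreachable for a 6-bit code, as the C program only passes those
    return "\xff"


def encode_three_bytes(b1, b2, b3):
    """Mirror of the C encode_three_bytes(); returns (output string, path signature)."""
    trace = []
    out = "".join([
        getsymbol(b1 >> 2, trace),
        getsymbol(((b1 & 0x03) << 4) | (b2 >> 4), trace),
        getsymbol(((b2 & 0x0F) << 2) | (b3 >> 6), trace),
        getsymbol(b3 & 0x3F, trace),
    ])
    return out, tuple(trace)


def branch_classes_for_one_call():
    """Branches of getsymbol() that some 6-bit code (0..63) actually reaches."""
    classes = set()
    for code in range(64):
        trace = []
        getsymbol(code, trace)
        classes.add(trace[0])
    return classes


def codes_to_bytes(c0, c1, c2, c3):
    """Helper introduced here: inverse of the bit slicing in encode_three_bytes().
    Because that slicing is a bijection between 24 input bits and four 6-bit
    codes, any tuple of codes corresponds to exactly one concrete input."""
    b1 = (c0 << 2) | (c1 >> 4)
    b2 = ((c1 & 0x0F) << 4) | (c2 >> 2)
    b3 = ((c2 & 0x03) << 6) | c3
    return b1, b2, b3


def enumerate_paths():
    """Drive one representative code per reachable branch through every position
    and collect the distinct path signatures the program can take."""
    representative = {"slash": 63, "plus": 62, "capital": 0, "small": 26, "number": 52}
    paths = set()
    for combo in product(representative.values(), repeat=4):
        b1, b2, b3 = codes_to_bytes(*combo)
        _, signature = encode_three_bytes(b1, b2, b3)
        paths.add(signature)
    return paths


def expected_path_count():
    """Reachable branches per getsymbol() call, raised to the number of calls."""
    return len(branch_classes_for_one_call()) ** 4


if __name__ == "__main__":
    print("reachable branches per call:", sorted(branch_classes_for_one_call()))
    print("expected paths:", expected_path_count())
    print("distinct paths enumerated:", len(enumerate_paths()))
    print("sanity check, encode 'Man':", encode_three_bytes(0x4D, 0x61, 0x6E)[0])
```

Running the script prints five reachable branches, 625 expected and 625 enumerated paths, and "TWFu" for the bytes of "Man". When an engine reports a different count on this binary, the same technique, a tiny concrete re-implementation that tags each branch, gives a ground truth to diff the engine's result against before looking at the lifter.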

MULSU instruction lifting not well typed operation error

Hello, I was trying to launch CFG analysis over a RISC-V binary, and I got the following error:
[screenshot]

By replacing the type with int_64 in the following way (inside instrs_risc.r_instr.py) I no longer get the exception:
[screenshot]

Is the fix correct?

'Mismatch between format bit 0 and instruction bit 1'

Error while loading a TriCore ELF image into angr:
class ABS_E5_Instructions(Instruction) => parse(self, bitstrm) => Instruction.parse(self, bitstrm)

Attachment: tricore_hello.zip (https://github.com/angr/angr-platforms/files/8890878/tricore_hello.zip)

ModuleNotFoundError for MSP430

Trying to import the msp430 module results in an error:

> pip install git+https://github.com/angr/angr-platforms.git
...
Successfully built angr-platforms
Installing collected packages: angr-platforms
Successfully installed angr-platforms-0.1

> python
Python 3.7.6 (tags/v3.7.6:43364a7ae0, Dec 19 2019, 00:42:30) [MSC v.1916 64 bit (AMD64)] on win32
Type "help", "copyright", "credits" or "license" for more information.
>>> import angr_platforms
>>> import angr_platforms.msp430
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
ModuleNotFoundError: No module named 'angr_platforms.msp430'
