BB-Weight-Angr: Angr-based static analysis tool for vusec/vuzzer64 fuzzing tool

This repository contains a Angr-based static analysis module developed during my internship at VU Amsterdam for their fuzzing tool Vuzzer. It supports both the 32bit and 64bit versions of Vuzzer

r2angrdbg: use angr inside the radare2 debugger

Use angr inside the radare2 debugger.

Create an angr state from the current debugger state.

Practical Symbolic Execution and SATisfiability Module Theories (SMT) 101

Practical Symbolic Execution and SATisfiability Module Theories (SMT) 101

May 19, 2018 • By rui

Finding bugs is hard, reverse engineering is hard. Constraint solvers are the heart of many program analysis techniques, and can aid Fuzzing, and software verification.

This post contains a few hands-on experiments with Z3, a high performance theorem prover developed at Microsoft Research by Leonardo de Moura and Nikolaj Bjorner. With KLEE, a Symbolic Execution Engine built on top of the LLVM compiler infrastructure developed by Cristian Cadar, Daniel Dunbar, and Dawson Engler. And, angr, a binary analysis framework developed by the Computer Security Lab at UC Santa Barbara and their associated CTF team, Shellphish.[…]


BootStomp: Android bootloader vulnerability finder

BootStomp is a boot-loader bug finder. It looks for two different class of bugs: memory corruption and state storage vulnerabilities. For more info please refer to the BootStomp paper. To run BootStomp’s analyses, please read the following instructions. Note that BootStomp works with boot-loaders compiled for ARM architectures (32 and 64 bits both) and that results might slightly vary depending on angr and Z3’s versions. This is because of the time angr takes to analyze basic blocks and to Z3’s expression concretization results.[…]

print [!] Usage: + sys.argv[0] + <oeminfo.img> <exploit_oeminfo.img>\n

Lots of links to read at the end of the github readme web page.


new firmware tool: angr

A new firmware security tool called ‘angr’ was announced at Black Hat Briefings this week:

Angr is a platform-agnostic concolic binary analysis platform developed by the Seclab at the University of California Santa Barbara and their associated CTF team, Shellphish. angr is a multi-architecture binary analysis platform, with the capability to perform dynamic symbolic execution (like Mayhem, KLEE, etc) and various static analyses on binaries. Several challenges must be overcome to do this, and angr has components that meet all of these challenges:
 * Loading a binary into the analysis program.
 * Translating a binary into an intermediate representation (IR).
 * Translating that IR into a semantic representation (i.e., what it does, not just what it is).
 * Performing the actual analysis. This could be:
     + A full-program static analysis (i.e., type inference, program slicing).
     + A symbolic exploration of the program’s state space (i.e., “Can we execute it until we find an overflow?”).
     + Some combination of the above (i.e., “Let’s execute only program slices that lead to a memory write, to find an overflow.”)

The talk:

Using Static Binary Analysis To Find Vulnerabilities And Backdoors in Firmware
Chris Kruegel, Chief Scientist, Lastline
Over the last few years, as the world has moved closer to realizing the idea of the Internet of Things, an increasing number of the analog things with which we used to interact every day have been replaced with connected devices. The increasingly-complex systems that drive these devices have one thing in common ­– they must all communicate to carry out their intended functionality. Such communication is handled by firmware embedded in the device. And firmware, like any piece of software, is susceptible to a wide range of errors and vulnerabilities.