Symbolic Execution with ANGR on Real-World Targets

IN-PERSON 4 DAYS TRAINING: AUGUST 2023

Jeremy Blackthorne

Abstract

This is an 80% hands-on course with many demos, examples, exercises, and solutions. Exercises will be mostly x64 and ARM binaries for Linux, but we will also apply it to other architectures, such as MIPS and PowerPC. Although the theory behind symbolic execution is fascinating, we will only minimally cover it and will instead focus on the practical applications of angr.

Students are provided a preconfigured VM with all necessary tools and exercises. The instructor’s computer screen and voice will also be recorded during each day and provided for reference. Students can then review the recordings during the course and retain them for use afterwards.

Automated Binary Analysis with ANGR - Sample Lesson

Key Learning Objectives

  • Students will have the ability to perform symbolic and concolic execution with angr
  • Students have the ability to use manual and automated techniques with angr
  • Students will know how to leverage angr's strengths and complement its weaknesses

Detailed Syllabus

Background

  • Symbolic execution / Concolic execution
  • Bit vectors
  • SMT/SAT solving
  • Abstract syntax tree (AST) and DPLL algorithm
  • Path explosion problem

Angr Usage and API

  • API: loader, symbolic execution, solver engine
  • Emulator: stepping, running, hooking
  • Symbion and concolic execution: using debugger state with emulator
  • Diassembly, decompilation, control-flow graphs
  • Backward slicing
  • VEX IR, PyVex, and libVEX
  • Components: Capstone, Unicorn, claripy, Z3, valgrind
  • Extending angr functionality

Plug-ins, Tools, and Workflow Integration

  • Natural workflow of angr with IDA, Ghidra, qemu, pwntools and gdb
  • Pypcode: library allowing symbolic execution of Ghidra’s p-code
  • Plug-ins: Angry Ghidra, IDAngr, Jupyter’s Angry kernel
  • angr's GUI: angr-management
  • Other plugins

Applications

  • Malware deobfuscation
  • identifying vulnerabilities and creating proof-of-concepts for vulnerabilities
  • Crafting exploits
  • General RE

Who Should Attend

This training is for people who are in the weeds, assessing binaries for vulnerabilities, crafting exploits, and reverse engineering malware.

Knowledge Prerequisites

This is an intermediate class. Students are expected to have experience with RE, VR, Linux, C, Python, and x86-64 assembly. Students are not expected to have any experience with symbolic execution, SMT, or angr.

Hardware Requirements

Students are expected to have their own computers which can run an x86-64 virtual machine.

  • 50 GB of free hard disk space
  • 4GB of RAM
  • 4 Processor cores

Software Requirements

  • VMware -or-
  • Virtualbox