[angr] using angr as a binary-analysis tool to find bugs in automotive software

Claudia.Waldeck at bmw.de
Tue Apr 11 06:26:15 PDT 2017


Hi Fish, hi Yan

as I already told you, I want to implement support for a new architecture in angr.
I'm doing this as an external Bachelor's thesis for BMW.
(I haven't started the implementation yet, because first I want to know how to use angr.)

Why are we doing this?
We want to use angr as a code-analysis tool for binaries to find bugs like "buffer overflow", "endless loops", "wrong pointer casting", "reads of uninitialized variables" and so on.
We don't want to use it as a cyber-security tool, but as a kind of static (symbolic) code-analysis tool.

Why binary analysis in automotive?
With this technique we want to find errors caused by compiler errors or toolchain errors, or to find errors in libraries which BMW gets from its suppliers.

Can you tell me how I can find errors like "buffer overflow" and "endless loops" with angr instructions?

I took a look at your solve.py scripts in the angr-doc/examples folder, but we cannot use this sequence of actions.

I tried to trigger angr error messages by giving it binaries containing buffer overflows and endless loops.
For this, I generated a CFG, a VFG and a path group.
The only message I got is at path_group.run() ["1 errored"] for a buffer-overflow binary, but unfortunately only with an overflow of 23 bytes (with an overflow of less than 23 bytes, no errors are visible to me).
Take a look at my attachments.

So I ask you: please can you tell me which angr instructions I have to run to discover these kinds of errors?

Thank you in advance.

Best regards

Claudia Waldeck

-----Original Message-----
From: Claudia Waldeck [mailto:waldeck.claudia at web.de]
Sent: Tuesday, 11 April 2017 14:39
To: Waldeck Claudia, EV-331 <Claudia.Waldeck at bmw.de>
Subject: Fwd: RE: [angr] Need help at effort estimation for developing adaptations for angr framework


-------- Forwarded Message --------
Subject: RE: [angr] Need help at effort estimation for developing adaptations for angr framework
Date: Thu, 16 Mar 2017 18:32:51 -0700
From: Fish Wang <fish at cs.ucsb.edu>
To: 'Claudia Waldeck' <waldeck.claudia at web.de>

angr runs on whatever architectures (x86, AMD64, and ARM) and operating systems (Linux, Windows, and macOS) that we support, which means it won't even run on the target arch you are talking about. angr performs all the analyses and execution with every instruction lifted and emulated, which means you can do it without access to an actual piece of hardware of the target arch.

Best,
Fish

> -----Original Message-----
> From: Claudia Waldeck [mailto:waldeck.claudia at web.de]
> Sent: Thursday, March 16, 2017 1:59 PM
> To: Fish Wang <fish at cs.ucsb.edu>
> Subject: Re: [angr] Need help at effort estimation for developing adaptations for
> angr framework
> 
> Hi Fish,
> 
> Thank you very much for your fast answer, and sorry for my bad English.
> 
> Just to be sure: the operating system on the target (microcontroller) doesn't
> play any role in the binary analysis with angr?
> 
> As far as I understand angr (sorry, I haven't worked with angr until now), I can use
> angr on, in my case, a "Windows" notebook and check binaries of several
> different architectures (arm, ppc, mips, ...), while the operating system on the
> architecture is completely independent.
> 
> I'm asking because I found out that the Valgrind tool runs ON the target
> (for example ppc) and is dependent on the operating system used on the target
> (for example ppc/linux).
> Because angr is using some components of Valgrind (VEX), I just want to be
> sure that this OS dependency is not relevant for angr.
> 
> Am I right on this point?
> 
> Thank you very much for your answers in advance.
> 
> Best regards
> 
> Claudia
> 
> On 13.03.2017 09:54, Fish Wang wrote:
> > Hi Claudia,
> >
> > Here are my two cents:
> >
> > a) You are fairly OK with Python programming,
> > b) You know the target architecture fairly well,
> > c) You don't care about getting every single corner case correct,
> > d) The target architecture is as simple as or even simpler than MSP430.
> >
> > If all of the four conditions above are satisfied, then I would say 10 weeks are
> > enough to implement a new architecture support in angr.
> >
> > Best,
> > Fish
> >
> > From: angr [mailto:angr-bounces at lists.cs.ucsb.edu] On Behalf Of Yan
> > Sent: Sunday, March 12, 2017 6:43 PM
> > To: Claudia Waldeck <waldeck.claudia at web.de>
> > Cc: angr <angr at lists.cs.ucsb.edu>
> > Subject: Re: [angr] Need help at effort estimation for developing
> > adaptations for angr framework
> >
> > Hello,
> >
> > It depends on the complexity of the architecture. One of our labmates,
> > subwire, implemented Brainfuck support (handful of instructions) within a week,
> > and MSP430 (just a tad more complex) in a bit longer. I think you can get
> > partway there fairly quickly, but mostly for symbolic execution. Extending angr's
> > static analysis to other platforms, currently, is a bit of an ordeal, but work is
> > underway to fix that (though probably not within 10 weeks).
> >
> > Over the next week, we hope to release our brainfuck implementation so that
> > you can see how to extend angr to new platforms.
> >
> > - Yan
> >
> > On Sat, Mar 11, 2017 at 8:25 AM, Claudia Waldeck <waldeck.claudia at web.de
> > <mailto:waldeck.claudia at web.de>> wrote:
> >
> >     Hello angr-team,
> >
> >     my name is Claudia Waldeck, I am a Bachelor's student in computer
> >     science at the Ludwig-Maximilians-University in Munich, Germany.
> >
> >     For my Bachelor's thesis I will try to adapt the angr framework to a
> >     further architecture, the 32-bit TriCore microcontroller from Infineon.
> >
> >     I want to know: do you think this is possible within a few weeks (10
> >     weeks), or is it not possible within this time?
> >
> >     I cannot estimate the effort for this, but I think you can. So I ask
> >     for your opinion on this.
> >
> >     Best regards in advance.
> >
> >     Claudia
> >     _______________________________________________
> >     angr mailing list
> >     angr at lists.cs.ucsb.edu <mailto:angr at lists.cs.ucsb.edu>
> >     https://lists.cs.ucsb.edu/mailman/listinfo/angr

-------------- Attachments --------------
waldeck_buf_ov (application/octet-stream, 8643 bytes): <https://lists.cs.ucsb.edu/pipermail/angr/attachments/20170411/79f7f0c5/attachment-0002.obj>
waldeck_buf_ov.c (text, charset unspecified): <https://lists.cs.ucsb.edu/pipermail/angr/attachments/20170411/79f7f0c5/attachment-0002.c>
waldeck_endlessloop (application/octet-stream, 8621 bytes): <https://lists.cs.ucsb.edu/pipermail/angr/attachments/20170411/79f7f0c5/attachment-0003.obj>
waldeck_endlessloop.c (text, charset unspecified): <https://lists.cs.ucsb.edu/pipermail/angr/attachments/20170411/79f7f0c5/attachment-0003.c>
output_angr_CFG_basic_buffer_overflow.png (image/png, 86862 bytes): <https://lists.cs.ucsb.edu/pipermail/angr/attachments/20170411/79f7f0c5/attachment-0006.png>
output_angr_CFG_endlessloop.png (image/png, 4707 bytes): <https://lists.cs.ucsb.edu/pipermail/angr/attachments/20170411/79f7f0c5/attachment-0007.png>
output_angr_CFGAccurate_basic_buffer_overflow.png (image/png, 52860 bytes): <https://lists.cs.ucsb.edu/pipermail/angr/attachments/20170411/79f7f0c5/attachment-0008.png>
output_angr_path_group_run_bufferOverflow.png (image/png, 105661 bytes): <https://lists.cs.ucsb.edu/pipermail/angr/attachments/20170411/79f7f0c5/attachment-0009.png>
output_angr_pathgroup_endlessloop.png (image/png, 9885 bytes): <https://lists.cs.ucsb.edu/pipermail/angr/attachments/20170411/79f7f0c5/attachment-0010.png>
output_angr_VFG_basic_buffer_overflow.png (image/png, 115003 bytes): <https://lists.cs.ucsb.edu/pipermail/angr/attachments/20170411/79f7f0c5/attachment-0011.png>

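Editor's added example (not code from the mail thread and not part of the angr project) of the kind of script the question above asks for: it drives angr over a small binary and reports the three places where a stack overflow or a runaway loop actually becomes visible to symbolic execution. It assumes the binary reads its input from stdin and reuses the attachment name "waldeck_buf_ov" only as a placeholder; it uses today's SimulationManager API, where proj.factory.simulation_manager() and simgr.run() are the successors of the path_group and path_group.run() named in the mail. Two caveats explain the "only 23 bytes" observation: angr emulates the machine rather than tracking object bounds, so an overflow that stays inside the frame (clobbering padding or other locals) is not an error to it, and a state whose program counter became fully symbolic (return address overwritten by symbolic input) is silently discarded unless the manager is created with save_unconstrained=True. Loops are handled by the LoopSeer exploration technique, which parks a state in a "spinning" stash once it has iterated one loop more than a chosen bound, instead of running forever.

```python
"""Surface stack overflows and runaway loops in a binary with angr.

Added example for this thread; neither code from the original mail nor part
of angr. Assumptions: the binary reads stdin, the name "./waldeck_buf_ov" is
a placeholder, and the current SimulationManager API is available.
"""
from dataclasses import dataclass, field


@dataclass
class BugReport:
    """Plain-Python result so it can be inspected (and tested) without angr."""
    hijacks: list = field(default_factory=list)   # (last block addr, stdin bytes) where pc turned symbolic
    faults: list = field(default_factory=list)    # (block addr, error text) from the errored stash
    spinning: list = field(default_factory=list)  # block addrs of loops that hit the iteration bound

    def is_clean(self):
        return not (self.hijacks or self.faults or self.spinning)


def summarize(errored, unconstrained, spinning):
    """Fold the three stashes of interest into a BugReport.

    errored       -> angr ErrorRecord objects (.state, .error)
    unconstrained -> states whose program counter is fully symbolic; angr
                     discards these unless save_unconstrained=True, which is
                     why an overwritten return address can stay invisible
    spinning      -> states parked by LoopSeer after `bound` iterations
    Only attribute access is used, so stand-in objects work as well.
    """
    report = BugReport()
    for rec in errored:
        report.faults.append((rec.state.addr, str(rec.error)))
    for st in unconstrained:
        # The concrete stdin that reached this state is the reproducer.
        report.hijacks.append((st.history.addr, st.posix.dumps(0)))
    for st in spinning:
        report.spinning.append(st.addr)
    return report


def analyze(binary, loop_bound=50):
    """Run angr over `binary` and return a BugReport."""
    import angr  # deferred so the report helpers import without angr installed

    proj = angr.Project(binary, auto_load_libs=False)  # libc calls become SimProcedures
    state = proj.factory.entry_state(add_options={
        angr.options.STRICT_PAGE_ACCESS,              # unmapped access faults instead of silently succeeding
        angr.options.ZERO_FILL_UNCONSTRAINED_MEMORY,  # no symbolic noise from memory the program never wrote
    })
    # save_unconstrained=True keeps states whose pc became symbolic; by default they are dropped.
    simgr = proj.factory.simulation_manager(state, save_unconstrained=True)
    cfg = proj.analyses.CFGFast()
    # Park any state that iterates one loop more than loop_bound times in the
    # "spinning" stash instead of letting symbolic execution run forever.
    simgr.use_technique(angr.exploration_techniques.LoopSeer(cfg=cfg, bound=loop_bound))
    simgr.run()
    return summarize(simgr.errored, simgr.unconstrained, simgr.stashes.get("spinning", []))


if __name__ == "__main__":
    import sys
    rep = analyze(sys.argv[1] if len(sys.argv) > 1 else "./waldeck_buf_ov")
    for addr, err in rep.faults:
        print(f"memory fault at {addr:#x}: {err}")
    for addr, stdin in rep.hijacks:
        print(f"symbolic pc after block {addr:#x}; stdin reproducer: {stdin!r}")
    for addr in rep.spinning:
        print(f"loop at {addr:#x} exceeded the iteration bound (possible endless loop)")
    print("no findings" if rep.is_clean() else "findings listed above")
```

Run it as `python3 find_bugs.py ./waldeck_buf_ov` (hypothetical file name). A finding in `hijacks` is the strongest signal for an overflow, because it comes with the stdin bytes that corrupt the return address; a finding in `faults` usually means a corrupted pointer was dereferenced before the function returned; a finding in `spinning` is only a candidate for an endless loop, since a legitimate loop that iterates more than `loop_bound` times lands there too, so the bound should be raised for confirmation.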