[angr] Help with angr

Audrey Dutcher audrey at rhelmot.io
Mon Mar 12 13:10:31 PDT 2018


I explained this in the previous email - in order to reduce complexity,
angr attempts to model library calls with implementations called
SimProcedures instead of letting the binary code present in the shared
library execute. This improves analysis tractability substantially, but
does mask the list of actual syscalls. If you've provided
use_sim_procedures=False, you should see the full list of syscalls, same as
strace. The precise list will be different than strace because strace will
also log syscalls for setting up the binary, such as the execve to start it
and the various mmap commands to map it and its shared libraries into
memory, or the syscalls to set up thread local storage, all of which are
handled by angr before execution begins. Additionally, because the
environment emulated by angr is different than your native host, that might
show up as subtle differences at times.

On Sun, Mar 11, 2018 at 8:09 PM, Niddodi, Chaitra <chaitra at illinois.edu>
wrote:

> Quick question - why does angr not generate the complete set of syscalls
> like how strace does? Is there a way to get the entire list using angr?
>
> Thanks,
> Chaitra
> ------------------------------
> *From:* Audrey Dutcher [audrey at rhelmot.io]
> *Sent:* Sunday, March 11, 2018 4:34 PM
>
> *To:* Niddodi, Chaitra
> *Cc:* angr at lists.cs.ucsb.edu
> *Subject:* Re: [angr] Help with angr
>
> Hi,
>
> If your binary is dynamically linked, angr will provide its own
> implementations of many common library functions, called SimProcedures.
> These implementations are just as privileged as a syscall from angr's
> point of view, so if the function would normally need to invoke a syscall
> in order to finish, it will not actually call a syscall since the
> SimProcedure can just tweak the state at the highest permission level it
> likes. There is not a mapping available for which procedure implementations
> "implicitly perform syscalls".
>
> To disable the use of these models, you should provide
> use_sim_procedures=False to the Project constructor. However, you must have
> all the dynamic libraries requested by the program available. angr will
> search in a few places for these, notably in your system libs folders, in
> the current working directory, and in the same folder as the binary. You
> can set except_missing_libs=True to throw an exception if any library is
> not available.
>
> Thanks,
> - Audrey
>
> On Sun, Mar 11, 2018 at 2:14 PM, Niddodi, Chaitra <chaitra at illinois.edu>
> wrote:
>
>> I'm trying to use angr to get the list of syscalls from the binary of a
>> simple C code. However, there are no syscalls listed in the output.
>>
>> This is my test code:
>>
>>
>>
>>
>> Where am I going wrong?
>>
>> Thanks,
>> Chaitra
>>
>> ________________________________________
>> From: Audrey Dutcher [audrey at rhelmot.io]
>> Sent: Wednesday, February 14, 2018 3:24 PM
>> To: Niddodi, Chaitra
>> Cc: angr at lists.cs.ucsb.edu
>> Subject: Re: [angr] Help with angr
>>
>> Of course - you can just add an instrumentation breakpoint (SimInspect)
>> on syscalls, and you'll be notified whenever there's a syscall. However,
>> "exploring all paths" is rarely a feasible analysis option due to the
>> number of paths being exponential with respect to the number of branches.
>> You could control this state explosion via an exploration technique that
>> decides how to explore the state space, but you may run into issues with
>> environment support - if the decision to call one syscall is based on the
>> output of another syscall for which angr doesn't have a model implemented,
>> that syscall will appear impossible to reach.
>>
>> On Tue, Feb 13, 2018 at 7:30 PM, Niddodi, Chaitra <chaitra at illinois.edu
>> <mailto:chaitra at illinois.edu>> wrote:
>> Hello,
>>
>> I have a quick question. Using angr, can I get the list of all possible
>> system calls by exploring all paths in the binary?
>>
>>
>> Thanks,
>> Chaitra
>>
>> _______________________________________________
>> angr mailing list
>> angr at lists.cs.ucsb.edu<mailto:angr at lists.cs.ucsb.edu>
>> https://lists.cs.ucsb.edu/mailman/listinfo/angr
>>
>>
>
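The two pieces described in this thread (the February reply's SimInspect breakpoint on the `syscall` event, and the March replies' `use_sim_procedures=False` plus `except_missing_libs=True` so the real shared-library code runs instead of SimProcedures) combined into one script. This is an added example, not code posted to the list; `BINARY_PATH` is a placeholder, `max_states` is an arbitrary cap added to keep path explosion bounded, and the `SyscallRecorder` is a plain Python helper so its tally logic can be exercised without angr installed.

```python
"""Record which syscalls angr reaches while exploring a binary.

Added example for the thread above (not from angr or the list posters).
Assumptions: angr is installed for explore_syscalls(); BINARY_PATH is a
placeholder the reader replaces; max_states is an arbitrary safety cap.
"""
from collections import Counter
from types import SimpleNamespace

BINARY_PATH = "/path/to/your/test_binary"  # placeholder, not from the thread


class SyscallRecorder:
    """Breakpoint action: tally every syscall name as a state hits it."""

    def __init__(self):
        self.counts = Counter()
        self.trace = []  # (syscall_name, address) in the order observed

    def on_syscall(self, state):
        # For the 'syscall' inspect event angr fills in state.inspect.syscall_name.
        name = state.inspect.syscall_name
        self.counts[name] += 1
        self.trace.append((name, state.addr))

    def names(self):
        """Sorted unique syscall names seen so far."""
        return sorted(self.counts)


def explore_syscalls(binary=BINARY_PATH, max_states=64):
    """Explore `binary` with real library code and return the recorder.

    angr is imported lazily so SyscallRecorder stays usable on hosts without it.
    """
    import angr  # assumption: angr is installed when this function is called

    proj = angr.Project(
        binary,
        auto_load_libs=True,
        use_sim_procedures=False,   # execute the real shared-library code
        except_missing_libs=True,   # raise instead of silently stubbing a library
    )
    rec = SyscallRecorder()
    state = proj.factory.entry_state()
    # Fire rec.on_syscall just before each syscall is dispatched.
    state.inspect.b("syscall", when=angr.BP_BEFORE, action=rec.on_syscall)

    simgr = proj.factory.simulation_manager(state)
    # Stop once the active set grows past max_states: path count is exponential
    # in branches, so an uncapped run rarely finishes.
    while simgr.active and len(simgr.active) < max_states:
        simgr.step()
    return rec


def demo_recorder():
    """Offline check of the tally logic using constructed stand-in states."""
    rec = SyscallRecorder()
    constructed = [("write", 0x401000), ("write", 0x401010), ("exit_group", 0x401020)]
    for name, addr in constructed:
        fake_state = SimpleNamespace(inspect=SimpleNamespace(syscall_name=name), addr=addr)
        rec.on_syscall(fake_state)
    return rec


if __name__ == "__main__":
    recorder = explore_syscalls()
    for name in recorder.names():
        print(f"{name:<16} {recorder.counts[name]}")
```

Expect the list to differ from `strace` in the way Audrey describes: `execve`, the loader's `mmap` calls and TLS setup never appear because angr's loader performs that work before the entry state exists.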