[angr] Help with angr

Niddodi, Chaitra chaitra at illinois.edu
Mon Mar 12 18:58:57 PDT 2018


Thanks for the clarification.



Thanks,
Chaitra


-------- Original message --------
From: Audrey Dutcher <audrey at rhelmot.io>
Date: 3/12/18 3:10 PM (GMT-06:00)
To: "Niddodi, Chaitra" <chaitra at illinois.edu>
Cc: angr at lists.cs.ucsb.edu
Subject: Re: [angr] Help with angr

I explained this in the previous email - in order to reduce complexity, angr attempts to model library calls with implementations called SimProcedures instead of letting the binary code present in the shared library execute. This improves analysis tractability substantially, but does mask the list of actual syscalls. If you've provided use_sim_procedures=False, you should see the full list of syscalls, same as strace. The precise list will be different than strace because strace will also log syscalls for setting up the binary, such as the execve to start it and the various mmap commands to map it and its shared libraries into memory, or the syscalls to set up thread local storage, all of which are handled by angr before execution begins. Additionally, because the environment emulated by angr is different than your native host, that might show up as subtle differences at times.

On Sun, Mar 11, 2018 at 8:09 PM, Niddodi, Chaitra <chaitra at illinois.edu> wrote:
Quick question - why does angr not generate the complete set of syscalls like how strace does? Is there a way to get the entire list using angr?

Thanks,
Chaitra
________________________________
From: Audrey Dutcher [audrey at rhelmot.io]
Sent: Sunday, March 11, 2018 4:34 PM

To: Niddodi, Chaitra
Cc: angr at lists.cs.ucsb.edu
Subject: Re: [angr] Help with angr

Hi,

If your binary is dynamically linked, angr will provide its own implementations of many common library functions, called SimProcedures. These implementations are just as privileged as a syscall from angr's point of view, so if the function would normally need to invoke a syscall in order to finish, it will not actually call a syscall since the SimProcedure can just tweak the state at the highest permission level it likes. There is not a mapping available for which procedure implementations "implicitly perform syscalls".

To disable the use of these models, you should provide use_sim_procedures=False to the Project constructor. However, you must have all the dynamic libraries requested by the program available. angr will search in a few places for these, notably in your system libs folders, in the current working directory, and in the same folder as the binary. You can set except_missing_libs=True to throw an exception if any library is not available.

Thanks,
- Audrey

On Sun, Mar 11, 2018 at 2:14 PM, Niddodi, Chaitra <chaitra at illinois.edu> wrote:
I'm trying to use angr to get the list of syscalls from the binary of a simple C code. However, there are no syscalls listed in the output.

This is my test code:


[Screenshot (185).png: the test code was sent as an image attachment and is not reproduced in the text archive]



Where am I going wrong?

Thanks,
Chaitra

________________________________________
From: Audrey Dutcher [audrey at rhelmot.io]
Sent: Wednesday, February 14, 2018 3:24 PM
To: Niddodi, Chaitra
Cc: angr at lists.cs.ucsb.edu
Subject: Re: [angr] Help with angr

Of course - you can just add an instrumentation breakpoint (SimInspect) on syscalls, and you'll be notified whenever there's a syscall. However, "exploring all paths" is rarely a feasible analysis option due to the number of paths being exponential with respect to the number of branches. You could control this state explosion via an exploration technique that decides how to explore the state space, but you may run into issues with environment support - if the decision to call one syscall is based on the output of another syscall for which angr doesn't have a model implemented, that syscall will appear impossible to reach.

On Tue, Feb 13, 2018 at 7:30 PM, Niddodi, Chaitra <chaitra at illinois.edu> wrote:
Hello,

I have a quick question. Using angr, can I get the list of all possible system calls by exploring all paths in the binary?


Thanks,
Chaitra

_______________________________________________
angr mailing list
angr at lists.cs.ucsb.edu
https://lists.cs.ucsb.edu/mailman/listinfo/angr
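The approach Audrey describes in this thread, as an added example that is not code from the thread or from the angr project: a SimInspect breakpoint on the "syscall" event records every syscall angr reaches with use_sim_procedures=False and except_missing_libs=True, and a small helper explains the gap between that set and an strace log by separating the process-setup syscalls (execve, mmap, TLS setup) that angr handles before execution begins from names that genuinely need a closer look. SETUP_SYSCALLS and SAMPLE_STRACE are my own constructed assumptions.

```python
import re

# Syscalls strace logs while the kernel/loader set up the process (execve, mapping
# the binary and its libraries, TLS setup). angr does that work itself before
# execution begins, so they never appear in its list even with use_sim_procedures=False.
# Assumption: a typical x86-64 Linux set, not a complete one.
SETUP_SYSCALLS = {"execve", "brk", "arch_prctl", "access", "mmap", "munmap",
                  "mprotect", "set_tid_address", "set_robust_list", "prlimit64"}
# openat/read/fstat/close are left out on purpose: the loader uses them, but so
# may the program, so they are reported as "unexplained" for manual review.
STRACE_LINE = re.compile(r"^(\w+)\(")

# Constructed strace excerpt of a hello-world binary (not a real capture).
SAMPLE_STRACE = """\
execve("./hello", ["./hello"], 0x7ffc1a2b3c40 /* 22 vars */) = 0
arch_prctl(ARCH_SET_FS, 0x7f0e2c1d3740) = 0
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f0e2c1d2000
write(1, "hello\\n", 6)                  = 6
exit_group(0)                           = ?
+++ exited with 0 +++
"""

def parse_strace(text):
    """Ordered syscall names; '+++ exited' / '--- SIGxxx' lines do not match."""
    return [m.group(1) for m in map(STRACE_LINE.match, text.splitlines()) if m]

def compare_with_strace(angr_syscalls, strace_text):
    """Split strace-only names into expected process-setup ones and the rest,
    which need a closer look (e.g. a path angr could not reach because an
    earlier syscall has no model, as the thread describes)."""
    angr_set, strace_set = set(angr_syscalls), set(parse_strace(strace_text))
    missing = strace_set - angr_set
    return {
        "setup_only": sorted(n for n in missing if n in SETUP_SYSCALLS),
        "unexplained": sorted(n for n in missing if n not in SETUP_SYSCALLS),
        "angr_only": sorted(angr_set - strace_set),
    }

def collect_syscalls_with_angr(binary_path):
    """Run the real library code (no SimProcedures) and record each syscall name
    from a SimInspect breakpoint; all-paths exploration is exponential in branches."""
    import angr  # imported here so the comparison helpers run without angr
    proj = angr.Project(binary_path, use_sim_procedures=False,
                        except_missing_libs=True)
    seen = set()
    state = proj.factory.entry_state()
    state.inspect.b("syscall", when=angr.BP_BEFORE,
                    action=lambda st: seen.add(st.inspect.syscall_name))
    proj.factory.simulation_manager(state).run()
    return seen
```

Feed `collect_syscalls_with_angr("./hello")` together with the text of `strace ./hello` into `compare_with_strace` to see which strace entries are loader setup and which are actual gaps in the explored paths.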


