Angry Hacking

How angr pwned CTFs and the CGC

Motivation 6 mins

Fundamentals of angr 3 mins

Pure awesomeness

angr modules 7 mins

Symbolic execution

Static analysis

angr applications 25 mins

"Crypto" challenge

Rop gadget finder

Executing arbitrary code

Cyber Grand Challenge

Open source! 3 minutes

http://angr.io

Credits

Why angr?

BAP

BitBlaze

amoco

BARF

Bindead

Triton

CodeReason

radare2

PySysEmu

miasm

paimei

insight

rdis

SemTrax

JARVIS

Jakstab

vivisect

2005 Hex-Rays was founded

2015 ???

2007 Hex-Rays Decompiler 1.0

2009 Hex-Rays IDA 5.5

2013 Hex-Rays IDA 6.4

2011 Hex-Rays IDA 6.1

Fundamentals of angr

• iPython-accessible
• powerful analyses
• versatile
• well-encapsulated
• open and expandable
• architecture "independent"
• x86, amd64, mips, mips64, arm, aarch64, ppc, ppc64

Static Analysis Routines

Symbolic Execution Engine

Control-Flow Graph

Data-Flow Analysis

Binary Loader

Value-Set Analysis

angr

ARE YOU READY FOR THE ANGRY POWER?

Symbolic execution

"How do I trigger path X or condition Y?"

​

• Dynamic analysis
• Input A? No. Input B? No. Input C? …
• Based on concrete inputs to application.
• (Concrete) static analysis
• "You can't"/"You might be able to"
• Based on various static techniques.

​

We need something slightly different.

"How do I trigger path X or condition Y?"

​

• Interpret the application.
• Track "constraints" on variables.
• When the required condition is triggered, "concretize" to obtain a possible input.

Constraint solving:

​

• Conversion from set of constraints to set of concrete values that satisfy them.
• NP-complete, in general.

Concretize

x = int(input())

if x >= 10:

if x < 100:

print "Two!"

else:

print "Lots!"

else:

print "One!"

​

x = int(input())

if x >= 10:

if x < 100:

print "Two!"

else:

print "Lots!"

else:

print "One!"

x = int(input())

if x >= 10:

if x < 100:

print "Two!"

else:

print "Lots!"

else:

print "One!"

x = int(input())

if x >= 10:

if x < 100:

print "Two!"

else:

print "Lots!"

else:

print "One!"

x = int(input())

if x >= 10:

if x < 100:

print "Two!"

else:

print "Lots!"

else:

print "One!"

x = int(input())

if x >= 10:

if x < 100:

print "Two!"

else:

print "Lots!"

else:

print "One!"

Static analysis

In [1]: import angr

​

In [2]: p = angr.Project("fauxware")

​

In [3]: cfg = p.analyses.CFG()

​

In [4]: print len(cfg.graph.nodes())

78

​

​

I want a faster CFG...

Check out GirlScout!

Umm... what’s BoyScout?

Value-Set Analysis (VSA)

Example

​

What is rbx in the yellow square?

cmp rbx, 0x1024

ja _OUT

cmp [rax+rbx], 1337

je _OUT

add rbx, 4

rbx?

mov rax, 0x400000

mov rbx, 0

Symbolic execution: state explosion

Naive static analysis: "anything"

Range analysis: "< 0x1024"

Can we do better?

Value Set Analysis - Strided Intervals

​

4[0x100, 0x120],32

High

Size

Example

​

What is rbx in the yellow square?

cmp rbx, 0x1024

ja _OUT

cmp [rax+rbx], 1337

je _OUT

add rbx, 4

rbx?

mov rax, 0x400000

mov rbx, 0

Widen

Narrow

1

2

3

4

5

6

• Limited variable relation analysis

extended Value-Set Analysis (VSA)

mov rcx, rax

dec rax

cmp rax, 5

je Left

Left

...

Right

...

rax == 5

• Limited variable relation analysis

extended Value-Set Analysis (VSA)

mov rcx, rax

dec rax

cmp rax, 5

je Left

Left

...

Right

...

rax == 5

rcx == 6

• Signedness-agnostic

Wrapped-interval analysis

​

​

extended Value-Set Analysis (VSA)

Jorge A. Navas

Peter Schachte

Harald Sondergaard

Peter J. Stuckey

angr applications

ROP gadget finder

"Crypto" Challenge!

Executing arbitrary code

rxc: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.24, stripped

​

We got some suspected ROP chains from the traffic!

rxc: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.24, stripped

​

Calling the tea_encipher() function

tea_encipher(info_block* info, void* data, int size);

Binary diffing

Cyber Grand Challenge

CB�vulnerable program

RB�patched program

POV�exploit

Cyber�Reasoning�System

CB

Proposed�RBs

Proposed�POVs

Autonomous vulnerability scanning

Shellphish CRS

Autonomous service resiliency

PCAP

Test cases

POV

RB

Autonomous processing

Autonomous patching

Program

Symbolic �inputs

Symbolic

execution engine

Security policies

Security

policy checker

POVs

Open Source

Major contributors:

• Zardus - Yan Shoshitaishvili
• Fish - Ruoyu Wang
• kereoz - Christophe Hauser
• rhelmot - Andrew Dutcher
• nezorg - John Grosen
• salls - Chris Salls

Special thanks to:

• our professors
• DARPA VET Project
• DARPA Cyber Grand Challenge

Open angr!

​

• http://angr.io
• https://github.com/angr
• angr@lists.cs.ucsb.edu

​

Pull requests, issues, questions, etc super-welcome! Let's bring on the next generation of binary analysis!

Birthday: September 2013

Total line numbers: 59950

Total commits: ALMOST 9000!! (actually ~6000)

Draft and backups

• motivation (keep it quick) - 6 mins
• "In the beginning, there was IDA. However, as the field of binary security advanced, there is now … still IDA?"
• We need something more!
• There are a few solutions, but they all suffer from lacking one of: cross-platform, open, active, usable.
• angr fundamentals - 3 mins
• power (state-of-the-art)
• ease of use (abstraction)
• expandable, cross-platform, blah blah
• main components - 20 minutes
• introduce a demo: some combination of a crackme and a pwnable
• symbolic execution (slides + demo)
• the demo should get us past the crackme portion using angr's symbolic execution
• VSA (slides + demo)
• the demo should allow us to identify an overflow to pwn
• dynamic execution (slides + demo)
• we'll demo a shellcode that's used to exploit the overflow
• angr applications - 10 minutes
• rop gadget finder (demo)
• binary diffing
• Cyber Grand Challenge
• open source! - 3 minutes
• http://angr.io
• Credits