M3. angr: Advancing Next Generation Research into Binary Analysis
Monday, 5 December 2016
08:30 - 12:00
Software is becoming increasingly complex, and vulnerabilities more subtle. Better approaches are required to effectively analyze modern binaries, efficiently identify deeply buried defects, and intelligently assist human analysts with specific software reversing tasks. Many good binary analysis techniques have recently emerged from both academia and industry, and a large number of them apply directly to real-world binary research tasks.
However, without a flexible and approachable binary analysis platform, testing and applying these techniques is difficult.
angr is a next-generation binary analysis platform developed by the SecLab at the University of California, Santa Barbara. It is flexible, easy to work with, cross-platform and cross-architecture, and many techniques from academia are already implemented inside it. In this course we will start with the fundamental underpinnings of angr: dynamic symbolic execution and static binary analysis. We will then demonstrate best practices for symbolic execution and data dependence tracking in angr. Finally, we will show how angr can assist in bug hunting. All demos will be performed on CTF challenges and real-world programs.
Prerequisites:
· Comfortable working with Python, both through Python scripts and the IPython interactive shell.
· A working knowledge of x86/x64 assembly.
· Basic knowledge of binary analysis and reversing, both static analysis techniques and dynamic approaches.
Outline:
1. Binary analysis 101
a. Goals of binary analysis
b. Introduction to binary analysis techniques
2. Introduction to angr
a. Fundamentals of angr
b. Using angr from a Python interactive interface
c. Loading a binary with angr
d. Loading a binary with libraries
e. Static analysis: CFG recovery
f. Introduction to symbolic execution
g. Symbolic execution demo
3. Performing basic binary analysis tasks
a. CFG refinement
b. Using symbolic execution to solve CTF challenges
c. Effectively using symbolic execution to audit functions (angr-assisted or human-assisted)
d. Binary exploitation
e. Automatic ROP chain generation
4. Bug hunting
a. Querying data dependence graphs
b. Vulnerability discovery with static analysis results
c. Vulnerability discovery with symbolic execution
5. Best practices
a. What can be solved with symbolic execution?
b. What is symbolic execution good for?
c. Dealing with hard transformation routines
d. Performing symbolic execution efficiently
6. Digging deeper
a. angr internals: claripy
b. angr internals: SimuVEX
c. How to develop on angr
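To make the mechanics behind items 2f, 2g and 5a concrete, here is an added teaching example; it is not angr's code and not the instructors' material. It reproduces, in miniature, the loop angr runs over VEX IR: a state carries a program counter, a register file of symbolic expressions and a list of path constraints; every conditional branch forks the state; a solver decides which forks are feasible and, at the goal, produces concrete inputs. Everything here is an assumption for illustration: the toy byte-register IR, its instruction names, the crackme program, and the brute-force "solver" that stands in for claripy and Z3.

```python
"""Toy dynamic symbolic execution (DSE) engine over an invented byte-register IR.

Added example, not angr code.  The solver is brute force over 8-bit inputs,
standing in for an SMT solver; the IR and the crackme are constructed here.
"""
from collections import deque
from itertools import product

MASK = 0xFF  # every value is one byte


# An expression is an int (concrete), a str (symbolic input name) or an
# ("op", lhs, rhs) tuple.  Fully concrete operations are folded eagerly.
def mk(op, a, b):
    if isinstance(a, int) and isinstance(b, int):
        return evaluate((op, a, b), {})
    return (op, a, b)


def evaluate(expr, env):
    """Evaluate an expression under a concrete assignment env: name -> int."""
    if isinstance(expr, int):
        return expr & MASK
    if isinstance(expr, str):
        return env[expr]
    op, a, b = expr
    x, y = evaluate(a, env), evaluate(b, env)
    if op == "add":
        return (x + y) & MASK
    if op == "xor":
        return x ^ y
    if op == "and":
        return x & y
    raise ValueError("unknown op %r" % op)


def solve(constraints, inputs):
    """Brute-force stand-in for an SMT solver: return byte values for the symbolic
    inputs satisfying every (lhs, rhs, must_be_equal) constraint, else None."""
    for values in product(range(256), repeat=len(inputs)):
        env = dict(zip(inputs, values))
        if all((evaluate(l, env) == evaluate(r, env)) == eq
               for l, r, eq in constraints):
            return env
    return None


class State:
    """One path under exploration: pc, symbolic registers, path constraints."""
    def __init__(self, pc=0, regs=None, constraints=None, inputs=None):
        self.pc = pc
        self.regs = dict(regs or {})
        self.constraints = list(constraints or [])
        self.inputs = list(inputs or [])

    def val(self, operand):
        return self.regs[operand] if isinstance(operand, str) else operand

    def fork(self, pc, constraint):
        return State(pc, self.regs, self.constraints + [constraint], self.inputs)


def step(state, prog):
    """Symbolically execute the instruction at state.pc; return successor states."""
    ins = prog[state.pc]
    op = ins[0]
    if op == "input":                       # fresh, unconstrained symbolic byte
        name = ins[1]
        state.regs[name] = name
        state.inputs.append(name)
        state.pc += 1
        return [state]
    if op in ("add", "xor", "and"):         # dst = a op b, kept symbolic
        _, dst, a, b = ins
        state.regs[dst] = mk(op, state.val(a), state.val(b))
        state.pc += 1
        return [state]
    if op == "jne":                         # conditional branch: fork the state
        _, a, b, target = ins
        lhs, rhs = state.val(a), state.val(b)
        taken = state.fork(target, (lhs, rhs, False))
        fallthrough = state.fork(state.pc + 1, (lhs, rhs, True))
        # Prune forks whose accumulated constraints are contradictory, as angr
        # does with a satisfiability query at each branch.
        return [s for s in (taken, fallthrough)
                if solve(s.constraints, s.inputs) is not None]
    return []                               # "win" / "fail" are terminal


def explore(prog, goal="win"):
    """Breadth-first exploration until a path reaches the goal instruction.
    Returns (concrete inputs reaching it, or None; number of states stepped)."""
    work, stepped = deque([State()]), 0
    while work:
        state = work.popleft()
        stepped += 1
        if prog[state.pc][0] == goal:
            return solve(state.constraints, state.inputs), stepped
        work.extend(step(state, prog))
    return None, stepped


def concrete_run(prog, env):
    """Plain interpreter: run prog on concrete inputs, return the terminal's name."""
    regs, pc = {}, 0
    val = lambda o: regs[o] if isinstance(o, str) else o
    while True:
        ins = prog[pc]
        if ins[0] == "input":
            regs[ins[1]] = env[ins[1]]
            pc += 1
        elif ins[0] in ("add", "xor", "and"):
            regs[ins[1]] = evaluate((ins[0], val(ins[2]), val(ins[3])), {})
            pc += 1
        elif ins[0] == "jne":
            pc = ins[3] if val(ins[1]) != val(ins[2]) else pc + 1
        else:
            return ins[0]


FAIL = 8
CRACKME = [                        # constructed two-byte crackme (assumption)
    ("input", "a"),                # 0
    ("input", "b"),                # 1
    ("xor", "t", "a", 0x5A),       # 2  t = a ^ 0x5A
    ("add", "u", "b", 3),          # 3  u = b + 3
    ("jne", "t", "u", FAIL),       # 4  check 1: t == u
    ("add", "v", "a", "b"),        # 5  v = a + b
    ("jne", "v", 0x5F, FAIL),      # 6  check 2: v == 0x5F
    ("win",),                      # 7
    ("fail",),                     # 8
]

if __name__ == "__main__":
    inputs, n = explore(CRACKME)
    print("states stepped:", n, "inputs:", inputs,
          "->", concrete_run(CRACKME, inputs))
```

Two points from the course outline show up directly here: the exploration is only as good as the solver (replace the brute-force loop with a real SMT solver and the same engine handles wider inputs), and a "hard transformation routine" in the sense of item 5c is exactly an expression the solver cannot invert efficiently, which is why a practitioner hooks such routines or concretizes their inputs rather than letting the path constraints grow.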
About the Instructors:
Yan Shoshitaishvili and Fish Wang are PhD students in the security lab of UC Santa Barbara. When they're not slacking or participating in Capture the Flag competitions, they try to advance the state of the art in binary analysis. Their work has been published in numerous academic venues. For example, in 2013 they created MovieStealer, a tool that automatically breaks the DRM of streaming media services [1]. In 2015 they followed this up with an analysis of backdoors in embedded devices [2], and in 2016 they proposed a new vulnerability discovery technique [3] and carried out a comparative survey of the existing state of the art in the field [4]. As members of Shellphish, one of the top CTF teams, they have played many CTFs and solved many binary challenges, and angr was of great help on many of them.
1. Wang, R., Shoshitaishvili, Y., Kruegel, C., & Vigna, G. (2013). Steal This Movie: Automatically Bypassing DRM Protection in Streaming Media Services. In Proceedings of the 22nd USENIX Security Symposium (USENIX Security 13) (pp. 687–702).
2. Shoshitaishvili, Y., Wang, R., Hauser, C., Kruegel, C., & Vigna, G. (2015). Firmalice: Automatic Detection of Authentication Bypass Vulnerabilities in Binary Firmware. In Proceedings of the Network and Distributed System Security Symposium (NDSS) (pp. 8–11). Internet Society.
3. Stephens, N., Grosen, J., Salls, C., Dutcher, A., Wang, R., Corbetta, J., … Vigna, G. (2016). Driller: Augmenting Fuzzing Through Selective Symbolic Execution. In Proceedings of the Network and Distributed System Security Symposium (NDSS).
4. Shoshitaishvili, Y., Wang, R., Salls, C., Stephens, N., Polino, M., Dutcher, A., … Vigna, G. (2016). (State of) The Art of War: Offensive Techniques in Binary Analysis. In Proceedings of the IEEE Symposium on Security and Privacy (pp. 138–157).