University Security Lab Gets angr(y) – Makes it Easy to Analyze Binaries
Following the fallout of the Mirai botnet, security has risen to the top of the agenda for organizations buying connected devices. Organizations now understand the need to analyze IoT device code for lingering vulnerabilities. However, IoT firmware ships as binaries, and vendors typically don’t share the source code. So security teams are left to find their own way to analyze the binary code or remain susceptible to criminals exploiting vulnerabilities. As a result, anyone who wants to analyze IoT devices for vulnerabilities needs a good binary analysis tool.
The researchers at the University of California Santa Barbara (UCSB) Security Lab (led by Lastline co-founders Dr. Giovanni Vigna and Dr. Christopher Kruegel) are also interested in finding bugs in software and publishing their findings. With that in mind, they needed a system for performing static analysis and symbolic execution on binary code.
Generally, the goals of binary analysis are as follows:
- Program verification
- Program testing
- Vulnerability excavation
- Vulnerability signature generation
- Reverse engineering
- Exploit generation
The result: the UCSB team created angr – an open-source Python-based framework for analyzing binaries. Now, those who buy mission-critical devices and software components can independently analyze them first without access to the source code (as mentioned above, vendors traditionally don’t hand that over). This can go a long way toward avoiding another Mirai-botnet scenario.
angr is a highly modular Python framework that performs binary analysis using VEX as an intermediate representation. (The name “angr” is a pun on VEX, since, you know, when something is vexing it makes you angry). It is made of many interlocking parts to provide useful abstractions for analysis. And because universities are not in the business of selling the technology they develop, the UCSB Security Lab has made angr openly available.
What can you do with angr? In short, analyze a lot of binaries. More specifically, you can perform:
- Symbolic execution
- Built-in analyses: CFG, BinDiff, Disassembly, Backward-Slice, Data-Flow Analysis, Value-Set Analysis, etc.
- Binary rewriting
- Type inference
- Symbolically-assisted fuzzing (Driller)
- Automatic exploit generation
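To make the symbolic-execution idea above concrete, here is a small added example (written for this post, not code from angr or the UCSB team). It lifts a constructed five-instruction program into a toy IR standing in for VEX, runs it with one symbolic input byte, forks at every branch while recording path constraints, prunes paths whose constraints are unsatisfiable, and asks a solver which concrete inputs reach an unsafe sink. The "solver" is a brute-force sweep over 256 byte values, standing in for the SMT solver angr delegates to; the program, its labels and the "crash" sink are all constructed for illustration.

```python
"""Toy symbolic executor over a tiny IR (constructed for illustration).

This is not angr and the IR is not VEX; it mimics the workflow: lift a
program into an IR, execute it with a symbolic input, fork at branches,
collect path constraints, prune unsatisfiable states, and solve the
constraints of any path that reaches an unsafe sink.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

# A path constraint: a human-readable label plus a predicate over the input byte.
Constraint = Tuple[str, Callable[[int], bool]]


@dataclass
class State:
    """One symbolic state: a program counter and the constraints gathered so far."""
    pc: int
    constraints: List[Constraint] = field(default_factory=list)


def solve(constraints: List[Constraint], domain=range(256)) -> List[int]:
    """Brute-force stand-in for an SMT solver: every input byte satisfying all constraints."""
    return [x for x in domain if all(pred(x) for _, pred in constraints)]


def explore(program):
    """Depth-first symbolic exploration.

    Returns (crashes, halts): crashes is a list of (sink_label, state) for
    every feasible path that reaches a "crash" instruction; halts is the
    list of states that reached "halt". States whose constraints have no
    solution are dropped, as a real engine would prune unsat paths.
    """
    work = [State(pc=0)]
    crashes, halts = [], []
    while work:
        st = work.pop()
        if not solve(st.constraints):
            continue  # infeasible path: prune instead of exploring further
        op = program[st.pc]
        kind = op[0]
        if kind == "branch":
            _, label, pred, target = op
            taken = State(target, st.constraints + [(label, pred)])
            # Default argument binds this branch's predicate, avoiding late-binding closures.
            not_taken = State(st.pc + 1, st.constraints + [("not " + label, lambda x, p=pred: not p(x))])
            work.extend([taken, not_taken])
        elif kind == "crash":
            crashes.append((op[1], st))
        elif kind == "halt":
            halts.append(st)
        else:
            raise ValueError(f"unknown IR op {kind!r}")
    return crashes, halts


def find_crashing_inputs(program) -> Dict[str, List[int]]:
    """Map each reachable sink label to the concrete input bytes that reach it."""
    crashes, _ = explore(program)
    result: Dict[str, List[int]] = {}
    for label, st in crashes:
        result.setdefault(label, []).extend(solve(st.constraints))
    return result


# Constructed sample program in the toy IR:
#   ("branch", label, predicate, target)  -> jump to target if predicate(x), else fall through
#   ("crash", label)                      -> unsafe sink (think: an unchecked length used in a copy)
#   ("halt",)                             -> clean exit
# The sink is reachable only when the input is >= 0x80 AND its low nibble is 0xA.
PROGRAM = [
    ("branch", "x < 0x80", lambda x: x < 0x80, 4),
    ("branch", "(x & 0xf) != 0xa", lambda x: (x & 0xf) != 0xa, 4),
    ("crash", "unchecked length field"),
    ("halt",),
    ("halt",),
]

if __name__ == "__main__":
    for label, inputs in find_crashing_inputs(PROGRAM).items():
        print(f"sink {label!r} reachable with inputs: {[hex(v) for v in inputs]}")
```

The value for a defender is the path condition itself: for each unsafe sink the explorer hands back both the constraints that lead there and concrete inputs that satisfy them, which is exactly what turns "this copy might be unchecked" into a reproducible test case and a patch-verification input once the vendor ships a fix.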
There are other binary analysis tools available (including the Binary Analysis Platform [BAP], the Reverse Engineering Intermediate Language [REIL], VEX, and QEMU's Tiny Code Generator [TCG]) that perform elements of what angr does, but they don’t consolidate it all in one place and are not as widely deployed or as easy to use.
The proof is in the pudding – corporations (e.g. Cisco, Huawei), universities, researchers, and even government agency labs are using it. In fact, if one looks at GitHub, the project has been starred more than two thousand times and has been “forked” almost four hundred times.
This kind of widespread acceptance of the angr platform is an indication of how technological research, when provided as open source, is at the very forefront of protecting our ever-increasingly connected world.