University Security Lab Gets angr(y) – Makes it Easy to Analyze Binaries

Following the fallout of the Mirai botnet, security has risen to the top of the agenda for organizations buying connected devices. They now understand the need to analyze IoT device code for lingering vulnerabilities. But IoT firmware ships as compiled binaries, and vendors typically do not share the source code, so security teams must find their own way to analyze the binary code or remain exposed to criminals exploiting flaws the buyer never got to see. Anyone who wants to analyze IoT devices for vulnerabilities therefore needs a good binary analysis tool.

The researchers at the University of California, Santa Barbara (UCSB) Security Lab (led by Lastline co-founders Dr. Giovanni Vigna and Dr. Christopher Kruegel) are also interested in finding bugs in software and publishing their findings. With that in mind, they needed a system for performing static analysis and symbolic execution on binary code.

Generally, the goals of binary analysis are as follows:

  • Program verification
  • Program testing
  • Vulnerability excavation
  • Vulnerability signature generation
  • Reverse engineering
  • Exploit generation

angr – Binary Analysis

The result: the UCSB team created angr – an open-source Python-based framework for analyzing binaries. Now, those who buy mission critical devices and software components can independently analyze them first without access to the source code (as mentioned above, vendors traditionally don’t hand that over). This can go a long way to avoid another Mirai-botnet scenario.

angr is a highly modular Python framework that performs binary analysis using VEX (the intermediate representation of the Valgrind project, which angr lifts machine code into) as its intermediate representation. (The name “angr” is a pun on VEX, since, you know, when something is vexing it makes you angry.) It is made of many interlocking parts that provide useful abstractions for analysis: a loader for the binary and its libraries, the VEX lifter, a symbolic execution engine, and a constraint solver for reasoning about the symbolic values that engine produces. And because universities are not in the business of selling the technology they develop, the UCSB Security Lab has made angr openly available.

What can you do with angr? In short, analyze a lot of binaries. More specifically, you can perform:

  • Symbolic execution
  • Built-in analyses: CFG, BinDiff, Disassembly, Backward-Slice, Data-Flow Analysis, Value-Set Analysis, etc.
  • Binary rewriting
  • Type inference
  • Symbolically-assisted fuzzing (Driller)
  • Automatic exploit generation
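The two capabilities a practitioner reaches for first are the static CFG recovery and the symbolic execution described above. The script below is an added illustration of how those are driven from Python; it is not code from the original post or from the angr project. It assumes angr is installed (pip install angr), that you supply a path to a target binary, and that you already know, for example from a disassembler listing, the address you want execution to reach and any addresses (a failure branch, an abort) that should be pruned; the function and variable names are this example's own.

```python
"""Recover a CFG for a binary, then solve for a stdin that reaches a target address.

Added example (not from the original post or the angr project). Assumes:
  - angr and claripy are installed,
  - `binary_path` points at a real executable,
  - `find_addr` / `avoid_addrs` are addresses taken from your own disassembly.
"""
import os
import sys

# Size of the symbolic stdin buffer in bytes; raise it if the target reads more.
STDIN_LEN = 32


def summarize_cfg(binary_path):
    """Static CFG recovery. Returns (number_of_functions, number_of_basic_blocks)."""
    import angr  # imported lazily so the module loads even where angr is absent

    proj = angr.Project(binary_path, auto_load_libs=False)
    cfg = proj.analyses.CFGFast()  # static recovery, no symbolic execution involved
    return len(proj.kb.functions), cfg.graph.number_of_nodes()


def solve_for_input(binary_path, find_addr, avoid_addrs=(), stdin_len=STDIN_LEN):
    """Symbolically execute from the entry point until `find_addr` is reached.

    Returns the concrete stdin bytes that steer execution there, or None when
    every path was pruned by `avoid_addrs` or the state space was exhausted.
    Raises FileNotFoundError before touching angr if the binary does not exist.
    """
    if not os.path.isfile(binary_path):
        raise FileNotFoundError(binary_path)

    import angr
    import claripy

    proj = angr.Project(binary_path, auto_load_libs=False)

    # Fully symbolic stdin: each byte is a free 8-bit variable the solver may choose.
    sym_stdin = claripy.BVS("stdin", 8 * stdin_len)
    state = proj.factory.entry_state(stdin=sym_stdin)

    # Explore paths; states that hit an avoid address are dropped, the first
    # state to hit find_addr stops the search.
    simgr = proj.factory.simulation_manager(state)
    simgr.explore(find=find_addr, avoid=list(avoid_addrs))

    if not simgr.found:
        return None
    found = simgr.found[0]
    # Ask the solver for one concrete stdin satisfying the path constraints.
    return found.solver.eval(sym_stdin, cast_to=bytes)


if __name__ == "__main__":
    # usage: python solve.py <binary> <find_addr> [avoid_addr ...]   (addresses as 0x...)
    if len(sys.argv) < 3:
        sys.exit("usage: solve.py <binary> <find_addr> [avoid_addr ...]")
    path = sys.argv[1]
    find = int(sys.argv[2], 0)
    avoid = [int(a, 0) for a in sys.argv[3:]]
    funcs, blocks = summarize_cfg(path)
    print(f"CFG: {funcs} functions, {blocks} basic blocks")
    print("stdin reaching target:", solve_for_input(path, find, avoid))
```

Two practical notes. `auto_load_libs=False` keeps the shared libraries out of the analysis, which is what you want for a first pass on firmware: angr substitutes summaries for common libc calls, and loading the real libraries mostly adds paths. And the `avoid` list matters as much as `find`: without it, symbolic execution happily explores every failure branch, and on anything larger than a toy the state count explodes long before the interesting address is reached.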

Other binary analysis tooling exists, including the Binary Analysis Platform (BAP) and intermediate representations such as REIL (the Reverse Engineering Intermediate Language), VEX itself, and TCG (QEMU's Tiny Code Generator). Each covers elements of what angr does, but none consolidates it all in one place, and they are neither as widely deployed nor as easy to use.

GitHub

The proof is in the pudding – corporations (e.g. Cisco, Huawei), universities, researchers, and even government agency labs are using it. In fact, on GitHub the project has been starred more than two thousand times and has been forked almost four hundred times.

This kind of widespread acceptance of the angr platform is an indication of how technological research, when provided as open source, is at the very forefront of protecting our ever-increasingly connected world.

Giovanni Vigna

Giovanni Vigna is one of the founders and CTO of Lastline as well as a Professor in the Department of Computer Science at the University of California, Santa Barbara. His current research interests include malware analysis, web security, vulnerability assessment, and mobile phone security. He also edited a book on Security and Mobile Agents and authored one on Intrusion Correlation. He has been the Program Chair of the International Symposium on Recent Advances in Intrusion Detection (RAID 2003), of the ISOC Symposium on Network and Distributed Systems Security (NDSS 2009), and of the IEEE Symposium on Security and Privacy in 2011. He is known for organizing and running an inter-university Capture The Flag hacking contest, called iCTF, that every year involves dozens of institutions around the world. Giovanni Vigna received his M.S. with honors and Ph.D. from Politecnico di Milano, Italy, in 1994 and 1998, respectively. He is a member of IEEE and ACM.