Inside the snake pit with ‘angr’ Python framework creator
Professor Giovanni Vigna has been lauded as the world’s fourth most influential researcher in cyber security and is the founder of Lastline, a malware protection company.
He is responsible for creating angr, a Python framework for analysing binaries that is used by the US Department of Defence to scan IoT devices before it introduces them to its networks.
In slightly more depth, angr combines both static and dynamic symbolic (‘concolic’) analysis, making it applicable to a variety of tasks.
NOTE: Concolic testing (a portmanteau of concrete and symbolic) is a hybrid software verification technique that performs symbolic execution, a classical technique that treats program variables as symbolic variables, along a concrete execution path driven by particular inputs.
The Computer Weekly Developer Network gained access to Vigna to discuss the mechanics of angr and find out more about how software application development professionals should regard this technology.
CWDN: What is angr & who is it for?
Vigna: Well, angr is a highly modular Python framework that performs binary analysis using VEX as an intermediate representation. The name ‘angr’ is a pun on VEX, since when something is vexing, it makes you angry. It is made of many interlocking parts to provide useful abstractions for analysis. Under the hood, pretty much every primitive operation that angr does is a call into SimuVEX to execute some code.
All IoT firmware is binary and only vendors have the source code. But often, IoT vendors don’t share source code, so security teams are left to find their own way to analyse the binary code. That means that, if you want to analyse IoT devices for vulnerabilities, then you need good binary analysis tools.
Binary analysis goals: program verification; program testing; vulnerability excavation; vulnerability signature generation; reverse engineering; exploit generation.
CWDN: What can we do with angr?
Vigna: In short, analyse a lot of binaries. More specifically, we can perform: symbolic execution; built-in analyses: CFG, BinDiff, Disassembly, Backward-Slice, Data-Flow Analysis; value-set analysis, etc.; binary rewriting; type inference; symbolically-assisted fuzzing (Driller); automatic exploit generation.
CWDN: Why did you create angr?
Vigna: The researchers at the University of California Santa Barbara Security Lab (which I am a part of) were interested in finding bugs in software, in publishing papers about finding bugs in software and wanted there to be a reasonable system for performing static analysis and symbolic execution on binary code.
On a more practical level, for organisations buying connected devices, security has risen to the top of the agenda. With the creation of angr, those buying pieces of firmware/software can now independently analyse it first without getting source code (as mentioned above, vendors don’t traditionally hand that over). This can go a long way to avoid another Mirai-botnet scenario.
CWDN: What is different about angr?
Vigna: There are other binary analysis tools, including Binary Analysis Platform (BAP), Reverse Engineering Intermediate Language (REIL), VEX, TCG – TinyCode, that do elements of what angr does, but they don’t consolidate it all in one place and are not as widely or as easily used.
The proof is in the pudding – Cisco, Huawei, universities, researchers and even government research labs are using it. As a more specific example, the DoD uses it to analyse the hardware that it buys.
CWDN: Who can use (& get) angr?
Vigna: Thanks for asking. angr is an open source solution and can be found at angr.io. In over 20 years of researching and developing security technology, it has become clear to me that for research to have the most real-world impact, it must be given away, with no strings attached. This helps the technology to drive innovation, and means that there is less resistance to adopting it. Ultimately, I think it helps to make software better. Plus, as it is university-owned property, it doesn’t need to make money.