angr Documentation
Search…
README
Introductory Errata
Core Concepts
Built-in Analyses
Advanced Topics
Gotchas
The Whole Pipeline
The Mixin Pattern
Optimizing Symbolic Execution
The Emulated Filesystem
Intermediate Representation
Working with Data and Conventions
Claripy
Symbolic Memory Addressing
Java Symbolic Execution
Symbion
Extending angr
Examples
Appendix
Powered By GitBook
Symbolic Memory Addressing
angr supports symbolic memory addressing, meaning that offsets into memory may be symbolic. Our implementation of this is inspired by "Mayhem". Specifically, this means that angr concretizes symbolic addresses when they are used as the target of a write. This causes some surprises, as users tend to expect symbolic writes to be treated purely symbolically, or "as symbolically" as we treat symbolic reads, but that is not the default behavior. However, like most things in angr, this is configurable.
The address resolution behavior is governed by concretization strategies, which are subclasses of angr.concretization_strategies.SimConcretizationStrategy. Concretization strategies for reads are set in state.memory.read_strategies and for writes in state.memory.write_strategies. These strategies are called, in order, until one of them is able to resolve addresses for the symbolic index. By setting your own concretization strategies (or through the use of SimInspect address_concretization breakpoints, described above), you can change the way angr resolves symbolic addresses.
For example, angr's default concretization strategies for writes are:
    1.
    A conditional concretization strategy that allows symbolic writes (with a maximum range of 128 possible solutions) for any indices that are annotated with angr.plugins.symbolic_memory.MultiwriteAnnotation.
    2.
    A concretization strategy that simply selects the maximum possible solution of the symbolic index.
To enable symbolic writes for all indices, you can either add the SYMBOLIC_WRITE_ADDRESSES state option at state creation time or manually insert a angr.concretization_strategies.SimConcretizationStrategyRange object into state.memory.write_strategies. The strategy object takes a single argument, which is the maximum range of possible solutions that it allows before giving up and moving on to the next (presumably non-symbolic) strategy.

Writing concretization strategies

TODO
Previous
Claripy
Next
Java Symbolic Execution
Copy link
Contents
Writing concretization strategies