These may be enabled by passing mode=xxx
to a state constructor.
Mode name | Description |
| The default mode. Useful for most emulation and analysis tasks. |
| Symbolic mode, but enables approximations for constraint solving. |
| A preset useful for static analysis. The memory model becomes an abstract region-mapping system, "fake return" successors skipping calls are added, and more. |
| A preset for extremely lightweight static analysis. Executing will skip all intensive processing to give a quick view of the behavior of code. |
| A preset for attempting to execute concretely through a program with a given input. Enables unicorn, enables resilience options, and will attempt to emulate access violations correctly. |
These are sets of options, found as angr.options.xxx
.
Set name | Description |
| Options necessary for basic execution |
| Options necessary for basic symbolic execution |
| Options that harden angr's emulation against unsupported operations, attempting to carry on by treating the result as an unconstrained symbolic value and logging the occasion to |
| Options that cause angr to keep a log of all the memory, register, and temporary references complete with dependency information in |
| Options that enable approximations of constraint solves via value-set analysis instead of calling into z3 |
| Options that cause data to be run through z3's simplifiers before it reaches memory or register storage |
| Options that enable the unicorn engine for executing on concrete data |
These are individual option objects, found as angr.options.XXX
.
Option name | Description | Sets | Modes | Implicit adds |
| Use | ​ |
| ​ |
| Allow splitting constraint sets during simplification | ​ |
| ​ |
| Track dependencies in SimActions | ​ | ​ | ​ |
| Use VSA when evaluating guard conditions | ​ | ​ | ​ |
| Use VSA when evaluating memory indices |
|
| ​ |
| Use VSA when evaluating memory load/store sizes |
|
| ​ |
| Use VSA when evaluating state satisfiability |
|
| ​ |
| Enables dependency tracking for all claripy ASTs | ​ | ​ | During execution |
| An internal option used to track dependencies in SimProcedures | ​ | ​ | During execution |
| Return a symbolic value without touching memory for any read that has a symbolic address | ​ |
| ​ |
| Do not perfrom any write that has a symbolic address | ​ |
| ​ |
| Handle huge writes of symbolic size by pretending they are actually smaller | ​ |
| ​ |
| Debug: trigger a breakpoint at the end of each block | ​ | ​ | ​ |
| Debug: trigger a breakpoint at the start of each block | ​ | ​ | ​ |
| Debug: trigger a breakpoint at the end of each IR statement | ​ | ​ | ​ |
| Debug: trigger a breakpoint at the start of each IR statement | ​ | ​ | ​ |
| Treat clean helpers that fail with errors as returning unconstrained symbolic values |
|
| ​ |
| Treat operations that fail with errors as returning unconstrained symbolic values |
|
| ​ |
| Treat unsupported clean helpers as returning unconstrained symbolic values |
|
| ​ |
| Treat unsupported dirty helpers as returning unconstrained symbolic values |
|
| ​ |
| Treat unsupported IR expressions as returning unconstrained symbolic values |
|
| ​ |
| Treat unsupported operations as returning unconstrained symbolic values |
|
| ​ |
| Treat unsupported IR statements as returning unconstrained symbolic values |
|
| ​ |
| Treat unsupported syscalls as returning unconstrained symbolic values |
|
| ​ |
| Discard emulation errors during veritesting |
|
| ​ |
| enable | ​ | ​ | ​ |
| Emulate call instructions as an unconstraining of the return value register | ​ | ​ | ​ |
| CGC: make sure all reads and writes go to stdin and stdout, respectively | ​ | ​ | ​ |
| CGC: always report "data available" in fdwait | ​ | ​ | ​ |
| CGC: always read the maximum amount of data requested in the receive syscall | ​ | ​ | ​ |
| Enable |
| all except | ​ |
| Concretize all symbolic expressions encountered during emulation | ​ | ​ | ​ |
| Concreteize the sizes of file reads | ​ | ​ | ​ |
| Concretize the sizes of symbolic writes to memory | ​ | ​ | ​ |
| Do not use SimConcretizationStrategyAny for reads; in case of read address concretization failures, return an unconstrained symbolic value | ​ | ​ | ​ |
| Do not use SimConcretizationStrategyAny for writes; in case of write address concretization failures, treat the store as a no-op | ​ | ​ | ​ |
| Set | ​ | ​ | ​ |
| Copy states instead of mutating the initial state directly |
| all | ​ |
| Downsize the claripy solver whenever possible to save memory | ​ | ​ | ​ |
| Perform IR clean calls |
| all except | ​ |
| Perform IR register reads |
| all | ​ |
| Perform IR memory loads |
| all | ​ |
| Perform IR computation operations |
| all | ​ |
| Perform IR register writes |
| all | ​ |
| For each | ​ |
| ​ |
| Perform IR memory stores |
| all | ​ |
| Keep in memory any state that might be a common ancestor in a merge | ​ | ​ | Veritesting |
| When in conjunction with | ​ | ​ | Automatically if supported |
| Ask all SimExceptions raised during execution to be handled by the SimOS | ​ |
| ​ |
| Use | ​ | ​ | ​ |
| Use | ​ |
| ​ |
| Treat the initial value of registers as zero instead of unconstrained symbolic |
|
| ​ |
| Don't try to concretize successor states with symbolic instruction pointers | ​ | ​ | ​ |
| In abstract memory, handle failed loads by returning a DCIS? | ​ | ​ | ​ |
| Don't check satisfiability until absolutely necessary | ​ | ​ | ​ |
| Maintain a mapping of symbolic variable to which memory address it "really" corresponds to, at the paged memory level? | ​ | ​ | ​ |
| Do not attempt to flatten symbolic-ip successors into discrete targets | ​ |
| ​ |
| Do not attempt to flatten symbolic-syscall-number successors into discrete targets | ​ |
| ​ |
| Use LibVEX's optimization |
| all | ​ |
| Maintain a mapping of symbolic variable to which memory region it corresponds to, at the abstract memory level | ​ |
| ​ |
| Enable | ​ | ​ | ​ |
| Maintain a mapping from AST hash to which addresses it is present in | ​ | ​ | ​ |
| Maintain a mapping from symbolic variable name to which addresses it is present in, required for | ​ |
| ​ |
| Run added constraints through z3's simplifcation | ​ | ​ | ​ |
| Run branch guards through z3's simplification | ​ | ​ | ​ |
| Perform simplification on all successor states generated | ​ | ​ | ​ |
| Run jump/call/branch targets through z3's simplification | ​ | ​ | ​ |
| Run the results of IR expressions through z3's simplification | ​ | ​ | ​ |
| Run the results of memory reads through z3's simplification | ​ | ​ | ​ |
| Run values stored to memory through z3's simplification |
|
| ​ |
| Run values read from registers through z3's simplification | ​ | ​ | ​ |
| Run values written to registers through z3's simplification |
|
| ​ |
| Run values returned from SimProcedures through z3's simplification | ​ | ​ | ​ |
| Raise a SimSegfaultException when attempting to interact with memory in a way not permitted by the current permissions | ​ |
| ​ |
| Only execute the last four instructions of each block | ​ | ​ | ​ |
| When disabled, throw an UnsupportedIROpError when encountering floating point operations |
| all | ​ |
| Enable constraint solving? |
|
| ​ |
| make |
| all | ​ |
| Treat each IR temporary as a symbolic variable; treat stores to them as constraint addition | ​ | ​ | ​ |
| Allow writes with symbolic addresses to be processed by concretization strategies; when disabled, only allow for variables annotated with the "multiwrite" annotation | ​ | ​ | ​ |
| When disabled, don't keep any constraints added to the state |
| all | ​ |
| Keep a SimAction for each constraint added |
| ​ | ​ |
| Keep a SimAction for each jump or branch |
| ​ | ​ |
| Keep a SimAction for each memory read and write |
| ​ | ​ |
| Keep track of which pages are mapped into memory and which are not |
| all | ​ |
| Keep a SimAction for each IR operation | ​ |
| ​ |
| Keep a SimAction for each register read and write |
| ​ | ​ |
| Maintain a listing of all the variables in all the constraints in the solver | ​ | ​ | ​ |
| Keep a SimAction for each temporary variable read and write |
| ​ | ​ |
| With | ​ |
| ​ |
| Enable under-constrained symbolic execution | ​ | ​ | ​ |
| Use unicorn engine to execute symbolically when data is concrete |
|
| Oppologist |
| Concretize any register variable unicorn tries to access | ​ | ​ | Oppologist |
| CGC: handle the transmit syscall without leaving unicorn |
|
| ​ |
| Attempt to stay in unicorn even in the presence of symbolic registers by checking that the tainted registers are unused at every step |
|
| ​ |
| Concretize variables if they prevent unicorn from executing too often | ​ | ​ | ​ |
| Keep |
|
| ​ |
| Track a list of the stack pointer's value at each block in |
| ​ | ​ |
| Prevent unicorn from mapping the zero page into memory | ​ | ​ | ​ |
| Broken/unused? | ​ | ​ | ​ |
| When using the resilience options, return zero instead of an unconstrained symbol | ​ | ​ | ​ |
| Use a "simplified" set of ccalls optimized for specific cases | ​ |
| ​ |
| In library functions and syscalls and hardware instructions accessing clock data, retrieve the real value from the host system. | ​ |
| ​ |
| Debug: When performing approximations, ensure that the approximation is sound by calling into z3 | ​ | ​ | ​ |
| Make the value of memory read from an uninitialized address zero instead of an unconstrained symbol | ​ |
| ​ |