angr.analyses.backward_slice

class angr.analyses.backward_slice.BackwardSlice

Bases: Analysis

Represents a backward slice of the program.

__init__(cfg, cdg, ddg, targets=None, cfg_node=None, stmt_id=None, control_flow_slice=False, same_function=False, no_construct=False)

Create a backward slice from a specific statement based on provided control flow graph (CFG), control dependence graph (CDG), and data dependence graph (DDG).

The data dependence graph can be either CFG-based or value-set-analysis based. A CFG-based DDG is much faster to generate, but it only reflects the states observed while generating the CFG, and it is neither sound nor accurate. The VSA-based DDG (called VSA_DDG) is based on static analysis, which gives you a much better result.

Parameters:
  • cfg – The control flow graph.

  • cdg – The control dependence graph.

  • ddg – The data dependence graph.

  • targets – A list of targets for the backward slice. Each target is either a tuple of the form (cfg_node, stmt_idx) or a CodeLocation instance.

  • cfg_node – Deprecated. The target CFGNode to reach. It should exist in the CFG.

  • stmt_id – Deprecated. The target statement to reach.

  • control_flow_slice – True/False; indicates whether to slice based on the CFG only. When acquiring a DDG is difficult or impossible, you can create a slice on the CFG alone. Well, if you don’t even have a CFG, then…

  • no_construct – Only used for testing and debugging to easily create a BackwardSlice object.

dbg_repr(max_display=10)

Debugging output of this slice.

Parameters:

max_display – The maximum number of SimRun slices to show.

Returns:

A string representation.

dbg_repr_run(run_addr)

Debugging output of a single SimRun slice.

Parameters:

run_addr – Address of the SimRun.

Returns:

A string representation.

annotated_cfg(start_point=None)

Returns an AnnotatedCFG based on the slicing result.

Query the taint graph to check whether a specific taint will taint the IP in the future. The taint is specified with the tuple (simrun_addr, stmt_idx, taint_type).

Parameters:
  • simrun_addr – Address of the SimRun.

  • stmt_idx – Statement ID.

  • taint_type – Type of the taint; one of ‘reg’, ‘tmp’, ‘mem’.

  • simrun_whitelist – A list of SimRun addresses that are whitelisted, i.e. the tainted exit will be ignored if it is in those SimRuns.

Returns:

True/False

is_taint_impacting_stack_pointers(simrun_addr, stmt_idx, taint_type, simrun_whitelist=None)

Query the taint graph to check whether a specific taint will taint the stack pointer in the future. The taint is specified with the tuple (simrun_addr, stmt_idx, taint_type).

Parameters:
  • simrun_addr – Address of the SimRun.

  • stmt_idx – Statement ID.

  • taint_type – Type of the taint; one of ‘reg’, ‘tmp’, ‘mem’.

  • simrun_whitelist – A list of SimRun addresses that are whitelisted.

Returns:

True/False.
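The following is an added, self-contained illustration of what the constructor, annotated_cfg and the two taint queries above compute; it is not angr's code. angr builds its CFG, CDG and DDG from a binary as networkx graphs, whereas here a four-block toy program and its three graphs are constructed by hand (all addresses and variable names are made up), so the worklist logic can be read and run without angr. The backward slice walks DDG and CDG edges from the targets; control_flow_slice=True mimics the CFG-only mode by keeping every statement of every block that can reach a target block; taint_reaches is a forward data-flow query over the same DDG, with the same simrun_whitelist semantics described for the taint methods (implicit flows through branches are deliberately not modelled).

```python
"""Toy backward slicer over a hand-built CFG/CDG/DDG, in the spirit of
angr.analyses.backward_slice.BackwardSlice. Added illustration only; the
program, addresses and graphs below are constructed, not from angr."""
from collections import deque, namedtuple

# (block address, statement index): the pair form BackwardSlice accepts as a
# target, i.e. (cfg_node, stmt_idx) or a CodeLocation.
Loc = namedtuple("Loc", ["block_addr", "stmt_idx"])

# Constructed toy program: block -> list of (written variable, read variables).
PROGRAM = {
    0x1000: [("x", []), ("y", ["x"]), ("z", ["x"]), ("ip", ["y"])],  # branch on y
    0x1010: [("rsp", ["rsp", "z"])],                                 # taken edge
    0x1020: [("w", [])],                                             # fallthrough
    0x1030: [("r", ["w"])],                                          # merge block
}
# CFG: block -> successor blocks.
CFG = {0x1000: [0x1010, 0x1020], 0x1010: [0x1030], 0x1020: [0x1030], 0x1030: []}
# CDG: block -> the branch statement that decides whether the block executes.
CDG = {0x1010: Loc(0x1000, 3), 0x1020: Loc(0x1000, 3)}
# DDG: statement -> definitions it reads (hand-derived from PROGRAM above).
DDG = {
    Loc(0x1000, 1): [Loc(0x1000, 0)],
    Loc(0x1000, 2): [Loc(0x1000, 0)],
    Loc(0x1000, 3): [Loc(0x1000, 1)],
    Loc(0x1010, 0): [Loc(0x1000, 2)],   # the initial rsp has no definition here
    Loc(0x1030, 0): [Loc(0x1020, 0)],
}


def backward_slice(targets, control_flow_slice=False):
    """Return the set of Loc in the backward slice of `targets`.

    Default mode follows DDG data edges and CDG control edges backwards.
    control_flow_slice=True keeps every statement of every block that can
    reach a target block, using the CFG alone.
    """
    if control_flow_slice:
        rev = {b: [] for b in CFG}                 # reverse CFG
        for src, dsts in CFG.items():
            for d in dsts:
                rev[d].append(src)
        seen, work = set(), deque(t.block_addr for t in targets)
        while work:
            b = work.popleft()
            if b in seen:
                continue
            seen.add(b)
            work.extend(rev[b])
        return {Loc(b, i) for b in seen for i in range(len(PROGRAM[b]))}

    in_slice, work = set(), deque(targets)
    while work:
        loc = work.popleft()
        if loc in in_slice:
            continue
        in_slice.add(loc)
        work.extend(DDG.get(loc, []))              # data dependencies
        if loc.block_addr in CDG:                  # control dependency of the block
            work.append(CDG[loc.block_addr])
    return in_slice


def annotated(in_slice):
    """Per-block statement indices kept: the information an AnnotatedCFG carries."""
    out = {}
    for loc in sorted(in_slice):
        out.setdefault(loc.block_addr, []).append(loc.stmt_idx)
    return out


def taint_reaches(src, reg, whitelist=()):
    """Forward data-flow query: does a taint at `src` reach a statement that
    writes `reg` (e.g. 'ip' or 'rsp')? Statements in whitelisted blocks are
    ignored, as described for simrun_whitelist. Data edges only."""
    uses = {}                                      # definition -> its readers
    for user, defs in DDG.items():
        for d in defs:
            uses.setdefault(d, []).append(user)
    seen, work = set(), deque([src])
    while work:
        loc = work.popleft()
        if loc in seen or loc.block_addr in whitelist:
            continue
        seen.add(loc)
        if PROGRAM[loc.block_addr][loc.stmt_idx][0] == reg:
            return True
        work.extend(uses.get(loc, []))
    return False


if __name__ == "__main__":
    s = backward_slice([Loc(0x1030, 0)])
    print(annotated(s))                            # z = x and the rsp update drop out
    print(len(backward_slice([Loc(0x1030, 0)], control_flow_slice=True)))
    print(taint_reaches(Loc(0x1000, 2), "rsp"),
          taint_reaches(Loc(0x1000, 2), "rsp", whitelist=[0x1010]))
```

Slicing from r = w at 0x1030 keeps w's definition, the branch that controls whether 0x1020 runs, and the definitions feeding that branch, while z = x and the rsp update at 0x1010 fall out of the slice; the CFG-only mode keeps all seven statements, which is the precision trade-off the control_flow_slice parameter describes.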