angr.exploration_techniques.director

class angr.exploration_techniques.director.BaseGoal

Bases: object

REQUIRE_CFG_STATES = False

__init__(sort)

check(cfg, state, peek_blocks)

Parameters:

  • cfg (angr.analyses.CFGEmulated) – An instance of CFGEmulated.

  • state (angr.SimState) – The state to check.

  • peek_blocks (int) – Number of blocks to peek ahead from the current point.

Returns:

True if we can determine that this condition is definitely satisfiable if the path is taken, False otherwise.

Return type:

bool

check_state(state)

Check if the current state satisfies the goal.

Parameters:

state (angr.SimState) – The state to check.

Returns:

True if it satisfies the goal, False otherwise.

Return type:

bool

class angr.exploration_techniques.director.ExecuteAddressGoal

Bases: BaseGoal

A goal that prioritizes states that reach (or are likely to reach) a certain address within a given number of steps.

__init__(addr)

check(cfg, state, peek_blocks)

Check if the specified address will be executed within the peek depth.

Parameters:

  • cfg (angr.analyses.CFGEmulated) – An instance of CFGEmulated.

  • state (angr.SimState) – The state to check.

  • peek_blocks (int) – Number of blocks to peek ahead from the current point.

Returns:

True if the target address will be executed within peek_blocks blocks of the current point, False otherwise.

Return type:

bool

check_state(state)

Check if the current address is the target address.

Parameters:

state (angr.SimState) – The state to check.

Returns:

True if the current address is the target address, False otherwise.

Return type:

bool

class angr.exploration_techniques.director.CallFunctionGoal

Bases: BaseGoal

A goal that prioritizes states reaching a certain function, optionally with specific arguments. Note that constraints on the arguments (and on the function address as well) have to be identifiable on an accurate CFG. For example, you may have a CallFunctionGoal saying “call printf with the first argument being ‘Hello, world’”, and CFGEmulated must be able to figure out that the first argument to printf is in fact “Hello, world”, not some symbolic string that will only be constrained to “Hello, world” during symbolic execution (or simulation, however you put it).

REQUIRE_CFG_STATES = True

__init__(function, arguments)

check(cfg, state, peek_blocks)

Check if the specified function will be reached with the expected arguments.

Parameters:

  • cfg (angr.analyses.CFGEmulated) – An instance of CFGEmulated.

  • state (angr.SimState) – The state to check.

  • peek_blocks (int) – Number of blocks to peek ahead from the current point.

Returns:

True if the function will be reached with the expected arguments within peek_blocks blocks, False otherwise.

Return type:

bool

check_state(state)

Check if the specified function is reached with the expected arguments.

Parameters:

state (angr.SimState) – The state to check.

Returns:

True if the function is reached with the expected arguments, False otherwise.

Return type:

bool

class angr.exploration_techniques.director.Director

Bases: ExplorationTechnique

An exploration technique for directed symbolic execution.

A control flow graph (using CFGEmulated) is built and refined during symbolic execution. Each time the execution reaches a block that is outside of the CFG, the CFG recovery will be triggered with that state, with a maximum recovery depth (100 by default). If we see a basic block during state stepping that is not yet in the control flow graph, we go back to control flow graph recovery and “peek” more blocks forward.

When stepping a simulation manager, all states are categorized into three different categories:

  • Might reach the destination within the peek depth. Those states are prioritized.

  • Will not reach the destination within the peek depth. Those states are de-prioritized. However, there is a little chance for those states to be explored as well in order to prevent over-fitting.
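To make the scheduling described above concrete, here is an added toy model (not angr's implementation) of an ExecuteAddressGoal and one Director-style categorization pass over a small constructed CFG; TOY_CFG, ToyExecuteAddressGoal and categorize are hypothetical names, and a "state" is reduced to its current block address.

```python
from collections import deque

# Constructed toy CFG (block address -> successors); stands in for CFGEmulated.
TOY_CFG = {
    0x1000: [0x1010, 0x1020],
    0x1010: [0x1030],
    0x1020: [0x1040],
    0x1030: [0x1050],
    0x1040: [0x1040],  # self-loop: states parked here never reach 0x1060
    0x1050: [0x1060],
    0x1060: [],
}

class ToyExecuteAddressGoal:
    """Model of ExecuteAddressGoal (not angr's class); a state is just its block address here."""

    def __init__(self, addr):
        self.addr = addr

    def check_state(self, state_addr):
        # Satisfied once execution actually sits at the target block.
        return state_addr == self.addr

    def check(self, cfg, state_addr, peek_blocks):
        # Bounded BFS "peek": is the target within peek_blocks edges of the current block?
        seen = {state_addr}
        frontier = deque([(state_addr, 0)])
        while frontier:
            cur, depth = frontier.popleft()
            if cur == self.addr:
                return True
            if depth >= peek_blocks:
                continue
            for succ in cfg.get(cur, []):
                if succ not in seen:
                    seen.add(succ)
                    frontier.append((succ, depth + 1))
        return False

def categorize(cfg, active, deprioritized, goal, peek_blocks=100, num_fallback_states=5):
    """One scheduling pass in the style described for Director.step (toy model, not angr's code)."""
    keep, drop = [], []
    for s in active:
        (keep if goal.check(cfg, s, peek_blocks) else drop).append(s)
    deprioritized = deprioritized + drop
    if not keep:
        # Nothing is known to reach the goal in time: give a few de-prioritized states
        # another chance instead of over-fitting the (possibly incomplete) CFG.
        keep, deprioritized = deprioritized[:num_fallback_states], deprioritized[num_fallback_states:]
    return {"active": keep, "deprioritized": deprioritized}
```

With angr itself the same idea is wired up by attaching the technique to a simulation manager, e.g. simgr.use_technique(Director(goals=[ExecuteAddressGoal(target_addr)])), where target_addr is the address you want prioritized.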

__init__(peek_blocks=100, peek_functions=5, goals=None, cfg_keep_states=False, goal_satisfied_callback=None, num_fallback_states=5)

Constructor.

step(simgr, stash='active', **kwargs)

Parameters:

  • simgr – The simulation manager to step.

  • stash – The stash whose states are stepped (default 'active').

  • kwargs – Additional keyword arguments.

Returns:

The simulation manager after stepping.

add_goal(goal)

Add a goal.

Parameters:

goal (BaseGoal) – The goal to add.

Returns:

None