List of State Options¶
State Modes¶
These may be enabled by passing mode=xxx
to a state constructor.
Mode name |
Description |
---|---|
|
The default mode. Useful for most emulation and analysis tasks. |
|
Symbolic mode, but enables approximations for constraint solving. |
|
A preset useful for static analysis. The memory model becomes an abstract region-mapping system, “fake return” successors skipping calls are added, and more. |
|
A preset for extremely lightweight static analysis. Executing will skip all intensive processing to give a quick view of the behavior of code. |
|
A preset for attempting to execute concretely through a program with a given input. Enables unicorn, enables resilience options, and will attempt to emulate access violations correctly. |
Option Sets¶
These are sets of options, found as angr.options.xxx
.
Set name |
Description |
---|---|
|
Options necessary for basic execution |
|
Options necessary for basic symbolic execution |
|
Options that harden angr’s emulation against unsupported operations,
attempting to carry on by treating the result as an unconstrained
symbolic value and logging the occasion to |
|
Options that cause angr to keep a log of all the memory, register, and
temporary references complete with dependency information in
|
|
Options that enable approximations of constraint solves via value-set analysis instead of calling into z3 |
|
Options that cause data to be run through z3’s simplifiers before it reaches memory or register storage |
|
Options that enable the unicorn engine for executing on concrete data |
Options¶
These are individual option objects, found as angr.options.XXX
.
Option name |
Description |
Sets |
Modes |
Implicit adds |
---|---|---|---|---|
|
Use |
|
||
|
Allow splitting constraint sets during simplification |
|
||
|
Track dependencies in SimActions |
|||
|
Use VSA when evaluating guard conditions |
|||
|
Use VSA when evaluating memory indices |
|
|
|
|
Use VSA when evaluating memory load/store sizes |
|
|
|
|
Use VSA when evaluating state satisfiability |
|
|
|
|
Enables dependency tracking for all claripy ASTs |
During execution |
||
|
An internal option used to track dependencies in SimProcedures |
During execution |
||
|
Return a symbolic value without touching memory for any read that has a symbolic address |
|
||
|
Do not perform any write that has a symbolic address |
|
||
|
Handle huge writes of symbolic size by pretending they are actually smaller |
|
||
|
Debug: trigger a breakpoint at the end of each block |
|||
|
Debug: trigger a breakpoint at the start of each block |
|||
|
Debug: trigger a breakpoint at the end of each IR statement |
|||
|
Debug: trigger a breakpoint at the start of each IR statement |
|||
|
Treat clean helpers that fail with errors as returning unconstrained symbolic values |
|
|
|
|
Treat operations that fail with errors as returning unconstrained symbolic values |
|
|
|
|
Treat unsupported clean helpers as returning unconstrained symbolic values |
|
|
|
|
Treat unsupported dirty helpers as returning unconstrained symbolic values |
|
|
|
|
Treat unsupported IR expressions as returning unconstrained symbolic values |
|
|
|
|
Treat unsupported operations as returning unconstrained symbolic values |
|
|
|
|
Treat unsupported IR statements as returning unconstrained symbolic values |
|
|
|
|
Treat unsupported syscalls as returning unconstrained symbolic values |
|
|
|
|
Discard emulation errors during veritesting |
|
|
|
|
enable |
|||
|
Emulate call instructions as an unconstraining of the return value register |
|||
|
CGC: make sure all reads and writes go to stdin and stdout, respectively |
|||
|
CGC: always report “data available” in fdwait |
|||
|
CGC: always read the maximum amount of data requested in the receive syscall |
|||
|
Enable |
|
all except |
|
|
Concretize all symbolic expressions encountered during emulation |
|||
|
Concreteize the sizes of file reads |
|||
|
Concretize the sizes of symbolic writes to memory |
|||
|
Do not use SimConcretizationStrategyAny for reads; in case of read address concretization failures, return an unconstrained symbolic value |
|||
|
Do not use SimConcretizationStrategyAny for writes; in case of write address concretization failures, treat the store as a no-op |
|||
|
Set |
|||
|
Copy states instead of mutating the initial state directly |
|
all |
|
|
Downsize the claripy solver whenever possible to save memory |
|||
|
Perform IR clean calls |
|
all except |
|
|
Perform IR register reads |
|
all |
|
|
Perform IR memory loads |
|
all |
|
|
Perform IR computation operations |
|
all |
|
|
Perform IR register writes |
|
all |
|
|
For each |
|
||
|
Perform IR memory stores |
|
all |
|
|
Keep in memory any state that might be a common ancestor in a merge |
Veritesting |
||
|
When in conjunction with |
Automatically if supported |
||
|
Ask all SimExceptions raised during execution to be handled by the SimOS |
|
||
|
Use |
|||
|
Use |
|
||
|
Treat the initial value of registers as zero instead of unconstrained symbolic |
|
|
|
|
Don’t try to concretize successor states with symbolic instruction pointers |
|||
|
In abstract memory, handle failed loads by returning a DCIS? |
|||
|
Don’t check satisfiability until absolutely necessary |
|||
|
Maintain a mapping of symbolic variable to which memory address it “really” corresponds to, at the paged memory level? |
|||
|
Do not attempt to flatten symbolic-ip successors into discrete targets |
|
||
|
Do not attempt to flatten symbolic-syscall-number successors into discrete targets |
|
||
|
Use LibVEX’s optimization |
|
all |
|
|
Maintain a mapping of symbolic variable to which memory region it corresponds to, at the abstract memory level |
|
||
|
Enable |
|||
|
Maintain a mapping from AST hash to which addresses it is present in |
|||
|
Maintain a mapping from symbolic variable name to which addresses it is
present in, required for |
|
||
|
Run added constraints through z3’s simplifcation |
|||
|
Run branch guards through z3’s simplification |
|||
|
Perform simplification on all successor states generated |
|||
|
Run jump/call/branch targets through z3’s simplification |
|||
|
Run the results of IR expressions through z3’s simplification |
|||
|
Run the results of memory reads through z3’s simplification |
|||
|
Run values stored to memory through z3’s simplification |
|
|
|
|
Run values read from registers through z3’s simplification |
|||
|
Run values written to registers through z3’s simplification |
|
|
|
|
Run values returned from SimProcedures through z3’s simplification |
|||
|
Raise a SimSegfaultException when attempting to interact with memory in a way not permitted by the current permissions |
|
||
|
Only execute the last four instructions of each block |
|||
|
When disabled, throw an UnsupportedIROpError when encountering floating point operations |
|
all |
|
|
Enable constraint solving? |
|
|
|
|
make |
|
all |
|
|
Treat each IR temporary as a symbolic variable; treat stores to them as constraint addition |
|||
|
Allow writes with symbolic addresses to be processed by concretization strategies; when disabled, only allow for variables annotated with the “multiwrite” annotation |
|||
|
When disabled, don’t keep any constraints added to the state |
|
all |
|
|
Keep a SimAction for each constraint added |
|
||
|
Keep a SimAction for each jump or branch |
|
||
|
Keep a SimAction for each memory read and write |
|
||
|
Keep track of which pages are mapped into memory and which are not |
|
all |
|
|
Keep a SimAction for each IR operation |
|
||
|
Keep a SimAction for each register read and write |
|
||
|
Maintain a listing of all the variables in all the constraints in the solver |
|||
|
Keep a SimAction for each temporary variable read and write |
|
||
|
With |
|
||
|
Enable under-constrained symbolic execution |
|||
|
Use unicorn engine to execute symbolically when data is concrete |
|
|
Oppologist |
|
Concretize any register variable unicorn tries to access |
Oppologist |
||
|
CGC: handle the transmit syscall without leaving unicorn |
|
|
|
|
Attempt to stay in unicorn even in the presence of symbolic registers by checking that the tainted registers are unused at every step |
|
|
|
|
Concretize variables if they prevent unicorn from executing too often |
|||
|
Keep |
|
|
|
|
Track a list of the stack pointer’s value at each block in
|
|
||
|
Prevent unicorn from mapping the zero page into memory |
|||
|
Broken/unused? |
|||
|
When using the resilience options, return zero instead of an unconstrained symbol |
|||
|
Use a “simplified” set of ccalls optimized for specific cases |
|
||
|
In library functions and syscalls and hardware instructions accessing clock data, retrieve the real value from the host system. |
|
||
|
Debug: When performing approximations, ensure that the approximation is sound by calling into z3 |
|||
|
Make the value of memory read from an uninitialized address zero instead of an unconstrained symbol |
|