Inquiry about finding pointers, and points-to analysis

Question

Hello. I am new to angr and I heard that angr can find stack and heap pointers. So I looked it up in the angr documentation, the angr API doc and some examples, but I could not find it. It seems that the VSA_DDG class gives me the function, but I am not sure.

Are there any examples or guides on how to find heap pointers using angr? Or if I missed something in the documents mentioned above, please let me know.

Thank you.

Issue Analytics

  • State: closed
  • Created: a year ago
  • Comments: 5 (2 by maintainers)

Top GitHub Comments

1 reaction
ltfish commented, Nov 17, 2022

"I want to find a heap variable of a C++ class instance and its aliases."

It is definitely non-trivial. Depending on how much information you know about the binary, this problem has different difficulty levels.

For example, if function names are available in the binary, you may be able to rely on knowing where new is called, and track the returned pointers from new across the entire binary. It’s basically a full-binary points-to analysis.

Since, as you mentioned, this C++ class instance (or its pointer) is assigned to a heap variable, it requires you to properly model the heap as well. You must be able to differentiate the heap variable for this class instance from other heap variables that store other values.

You can definitely use angr’s VFG analysis (value-flow graph that implements value-set analysis) to perform value propagation. However, you’ll need to implement heap support, customize its CFG traversal, and implement points-to analysis data structures (since VFG only tracks values, not aliasing information). You don’t want to use CFGEmulated because it does not perform proper state merging (for performance reasons).

You can also build your own points-to analysis on top of angr’s modern static analysis framework. Take a look at the source code for Propagator and ReachingDefinitionAnalysis. They should give you an idea of the basics that are required.

Unfortunately, angr doesn’t do full-binary points-to analysis (I haven’t found a real use case for it anywhere yet) at this point. But we do provide enough building blocks for you to do it yourself.

"Can I find a list of functions called by indirect calls?"

Yes. By default angr’s CFG (CFGFast) does resolve indirect jumps (including indirect calls) with the help of indirect jump resolvers. We don’t have public code that resolves indirect C++ virtual table calls, and resolving indirect virtual table calls efficiently is very much a research project (if not two…) on its own. One of my students attempted it, but the project is currently on-hold.

All resolved and unresolved indirect jumps (including calls) are stored in CFG.indirect_jumps indexed using the basic block address of each indirect jump.
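The comment above describes the building blocks angr leaves to you: treating each call to `new` as an allocation site, modelling heap cells, and keeping alias information rather than only values. The block below is an added illustration of that idea, not angr's code or the maintainer's: an Andersen-style inclusion-based points-to solver over a constructed toy IR, where the statements, variable names and `new@...` site labels are all invented for the example.

```python
from collections import defaultdict

# Constructed toy IR (not angr's IR): one tuple per statement.
#   ("alloc", x, site)  x = new T     site labels the allocation site
#   ("copy",  x, y)     x = y
#   ("store", p, y)     *p = y        fields are collapsed (field-insensitive)
#   ("load",  x, p)     x = *p
PROGRAM = [
    ("alloc", "a", "new@0x401000"),   # Foo *a = new Foo;
    ("alloc", "b", "new@0x401020"),   # Bar *b = new Bar;
    ("alloc", "cell", "heap_cell"),   # another heap cell that will hold a Foo*
    ("store", "cell", "a"),           # *cell = a;
    ("load",  "c", "cell"),           # Foo *c = *cell;  (alias of a via the heap)
    ("copy",  "d", "b"),              # Bar *d = b;
]

def andersen(program):
    """Flow- and field-insensitive inclusion-based (Andersen) points-to analysis.
    Returns node -> frozenset of abstract objects it may point to."""
    pts = defaultdict(set)      # node -> abstract objects it may point to
    edges = defaultdict(set)    # src -> {dst}: constraint pts[src] <= pts[dst]
    for op, *args in program:
        if op == "alloc":
            pts[args[0]].add(args[1])
        elif op == "copy":
            edges[args[1]].add(args[0])
    while True:
        size = sum(map(len, pts.values())) + sum(map(len, edges.values()))
        for op, *args in program:
            if op == "store":           # *p = y: pts[y] <= pts[o] for o in pts[p]
                for o in list(pts[args[0]]):
                    edges[args[1]].add(o)
            elif op == "load":          # x = *p: pts[o] <= pts[x] for o in pts[p]
                for o in list(pts[args[1]]):
                    edges[o].add(args[0])
        for src, dsts in list(edges.items()):
            for dst in list(dsts):
                pts[dst] |= pts[src]
        if size == sum(map(len, pts.values())) + sum(map(len, edges.values())):
            return {n: frozenset(v) for n, v in pts.items() if v}   # fixpoint

def aliases(pts, var):
    """Program variables that may alias `var` (share an abstract object).
    Abstract objects, which also act as pointer-holding cells, are excluded."""
    objects = set().union(*pts.values())
    return sorted(v for v, objs in pts.items()
                  if v != var and v not in objects and objs & pts[var])
```

Running `aliases(andersen(PROGRAM), "a")` recovers `c` as an alias of the `Foo` instance even though the pointer only flowed through a heap cell, while `c` and `d` remain distinct because they come from different allocation sites.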

0 reactions
weaver9651 commented, Nov 20, 2022

Thank you very much for your explanation! It is really helpful.
