angr源码分析——BackwardSlice

BackwardSlice 程序反向切片，从给出的某一个目标点，获取所有到达该目标点的路径。angr的这个功能似乎并不完善，里面可以自己进行定制。在进行程序切片前，我们需要提供一个控制流图CFG。此外，为了确定程序反向的起始点，还需要提供一个target。下面是angr文档中给出的一个例子：

>>> import angr
# Load the project
>>> b = angr.Project("examples/fauxware/fauxware", load_options={"auto_load_libs": Fal
se})
# Generate a CFG first. In order to generate data dependence graph afterwards,
# you’ll have to keep all input states by specifying keep_stat=True. Feel free
# to provide more parameters (for example, context_sensitivity_level)for CFG
# recovery based on your needs.
>>> cfg = b.analyses.CFGAccurate(context_sensitivity_level=2, keep_state=True)
# Generate the control dependence graph
>>> cdg = b.analyses.CDG(cfg)
# Build the data dependence graph. It might take a while. Be patient!
>>> ddg = b.analyses.DDG(cfg)
# See where we wanna go... let’s go to the exit() call, which is modeled as a
# SimProcedure.
>>> target_func = cfg.kb.functions.function(name="exit")
# We need the CFGNode instance
>>> target_node = cfg.get_any_node(target_func.addr)
# Let’s get a BackwardSlice out of them!
# `targets` is a list of objects, where each one is either a CodeLocation
# object, or a tuple of CFGNode instance and a statement ID. Setting statement
# ID to -1 means the very beginning of that CFGNode. A SimProcedure does not
# have any statement, so you should always specify -1 for it.
>>> bs = b.analyses.BackwardSlice(cfg, cdg=cdg, ddg=ddg, targets=[ (target_node, -1) ]
) #
Here is our awesome program slice!
>>> print bs

先加载一个二进制文件，然后执行CFGAccurate算法，获取一个cfg；

执行CDG获取程序的控制依赖图CDG，执行DDG获取程序的数据依赖图DDG；

获取目标点targets，即，反向切片的起始点，最后生成的切片的结束点；

传入cfg, cdg,ddg以及targets，执行反向切片。

其中cdg与ddg是可选的，也就是可以不提供控制依赖图和数据依赖图。因为某些程序的数据依赖图ddg是生成不出来的。

下面我们跟以往一样，先了解BackwardSlice的API，然后探究它的算法。

classangr.analyses.backward_slice.BackwardSlice