BackwardSlice: backward program slicing. Starting from a given target point, it collects every path that reaches that target. This angr feature does not seem fully mature, and it can be customized. Before slicing a program we need to provide a control flow graph (CFG). In addition, to fix the starting point of the backward walk, a target must be provided as well. Below is the example given in the angr documentation:
>>> import angr
# Load the project
>>> b = angr.Project("examples/fauxware/fauxware", load_options={"auto_load_libs": False})
# Generate a CFG first. In order to generate the data dependence graph afterwards,
# you'll have to keep all input states by specifying keep_state=True. Feel free
# to provide more parameters (for example, context_sensitivity_level) for CFG
# recovery based on your needs. (CFGAccurate was renamed CFGEmulated in later
# angr releases.)
>>> cfg = b.analyses.CFGAccurate(context_sensitivity_level=2, keep_state=True)
# Generate the control dependence graph
>>> cdg = b.analyses.CDG(cfg)
# Build the data dependence graph. It might take a while. Be patient!
>>> ddg = b.analyses.DDG(cfg)
# See where we wanna go... let's go to the exit() call, which is modeled as a
# SimProcedure.
>>> target_func = cfg.kb.functions.function(name="exit")
# We need the CFGNode instance
>>> target_node = cfg.get_any_node(target_func.addr)
# Let's get a BackwardSlice out of them!
# `targets` is a list of objects, where each one is either a CodeLocation
# object, or a tuple of CFGNode instance and a statement ID. Setting statement
# ID to -1 means the very beginning of that CFGNode. A SimProcedure does not
# have any statement, so you should always specify -1 for it.
>>> bs = b.analyses.BackwardSlice(cfg, cdg=cdg, ddg=ddg, targets=[ (target_node, -1) ])
# Here is our awesome program slice!
>>> print(bs)
First load a binary, then run the CFGAccurate analysis to obtain a cfg;
run CDG to obtain the program's control dependence graph (CDG), and run DDG to obtain its data dependence graph (DDG);
obtain the targets, i.e. the starting points of the backward slice, which are the end points of the resulting slice;
pass cfg, cdg, ddg and targets in and run the backward slice.
Here cdg and ddg are optional: the control dependence graph and the data dependence graph need not be supplied, since for some programs the data dependence graph ddg cannot be generated at all.
Below, as before, we first get to know the BackwardSlice API and then investigate its algorithm.
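To make concrete what the slice built from cfg, cdg, ddg and targets actually contains, here is an added example (not angr's own code) that applies the same backward reachability over constructed control- and data-dependence graphs; the location names and edges are made up to resemble fauxware's login check, and the second call shows what remains when the ddg is omitted, as the text says it may be.

```python
from collections import deque

# Constructed toy dependence graphs (hypothetical location labels standing in
# for angr's (CFGNode, stmt_id) pairs). Edges run from the location that is
# depended on to the location that depends on it, like angr's CDG/DDG, so a
# backward slice walks predecessors.
CDG = {  # control dependence: branch -> statements guarded by that branch
    "check_user": ["check_pw", "call_exit"],
    "check_pw": ["call_exit", "call_accepted"],
}
DDG = {  # data dependence: definition -> use
    "read_user": ["check_user"],
    "read_pw": ["check_pw"],
    "read_key": ["check_pw"],
}
# "log_banner" is reachable in the CFG but has no dependence edges, so it
# must never appear in a slice for call_exit.


def backward_slice(targets, cdg=None, ddg=None):
    """Return every location the targets depend on, transitively, over the
    supplied graphs. cdg and ddg are optional, mirroring BackwardSlice."""
    preds = {}
    for graph in (g for g in (cdg, ddg) if g is not None):
        for src, dsts in graph.items():
            for dst in dsts:
                preds.setdefault(dst, set()).add(src)
    in_slice = set(targets)
    worklist = deque(targets)
    while worklist:  # classic worklist: stop when no new predecessor appears
        loc = worklist.popleft()
        for p in preds.get(loc, ()):
            if p not in in_slice:
                in_slice.add(p)
                worklist.append(p)
    return frozenset(in_slice)


if __name__ == "__main__":
    print("cdg+ddg:", sorted(backward_slice(["call_exit"], cdg=CDG, ddg=DDG)))
    print("cdg only:", sorted(backward_slice(["call_exit"], cdg=CDG)))
```

With only the cdg the slice keeps the branches that decide whether exit() runs but drops the reads that feed those branches, which is what you lose when the ddg cannot be generated.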
class angr.analyses.backward_slice.BackwardSlice