I would like to use angr for vulnerability research. I was thinking that if I did the following:
import angr

p = angr.Project('a.out', auto_load_libs=False)
sm = p.factory.simulation_manager()
while len(sm.unconstrained) == 0:
    sm.step()  # step() must be called; a bare `sm.step` never advances the states
then the unconstrained state could potentially point me to a vulnerability. I coded an obvious potential buffer overflow as follows:
#include <stdint.h>
#include <string.h>

void processPacket( char * pkt )
{
    char buffer[255];
    /* length taken from the packet itself and never checked against sizeof(buffer) */
    memcpy(buffer, &pkt[3], *((uint16_t*)&pkt[0]));
}
where the first two bytes of a packet determine the length of the rest of the packet and therefore the length of the memcpy.
angr did find an unconstrained state, but it was not readily obvious how to examine the unconstrained state to determine the cause of the vulnerability.
Once I find an unconstrained state, is there a way to determine the cause? Are vulnerability researchers using angr to look for potential vulnerabilities? Is there a typical methodology to do so?
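One way to answer the first question in practice, as an added example that is not part of the question above: it assumes `a.out` was compiled from the C function shown (x86-64, little-endian) and exports the symbol `processPacket`; the packet length, its address in the state and the helper names are this example's own choices.

```python
import struct

BUF_SIZE = 255          # size of `buffer` in the question's processPacket()
PKT_LEN = 600           # bytes of symbolic packet handed to the function (assumption)
PKT_ADDR = 0x7f000000   # where the symbolic packet is stored in the state (assumption)


def explain_packet(packet: bytes, buf_size: int = BUF_SIZE) -> dict:
    """Decode a concrete packet the solver produced: the little-endian uint16
    at offset 0 is the memcpy length; anything beyond buf_size overflows."""
    length = struct.unpack_from('<H', packet, 0)[0]
    return {'length': length,
            'overflow_by': max(0, length - buf_size),
            'overflows': length > buf_size}


def find_unconstrained(binary: str = 'a.out', func: str = 'processPacket'):
    import angr, claripy   # imported here so explain_packet() is usable without angr

    p = angr.Project(binary, auto_load_libs=False)
    addr = p.loader.find_symbol(func).rebased_addr
    pkt = claripy.BVS('pkt', PKT_LEN * 8)      # fully symbolic packet, length field included
    st = p.factory.call_state(addr, PKT_ADDR)  # call processPacket(PKT_ADDR)
    st.memory.store(PKT_ADDR, pkt)
    sm = p.factory.simulation_manager(st)
    sm.run()   # step until every path is dead, errored or unconstrained
    for s in sm.unconstrained:
        # 1. where did control go? a symbolic pc means its bytes came from the input
        pc = s.regs.pc
        print('pc symbolic:', s.solver.symbolic(pc), 'e.g.', hex(s.solver.eval(pc)))
        # 2. can the input choose the target? satisfiable => return address is input-controlled
        print('pc controllable:', s.solver.satisfiable(extra_constraints=[pc == 0x41414141]))
        # 3. the path taken; the last block is where the corrupted return address was consumed
        print('last blocks:', [hex(a) for a in s.history.bbl_addrs.hardcopy][-5:])
        # 4. a concrete packet reproducing the state, and what its length field says
        packet = s.solver.eval(pkt, cast_to=bytes)
        print('length field:', explain_packet(packet))
    return sm.unconstrained


if __name__ == '__main__':
    find_unconstrained()
```

The decoded length field compared with `BUF_SIZE`, together with the symbolic `pc` and the block that consumed it, points at the `memcpy` as the root cause rather than just at the crash.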