HeapHopper is a bounded model checking framework for Heap-implementations
Branch: master
Clone or download
Type Name Latest commit message Commit time
Failed to load latest commit information.
heaphopper Pin addr to concrete val in case of detection Feb 5, 2019
tests Fix typo Nov 3, 2018
.gitignore Extend gitignore Oct 15, 2018
.travis.yml Change travis image to xenial Aug 22, 2018
LICENSE Adjust license Aug 22, 2018
README.md Update README.md Oct 25, 2018
analysis.yaml Add setup.py Aug 21, 2018
overview.png Add README Feb 28, 2018
requirements.txt Another code cleanup Jul 11, 2018
setup.py Add setup.py Aug 21, 2018



Build Status License

HeapHopper is a bounded model checking framework for Heap-implementations.




sudo apt update && sudo apt install build-essential python3-dev virtualenvwrapper
git clone https://github.com/angr/heaphopper.git && cd ./heaphopper
mkvirtualenv -ppython3 heaphopper
pip install -e .

Required Packages

build-essential python3-dev virtualenvwrapper

Required Python-Packages

ana angr cle claripy IPython psutil pyelftools pyyaml


# Gen zoo of permutations
./heaphopper.py gen -c analysis.yaml

#  Trace instance
make -C tests
./heaphopper.py  trace -c tests/how2heap_fastbin_dup/analysis.yaml -b tests/how2heap_fastbin_dup/fastbin_dup.bin

# Gen PoC
./heaphopper.py poc -c tests/how2heap_fastbin_dup/analysis.yaml -r tests/how2heap_fastbin_dup/fastbin_dup.bin-result.yaml -d tests/how2heap_fastbin_dup/fastbin_dup.bin-desc.yaml -s tests/how2heap_fastbin_dup/fastbin_dup.c -b tests/how2heap_fastbin_dup/fastbin_dup.bin

# Tests
## Show source
cat tests/how2heap_fastbin_dup/fastbin_dup.c
## Run tests
## Show PoC source
cat tests/how2heap_fastbin_dup/pocs/malloc_non_heap/fastbin_dup.bin/poc_0_0.c
## Run PoC
cd tests
./run_poc.sh tests/how2heap_fastbin_dup/pocs/malloc_non_heap/fastbin_dup.bin/bin/poc_0_0.bin


This work has been published at the 27th USENIX Security Symposium.

You can read the paper here.


@inproceedings {heaphopper,
author = {Eckert, Moritz and Bianchi, Antonio and Wang, Ruoyu and Shoshitaishvili, Yan and Kruegel, Christopher and Vigna, Giovanni},
title = {HeapHopper: Bringing Bounded Model Checking to Heap Implementation Security},
booktitle = {27th {USENIX} Security Symposium ({USENIX} Security 18)},
year = {2018},
address = {Baltimore, MD},
url = {https://www.usenix.org/conference/usenixsecurity18/presentation/eckert},
publisher = {{USENIX} Association},