Reporting Tools

HeapHopper – A Bounded Model Checking Framework For Heap-implementations

HeapHopper - A Bounded Model Checking Framework For Heap-implementations

HeapHopper is a bounded model checking framework for Heap-implementations.


sudo apt update && sudo apt install build-essential python-dev virtualenvwrapper
git clone && cd ./heaphopper
mkvirtualenv -ppython2 heaphopper
pip install -e . Required Packages
build-essential python-dev virtualenvwrapper

Required Python-Packages

ana angr cle claripy IPython psutil pyelftools pyyaml


# Gen zoo of permutations gen -c analysis.yaml

# Trace instance
make -C tests trace -c tests/how2heap_fastbin_dup/analysis.yaml -b tests/how2heap_fastbin_dup/fastbin_dup.bin

# Gen PoC poc -c tests/how2heap_fastbin_dup/analysis.yaml -r tests/how2heap_fastbin_dup/fastbin_dup.bin-result.yaml -d tests/how2heap_fastbin_dup/fastbin_dup.bin-desc.yaml -s tests/how2heap_fastbin_dup/fastbin_dup.c -b tests/how2heap_fastbin_dup/fastbin_dup.bin

# Tests
cd tests
# Show source
cat how2heap_fastbin_dup/fastbin_dup.c
# Run tests
# Show PoC source
cat pocs/malloc_non_heap/fastbin_dup.bin/poc_0_0.c
# Run PoC
./ pocs/malloc_non_heap/fastbin_dup.bin/bin/poc_0_0.bin


This work has been published at the 27th USENIX Security Symposium.
You can read the paper here.

@inproceedings {heaphopper,
author = {Eckert, Moritz and Bianchi, Antonio and Wang, Ruoyu and Shoshitaishvili, Yan and Kruegel, Christopher and Vigna, Giovanni},
title = {HeapHopper: Bringing Bounded Model Checking to Heap Implementation Security},
booktitle = {27th {USENIX} Security Symposium ({USENIX} Security 18)},
year = {2018},
address = {Baltimore, MD},
url = {},
publisher = {{USENIX} Association},

Website security, detecting malwares on the website and removal services, website backup services, daily website file scanning and file changes monitoring

About the author


Add Comment

Click here to post a comment

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: