More radare 2 (6/?): functions call graph

I'm investigating a CVE concerning a well-known library that is part of our dependency tree at $dayjob. Anything calling the vulnerable function is to be considered vulnerable, so I wanted to obtain a call graph of the function. An IDE would probably be able to figure that out for me, but I don't use one. On the other hand I'm learning Radare2 these days, so why not use it?

Visualize global call graph: agC

ag supports a number of graph visualization options.

graphviz dot visualized from within r2:

    [...]> agCd | xdot -

same but from shell:

    $ r2 -Aqc agCd ./package/usr/lib/lib....so | xdot -

Visualize xref graph: agx @ addr

The displayed xrefs are addresses, because r2 does not list the name of the calling function but the address of the call site within the function. This is not very useful for our needs, so the global call graph mentioned above is more practical.

While figuring out the call graph from the source code might be more natural, the binary analysis approach has the advantage of taking into account the compile-time configuration. This is effective. In many software packages such as Busybox, U-Boot, Linux (kernel) and mbedTLS, many features can be disabled in the build system.
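On a large library the rendered graph gets hard to read, so the "anything calling the vulnerable function" set can also be computed from the same DOT text. The following is an added example, not part of the original post or of radare2. It assumes the DOT uses quoted node ids with the function name in a `label` attribute (the layout may differ between r2 versions), and every function name in the sample is constructed.

```python
import re
import sys
from collections import defaultdict

# Constructed sample in the style of a DOT call graph (nodes keyed by
# address, function name in the label); not output from a real library.
SAMPLE_DOT = '''digraph code {
  "0x1000" [label="sym.api_connect"];
  "0x1100" [label="sym.tls_handshake"];
  "0x1200" [label="sym.vulnerable_decode"];
  "0x1300" [label="sym.log_init"];
  "0x1400" [label="sym.retry"];
  "0x1000" -> "0x1100" [color="blue"];
  "0x1100" -> "0x1200";
  "0x1000" -> "0x1300";
  "0x1000" -> "0x1400";
  "0x1400" -> "0x1000";
}'''

NODE_RE = re.compile(r'^\s*"([^"]+)"\s*\[.*?\blabel="([^"]*)"')
EDGE_RE = re.compile(r'^\s*"([^"]+)"\s*->\s*"([^"]+)"')

def parse_callgraph(dot_text):
    """Map each callee name to the set of names that call it directly."""
    labels, edges = {}, []
    for line in dot_text.splitlines():
        edge, node = EDGE_RE.match(line), NODE_RE.match(line)
        if edge:
            edges.append(edge.groups())
        elif node:
            labels[node.group(1)] = node.group(2)
    callers = defaultdict(set)
    for src, dst in edges:
        # Fall back to the raw node id when a node carries no label.
        callers[labels.get(dst, dst)].add(labels.get(src, src))
    return callers

def transitive_callers(callers, target):
    """Every function from which target is reachable; cycles are handled."""
    seen, todo = set(), [target]
    while todo:
        new = callers.get(todo.pop(), set()) - seen
        seen |= new
        todo.extend(new)
    return seen

if __name__ == "__main__":
    # With an argument, read DOT from stdin; without, use the sample.
    dot = sys.stdin.read() if len(sys.argv) > 1 else SAMPLE_DOT
    target = sys.argv[1] if len(sys.argv) > 1 else "sym.vulnerable_decode"
    print("\n".join(sorted(transitive_callers(parse_callgraph(dot), target))))
```

To run it on real data, pipe the `agCd` output into the script and pass the function name exactly as r2 labels it. Indirect calls that the analysis did not resolve will not appear as edges, so treat the result as a lower bound.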