AFLTriage is a tool to triage crashing input files using a debugger.

Overview

AFLTriage

AFLTriage is a tool to triage crashing input files using a debugger. It is designed to be portable and not require any run-time dependencies, besides libc and an external debugger. It supports triaging crashes generated by any program, not just AFL, but recognizes AFL directories specially, hence the name.

Some notable features include:

  • Multiple report formats: text, JSON, and raw debugger JSON
  • Parallel crash triage
  • Crash deduplication
  • Sanitizer report parsing
  • Supports binary targets with or without symbols/debugging information
  • Source code and variables will be annotated in reports for context

Currently AFLTriage only supports GDB and has only been tested on Linux C/C++ targets. Note that AFLTriage does not classify crashes by potential exploitability. Accurate exploitability classification is very target- and scenario-specific and is best left to specialized tools and expert analysts.

Usage

Usage of AFLTriage is quite straightforward. You need your inputs to triage, an output directory for reports, and the binary and its arguments to triage.

Example:

$ afltriage -i fuzzing_directory -o reports ./target_binary --option-one @@
AFLTriage v1.0.0

[+] GDB is working (GNU gdb (Ubuntu 8.1.1-0ubuntu1) 8.1.1 - Python 3.6.9 (default, Jan 26 2021, 15:33:00))
[+] Image triage cmdline: "./target_binary --option-one @@"
[+] Reports will be output to directory "reports"
[+] Triaging AFL directory fuzzing_directory/ (41 files)
[+] Triaging 41 testcases
[+] Using 24 threads to triage
[+] Triaging   [41/41 00:00:02] [####################] CRASH: ASAN detected heap-buffer-overflow in buggy_function after a READ leading to SIGABRT (si_signo=6) / SI_TKILL (si_code=-6)
[+] Triage stats [Crashes: 25 (unique 12), No crash: 16, Errored: 0]

As in AFL, the @@ is replaced with the path of the file to be triaged; AFLTriage takes care of the rest.
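Driving afltriage from a script and reading back its summary, as an added example (my code, not part of the AFLTriage project): it assembles an argv that respects the rule from the help text that -i takes a variadic list (so the target command is delimited with --), and it parses the "[+] Triage stats [...]" and "CRASH: ..." lines using the exact formats of the sample run above. The sample output below is constructed from that run; `afltriage` being on PATH is an assumption.

```python
"""Drive afltriage from CI and parse its console summary.

Added example, not part of the AFLTriage project. Assumes `afltriage` is on
PATH and that its console output keeps the "[+] Triaging ... CRASH: ..." and
"[+] Triage stats [...]" line formats shown in the README's sample run.
"""
import re
import subprocess
from typing import Dict, List, Optional, Sequence, Tuple

# Final summary line, e.g.
# "[+] Triage stats [Crashes: 25 (unique 12), No crash: 16, Errored: 0]"
STATS_RE = re.compile(
    r"\[\+\] Triage stats \[Crashes: (?P<crashes>\d+) \(unique (?P<unique>\d+)\), "
    r"No crash: (?P<nocrash>\d+), Errored: (?P<errored>\d+)\]"
)

# Per-crash one-liner printed during triage, e.g.
# "CRASH: ASAN detected heap-buffer-overflow in buggy_function after a READ
#  leading to SIGABRT (si_signo=6) / SI_TKILL (si_code=-6)"
CRASH_RE = re.compile(
    r"CRASH: (?P<sanitizer>\w+) detected (?P<bug>[\w-]+) in (?P<function>\S+) "
    r"after a (?P<access>READ|WRITE) leading to (?P<signal>SIG\w+) "
    r"\(si_signo=(?P<si_signo>-?\d+)\) / (?P<si_code_name>\w+) \(si_code=(?P<si_code>-?\d+)\)"
)

# Constructed sample, copied from the README's example run.
SAMPLE_OUTPUT = """AFLTriage v1.0.0

[+] GDB is working (GNU gdb (Ubuntu 8.1.1-0ubuntu1) 8.1.1 - Python 3.6.9 (default, Jan 26 2021, 15:33:00))
[+] Image triage cmdline: "./target_binary --option-one @@"
[+] Reports will be output to directory "reports"
[+] Triaging AFL directory fuzzing_directory/ (41 files)
[+] Triaging 41 testcases
[+] Using 24 threads to triage
[+] Triaging   [41/41 00:00:02] [####################] CRASH: ASAN detected heap-buffer-overflow in buggy_function after a READ leading to SIGABRT (si_signo=6) / SI_TKILL (si_code=-6)
[+] Triage stats [Crashes: 25 (unique 12), No crash: 16, Errored: 0]
"""


def build_cmdline(inputs: Sequence[str], output_dir: str, target_cmd: Sequence[str],
                  timeout_ms: Optional[int] = None, jobs: Optional[int] = None,
                  formats: Optional[Sequence[str]] = None, stdin: bool = False) -> List[str]:
    """Assemble an afltriage argv. `-i` consumes every following token, so all
    other options come after it and the target command is delimited with `--`."""
    if not inputs:
        raise ValueError("at least one input path is required")
    if not stdin and not any("@@" in arg for arg in target_cmd):
        raise ValueError("target command needs an @@ placeholder unless --stdin is used")
    argv: List[str] = ["afltriage", "-i", *inputs, "-o", output_dir]
    if timeout_ms is not None:
        argv += ["--timeout", str(timeout_ms)]
    if jobs is not None:
        argv += ["--jobs", str(jobs)]
    if formats:
        argv += ["--report-formats", ",".join(formats)]  # e.g. text,json
    if stdin:
        argv.append("--stdin")
    argv += ["--", *target_cmd]
    return argv


def parse_stats(output: str) -> Optional[Dict[str, int]]:
    """Return the counters from the final stats line, or None if triage never printed one."""
    for line in output.splitlines():
        m = STATS_RE.search(line)
        if m:
            return {k: int(v) for k, v in m.groupdict().items()}
    return None


def parse_crash_lines(output: str) -> List[Dict[str, object]]:
    """Extract every CRASH one-liner into a dict (sanitizer, bug, function, access, signal, codes)."""
    found: List[Dict[str, object]] = []
    for line in output.splitlines():
        m = CRASH_RE.search(line)
        if m:
            d: Dict[str, object] = dict(m.groupdict())
            d["si_signo"] = int(m.group("si_signo"))
            d["si_code"] = int(m.group("si_code"))
            found.append(d)
    return found


def ci_verdict(stats: Optional[Dict[str, int]]) -> Tuple[bool, str]:
    """CI gate: fail on a missing summary (triage did not finish), on errored
    testcases (results are incomplete), or on any unique crash bucket."""
    if stats is None:
        return False, "no triage summary found; afltriage did not complete"
    if stats["errored"]:
        return False, f"{stats['errored']} testcase(s) errored during triage"
    if stats["unique"]:
        return False, f"{stats['unique']} unique crash bucket(s) out of {stats['crashes']} crashes"
    return True, "no crashes"


def run_triage(argv: Sequence[str], cwd: Optional[str] = None):
    """Run afltriage and return (returncode, stats, crash one-liners)."""
    proc = subprocess.run(list(argv), capture_output=True, text=True, cwd=cwd)
    return proc.returncode, parse_stats(proc.stdout), parse_crash_lines(proc.stdout)


if __name__ == "__main__":
    # Offline demo on the constructed sample; a real run would use run_triage(build_cmdline(...)).
    print(build_cmdline(["fuzzing_directory"], "reports", ["./target_binary", "--option-one", "@@"],
                        timeout_ms=30000, formats=["text", "json"]))
    print(parse_stats(SAMPLE_OUTPUT))
    print(ci_verdict(parse_stats(SAMPLE_OUTPUT)))
```

The verdict function treats "Errored" as a failure on its own: an errored testcase means the debugger could not finish, so a clean "unique 0" next to a non-zero error count is not evidence of an absence of crashes.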

Building and Running

You will need a working Rust build environment. Once you have cargo and rust installed, building and running is simple:

$ cd afltriage-rs/
$ cargo run -- --help

<...>

    Finished dev [unoptimized + debuginfo] target(s) in 0.33s
     Running `target/debug/afltriage --help`
...

Extended Usage

afltriage 1.0.0
Quickly triage and summarize crashing testcases

USAGE:
    afltriage -i ... -o ...

OPTIONS:
    -i ...
            A list of paths to a testcase, directory of testcases, AFL directory, and/or directory of AFL directories to
            be triaged. Note that this arg takes multiple inputs in a row (e.g. -i input1 input2...) so it cannot be the
            last argument passed to AFLTriage -- this is reserved for the command.
    -o
            The output directory for triage report files. Use '-' to print entire reports to console.

    -t, --timeout
            The timeout in milliseconds for each testcase to triage. [default: 60000]

    -j, --jobs
            How many threads to use during triage.

        --report-formats ...
            The triage report output formats. Multiple values allowed: e.g. text,json. [default: text]
            [possible values: text, json, rawjson]

        --bucket-strategy
            The crash deduplication strategy to use. [default: afltriage]
            [possible values: none, afltriage, first_frame, first_frame_raw, first_5_frames, function_names,
            first_function_name]

        --child-output
            Include child output in triage reports.

        --child-output-lines
            How many lines of program output from the target to include in reports. Use 0 to mean unlimited lines
            (not recommended). [default: 25]

        --stdin
            Provide testcase input to the target via stdin instead of a file.

        --profile-only
            Perform environment checks, describe the inputs to be triaged, and profile the target binary.

        --skip-profile
            Skip target profiling before input processing.

        --debug
            Enable low-level debugging output of triage operations.

    -h, --help
            Prints help information

    -V, --version
            Prints version information

ARGS:
    ...
            The binary executable and args to execute. Use '@@' as a placeholder for the path to the input file or
            --stdin. Optionally use -- to delimit the start of the command.
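The --bucket-strategy names above decide which crashes are counted as the same bug. The following added example (my own code, not AFLTriage's implementation) works through what the frame-based strategies mean on constructed backtraces: which crashes merge under each key, and why a coarse key (first_function_name) can hide distinct bugs while a fine one (first_5_frames) inflates the unique count. The key definitions are my reading of the option names; the default afltriage strategy and first_frame_raw are not modelled.

```python
"""Stack-based crash bucketing in the style of afltriage's --bucket-strategy.

Added example, not AFLTriage's own implementation: the bucket keys below are
my interpretation of the strategy names, and the backtraces are constructed.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, List

STRATEGIES = ("none", "first_frame", "first_5_frames", "function_names", "first_function_name")


@dataclass(frozen=True)
class Frame:
    function: str  # symbol name, or an address string for a stripped binary
    file: str
    line: int


def frame_text(frame: Frame) -> str:
    """Full identity of a frame: function plus source location."""
    return f"{frame.function}@{frame.file}:{frame.line}"


def bucket_key(crash_id: str, frames: List[Frame], strategy: str) -> str:
    """Return a short stable key; crashes with equal keys land in one bucket."""
    if strategy not in STRATEGIES:
        raise ValueError(f"unknown bucket strategy {strategy!r}")
    if strategy == "none" or not frames:
        # No deduplication requested, or nothing to key on (the debugger could
        # not unwind): keep the crash in its own bucket instead of silently
        # merging every unkeyable crash into one.
        parts = [crash_id]
    elif strategy == "first_frame":
        parts = [frame_text(frames[0])]
    elif strategy == "first_5_frames":
        parts = [frame_text(f) for f in frames[:5]]
    elif strategy == "function_names":
        parts = [f.function for f in frames]
    else:  # first_function_name
        parts = [frames[0].function]
    return hashlib.sha256("\n".join(parts).encode()).hexdigest()[:16]


def dedup(crashes: Dict[str, List[Frame]], strategy: str) -> Dict[str, List[str]]:
    """Group crash ids by bucket key under the given strategy."""
    buckets: Dict[str, List[str]] = {}
    for crash_id, frames in crashes.items():
        buckets.setdefault(bucket_key(crash_id, frames, strategy), []).append(crash_id)
    return buckets


def unique_counts(crashes: Dict[str, List[Frame]]) -> Dict[str, int]:
    """The 'unique' number each strategy would report for the same crash set."""
    return {s: len(dedup(crashes, s)) for s in STRATEGIES}


# Constructed backtraces, innermost frame first. 000000 and 000001 reach the
# same faulting line through different lines of the caller; 000002 faults at a
# different line of the same function via another path.
SAMPLE_CRASHES: Dict[str, List[Frame]] = {
    "id:000000": [Frame("buggy_function", "buggy.c", 42), Frame("parse_record", "main.c", 100), Frame("main", "main.c", 200)],
    "id:000001": [Frame("buggy_function", "buggy.c", 42), Frame("parse_record", "main.c", 120), Frame("main", "main.c", 200)],
    "id:000002": [Frame("buggy_function", "buggy.c", 57), Frame("parse_header", "main.c", 50), Frame("main", "main.c", 200)],
}


if __name__ == "__main__":
    for strategy, count in unique_counts(SAMPLE_CRASHES).items():
        print(f"{strategy:20s} unique={count} buckets={list(dedup(SAMPLE_CRASHES, strategy).values())}")
```

On the sample set the counts are none=3, first_frame=2, first_5_frames=3, function_names=2, first_function_name=1: the two distinct faulting lines in buggy_function collapse into one bucket under first_function_name, which is the kind of merge to watch for when a single report is used to decide a fix is complete.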

Related Projects

License

AFLTriage is licensed under the BSD 3-clause "New" or "Revised". See LICENSE for more details.


Comments

  • AFL_PRELOAD

    AFLTriage is great, super easy to use. I've run into a small issue though. I would like to LD_PRELOAD a library into my target when it is run. However, I cannot seem to see a way to pass an environment variable to the target without it also being passed to afl-triage itself. Whilst for the most part environment variables can just be allowed to propagate from parent to child, in the case of LD_PRELOAD this causes an issue.

    Obviously, you can't simply replace your target with a script, since the target then won't be the direct child of afl-triage, so for now I've managed to work around it by making a small loader application which calls setenv and execve, but it would be awesome if you could just pass environment variables directly to afl-triage.

    Maybe something like...

    afl-triage -e LD_PRELOAD=mylib.so ...

    opened by WorksButNotTested 3
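The loader the issue describes (set the variable, then execve the real target so it keeps the pid the debugger launched) as an added example in Python rather than the commenter's own code: the shim parses KEY=VALUE assignments, applies them only to the environment handed to os.execvpe, and never exports them into its own process, so LD_PRELOAD does not reach the shim or afltriage. The script name, the `--` separator and the assumption that afltriage's GDB session follows the exec are mine, not the project's.

```python
#!/usr/bin/env python3
"""Exec shim that applies environment variables to the target only.

Added example modelled on the setenv+execve workaround from the issue
comment; not part of AFLTriage. Hypothetical usage (afltriage substitutes
@@ before the shim sees it):

  afltriage -i crashes -o reports -- ./preload_shim.py LD_PRELOAD=./mylib.so -- ./target_binary --option-one @@

Whether the debugger session started by afltriage follows the exec into the
target is an assumption to verify on your setup.
"""
import os
import sys
from typing import Dict, List, Tuple


def split_args(argv: List[str]) -> Tuple[Dict[str, str], List[str]]:
    """Split leading KEY=VALUE assignments from the target command.

    Assignments are read until '--' or the first token that is not a plain
    KEY=VALUE (so a target option such as --flag=1 is never swallowed);
    everything after that is passed to the target verbatim.
    """
    overrides: Dict[str, str] = {}
    i = 0
    while i < len(argv):
        tok = argv[i]
        if tok == "--":
            i += 1
            break
        key, sep, value = tok.partition("=")
        # Only identifier-like keys count as assignments.
        if not sep or not key or not key.replace("_", "a").isalnum():
            break
        overrides[key] = value
        i += 1
    target = argv[i:]
    if not target:
        raise ValueError("no target command given after the assignments")
    return overrides, target


def build_env(base: Dict[str, str], overrides: Dict[str, str]) -> Dict[str, str]:
    """Copy of the inherited environment with the overrides applied; the
    shim's own os.environ is left untouched."""
    env = dict(base)
    env.update(overrides)
    return env


def main() -> None:
    overrides, target = split_args(sys.argv[1:])
    env = build_env(dict(os.environ), overrides)
    # Replace this process image in place: same pid, target becomes the
    # debugger's direct child. execvpe resolves target[0] on PATH and only
    # returns by raising OSError.
    os.execvpe(target[0], target, env)


if __name__ == "__main__":
    main()
```

Because `partition` splits on the first `=`, values that themselves contain `=` (for example sanitizer option strings) survive intact.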
Owner
Qualcomm Innovation Center