qualcomm/AFLTriage

GitHub: qualcomm/AFLTriage

A debugger-based crash triage and deduplication tool that helps quickly cluster the crashes produced by fuzzing.

Stars: 139 | Forks: 14

# AFLTriage

AFLTriage is a tool to triage crashing input files using a debugger. It is designed to be portable and not require any runtime dependencies besides libc and an external debugger. It supports triaging crashes generated by any program, not just AFL, but it has special handling for AFL directories, hence the name.

Some notable features include:

* Multiple report formats: [text](./src/report/res/test_report_text/asan_stack_bof.txt), [JSON](./src/report/res/test_report_text/asan_stack_bof.json), and [raw debugger JSON](./src/report/res/test_report_text/asan_stack_bof.rawjson)
* Parallel crash triage
* Crash deduplication
* Sanitizer report parsing
* Support for binary targets with or without symbols/debug information
* Source code and variables are annotated in reports for context

Currently AFLTriage only supports GDB and has only been tested on Linux C/C++ targets.

Note that AFLTriage does not classify crashes by potential exploitability. Accurate exploitability classification is highly target- and scenario-specific and is best left to specialized tools and expert analysis.

## Usage

Usage of AFLTriage is quite straightforward. You need the inputs to triage, an output directory for reports, and the binary to triage along with its arguments.

Example:

```
$ afltriage -i fuzzing_directory -o reports ./target_binary --option-one @@
AFLTriage v1.0.0

[+] GDB is working (GNU gdb (Ubuntu 8.1.1-0ubuntu1) 8.1.1 - Python 3.6.9 (default, Jan 26 2021, 15:33:00))
[+] Image triage cmdline: "./target_binary --option-one @@"
[+] Reports will be output to directory "reports"
[+] Triaging AFL directory fuzzing_directory/ (41 files)
[+] Triaging 41 testcases
[+] Using 24 threads to triage
[+] Triaging [41/41 00:00:02] [####################] CRASH: ASAN detected heap-buffer-overflow in buggy_function after a READ leading to SIGABRT (si_signo=6) / SI_TKILL (si_code=-6)
[+] Triage stats [Crashes: 25 (unique 12), No crash: 16, Errored: 0]
```

Similar to AFL, `@@` is replaced with the path of the file to be triaged. AFLTriage handles the rest.

## Building and Running

You will need a working Rust build environment. Once you have cargo and rust installed, building and running is simple:

```
cd afltriage-rs/
cargo run --help

    Finished dev [unoptimized + debuginfo] target(s) in 0.33s
     Running `target/debug/afltriage --help`
...
```

## Extended Usage

```
afltriage 1.0.0
Quickly triage and summarize crashing testcases

USAGE:
    afltriage -i ... -o ...

OPTIONS:
    -i ...
            A list of paths to a testcase, directory of testcases, AFL directory, and/or directory of AFL
            directories to be triaged. Note that this arg takes multiple inputs in a row (e.g. -i input1 input2...)
            so it cannot be the last argument passed to AFLTriage -- this is reserved for the command.
    -o
            The output directory for triage report files. Use '-' to print entire reports to console.
    -t, --timeout
            The timeout in milliseconds for each testcase to triage. [default: 60000]
    -j, --jobs
            How many threads to use during triage.
    --report-formats ...
            The triage report output formats. Multiple values allowed: e.g. text,json. [default: text]
            [possible values: text, json, rawjson]
    --bucket-strategy
            The crash deduplication strategy to use. [default: afltriage]
            [possible values: none, afltriage, first_frame, first_frame_raw, first_5_frames, function_names,
            first_function_name]
    --child-output
            Include child output in triage reports.
    --child-output-lines
            How many lines of program output from the target to include in reports. Use 0 to mean unlimited
            lines (not recommended). [default: 25]
    --stdin
            Provide testcase input to the target via stdin instead of a file.
    --profile-only
            Perform environment checks, describe the inputs to be triaged, and profile the target binary.
    --skip-profile
            Skip target profiling before input processing.
    --debug
            Enable low-level debugging output of triage operations.
    -h, --help
            Prints help information
    -V, --version
            Prints version information

ARGS:
    ...
            The binary executable and args to execute. Use '@@' as a placeholder for the path to the input
            file or --stdin. Optionally use -- to delimit the start of the command.
```

## Related Projects

* [GDB Exploitable](https://github.com/jfoote/exploitable) - a major inspiration for AFLTriage
* [Crashwalk](https://github.com/bnagy/crashwalk)
* afl-collect from [afl-utils](https://github.com/rc0r/afl-utils)

## License

AFLTriage is licensed under the BSD 3-clause "New" or "Revised" License. See [LICENSE](LICENSE) for more details.
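To make the `--bucket-strategy` choices above concrete, here is an added Python example (not AFLTriage's own code) that parses constructed GDB backtraces and groups them under keys approximating the `none`, `first_frame`, `first_5_frames`, `function_names` and `first_function_name` strategies. The exact keys AFLTriage computes are not described on this page, so the key construction is an assumption, and `afltriage`/`first_frame_raw` are not modelled.

```python
import hashlib, re
from collections import defaultdict

# One GDB 'bt' line, e.g. "#1  0x0000555555555234 in parse_record (rec=0x7ffc1234) at target.c:88".
# The "0x... in" prefix is absent on some frames; "at file:line" is absent without debug info.
FRAME_RE = re.compile(r"^#\d+\s+(?:0x[0-9a-f]+\s+in\s+)?(?P<func>[^\s(]+)\s*\(.*\)"
                      r"(?:\s+at\s+(?P<file>\S+):(?P<line>\d+))?")

def parse_backtrace(text):
    """Return [(func, file, line), ...] with addresses and argument values dropped."""
    matches = [FRAME_RE.match(ln.strip()) for ln in text.strip().splitlines()]
    return [(m["func"], m["file"] or "?", m["line"] or "?") for m in matches if m]

def bucket_key(frames, strategy):
    """Dedup key for one parsed backtrace. Strategy names follow the README's --bucket-strategy
    values; the keys themselves are this example's approximation (assumed), not AFLTriage's."""
    loc = lambda f: f"{f[0]}@{f[1]}:{f[2]}"
    if strategy == "first_frame":
        parts = [loc(frames[0])]
    elif strategy == "first_5_frames":
        parts = [loc(f) for f in frames[:5]]
    elif strategy == "function_names":
        parts = [f[0] for f in frames]
    elif strategy == "first_function_name":
        parts = [frames[0][0]]
    else:
        raise ValueError(f"unknown strategy {strategy!r}")
    return hashlib.sha1("|".join(parts).encode()).hexdigest()[:12]

def bucket(crashes, strategy):
    """Group {testcase: backtrace_text} into {key: [testcases]}."""
    groups = defaultdict(list)
    for name, text in crashes.items():
        frames = parse_backtrace(text)
        if strategy == "none" or not frames:   # no dedup requested, or nothing to key on
            groups[name].append(name)
        else:
            groups[bucket_key(frames, strategy)].append(name)
    return dict(groups)

# Constructed sample backtraces (not captured from any real target).
CRASHES = {
    "id:000001": """#0  0x00005555555551a9 in buggy_function (buf=0x602000000010, len=32) at target.c:42
#1  0x0000555555555234 in parse_record (rec=0x7ffc1234) at target.c:88
#2  0x00005555555552f0 in main (argc=3, argv=0x7ffc5678) at target.c:120""",
    "id:000002": """#0  0x00005555555551a9 in buggy_function (buf=0x602000000020, len=64) at target.c:42
#1  0x0000555555555310 in parse_header (hdr=0x7ffc1234) at target.c:95
#2  0x00005555555552f0 in main (argc=3, argv=0x7ffc5678) at target.c:120""",
    "id:000003": """#0  __GI_raise (sig=6) at ../sysdeps/unix/sysv/linux/raise.c:50
#1  0x00007ffff7a2d895 in __GI_abort () at abort.c:79
#2  0x0000555555555180 in check_invariant (v=-1) at target.c:30""",
}
```

With these inputs, `first_frame` and `first_function_name` merge the two `buggy_function` crashes into one bucket, while `first_5_frames` and `function_names` keep them apart because the calling frame differs.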