• Stars
    star
    279
  • Rank 147,967 (Top 3 %)
  • Language
    Rust
  • License
    Apache License 2.0
  • Created about 2 years ago
  • Updated 4 months ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Collect crash (or UndefinedBehaviorSanitizer error) reports, triage, and estimate severity.

CI Crates.io Documentation

CASR: Crash Analysis and Severity Report

CASR – collect crash (or UndefinedBehaviorSanitizer error) reports, triage, and estimate severity. It is based on ideas from exploitable and apport.

CASR is maintained by:

Overview

CASR is a set of tools that allows you to collect crash reports in different ways. Use casr-core binary to deal with coredumps. Use casr-san to analyze ASAN reports or casr-ubsan to analyze UBSAN reports. Try casr-gdb to get reports from gdb. Use casr-python to analyze python reports and get report from Atheris. Use casr-java to analyze java reports and get report from Jazzer.

Crash report contains many useful information: severity (like exploitable) for x86, x86_64, arm32, aarch64, rv32g, rv64g architectures, OS and package versions, command line, stack trace, register values, disassembly, and even source code fragment where crash appeared. Reports are stored in JSON format. casr-cli is meant to provide TUI for viewing reports. Reports triage (deduplication, clustering) is done by casr-cluster. Triage is based on stack trace comparison from gdb-command. casr-afl is used to triage crashes found by AFL++. casr-libfuzzer can triage crashes found by libFuzzer based fuzzer (C/C++/go-fuzz/Atheris /Jazzer). casr-dojo allows to upload new and unique CASR reports to DefectDojo (available with dojo feature).

Explanation of severity classes could be found here. You could take a closer look at usage details here.

casr_report

casr_dojo_finding

LibCASR

LibCASR provides API for parsing stacktraces, collecting crash reports, triaging crashes (deduplication and clustering), and estimating severity of crashes.

It can analyze crashes from different sources:

  • AddressSanitizer
  • UndefinedBehaviorSanitizer
  • Gdb output

and program languages:

  • C/C++
  • Rust
  • Go
  • Python
  • Java

It could be built with exploitable feature for severity estimation crashes collected from gdb. To save crash reports as json use serde feature.

Dependencies

Install build dependencies:

$ sudo apt install build-essential clang

Install Rust or update existing Rust installation:

$ rustup update

Install runtime dependencies:

$ sudo apt install gdb lsb-release

Install

Build from Git repository:

$ git clone https://github.com/ispras/casr
$ cargo build --release

Or you may just install Casr from crates.io:

$ cargo install casr

Add dojo feature if you want to install casr-dojo (the same for cargo build):

$ cargo install -F dojo casr

Usage

Create report from coredump:

$ casr-core -f casr/tests/casr_tests/bin/core.test_destAv -e casr/tests/casr_tests/bin/test_destAv -o destAv.casrep

Create report from AddressSanitizer output:

$ clang++ -fsanitize=address -O0 -g casr/tests/casr_tests/test_asan_df.cpp -o test_asan_df
$ casr-san -o asan.casrep -- ./test_asan_df

Create report from UndefinedBehaviorSanitizer output:

$ clang++ -fsanitize=undefined -O0 -g casr/tests/casr_tests/ubsan/test_ubsan.cpp -o test_ubsan
$ casr-ubsan -i casr/tests/casr_tests/ubsan/input1 -o output -- ./test_ubsan @@
$ casr-cli output

Create report from gdb:

$ casr-gdb -o destAv.gdb.casrep -- casr/tests/casr_tests/bin/test_destAv $(printf 'A%.s' {1..200})

Create report from python:

$ casr-python -o python.casrep -- casr/tests/casr_tests/python/test_casr_python.py

Create report from java:

$ casr-java -o java.casrep -- java casr/tests/casr_tests/java/Test1.java

View report:

$ casr-cli casr/tests/casr_tests/casrep/test_clustering_san/load_fuzzer_crash-120697a7f5b87c03020f321c8526adf0f4bcc2dc.casrep

View joint statistics about crash clusters:

$ casr-cli casr_reports

Create report for program that reads stdin:

$ casr-san --stdin seed -o san_bin.casrep -- ./san_bin

Deduplicate reports:

$ casr-cluster -d casr/tests/casr_tests/casrep/test_clustering_gdb out-dedup

Cluster reports:

$ casr-cluster -c out-dedup out-cluster

Triage crashes after AFL++ fuzzing with casr-afl:

$ cp casr/tests/casr_tests/bin/load_afl /tmp/load_afl
$ cp casr/tests/casr_tests/bin/load_sydr /tmp/load_sydr
$ casr-afl -i casr/tests/casr_tests/casrep/afl-out-xlnt -o casr/tests/tmp_tests_casr/casr_afl_out
$ # You may also additionally generate crash reports for uninstrumented binary with casr-gdb
$ casr-afl -i casr/tests/casr_tests/casrep/afl-out-xlnt -o casr/tests/tmp_tests_casr/casr_afl_out -- /tmp/load_sydr @@

Triage libFuzzer crashes with casr-libfuzzer:

$ casr-libfuzzer -i casr/tests/casr_tests/casrep/libfuzzer_crashes_xlnt -o casr/tests/tmp_tests_casr/casr_libfuzzer_out -- casr/tests/casr_tests/bin/load_fuzzer

Triage Atheris crashes with casr-libfuzzer:

$ unzip casr/tests/casr_tests/python/ruamel.zip
$ cp casr/tests/casr_tests/python/yaml_fuzzer.py .
$ casr-libfuzzer -i casr/tests/casr_tests/casrep/atheris_crashes_ruamel_yaml -o casr/tests/tmp_tests_casr/casr_libfuzzer_atheris_out -- ./yaml_fuzzer.py

Upload new and unique CASR reports to DefectDojo:

$ echo '[product]' > dojo.toml
$ echo 'name = "xlnt"' >> dojo.toml
$ echo '[engagement]' >> dojo.toml
$ echo "name = \"load_fuzzer $(date -Isec)\"" >> dojo.toml
$ echo '[test]' >> dojo.toml
$ echo 'test_type = "CASR DAST Report"' >> dojo.toml
$ casr-dojo -i casr/tests/casr_tests/casrep/test_clustering_san -u http://localhost:8080 -t 382f5dfdf2a339f7c3bb35442f9deb9b788a98d5 dojo.toml

Fuzzing Crash Triage Pipeline

When you have crashes from fuzzing you may do the following steps:

  1. Create reports for all crashes via casr-san, casr-gdb (if no sanitizers are present), casr-python, or casr-java.
  2. Deduplicate collected crash reports via casr-cluster -d.
  3. Cluster deduplicated crash reports via casr-cluster -c.
  4. Create reports and deduplicate them for all UBSAN errors via casr-ubsan.
  5. View reports from clusters using casr-cli or upload them to DefectDojo with casr-dojo.

If you use AFL++, the pipeline (without casr-ubsan and casr-dojo) could be done automatically by casr-afl.

If you use libFuzzer based fuzzer (C/C++/go-fuzz/Atheris), the pipeline (without casr-ubsan and casr-dojo) could be done automatically by casr-libfuzzer.

Contributing

Feel free to open issues or PRs! We appreciate your support!

Please follow the next recommendations for your pull requests:

  • compile with stable rust
  • use cargo fmt
  • check the output of cargo clippy --all
  • run tests cargo test

Cite Us

Savidov G., Fedotov A. Casr-Cluster: Crash Clustering for Linux Applications. 2021 Ivannikov ISPRAS Open Conference (ISPRAS), IEEE, 2021, pp. 47-51. DOI: 10.1109/ISPRAS53967.2021.00012 [paper] [slides]

@inproceedings{savidov2021casr,
  title = {{{Casr-Cluster}}: Crash Clustering for Linux Applications},
  author = {Savidov, Georgy and Fedotov, Andrey},
  booktitle = {2021 Ivannikov ISPRAS Open Conference (ISPRAS)},
  pages = {47--51},
  year = {2021},
  organization = {IEEE},
  doi = {10.1109/ISPRAS53967.2021.00012},
}

License

Licensed under Apache-2.0.

More Repositories

1

web-scraper-chrome-extension

Web data extraction tool implemented as chrome extension
JavaScript
171
star
2

dedoc

Dedoc is a library (service) for automate documents parsing and bringing to a uniform format. It automatically extracts content, logical structure, tables, and meta information from textual electronic documents. (Parse document; Document content extraction; Logical structure extraction; PDF parser; Scanned document parser; DOCX parser; HTML parser
Python
153
star
3

oss-sydr-fuzz

OSS-Sydr-Fuzz - OSS-Fuzz fork for hybrid fuzzing (fuzzer+DSE) open source software.
C
127
star
4

Futag

FUTAG (FUzzing Target Automated Generator) - автоматический генератор фаззинг-оберток для библиотек
Python
51
star
5

scrapy-puppeteer

Library that helps use puppeteer in scrapy.
Python
43
star
6

pu4spark

Positive-Unlabeled Learning for Apache Spark
Scala
40
star
7

rop-benchmark

ROP Benchmark is a tool to compare ROP compilers
Python
36
star
8

crusher

Python
35
star
9

qdt

QEMU Development Toolkit
Python
34
star
10

atr4s

Toolkit with state-of-the-art Automatic Terms Recognition methods in Scala
Scala
33
star
11

spark-openstack

Scripts to setup Spark cluster (any version) in any Openstack environment with optional useful tools.
Jinja
30
star
12

juliet-dynamic

Juliet C/C++ Dynamic Test Suite
23
star
13

qemu-gui

GUI for QEMU
C++
20
star
14

hdl-benchmarks

Collection of open HDL modules, subsystems and microprocessors (benchmarks) that are used for related tools testing.
Verilog
17
star
15

michman

Service for distributed systems deployment; part of Asperitas
Go
17
star
16

natch

Natch: инструмент определения поверхности атаки
Shell
16
star
17

sydr-benchmark

Sydr benchmark applications
C++
15
star
18

quix86

An x86-64 instruction decoder.
C
15
star
19

cotea

cotea: Ansible control tool
Python
14
star
20

EcgLib

Python
13
star
21

centos6.9-build-docker

CentOS 6.9 build Docker environment to distribute portable Linux binaries
Dockerfile
11
star
22

swat

SWAT - System-Wide Analysis Toolkit
C
11
star
23

proceedings

Proceedings of ISP RAS LaTeX Template
TeX
10
star
24

v8-aotc

V8 ahead-of-time compilation project
C++
10
star
25

scrapy-puppeteer-service

A special service that runs puputeer instances.
JavaScript
10
star
26

tact

C
8
star
27

lingvodoc-react

JavaScript
7
star
28

texterra-py

Texterra python sdk
Python
7
star
29

utopia-hls

Utopia: a High-Level Synthesis framework
C++
7
star
30

lingvodoc

More advanced Python version for Dialeqt project
JavaScript
7
star
31

riscv-avs

RISC-V Architecture Verification Suite (AVS)
Assembly
7
star
32

microtesk-old

MicroTESK: Specification-Based Framework for Developing Test Program Generators
7
star
33

tm

Regularized multilingual Probabilistic Semantic Analysis Scala implementation.
HTML
6
star
34

TrustedDynamic

Dockerfile
6
star
35

proceedings-md

Automatic markdown to docx converter that follows the Ispras proceedings design requirements
TypeScript
6
star
36

clouni

Cloud Unifier Tool for Service Orchestration
Python
5
star
37

dedoc-utils

Useful utilities for automatic document images processing
Python
5
star
38

FuzzedDataProviderCS

FuzzedDataProvider for C#, inspired by Google's FuzzedDataProvider.
C#
5
star
39

parmasan

Mirror repository with parmasan project
C++
5
star
40

microtesk

MicroTESK: Specification-Based Framework for Developing Test Program Generators
Java
5
star
41

gocotea

gocotea: Ansible control tool on Golang
Go
5
star
42

endometrium-dataset-analysis

This repository is dedicated to the analysis of the EndoNuke dataset
Jupyter Notebook
4
star
43

esoc

Ethernet Switch on Configurable Logic
Stata
3
star
44

angiocells_analysis

Jupyter Notebook
3
star
45

libosuction

A tool for stripping dynamic libraries of unneeded symbols
C
3
star
46

news-page-dataset

3
star
47

I3S

Python
2
star
48

parmasan-remake

Mirror repository with patched remake for parmasan
C
2
star
49

minimap2_index_modifier

C
2
star
50

hls-idct

Inverse Discrete Cosine Transform (IDCT) algorithm implementations are written in languages for High-Level Synthesis (HLS) and Hardware Construction (HC) tools.
Verilog
2
star
51

sv-tests

Test suites based on Verilog and SystemVerilog standards
Verilog
1
star
52

cv

Klever Continuous Verification Framework
Python
1
star
53

flagsup

Build flags extractor and summarizer.
Python
1
star
54

mammo_crop

Jupyter Notebook
1
star
55

dedockerfiles

Collection of dockerfiles for dedoc group projects
Dockerfile
1
star
56

qdt-guest-agent

C++
1
star
57

NetBlox

Java
1
star
58

staccato

Fork for the STACCATO project of University of Michigan
C
1
star
59

flint

Scalable machine learning framework
Scala
1
star
60

gephi-graphson

Importer and exporter plugins for Gephi for GraphSON format
Java
1
star
61

PTAHA

Patent Timesaving Automatic Helpful Apparatus
R
1
star
62

RISC-V-nML

RISC-V nML is a specification of ISA RISC-V in nML architecture decription language.
1
star