AFLTriage

AFLTriage is a tool to triage crashing input files using a debugger. It is designed to be portable and not require any run-time dependencies, besides libc and an external debugger. It supports triaging crashes generated by any program, not just AFL, but recognizes AFL directories specially, hence the name.

Some notable features include:

Multiple report formats: text, JSON, and raw debugger JSON
Parallel crash triage
Crash deduplication
Sanitizer report parsing
Supports binary targets with or without symbols/debugging information
Source code and variables will be annotated in reports for context

Currently AFLTriage only supports GDB and has only been tested on Linux C/C++ targets. Note that AFLTriage does not classify crashes by potential exploitablity. Accurate exploitability classification is very target and scenario specific and is best left to specialized tools and expert analysts.

Usage

Usage of AFLTriage is quite straightforward. You need your inputs to triage, an output directory for reports, and the binary and its arguments to triage.

Example:

$ afltriage -i fuzzing_directory -o reports ./target_binary --option-one @@
AFLTriage v1.0.0

[+] GDB is working (GNU gdb (Ubuntu 8.1.1-0ubuntu1) 8.1.1 - Python 3.6.9 (default, Jan 26 2021, 15:33:00))
[+] Image triage cmdline: "./target_binary --option-one @@"
[+] Reports will be output to directory "reports"
[+] Triaging AFL directory fuzzing_directory/ (41 files)
[+] Triaging 41 testcases
[+] Using 24 threads to triage
[+] Triaging   [41/41 00:00:02] [####################] CRASH: ASAN detected heap-buffer-overflow in buggy_function after a READ leading to SIGABRT (si_signo=6) / SI_TKILL (si_code=-6)
[+] Triage stats [Crashes: 25 (unique 12), No crash: 16, Errored: 0]

Similar to AFL the @@ is replaced with the path of the file to be triaged. AFLTriage will take care of the rest.

Building and Running

You will need a working Rust build environment. Once you have cargo and rust installed, building and running is simple:

cd afltriage-rs/
cargo run --help

<compilation>

    Finished dev [unoptimized + debuginfo] target(s) in 0.33s
     Running `target/debug/afltriage --help`

<AFLTriage usage>
...

Extended Usage

afltriage 1.0.0
Quickly triage and summarize crashing testcases

USAGE:
    afltriage -i <input>... -o <output> <command>...

OPTIONS:
    -i <input>...
            A list of paths to a testcase, directory of testcases, AFL directory, and/or directory of AFL directories to
            be triaged. Note that this arg takes multiple inputs in a row (e.g. -i input1 input2...) so it cannot be the
            last argument passed to AFLTriage -- this is reserved for the command.
    -o <output>
            The output directory for triage report files. Use '-' to print entire reports to console.

    -t, --timeout <timeout>
            The timeout in milliseconds for each testcase to triage. [default: 60000]

    -j, --jobs <jobs>                                
            How many threads to use during triage.

        --report-formats <report_formats>...
            The triage report output formats. Multiple values allowed: e.g. text,json. [default: text]  [possible
            values: text, json, rawjson]
        --bucket-strategy <bucket_strategy>
            The crash deduplication strategy to use. [default: afltriage]  [possible values: none, afltriage,
            first_frame, first_frame_raw, first_5_frames, function_names, first_function_name]
        --child-output                               
            Include child output in triage reports.

        --child-output-lines <child_output_lines>
            How many lines of program output from the target to include in reports. Use 0 to mean unlimited lines (not
            recommended). [default: 25]
        --stdin                                      
            Provide testcase input to the target via stdin instead of a file.

        --profile-only
            Perform environment checks, describe the inputs to be triaged, and profile the target binary.

        --skip-profile                               
            Skip target profiling before input processing.

        --debug                                      
            Enable low-level debugging output of triage operations.

    -h, --help                                       
            Prints help information

    -V, --version                                    
            Prints version information


ARGS:
    <command>...    
            The binary executable and args to execute. Use '@@' as a placeholder for the path to the input file or
            --stdin. Optionally use -- to delimit the start of the command.

Related Projects

GDB Exploitable - A big inspiration for AFLTriage
Crashwalk
afl-collect from afl-utils

License

AFLTriage is licensed under the BSD 3-clause "New" or "Revised". See LICENSE for more details.

quic/AFLTriage

quic

Reviews

Repository Details