# CASR (ispras/casr)

Collect crash (or UndefinedBehaviorSanitizer error) reports, triage, and estimate severity.
CASR – collect crash (or UndefinedBehaviorSanitizer error) reports, triage, and estimate severity. It is based on ideas from exploitable and apport.
CASR is maintained by:
- Andrey Fedotov <splashgitar@gmail.com>
- Alexey Vishnyakov <pmvishnya@gmail.com>
- Georgy Savidov <avgor46@ispras.ru>
- Ilya Yegorov <hkctkuy@gmail.com>
- Darya Parygina <pa_darochek@ispras.ru>
CASR is a set of tools that allows you to collect crash reports in different ways. Use the `casr-core` binary to deal with coredumps. Use `casr-san` to analyze ASAN reports or `casr-ubsan` to analyze UBSAN reports. Try `casr-gdb` to get reports from gdb. Use `casr-python` to analyze Python reports and get reports from Atheris. Use `casr-java` to analyze Java reports and get reports from Jazzer. Use `casr-js` to analyze JavaScript reports and get reports from Jazzer.js or jsfuzz. Use `casr-csharp` to analyze C# reports and get reports from Sharpfuzz. Use `casr-lua` to analyze Lua reports.
A crash report contains much useful information: severity (like exploitable) for x86, x86_64, arm32, aarch64, rv32g, rv64g architectures, OS and package versions, command line, stack trace, register values, disassembly, and even the source code fragment where the crash appeared. Reports are stored in JSON format. `casr-cli` is meant to provide a TUI for viewing reports and converting them into a SARIF report. Report triage (deduplication, clustering) is done by `casr-cluster`. Triage is based on stack trace comparison from gdb-command. `casr-afl` is used to triage crashes found by AFL++ and the AFL-based fuzzer Sharpfuzz. `casr-libfuzzer` can triage crashes found by libFuzzer based fuzzers (C/C++/go-fuzz/Atheris/Jazzer/Jazzer.js/jsfuzz/luzer) or LibAFL based fuzzers. `casr-dojo` allows uploading new and unique CASR reports to DefectDojo (available with the `dojo` feature).

An explanation of severity classes could be found here. You could take a closer look at usage details here.
LibCASR provides an API for parsing stack traces, collecting crash reports, triaging crashes (deduplication and clustering), and estimating severity of crashes.

It can analyze crashes from different sources:
- AddressSanitizer
- MemorySanitizer
- UndefinedBehaviorSanitizer
- Gdb output
and programming languages:
- C/C++
- C#
- Go
- Java
- JavaScript
- Lua
- Python
- Rust
It could be built with the `exploitable` feature for severity estimation of crashes collected from gdb. To save crash reports as JSON, use the `serde` feature.
Install runtime dependencies:

```
$ sudo apt install gdb lsb-release
```

Install build dependencies when building from source:

```
$ sudo apt install build-essential clang
```

Install Rust or update an existing Rust installation:

```
$ rustup update
```

Download the latest Linux 64-bit release or build from source as explained below.

N.B. Current MacOS support is experimental. Some Linux-based code like `exploitable` and `casr-gdb` may not work properly. Further contributions are very much welcomed here.

Build from Git repository:

```
$ git clone https://github.com/ispras/casr
$ cargo update
$ cargo build --release
```

Or you may just install Casr from crates.io:

```
$ cargo install casr
```

Add the `dojo` feature if you want to install `casr-dojo` (the same for `cargo build`):

```
$ cargo install -F dojo casr
```

Running in Docker: CASR disables address randomization for better deduplication and uses ptrace to run GDB. Thus, Docker should be started with `--cap-add=SYS_PTRACE --security-opt seccomp=unconfined`.
Create report from coredump:

```
$ casr-core -f casr/tests/casr_tests/bin/core.test_destAv -e casr/tests/casr_tests/bin/test_destAv -o destAv.casrep
```

Create report from AddressSanitizer output:

```
$ clang++ -fsanitize=address -O0 -g casr/tests/casr_tests/test_asan_df.cpp -o test_asan_df
$ casr-san -o asan.casrep -- ./test_asan_df
```

Create report from MemorySanitizer output:

```
$ clang++ -fsanitize=memory -O0 -g casr/tests/casr_tests/test_msan.cpp -o test_msan
$ casr-san -o msan.casrep -- ./test_msan
```

Create report from UndefinedBehaviorSanitizer output:

```
$ clang++ -fsanitize=undefined -O0 -g casr/tests/casr_tests/ubsan/test_ubsan.cpp -o test_ubsan
$ casr-ubsan -i casr/tests/casr_tests/ubsan/input1 -o output -- ./test_ubsan @@
$ casr-cli output
```

Create report from gdb:

```
$ casr-gdb -o destAv.gdb.casrep -- casr/tests/casr_tests/bin/test_destAv $(printf 'A%.s' {1..200})
```

Create report from Python:

```
$ casr-python -o python.casrep -- casr/tests/casr_tests/python/test_casr_python.py
```

Create report from Java:

```
$ casr-java -o java.casrep -- java casr/tests/casr_tests/java/Test1.java
```
Create report from JavaScript:

```
$ casr-js -o js.casrep -- node casr/tests/casr_tests/js/test_casr_js.js
```
Create report from C#:

```
$ casr-csharp -o csharp.casrep -- dotnet run --project casr/tests/casr_tests/csharp/test_casr_csharp/test_casr_csharp.csproj
```

Create report from Lua:

```
$ casr-lua -o lua.casrep -- casr/tests/casr_tests/lua/test_casr_lua.lua
```

View report:

```
$ casr-cli casr/tests/casr_tests/casrep/test_clustering_san/load_fuzzer_crash-120697a7f5b87c03020f321c8526adf0f4bcc2dc.casrep
```

View joint statistics about crash clusters:

```
$ casr-cli casr_reports
```

Convert reports to SARIF report:

```
$ casr-cli --sarif out.sarif --tool libfuzzer --source-root /xlnt casr/tests/casr_tests/casrep/test_clustering_san
```

Create report for a program that reads stdin:

```
$ casr-san --stdin seed -o san_bin.casrep -- ./san_bin
```

Deduplicate reports:

```
$ casr-cluster -d casr/tests/casr_tests/casrep/test_clustering_gdb out-dedup
```

Cluster reports:

```
$ casr-cluster -c out-dedup out-cluster
```

Triage crashes after AFL++ fuzzing with casr-afl:

```
$ cp casr/tests/casr_tests/bin/load_afl /tmp/load_afl
$ cp casr/tests/casr_tests/bin/load_sydr /tmp/load_sydr
$ casr-afl -i casr/tests/casr_tests/casrep/afl-out-xlnt -o casr/tests/tmp_tests_casr/casr_afl_out
$ # You may also additionally generate crash reports for uninstrumented binary with casr-gdb
$ casr-afl -i casr/tests/casr_tests/casrep/afl-out-xlnt -o casr/tests/tmp_tests_casr/casr_afl_out -- /tmp/load_sydr @@
```

Triage crashes after Sharpfuzz fuzzing with casr-afl:

```
$ cp -r casr/tests/casr_tests/csharp/test_casr_afl_csharp /tmp/test_casr_afl_csharp
$ cp -r casr/tests/casr_tests/csharp/test_casr_afl_csharp_module /tmp/test_casr_afl_csharp_module
$ dotnet publish /tmp/test_casr_afl_csharp/test_casr_afl_csharp.csproj -c Debug -o /tmp/test_casr_afl_csharp/bin
$ casr-afl -i casr/tests/casr_tests/casrep/afl-out-sharpfuzz -o casr/tests/tmp_tests_casr/casr_afl_csharp_out
$ # You may force your own run arguments using --ignore-cmdline
$ casr-afl --ignore-cmdline -i casr/tests/casr_tests/casrep/afl-out-sharpfuzz -o casr/tests/tmp_tests_casr/casr_afl_csharp_out -- dotnet run --no-build --project /tmp/test_casr_afl_csharp/test_casr_afl_csharp.csproj @@
$ # If you use vanilla AFL for fuzzing with Sharpfuzz, force your own run arguments via -- <ARGS>
$ casr-afl -i casr/tests/casr_tests/casrep/afl-out-sharpfuzz/afl_main-worker -o casr/tests/tmp_tests_casr/casr_afl_csharp_out -- dotnet run --no-build --project /tmp/test_casr_afl_csharp/test_casr_afl_csharp.csproj @@
```

Triage libFuzzer crashes with casr-libfuzzer:

```
$ casr-libfuzzer -t 30 -i casr/tests/casr_tests/casrep/libfuzzer_crashes_xlnt -o casr/tests/tmp_tests_casr/casr_libfuzzer_out -- casr/tests/casr_tests/bin/load_fuzzer
```

Triage Atheris crashes with casr-libfuzzer:

```
$ unzip casr/tests/casr_tests/python/ruamel.zip
$ casr-libfuzzer -i casr/tests/casr_tests/casrep/atheris_crashes_ruamel_yaml -o casr/tests/tmp_tests_casr/casr_libfuzzer_atheris_out -- casr/tests/casr_tests/python/yaml_fuzzer.py
```

Triage Jazzer.js crashes with casr-libfuzzer (Jazzer.js installation guide):

```
$ unzip casr/tests/casr_tests/js/xml2js.zip -d xml2js
$ mkdir -p casr/tests/tmp_tests_casr/xml2js_fuzzer_out
$ cp casr/tests/casr_tests/js/test_casr_libfuzzer_jazzer_js_xml2js.js casr/tests/tmp_tests_casr/xml2js_fuzzer_out/xml2js_fuzzer.js
$ sudo npm install xml2js
$ sudo npm install --save-dev @jazzer.js/core
$ casr-libfuzzer -i ./xml2js -o casr/tests/tmp_tests_casr/xml2js_fuzzer_out/out -- npx jazzer casr/tests/tmp_tests_casr/xml2js_fuzzer_out/xml2js_fuzzer.js
```

Triage luzer crashes with casr-libfuzzer:

```
$ unzip casr/tests/casr_tests/lua/xml2lua.zip && cd xml2lua && luarocks --local build && cd .. && rm -rf xml2lua
$ git clone https://github.com/ligurio/luzer.git && cd luzer && luarocks --local build && cd .. && rm -rf luzer
$ eval $(luarocks path)
$ casr-libfuzzer -i casr/tests/casr_tests/casrep/luzer_crashes_xml2lua -o casr/tests/tmp_tests_casr/casr_libfuzzer_luzer_out -- casr/tests/casr_tests/lua/stdin_parse_xml.lua
```

Triage LibAFL crashes with casr-libfuzzer:

```
$ casr-libfuzzer -i casr/tests/casr_tests/casrep/test_libafl_crashes -o casr/tests/tmp_tests_casr/casr_libafl_out -- casr/tests/casr_tests/bin/test_libafl_fuzzer @@
```

Upload new and unique CASR reports to DefectDojo:

```
$ echo '[product]' > dojo.toml
$ echo 'name = "xlnt"' >> dojo.toml
$ echo '[engagement]' >> dojo.toml
$ echo "name = \"load_fuzzer $(date -Isec)\"" >> dojo.toml
$ echo '[test]' >> dojo.toml
$ echo 'test_type = "CASR DAST Report"' >> dojo.toml
$ casr-dojo -i casr/tests/casr_tests/casrep/test_clustering_san -u http://localhost:8080 -t 382f5dfdf2a339f7c3bb35442f9deb9b788a98d5 dojo.toml
```
When you have crashes from fuzzing you may do the following steps:

- Create reports for all crashes via `casr-san`, `casr-gdb` (if no sanitizers are present), `casr-python`, `casr-java`, `casr-js`, or `casr-csharp`.
- Deduplicate collected crash reports via `casr-cluster -d`.
- Cluster deduplicated crash reports via `casr-cluster -c`.
- Create reports and deduplicate them for all UBSAN errors via `casr-ubsan`.
- View reports from clusters using `casr-cli` or upload them to DefectDojo with `casr-dojo`.

If you use AFL++ or the AFL-based fuzzer Sharpfuzz, the pipeline (without `casr-ubsan` and `casr-dojo`) could be done automatically by `casr-afl`.

If you use a libFuzzer based fuzzer (C/C++/go-fuzz/Atheris/Jazzer/Jazzer.js/jsfuzz) or a LibAFL based fuzzer, the pipeline (without `casr-ubsan` and `casr-dojo`) could be done automatically by `casr-libfuzzer`.
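The manual pipeline above, scripted for a fuzzer that neither `casr-afl` nor `casr-libfuzzer` covers: one `casr-san` report per crash input, then `casr-cluster -d` and `casr-cluster -c`. This is an added example, not a script from the CASR project; it assumes crash inputs are plain files in one directory, a sanitizer-instrumented target (hence `casr-san`), a `@@` placeholder that the script itself (not casr-san) replaces with each crash file, and a `CASR_DRY_RUN` variable of its own that prints the commands instead of running them.

```shell
#!/bin/sh
# Manual CASR triage pipeline: added example, not part of the CASR project.
# Assumptions not stated in the README: crash inputs are plain files in one
# directory; the target is sanitizer-instrumented (use casr-gdb instead for
# uninstrumented builds); a literal "@@" argument marks where the crash file
# goes and this script, not casr-san, substitutes it; CASR_DRY_RUN=1 prints
# the commands instead of executing them.

# run CMD...: execute CMD, or print it when CASR_DRY_RUN=1.
run() {
  if [ "${CASR_DRY_RUN:-0}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# san_report REPORT INPUT TARGET [ARGS...]: one casr-san run per crash.
# Every "@@" argument is replaced by INPUT; with no "@@" the crash is fed
# to the target's stdin via --stdin (the README's san_bin example).
san_report() {
  report=$1 input=$2; shift 2
  n=$# has_at=0
  # Rotate through the positional parameters once, rewriting "@@" in place.
  while [ "$n" -gt 0 ]; do
    arg=$1; shift
    if [ "$arg" = "@@" ]; then arg=$input; has_at=1; fi
    set -- "$@" "$arg"
    n=$((n - 1))
  done
  if [ "$has_at" = 1 ]; then
    run casr-san -o "$report" -- "$@"
  else
    run casr-san --stdin "$input" -o "$report" -- "$@"
  fi
}

# casr_triage CRASH_DIR OUT_DIR TARGET [ARGS...]: report, deduplicate, cluster.
casr_triage() {
  crash_dir=$1 out_dir=$2; shift 2
  mkdir -p "$out_dir/reports"
  for crash in "$crash_dir"/*; do
    [ -f "$crash" ] || continue
    san_report "$out_dir/reports/$(basename "$crash").casrep" "$crash" "$@" ||
      printf 'no report for %s (did it reproduce?)\n' "$crash" >&2
  done
  run casr-cluster -d "$out_dir/reports" "$out_dir/dedup"    # deduplicate
  run casr-cluster -c "$out_dir/dedup" "$out_dir/clusters"   # cluster
}
if [ "$#" -ge 3 ]; then casr_triage "$@"; fi
```

Inspect the result with `casr-cli <out_dir>/clusters`; a crash that does not reproduce under the sanitized build yields no report and is logged to stderr instead of aborting the run.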
Feel free to open issues or PRs (especially pay attention to help wanted issues)! We appreciate your support!

Please follow the next recommendations for your pull requests:

- compile with stable rust
- use `cargo fmt`
- check the output of `cargo clippy --all-features --all --tests`
- run tests: `cargo test`
- if you have updated usage of any casr tool, you could simply run `update_usage.py` to change the `docs/usage.md` file properly
Savidov G., Fedotov A. Casr-Cluster: Crash Clustering for Linux Applications. 2021 Ivannikov ISPRAS Open Conference (ISPRAS), IEEE, 2021, pp. 47-51. DOI: 10.1109/ISPRAS53967.2021.00012 [paper] [slides]

```
@inproceedings{savidov2021casr,
  title = {{{Casr-Cluster}}: Crash Clustering for Linux Applications},
  author = {Savidov, Georgy and Fedotov, Andrey},
  booktitle = {2021 Ivannikov ISPRAS Open Conference (ISPRAS)},
  pages = {47--51},
  year = {2021},
  organization = {IEEE},
  doi = {10.1109/ISPRAS53967.2021.00012},
}
```

Andrey Fedotov, Alexey Vishnyakov. CASR: Your Life Vest in a Sea of Crashes. OFFZONE 2023. [slides] [russian video]

Yegorov I., Savidov G. Crash Report Accumulation During Continuous Fuzzing with CASR. Ivannikov Memorial Workshop 2024, IEEE, 2024. [paper] [slides] [russian video]

```
@inproceedings{yegorov2024accum,
  title = {Crash Report Accumulation During Continuous Fuzzing},
  author = {Yegorov, Ilya and Savidov, Georgy},
  booktitle = {Ivannikov Memorial Workshop 2024},
  publisher = {IEEE},
  year = {2024},
  url = {https://arxiv.org/abs/2405.18174},
}
```
Licensed under Apache-2.0.