AFLTriage is a tool to triage crashing input files using a debugger. It is designed to be portable and not require any run-time dependencies, besides libc and an external debugger. It supports triaging crashes generated by any program, not just AFL, but recognizes AFL directories specially, hence the name.
Some notable features include:
- Multiple report formats: text, JSON, and raw debugger JSON
- Parallel crash triage
- Crash deduplication
- Sanitizer report parsing
- Supports binary targets with or without symbols/debugging information
- Source code and variables will be annotated in reports for context
Currently AFLTriage only supports GDB and has only been tested on Linux C/C++ targets. Note that AFLTriage does not classify crashes by potential exploitablity. Accurate exploitability classification is very target and scenario specific and is best left to specialized tools and expert analysts.
Usage of AFLTriage is quite straightforward. You need your inputs to triage, an output directory for reports, and the binary and its arguments to triage.
$ afltriage -i fuzzing_directory -o reports ./target_binary --option-one @@AFLTriage v1.0.0[+] GDB is working (GNU gdb (Ubuntu 8.1.1-0ubuntu1) 8.1.1 - Python 3.6.9 (default, Jan 26 2021, 15:33:00))[+] Image triage cmdline: "./target_binary --option-one @@"[+] Reports will be output to directory "reports"[+] Triaging AFL directory fuzzing_directory/ (41 files)[+] Triaging 41 testcases[+] Using 24 threads to triage[+] Triaging [41/41 00:00:02] [####################] CRASH: ASAN detected heap-buffer-overflow in buggy_function after a READ leading to SIGABRT (si_signo=6) / SI_TKILL (si_code=-6)[+] Triage stats [Crashes: 25 (unique 12), No crash: 16, Errored: 0]
Similar to AFL the
@@ is replaced with the path of the file to be triaged. AFLTriage will take care of the rest.
Building and Running
You will need a working Rust build environment. Once you have cargo and rust installed, building and running is simple:
cd afltriage-rs/cargo run --help<compilation> Finished dev [unoptimized + debuginfo] target(s) in 0.33s Running `target/debug/afltriage --help`<AFLTriage usage>...
afltriage 1.0.0Quickly triage and summarize crashing testcasesUSAGE: afltriage -i <input>... -o <output> <command>...OPTIONS: -i <input>... A list of paths to a testcase, directory of testcases, AFL directory, and/or directory of AFL directories to be triaged. Note that this arg takes multiple inputs in a row (e.g. -i input1 input2...) so it cannot be the last argument passed to AFLTriage -- this is reserved for the command. -o <output> The output directory for triage report files. Use '-' to print entire reports to console. -t, --timeout <timeout> The timeout in milliseconds for each testcase to triage. [default: 60000] -j, --jobs <jobs> How many threads to use during triage. --report-formats <report_format s>... The triage report output formats. Multiple values allowed: e.g. text,json. [default: text] [possible values: text, json, rawjson] --bucket-strategy <bucket_strategy> The crash deduplication strategy to use. [default: afltriage] [possible values: none, afltriage, first_frame, first_frame_raw, first_5_frames, function_names, first_function_name] --child-output Include child output in triage reports. --child-output-lines <child_output_lines> How many lines of program output from the target to include in reports. Use 0 to mean unlimited lines (not recommended). [default: 25] --stdin Provide testcase input to the target via stdin instead of a file. --profile-only Perform environment chec ks, describe the inputs to be triaged, and profile the target binary. --skip-profile Skip target profiling before input processing. --debug Enable low-level debugging output of triage operations. -h, --help Prints help information -V, --version Prints version informationARGS: <command>... The binary executable and args to execute. Use '@@' as a placeholder for the path to the input file or --stdin. Optionally use -- to delimit the start of the command.