AFLTriage : Tool To Triage Crashing Input Files Using A Debugger

AFLTriage is a tool to triage crashing input files using a debugger. It is designed to be portable and not require any run-time dependencies, besides libc and an external debugger. It supports triaging crashes generated by any program, not just AFL, but recognizes AFL directories specially, hence the name.

Some notable features include:

• Multiple report formats: text, JSON, and raw debugger JSON
• Parallel crash triage
• Crash deduplication
• Sanitizer report parsing
• Supports binary targets with or without symbols/debugging information
• Source code and variables will be annotated in reports for context

Currently AFLTriage only supports GDB and has only been tested on Linux C/C++ targets. Note that AFLTriage does not classify crashes by potential exploitablity. Accurate exploitability classification is very target and scenario specific and is best left to specialized tools and expert analysts.

Usage

Usage of AFLTriage is quite straightforward. You need your inputs to triage, an output directory for reports, and the binary and its arguments to triage.

Example:

$ afltriage -i fuzzing_directory –o reports ./target_binary –option-one @@
AFLTriage v1.0.0
[+] GDB is working (GNU gdb (Ubuntu 8.1.1-0ubuntu1) 8.1.1 – Python 3.6.9 (default, Jan 26 2021, 15:33:00))
[+] Image triage cmdline: “./target_binary –option-one @@”
[+] Reports will be output to directory “reports”
[+] Triaging AFL directory fuzzing_directory/ (41 files)
[+] Triaging 41 testcases
[+] Using 24 threads to triage
[+] Triaging [41/41 00:00:02] [####################] CRASH: ASAN detected heap-buffer-overflow in buggy_function after a READ leading to SIGABRT (si_signo=6) / SI_TKILL (si_code=-6)
[+] Triage stats [Crashes: 25 (unique 12), No crash: 16, Errored: 0]

Similar to AFL the @@ is replaced with the path of the file to be triaged. AFLTriage will take care of the rest.

Building and Running

You will need a working Rust build environment. Once you have cargo and rust installed, building and running is simple:

cd afltriage-rs/
cargo run –help
<compilation>
Finished dev [unoptimized + debuginfo] target(s) in 0.33s
Running target/debug/afltriage --help
AFLTriage usage>

Extended Usage

afltriage 1.0.0
Quickly triage and summarize crashing testcases
USAGE:
afltriage -i … -o …
OPTIONS:
-i …
A list of paths to a testcase, directory of testcases, AFL directory, and/or directory of AFL directories to
be triaged. Note that this arg takes multiple inputs in a row (e.g. -i input1 input2…) so it cannot be the
last argument passed to AFLTriage — this is reserved for the command.
-o
The output directory for triage report files. Use ‘-‘ to print entire reports to console.
-t, –timeout
The timeout in milliseconds for each testcase to triage. [default: 60000]
-j, –jobs
How many threads to use during triage.
–report-formats …
The triage report output formats. Multiple values allowed: e.g. text,json. [default: text] [possible
values: text, json, rawjson]
–bucket-strategy
The crash deduplication strategy to use. [default: afltriage] [possible values: none, afltriage,
first_frame, first_frame_raw, first_5_frames, function_names, first_function_name]
–child-output
Include child output in triage reports.
–child-output-lines
How many lines of program output from the target to include in reports. Use 0 to mean unlimited lines (not
recommended). [default: 25]
–stdin
Provide testcase input to the target via stdin instead of a file.
–profile-only
Perform environment checks, describe the inputs to be triaged, and profile the target binary.
–skip-profile
Skip target profiling before input processing.
–debug
Enable low-level debugging output of triage operations.
-h, –help
Prints help information
-V, –version
Prints version information
ARGS:
…
The binary executable and args to execute. Use ‘@@’ as a placeholder for the path to the input file or
–stdin. Optionally use — to delimit the start of the command.
…