Crash triage tool for American Fuzzy Lop #368
This is a tool which helps with the analysis of crashes found by running "make fuzz FUZZ_BIN=...". First you run the fuzzing tests, then you run ./tools/afl/analyze_crashes.sh and get a Markdown-formatted document with crash reports. If there are any crashes, the process exits with a non-zero status, meaning that it can be easily plugged into a CI pipeline. If you wish for a more hands-on experience, you can pass the "--interactive" flag and break into a debugger right when crashes happen. This tool is vaguely inspired by the one from AFL's standard issue. Our version is improved to support both Linux and macOS with their default debuggers. It is also tailored to our output format so that it provides more structured information. (Initially I just wanted to slightly tweak the original crash triage tool, but I ended up with so many modifications that it's basically a new one.)
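One way the workflow described above can be put together, as an added example that is not the PR's tools/afl/analyze_crashes.sh: a POSIX sh loop over an AFL out/crashes directory that re-runs each saved input against the target, writes a Markdown report, and returns non-zero when any crash reproduces (so a CI job fails). The target binary and crash files are constructed stand-ins (target.sh fakes a SIGSEGV for inputs starting with 'X'); the debugger attachment of the real tool is not shown.

```shell
# Added example, not the PR's tools/afl/analyze_crashes.sh.
# Assumes AFL's layout (crash inputs in out/crashes/id:*) and a target that takes the input path as $1.

# make_fixture: build a constructed stand-in target plus two AFL-style crash files.
make_fixture() {
  dir=$(mktemp -d)
  mkdir -p "$dir/out/crashes"
  # Stand-in target: dies with SIGSEGV (signal 11) only when the input starts with 'X'.
  cat > "$dir/target.sh" <<'EOF'
#!/bin/sh
case $(head -c 1 "$1") in X) kill -11 $$ ;; esac
exit 0
EOF
  chmod +x "$dir/target.sh"
  printf 'XAAAA' > "$dir/out/crashes/id:000000,sig:11,src:000000,op:havoc,rep:4"
  printf 'hello' > "$dir/out/crashes/id:000001,sig:11,src:000000,op:flip1,pos:0"
  printf 'notes' > "$dir/out/crashes/README.txt"  # AFL writes this file; the id:* glob skips it
  echo "$dir"
}

# triage TARGET CRASHDIR: print a Markdown report; return 1 if any crash reproduces.
triage() {
  target=$1; crashdir=$2; n=0
  printf '# Crash report for %s\n\n' "$target"
  for f in "$crashdir"/id:*; do
    [ -e "$f" ] || continue                          # empty directory: glob stays literal
    name=$(basename "$f")
    afl_sig=${name##*sig:}; afl_sig=${afl_sig%%,*}   # signal AFL recorded in the file name
    "$target" "$f" >/dev/null 2>&1
    status=$?
    if [ "$status" -gt 128 ]; then                   # 128+N means the target was killed by signal N
      n=$((n + 1))
      signum=$((status - 128))
      signame=$(kill -l "$signum" 2>/dev/null) || signame=$signum
      printf '* **%s**: SIG%s (AFL recorded sig:%s)\n' "$name" "$signame" "$afl_sig"
    else
      printf '* %s: did not reproduce (exit %d)\n' "$name" "$status"
    fi
  done
  printf '\nReproduced %d crash(es).\n' "$n"
  [ "$n" -eq 0 ]
}

dir=$(make_fixture)
triage "$dir/target.sh" "$dir/out/crashes" || echo "crashes found: failing the build" >&2
```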
I think it's useful to describe the expected folder structure of stored crash files somewhere in the readme:
On my machine the fuzzer finds one crash really quickly, and this is the result of analyzing the crash. It looks amazingly cool!
@vixentael makes sense. I've mentioned the tool in the README and added a map of the build directory there.
awesome!
lgtm
Yes, I admit: it's NIH syndrome turned up to eleven and a Bash scripting exercise. Yes, I believe that Markdown output is more readable. Yes, I think macOS/LLDB support is needed as the devs use it.
Currently the AFL tools do not produce any crashes, as the fix has been merged into master. For testing, try reverting to a previous commit first, then run the fuzzer, then check out this branch again, and finally run the analyzer.