
Crash triage tool for American Fuzzy Lop #368

Merged: 3 commits, Feb 7, 2019

Conversation

ilammy
Collaborator

@ilammy ilammy commented Feb 6, 2019

This is a tool which helps with analysis of crashes found by running make fuzz FUZZ_BIN=... First you run fuzzing tests and then you do

./tools/afl/analyze_crashes.sh

and get a Markdown-formatted document with crash reports. If there are any crashes then the process exits with non-zero status, meaning that it can be easily plugged into a CI pipeline.

If you wish more hands-on experience then you can pass --interactive flag and break into a debugger right when crashes happen.

This tool is vaguely inspired by the one from AFL's standard issue. Our version is improved to support both Linux and macOS with their default debuggers. It is also tailored to our output format so that it provides more structured information.

(Initially I just wanted to slightly tweak the original crash triage tool, but I ended up with so many modifications that it's basically a new one.)


Yes, I admit: it's NIH syndrome up-to-eleven and a Bash scripting exercise. Yes, I believe that Markdown output is more readable. Yes, I think macOS/LLDB support is needed as the devs use it.

Currently AFL tools do not produce any crashes as the fix has been merged into master. For testing try reverting to a previous commit first, then run the fuzzer, then checkout this branch back, and finally run the analyzer.

@ilammy ilammy added the infrastructure Automated building and packaging label Feb 6, 2019
@vixentael
Contributor

I think it's useful to describe expected folder structure of stored crash files somewhere in readme:

${BUILD_PATH}/afl/output/<toolname>/<foldername>/crashes/<crashid>

On my machine the fuzzer finds one crash really quickly, and this is the result of analyzing the crash. It looks amazingly cool!

➜ ./tools/afl/analyze_crashes.sh -i
# scell_seal_decrypt -- 2019-02-07_01-11-53

## id:000000 -- SIGSEGV

Run:

    build/afl/scell_seal_decrypt build/afl/output/scell_seal_decrypt/2019-02-07_01-11-53/crashes/id:000000,sig:11,src:000000,op:flip1,pos:35

Debugger output:

(lldb) target create "build/afl/scell_seal_decrypt"
Current executable set to 'build/afl/scell_seal_decrypt' (x86_64).
(lldb) settings set -- target.run-args  "build/afl/output/scell_seal_decrypt/2019-02-07_01-11-53/crashes/id:000000,sig:11,src:000000,op:flip1,pos:35"
(lldb) run
Process 3463 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x1002fa2cc)
    frame #0: 0x0000000100112aa5 libcrypto.1.0.0.dylib`gcm_ghash_clmul + 101
libcrypto.1.0.0.dylib`gcm_ghash_clmul:
->  0x100112aa5 <+101>: movdqu 0x30(%rdx), %xmm3
    0x100112aaa <+106>: movdqu 0x20(%rdx), %xmm11
    0x100112ab0 <+112>: pshufb %xmm10, %xmm3
    0x100112ab6 <+118>: pshufb %xmm10, %xmm11
Target 0: (scell_seal_decrypt) stopped.

Process 3463 launched: '/build/afl/scell_seal_decrypt' (x86_64)
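A minimal version of the triage loop the PR describes (re-run each stored crash input, name the signal it died with, emit one Markdown section per crash, and return non-zero when anything reproduced so a CI step fails), walking the `<output>/<toolname>/<run>/crashes/<crashid>` layout from the comment above. This is an added example in POSIX sh, not the PR's own `analyze_crashes.sh`. Everything it builds is constructed for the demo: the tree under `mktemp -d`, the faked `scell_seal_decrypt` run directory, and the shell-script stand-in for the target that raises SIGSEGV on inputs containing `BOOM`; the debugger step is passed `none` because the stand-in is not a native binary, while `gdb`/`lldb` batch mode is what the function would use on a real target.

```shell
#!/bin/sh
# Crash triage over an AFL output tree. Added example, not the PR's own
# analyze_crashes.sh. Assumed layout (from the review comment):
#   <output_root>/<toolname>/<run>/crashes/<crashid>
# Usage: analyze_crashes <output_root> <target_binary> [gdb|lldb|none]

# Turn an exit status into a signal name via the 128+N convention
# (139 -> SIGSEGV); anything <= 128 means the input did not crash.
signal_name() {
    [ "$1" -gt 128 ] || { echo none; return 0; }
    name=$(kill -l $(( $1 - 128 )) 2>/dev/null) || name=$(( $1 - 128 ))
    echo "SIG$name"
}

# Resolve the debugger: an explicit choice wins, otherwise whichever of
# gdb (Linux) or lldb (macOS) is on PATH, otherwise none.
pick_debugger() {
    case "${1:-auto}" in
        gdb|lldb|none) echo "$1" ;;
        *) if command -v gdb >/dev/null 2>&1; then echo gdb
           elif command -v lldb >/dev/null 2>&1; then echo lldb
           else echo none; fi ;;
    esac
}

# Batch-mode backtrace of one crash input under the chosen debugger.
backtrace() {
    case "$1" in
        gdb)  gdb -batch -ex run -ex bt --args "$2" "$3" 2>&1 ;;
        lldb) lldb --batch -o run -o bt -- "$2" "$3" 2>&1 ;;
        *)    echo "(no debugger available; exit status only)" ;;
    esac
}

# Re-feed every stored crash input to the target, print a Markdown report
# on stdout and return 1 if any input reproduced a crash (CI-friendly).
analyze_crashes() {
    root=$1; target=$2; dbg=$(pick_debugger "${3:-auto}"); found=0
    for run_dir in "$root"/*/*/; do
        [ -d "${run_dir}crashes" ] || continue
        echo "# $(basename "$(dirname "$run_dir")") -- $(basename "$run_dir")"
        for crash in "${run_dir}crashes"/*; do
            [ -f "$crash" ] || continue
            case "$(basename "$crash")" in README*) continue ;; esac  # AFL's README.txt
            "$target" "$crash" >/dev/null 2>&1
            sig=$(signal_name $?)
            [ "$sig" != none ] || continue
            found=1
            printf '\n## %s -- %s\n\nRun:\n\n    %s %s\n\nDebugger output:\n\n' \
                "$(basename "$crash" | cut -d, -f1)" "$sig" "$target" "$crash"
            backtrace "$dbg" "$target" "$crash" | sed 's/^/    /'
        done
    done
    return $found
}

# Constructed demo tree: one run directory with two saved inputs and a
# shell-script stand-in for the target that raises SIGSEGV on inputs
# containing "BOOM" and exits cleanly on anything else.
make_demo_tree() {
    demo=$(mktemp -d)
    crashes="$demo/output/scell_seal_decrypt/run-1/crashes"
    mkdir -p "$crashes"
    printf 'BOOM' > "$crashes/id:000000,sig:11,src:000000,op:flip1,pos:35"
    printf 'fine' > "$crashes/id:000001,sig:11,src:000000,op:flip1,pos:36"
    printf '#!/bin/sh\ngrep -q BOOM "$1" && kill -s SEGV $$\nexit 0\n' > "$demo/target"
    chmod +x "$demo/target"
    echo "$demo"
}

demo=$(make_demo_tree)
analyze_crashes "$demo/output" "$demo/target" none > "$demo/report.md" \
    || echo "crashes reproduced, exit status $?" >&2
cat "$demo/report.md"
rm -rf "$demo"
```

Only the `BOOM` input shows up in the report, as `## id:000000 -- SIGSEGV`, and the function's return status is what a `make`-driven CI job would key on; the second input exits cleanly and is skipped rather than listed, which is the behaviour you want when AFL's `crashes/` directory holds inputs that no longer reproduce after a fix.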

@ilammy
Collaborator Author

ilammy commented Feb 7, 2019

@vixentael makes sense. I've mentioned the tool in README and added a map of the build directory there.

Contributor

@vixentael vixentael left a comment


awesome!

Collaborator

@Lagovas Lagovas left a comment


lgtm

@ilammy ilammy merged commit 9fedbb8 into cossacklabs:master Feb 7, 2019
@ilammy ilammy deleted the crash-triage-tool branch February 9, 2019 18:20