CASR – collect crash reports, triage, and estimate severity. It is based on ideas from exploitable and apport.
CASR is maintained by:
- Andrey Fedotov <fedotoff@ispras.ru>
- Alexey Vishnyakov <vishnya@ispras.ru>
- Georgy Savidov <avgor46@ispras.ru>
- Ilya Yegorov <Yegorov_Ilya@ispras.ru>
CASR is a set of tools that allows you to collect crash reports in different ways. Use the casr-core binary to deal with coredumps. Use casr-san to analyze ASAN reports. Use casr-gdb to get reports from gdb. Use casr-python to analyze Python reports and to get reports from Atheris.
A crash report contains a lot of useful information: severity (like exploitable), OS and package versions, command line, stack trace, register values, disassembly, and even the source code fragment where the crash appeared. Reports are stored in JSON format. casr-cli is meant to provide a TUI for viewing reports. Report triage (deduplication, clustering) is done by casr-cluster.
Triage is based on stack trace comparison from gdb-command. casr-afl is used to triage crashes found by AFL++. casr-libfuzzer can triage crashes found by a libFuzzer based fuzzer (C/C++/go-fuzz/Atheris).
An explanation of the severity classes can be found here. You can take a closer look at usage details here.
LibCASR provides API for parsing stacktraces, collecting crash reports, triaging crashes (deduplication and clustering), and estimating severity of crashes.
It can analyze crashes from different sources:
- AddressSanitizer
- Gdb output
and program languages:
- C/C++
- Rust
- Go
- Python
It can be built with the exploitable feature to estimate the severity of crashes collected from gdb. To save crash reports as JSON, use the serde feature.
- Install Rust. Instructions can be found here.
- Clone CASR repository:
$ git clone https://github.com/ispras/casr
- Build CASR:
$ cargo build --release
- Install runtime dependencies:
$ sudo apt install gdb python3 python3-pip lsb-release
$ sudo -H python3 -m pip install numpy scipy
Instead of steps 2-3 you may just install CASR from crates.io:
$ cargo install casr
Create a report from a coredump:
$ casr-core -f casr/tests/casr_tests/bin/core.test_destAv -e casr/tests/casr_tests/bin/test_destAv -o destAv.casrep
Create a report from sanitizer output:
$ clang++ -fsanitize=address -O0 -g casr/tests/casr_tests/test_asan_df.cpp -o test_asan_df
$ casr-san -o asan.casrep -- ./test_asan_df
Create a report from gdb:
$ casr-gdb -o destAv.gdb.casrep -- casr/tests/casr_tests/bin/test_destAv $(printf 'A%.s' {1..200})
Create a report from Python:
$ casr-python -o python.casrep -- casr/tests/casr_tests/python/test_casr_python.py
View report:
$ casr-cli casr/tests/casr_tests/casrep/test_clustering_san/load_fuzzer_crash-120697a7f5b87c03020f321c8526adf0f4bcc2dc.casrep
View joint statistics about crash clusters:
$ casr-cli casr_reports
Create a report for a program that reads stdin:
$ casr-san --stdin seed -o san_bin.casrep -- ./san_bin
Deduplicate reports:
$ casr-cluster -d casr/tests/casr_tests/casrep/test_clustering_gdb out-dedup
Cluster reports:
$ casr-cluster -c out-dedup out-cluster
Triage crashes after AFL++ fuzzing with casr-afl:
$ cp casr/tests/casr_tests/bin/load_afl /tmp/load_afl
$ cp casr/tests/casr_tests/bin/load_sydr /tmp/load_sydr
$ casr-afl -i casr/tests/casr_tests/casrep/afl-out-xlnt -o casr/tests/tmp_tests_casr/casr_afl_out
Triage libFuzzer crashes with casr-libfuzzer:
$ casr-libfuzzer -i casr/tests/casr_tests/casrep/libfuzzer_crashes_xlnt -o casr/tests/tmp_tests_casr/casr_libfuzzer_out -- casr/tests/casr_tests/bin/load_fuzzer
Triage Atheris crashes with casr-libfuzzer:
$ unzip casr/tests/casr_tests/python/ruamel.zip
$ cp casr/tests/casr_tests/python/yaml_fuzzer.py .
$ casr-libfuzzer -i casr/tests/casr_tests/casrep/atheris_crashes_ruamel_yaml -o casr/tests/tmp_tests_casr/casr_libfuzzer_atheris_out -- ./yaml_fuzzer.py
When you have crashes from fuzzing you may do the following steps:
- Create reports for all crashes via casr-san or casr-gdb (if no sanitizers are present).
- Deduplicate collected reports via casr-cluster -d.
- Cluster deduplicated reports via casr-cluster -c.
- View reports from clusters using casr-cli.
If you use AFL++, the whole pipeline can be done automatically by casr-afl.
If you use a libFuzzer based fuzzer (C/C++/go-fuzz/Atheris), the whole pipeline can be done automatically by casr-libfuzzer.
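The report contents described earlier (severity class, stack trace, JSON storage) and the deduplicate-then-cluster pipeline just listed, as an added example that is not CASR's or LibCASR's code: a small Python triage script that parses constructed ASAN reports, assigns a coarse severity class (the class names follow the exploitable tool CASR cites; the mapping rules are an illustrative assumption, not CASR's), deduplicates by a hash of the normalized stack, and clusters unique stacks by a toy function-name similarity (also an assumption, not the metric from the Casr-Cluster paper). The regexes, the threshold and the sample reports are all constructed here.

```python
"""Toy crash-triage pipeline in the spirit of CASR (added example, not CASR's
code): parse ASAN reports, estimate a coarse severity, deduplicate by the
normalized stack trace, then cluster similar stacks. All rules are assumptions."""
import hashlib
import re

REPORTS = {  # constructed, abbreviated ASAN output; not taken from any real program
    "crash-1": """==1234==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000011 at pc 0x4f2a10
WRITE of size 1 at 0x602000000011 thread T0
    #0 0x4f2a10 in copy_name /src/parse.c:42:5
    #1 0x4f1b30 in parse_record /src/parse.c:88:9
    #2 0x4f0c00 in main /src/main.c:17:3
    #3 0x7f3c0002409b in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409b)""",
    # Same bug on another run: only the pid and code addresses differ (ASLR).
    "crash-2": """==1237==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x606000000031 at pc 0x55a1c2a10
WRITE of size 1 at 0x606000000031 thread T0
    #0 0x55a1c2a10 in copy_name /src/parse.c:42:5
    #1 0x55a1c1b30 in parse_record /src/parse.c:88:9
    #2 0x55a1c0c00 in main /src/main.c:17:3""",
    "crash-3": """==1240==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000020 at pc 0x4f2b00
READ of size 4 at 0x602000000020 thread T0
    #0 0x4f2b00 in copy_name /src/parse.c:45:12
    #1 0x4f1b30 in parse_record /src/parse.c:88:9
    #2 0x4f0c00 in main /src/main.c:17:3""",
    "crash-4": """==1250==ERROR: AddressSanitizer: stack-overflow on address 0x7ffc0000ff8 (pc 0x4f3000 T0)
    #0 0x4f3000 in recurse /src/deep.c:10:3
    #1 0x4f3010 in recurse /src/deep.c:12:5
    #2 0x4f0c00 in main /src/main.c:20:3""",
    "crash-5": """==1260==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x4f4000 T0)
==1260==The signal is caused by a READ memory access.
    #0 0x4f4000 in lookup /src/table.c:30:9
    #1 0x4f1b60 in parse_record /src/parse.c:90:11
    #2 0x4f0c00 in main /src/main.c:17:3""",
}

FRAME_RE = re.compile(r"^\s*#\d+\s+0x[0-9a-fA-F]+\s+in\s+(\S+)\s+(.*)$")
HEADER_RE = re.compile(r"==\d+==ERROR: AddressSanitizer: ([\w-]+)")
ACCESS_RE = re.compile(r"\b(READ|WRITE)\b (?:of size \d+|memory access)")
ADDR_RE = re.compile(r"on (?:unknown )?address 0x([0-9a-fA-F]+)")
RUNTIME_PREFIXES = ("__asan", "__interceptor_", "__sanitizer", "__libc_start", "_start")
# Class names follow the exploitable tool CASR cites; most severe first.
SEVERITY_ORDER = ["EXPLOITABLE", "PROBABLY_EXPLOITABLE",
                  "PROBABLY_NOT_EXPLOITABLE", "NOT_EXPLOITABLE", "UNKNOWN"]

def parse_frames(report):
    """[(function, file:line or module+offset)], dropping addresses, columns and runtime frames."""
    frames = []
    for line in report.splitlines():
        m = FRAME_RE.match(line)
        if not m or m.group(1).startswith(RUNTIME_PREFIXES):
            continue
        loc = m.group(2).strip()
        if loc.startswith("("):            # "(/lib/libc.so.6+0x2409b)" -> "libc.so.6+0x2409b"
            loc = loc.strip("()").rsplit("/", 1)[-1]
        else:                              # "/src/parse.c:42:5" -> "/src/parse.c:42"
            loc = ":".join(loc.split(":")[:2])
        frames.append((m.group(1), loc))
    return frames

def estimate_severity(report):
    """Coarse class from the ASAN error kind, access direction and faulting address (toy rules)."""
    header, access, addr = HEADER_RE.search(report), ACCESS_RE.search(report), ADDR_RE.search(report)
    if not header:
        return "UNKNOWN"
    if header.group(1) == "stack-overflow":            # runaway recursion: a crash, not corruption
        return "NOT_EXPLOITABLE"
    if header.group(1) == "SEGV" and addr and int(addr.group(1), 16) < 0x1000:
        return "PROBABLY_NOT_EXPLOITABLE"              # null-page dereference
    if access:                                          # buffer overflow, UAF, wild SEGV, ...
        return "EXPLOITABLE" if access.group(1) == "WRITE" else "PROBABLY_EXPLOITABLE"
    return "UNKNOWN"

def deduplicate(reports):
    """Map a hash of the normalized stack to the report names sharing it (one key per unique crash)."""
    unique = {}
    for name, text in reports.items():
        key = hashlib.sha256("|".join(f"{f}@{l}" for f, l in parse_frames(text)).encode()).hexdigest()
        unique.setdefault(key, []).append(name)
    return unique

def similarity(a, b):
    """Function names matching from the crashing frame outward, as a share of the longer stack."""
    fa, fb = [f for f, _ in a], [f for f, _ in b]
    common = next((i for i, (x, y) in enumerate(zip(fa, fb)) if x != y), min(len(fa), len(fb)))
    return common / max(len(fa), len(fb), 1)

def cluster(reports, threshold=0.5):
    """Greedy clustering of unique stacks; each cluster is a list of report names."""
    clusters = []                                    # [(representative frames, members)]
    for names in deduplicate(reports).values():
        frames = parse_frames(reports[names[0]])
        match = next((c for c in clusters if similarity(c[0], frames) >= threshold), None)
        if match:
            match[1].extend(names)
        else:
            clusters.append((frames, list(names)))
    return [members for _, members in clusters]

def triage(reports):  # per cluster: members plus the worst severity among them
    return [{"members": m, "severity": min((estimate_severity(reports[n]) for n in m),
                                           key=SEVERITY_ORDER.index)} for m in cluster(reports)]
```

Calling `triage(REPORTS)` groups crash-1, crash-2 and crash-3 into one cluster rated EXPLOITABLE (crash-1 and crash-2 collapse to a single unique stack because addresses and the pid are stripped before hashing), and leaves the recursion crash and the null dereference as separate, lower-severity clusters, which is the same shape of result the casr-cluster -d / -c steps above produce for real reports.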
Feel free to open issues or PRs! We appreciate your support!
Please follow these recommendations for your pull requests:
- compile with stable Rust
- use cargo fmt
- check the output of cargo clippy --all
- run tests with cargo test
Savidov G., Fedotov A. Casr-Cluster: Crash Clustering for Linux Applications. 2021 Ivannikov ISPRAS Open Conference (ISPRAS), IEEE, 2021, pp. 47-51. DOI: 10.1109/ISPRAS53967.2021.00012 [paper] [slides]
@inproceedings{savidov2021casr,
title = {{{Casr-Cluster}}: Crash Clustering for Linux Applications},
author = {Savidov, Georgy and Fedotov, Andrey},
booktitle = {2021 Ivannikov ISPRAS Open Conference (ISPRAS)},
pages = {47--51},
year = {2021},
organization = {IEEE},
doi = {10.1109/ISPRAS53967.2021.00012},
}
Licensed under Apache-2.0.