CASR: Crash Analysis and Severity Report

CASR – collect crash reports, triage, and estimate severity. It is based on ideas from exploitable and apport.

CASR is maintained by:

Overview

CASR is a set of tools that allows you to collect crash reports in different ways. Use casr-core binary to deal with coredumps. Use casr-san to analyze ASAN reports. Try casr-gdb to get reports from gdb. Use casr-python to analyze python reports and get report from atheris.

Crash report contains many useful information: severity (like exploitable), OS and package versions, command line, stack trace, register values, disassembly, and even source code fragment where crash appeared. Reports are stored in JSON format. casr-cli is meant to provide TUI for viewing reports. Reports triage (deduplication, clustering) is done by casr-cluster. Triage is based on stack trace comparison from gdb-command. casr-afl is used to triage crashes found by AFL++.

Explanation of severity classes could be found here. You could take a closer look at usage details here.

casr_report

Getting started

Install Rust. Instructions can be found here.
Clone CASR repository:

$ git clone https://github.com/ispras/casr 3. Build CASR:

$ cargo build --release 4. Install runtime dependencies:

$ sudo apt install gdb python3 python3-pip lsb-release $ sudo -H python3 -m pip install numpy scipy

Instead of steps 2-3 you may just install Casr from crates.io:

$ cargo install casr

Usage

Create report from coredump:

$ casr-core -f tests/casr_tests/bin/core.test_destAv -e tests/casr_tests/bin/test_destAv -o destAv.casrep

Create report from sanitizers output:

$ clang++ -fsanitize=address -O0 -g tests/casr_tests/test_asan_df.cpp -o test_asan_df
$ casr-san -o asan.casrep -- ./test_asan_df

Create report from gdb:

$ casr-gdb -o destAv.gdb.casrep -- tests/casr_tests/bin/test_destAv $(printf 'A%.s' {1..200})

Create report from python:

$ casr-python -o python.casrep -- tests/casr_tests/python/test_casr_python.py

View report:

$ casr-cli tests/casr_tests/casrep/test_clustering_san/load_fuzzer_crash-120697a7f5b87c03020f321c8526adf0f4bcc2dc.casrep

Create report for program that reads stdin:

$ casr-san --stdin seed -o san_bin.casrep -- ./san_bin

Deduplicate reports:

$ casr-cluster -d tests/casr_tests/casrep/test_clustering_gdb out-dedup

Cluster reports:

$ casr-cluster -c out-dedup out-cluster

Triage crashes after AFL++ fuzzing with casr-afl:

$ cp tests/casr_tests/bin/load_afl /tmp/load_afl
$ cp tests/casr_tests/bin/load_sydr /tmp/load_sydr
$ casr-afl -i tests/casr_tests/bin/afl-out-xlnt -o tests/tmp_tests_casr/casr_afl_out

Fuzzing Crash Triage Pipeline

When you have crashes from fuzzing you may do the following steps:

Create reports for all crashes via casr-san or casr-gdb (if no sanitizers are present).
Deduplicate collected reports via casr-cluster -d.
Cluster deduplicated reports via casr-cluster -c.
View reports from clusters using casr-cli.

If you use AFL++ steps from 1 to 3 could be done automatically by casr-afl.

Contributing

Feel free to open issues or PRs! We appreciate your support!

Please follow the next recommendations for your pull requests:

compile with stable rust
use cargo fmt
check the output of cargo clippy --all
run tests cargo test

Cite Us

Savidov G., Fedotov A. Casr-Cluster: Crash Clustering for Linux Applications. 2021 Ivannikov ISPRAS Open Conference (ISPRAS), IEEE, 2021, pp. 47-51. DOI: 10.1109/ISPRAS53967.2021.00012 [paper] [slides]

bibtex @inproceedings{savidov2021casr, title = {{{Casr-Cluster}}: Crash Clustering for Linux Applications}, author = {Savidov, Georgy and Fedotov, Andrey}, booktitle = {2021 Ivannikov ISPRAS Open Conference (ISPRAS)}, pages = {47--51}, year = {2021}, organization = {IEEE}, doi = {10.1109/ISPRAS53967.2021.00012}, }

License

Licensed under Apache-2.0.