ispras / casr Goto Github PK
View Code? Open in Web Editor NEWCollect crash (or UndefinedBehaviorSanitizer error) reports, triage, and estimate severity.
License: Apache License 2.0
casr's People
Contributors
Stargazers
Watchers
Forkers
hkctkuy sweetvishnya anfedotoff asdyxcyxc antwy maxamin 3-24 hardik05 timb-machine-mirrors koltiradw iq-scm noorahsmith zenhumany addisoncrump kobrineli sunforgb tokatoka padarochek winston-zhang-orz bmikh0 gmh5225 headshog njelich avgor46casr's Issues
Support exporting to SARIF reports
The Static Analysis Results Interchange Format (SARIF) 123 is an industry standard format for the output of static analysis tools. Many code scanning tools support exporting to SARIF: CodeQL 4, PVS Studio 5, semgrep 6.
GitHub (and probably other platforms like Gitlab) allows importing SARIF report and show warnings in SARIF report as annotations in pull requests. It is quire convenient for PR authors: you don't need to scan text logs by eye, warnings reported as a review comment and annotations is attached to a code that triggered a warning, so you see context and warning together.
With code scanning tools/linters it is possible to make PR annotations using reviewdog, see a list of tools supported by reviewdog 7.
I believe it would be useful for casr users to have an ability to export reports to SARIF format or something other that allows making PR annotations in Github.
Footnotes
CI/CD for AARCH64
Support for additional fuzzing testing tools
casr-libfuzzer
Create a convenient way to use crash triage pipeline for libfuzzer based fuzzers.
Improve fuzzing in CI
We should add fuzz targets that parse exceptions and execution classes. Also, we may add archive with initial minimized corpus that was fuzzed over night.
Запрос на опцию casr-afl
День добрый!
Добавьте пожалуйста возможность через опцию командной строки задавать цель, отличную от считанной из конфигурации afl (чисто собранную без инструментации).
check_taint for RISCV
Support Jazzer.js for JavaScript fuzzing
As mentioned in #122 (comment) we may support JavaScript fuzzing with Jazzer.js based on current jazzer support.
Enable tests for RISC-V
odr-violation parsing error
Hello!
When using the CASR I ran into the problem that a report based on the sanitizer output isn't generated, if the error class is odr-violation. Instead the report is generated based on the casr-gdb. The reason seems to be that regex being used for the SUMMARY string parsing, which also takes ":" into account:
libcasr/src/asan.rs:176:
SUMMARY: *(AddressSanitizer|libFuzzer): (\S+)
In this case, if the line "odr-violation:" specified in the SUMMARY, then the check in libcasr/src/execution_class.rs:139 fails. Possible solution:
SUMMARY: *(AddressSanitizer|libFuzzer): ([\w \-\(\)\_]+)
Or check for string matches not entirely.
Attached the screenshot with a part of the problematic SUMMARY-line
Support UBSAN reports in casr-dojo
When we merge #79, we can support UBSAN reports in casr-dojo with crash line based deduplication.
Add test for `report.rs`
Add test for fmt from libcasr/report.rs
Add option for remove output directory
Add --force option for remove output directory if it is not empty
Add support for fileContent objects in SARIF export
SARIF may include full content of files via fileContent objects (section 3.2 in the specification). It would be good to add cmd line flag to enable this feature while exporting SARIF.
Including file content in SARIF would simplify importing data in other tool and provide visualization without the need of original source code.
Create workspace for libcasr and casr (binaries)
Add env variables to casr-san report
Publish v2.9.0 Release
Print progress in casr-afl and casr-libfuzzer
We should print progress like in casr-ubsan:
Progress: 10/323
Support specifying target for casr-gdb in casr-libfuzzer
Similar to casr-afl
Replace scipy/numpy hierarchical clustering with Rust equivalent
Now we use python script to perform stack trace clustering. We should get rid of python dependencies and use some rust package (like linfa-hierarchical) or rewrite scipy code in Rust.
[casr-libfuzzer] Convert -detect_leaks=0 libFuzzer option to ASAN_OPTIONS=detect_leaks=0
This option is ignored when launching on single input seed.
Support Honggfuzz
It would be great to support Honggfuzz fuzzer. It has different crash prefixes. Also, input seed is specified with ___FILE___. Moreover, it supports stdin input. I suppose we can create a separate tool called casr-honggfuzz. It's worth to wait for casr-afl/casr-libfuzzer refactoring in #128. Thus, we may reuse most of the code.
P.S. We should build xlnt with Honggfuzz for testing.
P.S.S. Usage examples and Honggfuzz output directory structure should be provided in this issue.
[casr-ubsan] Print progress in casr-ubsan
Filters for Python
Feature requestion: specify target for casr-afl
Hi guys,
little feature request by me that would help me in my projects:
a parameter to casr-afl that allows me to override the target being executed instead the one being gathered from fuzzer_setup.
thank you if you have time for that :)
Add contributing guideline
Severity estimation for AARCH64
[casr-gdb] Severity estimation for RISC-V
Process libFuzzer tree corpus directory
We should look into the problem where we have a libFuzzer tree corpus directory with repeating filenames. Is this possible and what should we do with duplicate filenames?
/proc/self/cwd get source code from crash line.
Sometimes, stack trace entries could start from /proc/self/cwd (/proc/self/cwd/tensorflow/core/lib/...). We need somehow to extract source code fragments, during casr-san/casr-gdb runs.
Support Go
Support crash triaging for jsfuzz
It would be nice to support Java Script fuzzer called jsfuzz in casr-libfuzzer similar to jazzer.
Dealing with timeouts and ooms with casr-afl/casr-libfuzzer
Use binary search to detect exact timeouts and ooms values
Support C# (SharpFuzz)
One day we should support C# crash triage. And add SharpFuzz support to casr-afl.
Filter out clerr in casr-dojo
Filter out recursive function calls from stack traces
[casr-afl] поддержка опции фаззера -f
Предусмотреть случай, когда мутирует конкретный файл, переданный afl-fuzz через опцию -f FILE_PATH/FILE_NAME, не передающийся через cmdline в цель.
Support convertion of SARIF reports into CASR reports.
[casr-cli] Deterministic output
We should sort paths in cluster directories.
casr-afl is unaware of out/default/crashes.DATE directories
when using casr-afl on an output directory that has restarts in it, it does not find saved crashes directories.
$ ls out3/default/
cmdline fuzz_bitmap hangs.2023-05-11-08:13:06
crashes fuzzer_setup hangs.2023-06-07-10:04:14
crashes.2023-05-11-08:13:06 fuzzer_stats plot_data
casr-afl needs not only to browse crashes/ but check all crashes*/ directories.
[casr-python] Support custom path for casr-san call
Add an option like --asan=PATH
casr-libfuzzer for Rust programs.
Hi all 👋
First, thanks for creating this project. I'm using casr-libfuzzer and it's very useful for deduplication.
I want to ask if it's possible to further extend casr's crash dedup & clustering algorithm for Rust programs.
When you run Rust programs (instrumented with cargo fuzz), the output will have two parts.
One is the backtrace from liffuzzer, the other is the Rust's backtrace.
For example ↓:
toka@host:/tmp/rust_fuzzer/aa/fuzz$ RUST_BACKTRACE=full ./fuzz_target_1 ./artifacts/fuzz_target_1/crash-da39a3ee5e6b4b0d3255bfef95601890afd80709
INFO: Running with entropic power schedule (0xFF, 100).
INFO: Seed: 3806600727
INFO: Loaded 1 modules (1831 inline 8-bit counters): 1831 [0x557e25b2a300, 0x557e25b2aa27),
INFO: Loaded 1 PC tables (1831 PCs): 1831 [0x557e25b2aa28,0x557e25b31c98),
./fuzz_target_1: Running 1 inputs 1 time(s) each.
Running: ./artifacts/fuzz_target_1/crash-da39a3ee5e6b4b0d3255bfef95601890afd80709
thread '<unnamed>' panicked at fuzz_targets/fuzz_target_1.rs:6:9:
index out of bounds: the len is 0 but the index is 10
stack backtrace:
0: 0x557e259f793c - std::backtrace_rs::backtrace::libunwind::trace::h7d5a50c97105e9c9
at /rustc/59a8294849358a878a72358aa6d5fe5b9d312867/library/std/src/../../backtrace/src/backtrace/libunwind.rs:93:5
1: 0x557e259f793c - std::backtrace_rs::backtrace::trace_unsynchronized::hf283bd0ba71b8b19
at /rustc/59a8294849358a878a72358aa6d5fe5b9d312867/library/std/src/../../backtrace/src/backtrace/mod.rs:66:5
2: 0x557e259f793c - std::sys_common::backtrace::_print_fmt::hbc3f1af55ab433e1
at /rustc/59a8294849358a878a72358aa6d5fe5b9d312867/library/std/src/sys_common/backtrace.rs:67:5
3: 0x557e259f793c - <std::sys_common::backtrace::_print::DisplayBacktrace as core::fmt::Display>::fmt::h662df30e888949cd
at /rustc/59a8294849358a878a72358aa6d5fe5b9d312867/library/std/src/sys_common/backtrace.rs:44:22
4: 0x557e25a5b2fc - core::fmt::rt::Argument::fmt::hf59806e96303ebc5
at /rustc/59a8294849358a878a72358aa6d5fe5b9d312867/library/core/src/fmt/rt.rs:138:9
5: 0x557e25a5b2fc - core::fmt::write::hf7279be296576ae3
at /rustc/59a8294849358a878a72358aa6d5fe5b9d312867/library/core/src/fmt/mod.rs:1094:21
6: 0x557e259ebbae - std::io::Write::write_fmt::h1ecf2bec14816818
at /rustc/59a8294849358a878a72358aa6d5fe5b9d312867/library/std/src/io/mod.rs:1714:15
7: 0x557e259f7724 - std::sys_common::backtrace::_print::hceca1ed09536a7dd
at /rustc/59a8294849358a878a72358aa6d5fe5b9d312867/library/std/src/sys_common/backtrace.rs:47:5
8: 0x557e259f7724 - std::sys_common::backtrace::print::hb3d0e53175a9dc58
at /rustc/59a8294849358a878a72358aa6d5fe5b9d312867/library/std/src/sys_common/backtrace.rs:34:9
9: 0x557e259fa81a - std::panicking::panic_hook_with_disk_dump::{{closure}}::hb5593ac8317ecfc8
at /rustc/59a8294849358a878a72358aa6d5fe5b9d312867/library/std/src/panicking.rs:280:22
10: 0x557e259fa515 - std::panicking::panic_hook_with_disk_dump::hd03ff9ecbda8604b
at /rustc/59a8294849358a878a72358aa6d5fe5b9d312867/library/std/src/panicking.rs:314:9
11: 0x557e2596a26a - <alloc::boxed::Box<F,A> as core::ops::function::Fn<Args>>::call::h18a21e1a94673da8
at /rustc/59a8294849358a878a72358aa6d5fe5b9d312867/library/alloc/src/boxed.rs:2021:9
12: 0x557e2596a26a - libfuzzer_sys::initialize::{{closure}}::h8376bf2914730228
at /home/toka/.cargo/registry/src/index.crates.io-6f17d22bba15001f/libfuzzer-sys-0.4.7/src/lib.rs:90:9
13: 0x557e259fb073 - <alloc::boxed::Box<F,A> as core::ops::function::Fn<Args>>::call::h70ed5b57462ef04a
at /rustc/59a8294849358a878a72358aa6d5fe5b9d312867/library/alloc/src/boxed.rs:2021:9
14: 0x557e259fb073 - std::panicking::rust_panic_with_hook::h7bf02c396cdadbfd
at /rustc/59a8294849358a878a72358aa6d5fe5b9d312867/library/std/src/panicking.rs:757:13
15: 0x557e259fade1 - std::panicking::begin_panic_handler::{{closure}}::hecf382f929251efa
at /rustc/59a8294849358a878a72358aa6d5fe5b9d312867/library/std/src/panicking.rs:631:13
16: 0x557e259f7e66 - std::sys_common::backtrace::__rust_end_short_backtrace::hc87b776526608b83
at /rustc/59a8294849358a878a72358aa6d5fe5b9d312867/library/std/src/sys_common/backtrace.rs:170:18
17: 0x557e259fab22 - rust_begin_unwind
at /rustc/59a8294849358a878a72358aa6d5fe5b9d312867/library/std/src/panicking.rs:619:5
18: 0x557e258857b5 - core::panicking::panic_fmt::hab5931093cddd316
at /rustc/59a8294849358a878a72358aa6d5fe5b9d312867/library/core/src/panicking.rs:72:14
19: 0x557e25885969 - core::panicking::panic_bounds_check::he32d152932e65018
at /rustc/59a8294849358a878a72358aa6d5fe5b9d312867/library/core/src/panicking.rs:180:5
20: 0x557e259648d8 - fuzz_target_1::_::__libfuzzer_sys_run::h57dd03312252cd3c
at /tmp/rust_fuzzer/aa/fuzz/fuzz_targets/fuzz_target_1.rs:6:9
21: 0x557e25963ef1 - rust_fuzzer_test_input
at /home/toka/.cargo/registry/src/index.crates.io-6f17d22bba15001f/libfuzzer-sys-0.4.7/src/lib.rs:224:17
22: 0x557e25965059 - libfuzzer_sys::test_input_wrap::{{closure}}::h5f394bb52e995829
at /home/toka/.cargo/registry/src/index.crates.io-6f17d22bba15001f/libfuzzer-sys-0.4.7/src/lib.rs:61:9
23: 0x557e25965059 - std::panicking::try::do_call::hf66b1fd52e40ef81
at /rustc/59a8294849358a878a72358aa6d5fe5b9d312867/library/std/src/panicking.rs:526:40
24: 0x557e2596a498 - __rust_try
25: 0x557e25969662 - std::panicking::try::hd9beb82fa7bd0c0d
at /rustc/59a8294849358a878a72358aa6d5fe5b9d312867/library/std/src/panicking.rs:490:19
26: 0x557e25969662 - std::panic::catch_unwind::h7db6659f049817e5
at /rustc/59a8294849358a878a72358aa6d5fe5b9d312867/library/std/src/panic.rs:142:14
27: 0x557e25969662 - LLVMFuzzerTestOneInput
at /home/toka/.cargo/registry/src/index.crates.io-6f17d22bba15001f/libfuzzer-sys-0.4.7/src/lib.rs:59:22
28: 0x557e25970b26 - _ZN6fuzzer6Fuzzer15ExecuteCallbackEPKhm
at /home/toka/.cargo/registry/src/index.crates.io-6f17d22bba15001f/libfuzzer-sys-0.4.7/libfuzzer/FuzzerLoop.cpp:612:15
29: 0x557e25983c77 - _ZN6fuzzer10RunOneTestEPNS_6FuzzerEPKcm
at /home/toka/.cargo/registry/src/index.crates.io-6f17d22bba15001f/libfuzzer-sys-0.4.7/libfuzzer/FuzzerDriver.cpp:324:21
30: 0x557e2598bb43 - _ZN6fuzzer12FuzzerDriverEPiPPPcPFiPKhmE
at /home/toka/.cargo/registry/src/index.crates.io-6f17d22bba15001f/libfuzzer-sys-0.4.7/libfuzzer/FuzzerDriver.cpp:860:19
31: 0x557e258861b7 - main
at /home/toka/.cargo/registry/src/index.crates.io-6f17d22bba15001f/libfuzzer-sys-0.4.7/libfuzzer/FuzzerMain.cpp:20:30
32: 0x7ffbc33c6d90 - __libc_start_call_main
at ./csu/../sysdeps/nptl/libc_start_call_main.h:58:16
33: 0x7ffbc33c6e40 - __libc_start_main_impl
at ./csu/../csu/libc-start.c:392:3
34: 0x557e25886205 - _start
35: 0x0 - <unknown>
==220063== ERROR: libFuzzer: deadly signal
#0 0x557e2592aae1 (/tmp/rust_fuzzer/aa/fuzz/fuzz_target_1+0xdcae1) (BuildId: 96fbb986820f007790ddd8593e04cc4e46a76ac4)
#1 0x557e2599a79e (/tmp/rust_fuzzer/aa/fuzz/fuzz_target_1+0x14c79e) (BuildId: 96fbb986820f007790ddd8593e04cc4e46a76ac4)
#2 0x557e259705d9 (/tmp/rust_fuzzer/aa/fuzz/fuzz_target_1+0x1225d9) (BuildId: 96fbb986820f007790ddd8593e04cc4e46a76ac4)
#3 0x7ffbc33df51f (/lib/x86_64-linux-gnu/libc.so.6+0x4251f) (BuildId: 229b7dc509053fe4df5e29e8629911f0c3bc66dd)
#4 0x7ffbc3433a7b (/lib/x86_64-linux-gnu/libc.so.6+0x96a7b) (BuildId: 229b7dc509053fe4df5e29e8629911f0c3bc66dd)
#5 0x7ffbc33df475 (/lib/x86_64-linux-gnu/libc.so.6+0x42475) (BuildId: 229b7dc509053fe4df5e29e8629911f0c3bc66dd)
#6 0x7ffbc33c57f2 (/lib/x86_64-linux-gnu/libc.so.6+0x287f2) (BuildId: 229b7dc509053fe4df5e29e8629911f0c3bc66dd)
#7 0x557e25a07026 (/tmp/rust_fuzzer/aa/fuzz/fuzz_target_1+0x1b9026) (BuildId: 96fbb986820f007790ddd8593e04cc4e46a76ac4)
#8 0x557e25882626 (/tmp/rust_fuzzer/aa/fuzz/fuzz_target_1+0x34626) (BuildId: 96fbb986820f007790ddd8593e04cc4e46a76ac4)
#9 0x557e2596a274 (/tmp/rust_fuzzer/aa/fuzz/fuzz_target_1+0x11c274) (BuildId: 96fbb986820f007790ddd8593e04cc4e46a76ac4)
#10 0x557e259fb072 (/tmp/rust_fuzzer/aa/fuzz/fuzz_target_1+0x1ad072) (BuildId: 96fbb986820f007790ddd8593e04cc4e46a76ac4)
#11 0x557e259fade0 (/tmp/rust_fuzzer/aa/fuzz/fuzz_target_1+0x1acde0) (BuildId: 96fbb986820f007790ddd8593e04cc4e46a76ac4)
#12 0x557e259f7e65 (/tmp/rust_fuzzer/aa/fuzz/fuzz_target_1+0x1a9e65) (BuildId: 96fbb986820f007790ddd8593e04cc4e46a76ac4)
#13 0x557e259fab21 (/tmp/rust_fuzzer/aa/fuzz/fuzz_target_1+0x1acb21) (BuildId: 96fbb986820f007790ddd8593e04cc4e46a76ac4)
#14 0x557e258857b4 (/tmp/rust_fuzzer/aa/fuzz/fuzz_target_1+0x377b4) (BuildId: 96fbb986820f007790ddd8593e04cc4e46a76ac4)
#15 0x557e25885968 (/tmp/rust_fuzzer/aa/fuzz/fuzz_target_1+0x37968) (BuildId: 96fbb986820f007790ddd8593e04cc4e46a76ac4)
#16 0x557e259648d7 (/tmp/rust_fuzzer/aa/fuzz/fuzz_target_1+0x1168d7) (BuildId: 96fbb986820f007790ddd8593e04cc4e46a76ac4)
#17 0x557e25963ef0 (/tmp/rust_fuzzer/aa/fuzz/fuzz_target_1+0x115ef0) (BuildId: 96fbb986820f007790ddd8593e04cc4e46a76ac4)
#18 0x557e25965058 (/tmp/rust_fuzzer/aa/fuzz/fuzz_target_1+0x117058) (BuildId: 96fbb986820f007790ddd8593e04cc4e46a76ac4)
#19 0x557e2596a497 (/tmp/rust_fuzzer/aa/fuzz/fuzz_target_1+0x11c497) (BuildId: 96fbb986820f007790ddd8593e04cc4e46a76ac4)
#20 0x557e25969661 (/tmp/rust_fuzzer/aa/fuzz/fuzz_target_1+0x11b661) (BuildId: 96fbb986820f007790ddd8593e04cc4e46a76ac4)
#21 0x557e25970b25 (/tmp/rust_fuzzer/aa/fuzz/fuzz_target_1+0x122b25) (BuildId: 96fbb986820f007790ddd8593e04cc4e46a76ac4)
#22 0x557e25983c76 (/tmp/rust_fuzzer/aa/fuzz/fuzz_target_1+0x135c76) (BuildId: 96fbb986820f007790ddd8593e04cc4e46a76ac4)
#23 0x557e2598bb42 (/tmp/rust_fuzzer/aa/fuzz/fuzz_target_1+0x13db42) (BuildId: 96fbb986820f007790ddd8593e04cc4e46a76ac4)
#24 0x557e258861b6 (/tmp/rust_fuzzer/aa/fuzz/fuzz_target_1+0x381b6) (BuildId: 96fbb986820f007790ddd8593e04cc4e46a76ac4)
#25 0x7ffbc33c6d8f (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f) (BuildId: 229b7dc509053fe4df5e29e8629911f0c3bc66dd)
#26 0x7ffbc33c6e3f (/lib/x86_64-linux-gnu/libc.so.6+0x29e3f) (BuildId: 229b7dc509053fe4df5e29e8629911f0c3bc66dd)
#27 0x557e25886204 (/tmp/rust_fuzzer/aa/fuzz/fuzz_target_1+0x38204) (BuildId: 96fbb986820f007790ddd8593e04cc4e46a76ac4)
NOTE: libFuzzer has rudimentary signal handlers.
Combine libFuzzer with AddressSanitizer or similar for better crash reports.
SUMMARY: libFuzzer: deadly signal
The first part is the backtrace from Rust, the second is from libfuzzer.
Now the idea is when fuzzing Rust targets the Rust's backtrace would also be useful for deduplicating the crashes.
I read the clustering & distance-calculating algorithm in the casr paper
and I think we could potentially,
- Calculate another similarity matrix, .. but not with libfuzzer's output, we can use calculate it by seeing how different the Rust's each backtrace frame is. (we can assume it's a match if filename and the line number is the same)
- Then calculate the similarity_metric_rust for Rust's metric.
- Combine this
similarity_metric_rustwith the metric computed using libfuzzer's bactrace and do the clustring.
Do you think it would be a good idea and it's doable to apply the same algorithm for the backtrace of Rust?
Add coverage workflow
Add workflow for test coverage and add coverage badge
Increase `gdb/exploitable.rs` coverage
We need to code coverage of gdb/exploitable.rs in libcasr by tests
https://app.codecov.io/github/ispras/casr/blob/master/libcasr%2Fsrc%2Fgdb%2Fexploitable.rs
[casr] Move to clap 4.1
casr-java
Support support JAVA in casr-libFuzzer
Refactor init_ignored_frames! macro
I think, it's better to have separate macros for each language. Now we need to import all the constants, regardless of whether we need all languages or just one.
CI for RISC-V
[casr-cli] Support compact summary for UBSAN reports
We should print less info in casr-cli for UBSAN reports: path to .casrep, crash line, error type (maybe, also message????).
Support timeout for target execution in casr-afl and casr-libfuzzer
Similar to casr-ubsan
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.