Usenix Security 2021 - AURORA: Statistical Crash Analysis for Automated Root Cause Explanation
Aurora is a tool for automated root cause analysis of crashes. It is based on our Usenix Security 2021 paper of the same name; slides and a recording of the talk are also available.
This repository is structured as follows:
Crash exploration (AFL): Our patch for AFL's crash exploration mode.
Tracer (Pin): Our tracer to extract information such as register values for inputs.
Root Cause Analysis: Our Rust-based tooling to identify the root cause.
Crash Exploration
We rely on AFL's crash exploration mode. We patch AFL so that inputs that no longer crash (so-called non-crashes) are saved as well. Download AFL 2.52b and apply our patch:
patch -p1 < crash_exploration.patch
Then run AFL's crash exploration mode as usual.
Tracing
Our tracer is implemented as a pintool. Install Pin 3.15, then compile our tool with:
make obj-intel64/
We provide scripts to trace a single input or multiple inputs (both in tracing/scripts/).
Root Cause Analysis
Our RCA component is written in Rust. It expects an evaluation folder (organized as in our example folder) and a folder containing traces.
The rca binary performs the predicate analysis, monitoring and ranking; the addr2line binary enriches the predicates with debug symbols (if present).
# build project
cargo build --release
# run root cause analysis
cargo run --release --bin rca -- --eval-dir <path to eval dir> --trace-dir <path to trace dir> --monitor --rank-predicates
# enrich with debug symbols
cargo run --release --bin addr2line -- --eval-dir <path to eval dir>
The following commands show how to use Aurora on the type confusion bug in mruby (see example/mruby_type_confusion).
Setup directories:
# set directories
# Clone this repository and make AURORA_GIT_DIR point to it
export AURORA_GIT_DIR=<path to the cloned repository>
mkdir evaluation
cd evaluation
# the later steps expect these variables; AFL is built inside the evaluation directory below
export EVAL_DIR="$(pwd)"
export AFL_DIR="$EVAL_DIR/afl-fuzz"
export AFL_WORKDIR="$EVAL_DIR/afl-workdir"   # AFL output directory; any path works
mkdir -p $EVAL_DIR/inputs/crashes
mkdir -p $EVAL_DIR/inputs/non_crashes
To prepare fuzzing, perform the following as root:
echo core >/proc/sys/kernel/core_pattern
cd /sys/devices/system/cpu
echo performance | tee cpu*/cpufreq/scaling_governor
# disable ASLR (traces and predicates use absolute addresses, so keep it disabled for tracing and RCA as well)
echo 0 | tee /proc/sys/kernel/randomize_va_space
Build the patched AFL:
# download afl
wget -c
tar xvf afl-latest.tgz
# rename afl directory and cd
mv afl-2.52b afl-fuzz
cd afl-fuzz
# apply patch
patch -p1 < ${AURORA_GIT_DIR}/crash_exploration/crash_exploration.patch
# build afl
make -j
cd ..
Build mruby:
# clone mruby
git clone
cd mruby
git checkout 88604e39ac9c25ffdad2e3f03be26516fe866038
# build afl version
CC=$AFL_DIR/afl-gcc make -e -j
mv ./bin/mruby ../mruby_fuzz
# clean
make clean
# build normal version for tracing/rca
CFLAGS="-ggdb -O0" make -e -j
mv ./bin/mruby ../mruby_trace
Place the initial crashing seed:
# the target takes the input file as its only argument (@@ stands for the input path)
echo "@@" > arguments.txt
cp -r ${AURORA_GIT_DIR}/example/mruby_type_confusion/seed .
Crash Exploration
For crash exploration, perform the following operations in the evaluation directory:
# run crash exploration (-C) for 12 hours; adjust the timeout as needed
timeout 43200 $AFL_DIR/afl-fuzz -C -d -m none -i $EVAL_DIR/seed -o $AFL_WORKDIR -- $EVAL_DIR/mruby_fuzz @@
# move crashes to eval dir
cp $AFL_WORKDIR/queue/* $EVAL_DIR/inputs/crashes
# move non-crashes to eval dir
cp $AFL_WORKDIR/non_crashes/* $EVAL_DIR/inputs/non_crashes
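Before tracing, it is worth confirming that the two folders really disagree in behaviour: crash exploration ran the afl-gcc build, while tracing and RCA use the separately built mruby_trace (-O0, no instrumentation), and an input that crashes in only one of the two builds adds noise to the predicate statistics. The following script is an added example, not part of the AURORA repository; it re-runs every input in inputs/crashes and inputs/non_crashes through a target of your choice and reports the ones that are misfiled. The script name, the fake shell target and the corpus built by demo() are constructed for illustration.

```python
import signal
import subprocess
import sys
import tempfile
from pathlib import Path

# Signals that count as a crash. subprocess reports a signal death as a
# negative return code (e.g. -11 for SIGSEGV).
CRASH_SIGNALS = {int(s) for s in (signal.SIGSEGV, signal.SIGABRT,
                                  signal.SIGBUS, signal.SIGILL, signal.SIGFPE)}


def classify(cmd, timeout=10):
    """Run one target invocation and return 'crash', 'non_crash' or 'timeout'."""
    try:
        proc = subprocess.run(cmd, stdin=subprocess.DEVNULL,
                              stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL,
                              timeout=timeout)
    except subprocess.TimeoutExpired:
        return "timeout"
    if proc.returncode < 0 and -proc.returncode in CRASH_SIGNALS:
        return "crash"
    return "non_crash"


def check_split(eval_dir, target_cmd, args=("@@",), timeout=10):
    """Re-run every file in inputs/crashes and inputs/non_crashes below eval_dir.

    '@@' in args is replaced by the input path, following the arguments.txt
    convention. Returns a list of (folder, file name, observed behaviour) for
    inputs whose behaviour disagrees with the folder they were filed in.
    """
    eval_dir = Path(eval_dir)
    mismatches = []
    for folder, expected in (("crashes", "crash"), ("non_crashes", "non_crash")):
        for path in sorted((eval_dir / "inputs" / folder).iterdir()):
            if not path.is_file():
                continue
            cmd = list(target_cmd) + [a.replace("@@", str(path)) for a in args]
            observed = classify(cmd, timeout)
            if observed != expected:
                mismatches.append((folder, path.name, observed))
    return mismatches


def demo():
    """Constructed self-check (not a real corpus): a fake target, a shell
    one-liner, segfaults on inputs containing the word CRASH. One input is
    deliberately filed under crashes although it does not crash."""
    root = Path(tempfile.mkdtemp(prefix="aurora_split_demo_"))
    for folder in ("crashes", "non_crashes"):
        (root / "inputs" / folder).mkdir(parents=True)
    (root / "inputs" / "crashes" / "id_000").write_text("CRASH\n")
    (root / "inputs" / "crashes" / "id_001").write_text("benign\n")      # misfiled on purpose
    (root / "inputs" / "non_crashes" / "id_002").write_text("benign\n")
    fake_target = ["sh", "-c", 'grep -q CRASH "$1" && kill -SEGV $$; exit 0', "fake_target"]
    return check_split(root, fake_target)


if __name__ == "__main__":
    if len(sys.argv) >= 3:
        # e.g. python3 check_split.py "$EVAL_DIR" "$EVAL_DIR/mruby_trace"
        for folder, name, observed in check_split(sys.argv[1], sys.argv[2:]):
            print(f"{folder}/{name}: observed {observed}")
    else:
        print(demo())
```

Run it as python3 check_split.py "$EVAL_DIR" "$EVAL_DIR/mruby_trace" and move or delete every reported input before tracing. The classification relies on the target dying from a signal; a target that installs its own SIGSEGV handler, or a sanitizer build that reports the bug and exits with a normal status, needs a different notion of "crash".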
To trace all inputs, install Pin. (Note: our tool was originally designed for Pin 3.7, which is no longer available for download from the official site; we have adapted it to Pin 3.15.)
wget -c
tar -xzf pin*.tar.gz
export PIN_ROOT="$(pwd)/pin-3.15-98253-gb56e429b1-gcc-linux"
mkdir -p "${PIN_ROOT}/source/tools/AuroraTracer"
cp -r ${AURORA_GIT_DIR}/tracing/* ${PIN_ROOT}/source/tools/AuroraTracer
cd ${PIN_ROOT}/source/tools/AuroraTracer
# requires PIN_ROOT to be set correctly
make obj-intel64/
cd -
With the tracer built, we must trace all crashing and non-crashing inputs found by the fuzzer's crash exploration mode.
mkdir -p $EVAL_DIR/traces
# requires at least python 3.6
cd $AURORA_GIT_DIR/tracing/scripts
python3 $EVAL_DIR/mruby_trace $EVAL_DIR/inputs $EVAL_DIR/traces
# extract stack and heap addr ranges from logfiles
python3 --eval_dir $EVAL_DIR $EVAL_DIR/traces
cd -
Root Cause Analysis
Once tracing has completed, you can determine the predicates as follows (requires Rust nightly):
# go to directory
cd $AURORA_GIT_DIR/root_cause_analysis
# Build components
cargo build --release --bin monitor
cargo build --release --bin rca
# run root cause analysis
cargo run --release --bin rca -- --eval-dir $EVAL_DIR --trace-dir $EVAL_DIR --monitor --rank-predicates
# (Optional) enrich with debug symbols
cargo run --release --bin addr2line -- --eval-dir $EVAL_DIR
The ranked predicates are written to ranked_predicates_verbose.txt, one per line, in the following format:
address -- predicate explanation -- score -- disassembly at addr (path rank) // addr2line (if applied)
For example:
0x0000555555569c5a -- rax min_reg_val_less 0x11 -- 1 -- mov eax, dword ptr [rbp-0x48] (path rank: 0.9690633497239973) //mrb_exc_set at error.c:277
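To work with the ranking programmatically rather than reading it line by line, here is a small parser for this format. It is an added example, not code from the AURORA repository: the regular expression follows the layout shown above, the two extra sample lines are constructed in the same format (one without addr2line output), and sorting by score first and path rank second is an assumption made for the example, not a statement about how rca orders its output.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# address -- predicate -- score -- disassembly (path rank: r) //symbol   (symbol optional)
PRED_RE = re.compile(
    r"^(?P<addr>0x[0-9a-fA-F]+) -- (?P<pred>.+?) -- (?P<score>[0-9.]+) -- "
    r"(?P<disasm>.+?) \(path rank: (?P<rank>[0-9.]+)\)(?:\s*//\s*(?P<sym>.+))?$"
)


@dataclass
class Predicate:
    addr: int
    predicate: str          # e.g. "rax min_reg_val_less 0x11"
    score: float            # 1 = separates every crash from every non-crash
    disasm: str
    path_rank: float
    symbol: Optional[str]   # "function at file:line" when addr2line was run

    @property
    def function(self):
        return self.symbol.split(" at ")[0] if self.symbol else "<no symbol>"


def parse_line(line):
    m = PRED_RE.match(line.strip())
    if m is None:
        raise ValueError(f"unrecognised predicate line: {line!r}")
    return Predicate(int(m["addr"], 16), m["pred"], float(m["score"]),
                     m["disasm"], float(m["rank"]), m["sym"])


def parse_text(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def top(preds, n=10):
    """Assumed ordering for this example: score first, path rank as tie-breaker."""
    return sorted(preds, key=lambda p: (p.score, p.path_rank), reverse=True)[:n]


def by_function(preds):
    """Collapse predicates onto source functions: how many predicates each
    function carries and the best score among them. Useful for spotting the
    function where the root cause sits when many neighbouring instructions score high."""
    summary = defaultdict(lambda: {"count": 0, "best_score": 0.0})
    for p in preds:
        entry = summary[p.function]
        entry["count"] += 1
        entry["best_score"] = max(entry["best_score"], p.score)
    return dict(summary)


# Constructed sample: the first line is the one from the README, the other two
# are made up in the same format (the last one without addr2line output).
SAMPLE = """\
0x0000555555569c5a -- rax min_reg_val_less 0x11 -- 1 -- mov eax, dword ptr [rbp-0x48] (path rank: 0.9690633497239973) //mrb_exc_set at error.c:277
0x0000555555569c61 -- rdx min_reg_val_less 0x11 -- 1 -- mov rdx, qword ptr [rbp-0x40] (path rank: 0.9512) //mrb_exc_set at error.c:278
0x000055555556a120 -- rcx min_reg_val_less 0x8 -- 0.8 -- cmp rcx, 0x8 (path rank: 0.41)
"""

if __name__ == "__main__":
    import sys
    # python3 predicates.py "$EVAL_DIR/ranked_predicates_verbose.txt"; without an argument the sample is used
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    preds = parse_text(text)
    for p in top(preds):
        print(f"{p.addr:#x} score={p.score:.2f} rank={p.path_rank:.3f} "
              f"{p.predicate:40} {p.disasm} // {p.symbol}")
    print(by_function(preds))
```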
Docker
We provide a Dockerfile that sets up the example for you. Build and run the docker image; inside the container you can find the following scripts in /home/user/aurora/docker/example_scripts:
# Run AFL in crash exploration mode (modify timeout before)
# Trace all inputs found in the previous step
# Run root cause analysis on the traced inputs
For more information, contact mrphrazer (@mr_phrazer) or m_u00d8 (@m_u00d8).