The utility pastis-triton enables launching a TritonDSE. It can be launched in an alert driven manner in ALERT_ONLY or in independent manner with CHECK_ALL. Also, it can be run in two modes, online to interact with a pastis-broker server or offline to run locally on its own.


The online mode only requires an IP and a port to run as all subsequent parameters will be provided by the broker. The default IP and port are localhost on 5555.

If the broker is running on the same machine pastis-triton can be launched with:

$ pastis-triton online

If the broker runs on a different machine it can then be launched with:

$ pastis-triton online -h -p 5555

The utility will then automatically receive the parameters, the binary to test and will start performing its coverage.


Running locally, all parameters normally through the network then have to be provided on the commande line. The help message is the following:

Usage: pastis-triton offline [OPTIONS] PROGRAM [PARGVS]...

  -r, --sast-report FILE          SAST report to use
  -c, --count INTEGER             Number of execution  [default: 0]
  --config FILE                   Triton configuration file
  -s, --seed PATH                 Seed or directory of seeds to give to the
                                  Execution mode  [default: SINGLE_EXEC]
                                  Fuzz mode  [default: BINARY_ONLY]
  -chk, --chkmode [CHECK_ALL|ALERT_ONLY|ALERT_ONE]
                                  Check mode  [default: CHECK_ALL]
  -cov, --covmode [block|edge|path|PREFIXED_EDGE]
                                  Coverage strategy  [default: edge]
  -i, --seedinj [STDIN|ARGV]      Location where to inject input  [default:
  -n, --name TEXT                 Name of the executable if program is an
                                  archive containing multiple files
  -t, --target TEXT               Target alert address in case of ALERT_ONE
  -p, --probe TEXT                Probe to load as a python module (should
                                  contain a ProbeInterface)
  -w, --workspace TEXT            Path to TritonDSE workspace
  --debug                         Enable debug logs
  --debug-pp                      Enable debugging path predicate
  --trace                         Show execution trace in debug logging


  • --sast-report SAST report if any

  • --count limit the number of iterations to perform (number of program execution)

  • --config tritondse configuration file to use

  • --seed initial seed file or directory to use as initial corpus

  • --exmode only SINGLE_EXEC is supported at the moment

  • --fuzzmod only BINARY_ONLY applies for TritonDSE

  • --chkmode change the running mode

  • --covmode coverage strategy to apply

  • --seedinj location where to inject the input file.

  • --name name of the executable of the PROGRAM provided is an archive

  • --target target address to try reaching when launched in ALERT_ONE

  • --probe External Probe module that should be attached to the exploration

  • --workspace workspace directory (if not provided in the configuration file)

  • --debug show debug logs

  • --debug-pp Enable debugging the path predicate (debugging only)

  • --trace Log the complete execution trace in a file (to be combined with --count 1)

Configuration & Results

The project handles PASTIS parameters and translate them in their counterpart in tritondse. For instance the running mode CHECK_ALL and ALERT_ONLY are PASTIS parameters. That parameter will be put in practice by register different callbacks. As such, ALERT_ONLY will only register a callback on the intrinsic function while CHECK_ALL requires registering callbacks on many more events.


The configuration file, and workspace uses the tritondse mechanism. Thus, one must refers to tritondse documentation for additional information about the configuration file or the workspace organization.