Harness Component — Subagent
5 Poc Generator
Crafts bespoke proof-of-concept programs demonstrating that zeroize-audit findings are exploitable. Reads source code and finding details to generate tailored PoCs — each PoC is individually written, not templated. Each PoC exits 0 if the secret persists or 1 if wiped. Mandatory for every finding.
Definition
5-poc-generator
Craft bespoke proof-of-concept programs for all zeroize-audit findings. Each PoC is individually tailored to the specific vulnerability: read the finding details and the actual source code, then write custom C or Rust code that exercises the exact code path and variable involved. Do NOT use generic templates or boilerplate — every PoC must reflect the specific function signatures, variable names, types, and sizes from the audited codebase.
Each PoC exits 0 if the secret persists (exploitable) or 1 if wiped (not exploitable). PoC generation is mandatory — every finding gets a PoC regardless of confidence level.
Input
You receive these values from the orchestrator:
| Parameter | Description |
|---|---|
| workdir | Run working directory (e.g. /tmp/zeroize-audit-{run_id}/) |
| compile_db | Path to compile_commands.json |
| config_path | Path to merged config file ({workdir}/merged-config.yaml) |
| final_report | Path to {workdir}/report/findings.json |
| poc_categories | Finding categories for which to generate PoCs |
| poc_output_dir | Output directory for PoCs (default: {workdir}/poc/) |
| baseDir | Plugin base directory (for tool paths) |
Process
Step 0 — Load Configuration and Findings
- Read `config_path` to load the merged config. Extract PoC-relevant settings: `secret_fill_byte` (default: `0xAA`), `stack_probe_max` (default: `4096`), `source_inclusion_threshold` (default: `5000` lines)
- Read `final_report` to load all findings. Filter to findings in `poc_categories`.
Step 1 — Write Shared PoC Infrastructure
Write {poc_output_dir}/poc_common.h with these helpers:
- `POC_PASS()` macro — prints "EXPLOITABLE: secret persists" and exits 0
- `POC_FAIL()` macro — prints "NOT EXPLOITABLE: secret wiped" and exits 1
- `volatile_read_nonzero(ptr, len)` — reads `len` bytes through a `volatile` pointer, returns 1 if any byte is non-zero
- `volatile_read_pattern(ptr, len, pattern)` — reads `l
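As an added illustration of the shared infrastructure from Step 1 and the exit-code convention above, here is a self-contained C file with an illustrative version of the helpers plus one sample PoC built on them. This is not the project's poc_common.h: the helper names and the exit codes follow the page, but their bodies, `secure_wipe()`, `no_wipe()`, `poc_heap_secret()` and the stack-probe functions are assumptions made for this example, and the semantics of `volatile_read_pattern()` (returns 1 if any byte still equals the pattern) are assumed because the page's definition is cut off.

```c
/* Added example: illustrative poc_common.h-style helpers and a sample PoC.
 * Not the project's code; helper names follow the page, bodies are assumed. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SECRET_FILL_BYTE 0xAA   /* secret_fill_byte default from the merged config */
#define STACK_PROBE_MAX  4096   /* stack_probe_max default from the merged config */

/* Exit-code convention: 0 means the secret persists (exploitable), 1 means wiped. */
#define POC_PASS() do { puts("EXPLOITABLE: secret persists"); exit(0); } while (0)
#define POC_FAIL() do { puts("NOT EXPLOITABLE: secret wiped"); exit(1); } while (0)

/* Read len bytes through a volatile pointer so the compiler cannot fold the
 * check away; returns 1 if any byte is non-zero, else 0. */
int volatile_read_nonzero(const void *ptr, size_t len) {
    const volatile unsigned char *p = (const volatile unsigned char *)ptr;
    for (size_t i = 0; i < len; i++)
        if (p[i] != 0) return 1;
    return 0;
}

/* Same access pattern, but looks for the fill byte; returns 1 if any byte
 * still equals pattern (assumed semantics, the page's definition is truncated). */
int volatile_read_pattern(const void *ptr, size_t len, unsigned char pattern) {
    const volatile unsigned char *p = (const volatile unsigned char *)ptr;
    for (size_t i = 0; i < len; i++)
        if (p[i] == pattern) return 1;
    return 0;
}

/* A wipe the optimizer cannot drop: every store goes through a volatile pointer
 * (assumed implementation of the kind of cleanup an audit wants to find). */
void secure_wipe(void *ptr, size_t len) {
    volatile unsigned char *p = (volatile unsigned char *)ptr;
    while (len--) *p++ = 0;
}

/* A cleanup that does nothing, standing in for a missing wipe call. */
void no_wipe(void *ptr, size_t len) { (void)ptr; (void)len; }

/* Generic PoC body for a heap-held secret: fill with the pattern, run the wipe
 * under test, then probe while the allocation is still live (reading freed
 * memory is undefined and would prove nothing). Returns the PoC exit code:
 * 0 = exploitable (pattern persists), 1 = wiped. */
int poc_heap_secret(void (*wipe)(void *, size_t), size_t len) {
    unsigned char *secret = malloc(len);
    if (!secret) return 1;            /* nothing to demonstrate */
    memset(secret, SECRET_FILL_BYTE, len);
    wipe(secret, len);
    int persists = volatile_read_pattern(secret, len, SECRET_FILL_BYTE);
    free(secret);
    return persists ? 0 : 1;
}

/* Stack-retention probe. leaky() leaves the fill pattern in its frame (volatile
 * stores so the fill itself is not optimized away) and returns without wiping.
 * scan_dead_stack() then declares a large, deliberately uninitialised buffer in
 * its own frame, which usually overlaps the dead one, and scans it. Best effort:
 * the result depends on frame layout and optimisation level, so it is reported
 * rather than relied on. */
static void leaky(void) {
    unsigned char key[64];
    volatile unsigned char *k = key;
    for (size_t i = 0; i < sizeof key; i++) k[i] = SECRET_FILL_BYTE;
}

static int scan_dead_stack(void) {
    unsigned char probe[STACK_PROBE_MAX];   /* intentionally left uninitialised */
    return volatile_read_pattern(probe, sizeof probe, SECRET_FILL_BYTE);
}

int main(void) {
    /* A finding whose wipe is missing entirely: verdict 0 (exploitable). */
    if (poc_heap_secret(no_wipe, 32) == 0)
        printf("heap, no wipe:     pattern persists\n");
    /* The same path with a volatile wipe: verdict 1 (not exploitable). */
    if (poc_heap_secret(secure_wipe, 32) == 1)
        printf("heap, secure wipe: pattern gone\n");

    leaky();
    printf("stack probe:       %s\n",
           scan_dead_stack() ? "pattern found" : "nothing found");

    /* A real PoC ends with exactly one of these, based on its single finding. */
    if (poc_heap_secret(no_wipe, 32) == 0) POC_PASS();
    POC_FAIL();
}
```

A generated PoC would replace `poc_heap_secret()` with code that calls the audited function by its real signature and probes the real variable; the two helpers and the exit-code macros are the only parts that stay the same across findings. The heap verdicts are deterministic, whereas the stack probe can miss or hit depending on how the compiler lays out the two frames, which is why the PoC reports it rather than basing its exit code on it alone.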