
Harness Component — Subagent

5 Poc Generator

Crafts bespoke proof-of-concept programs demonstrating that zeroize-audit findings are exploitable. Reads source code and finding details to generate tailored PoCs — each PoC is individually written, not templated. Each PoC exits 0 if the secret persists or 1 if wiped. Mandatory for every finding.

Runtime: universal
Intent: build

Definition

5-poc-generator

Craft bespoke proof-of-concept programs for all zeroize-audit findings. Each PoC is individually tailored to the specific vulnerability: read the finding details and the actual source code, then write custom C or Rust code that exercises the exact code path and variable involved. Do NOT use generic templates or boilerplate — every PoC must reflect the specific function signatures, variable names, types, and sizes from the audited codebase.

Each PoC exits 0 if the secret persists (exploitable) or 1 if wiped (not exploitable). PoC generation is mandatory — every finding gets a PoC regardless of confidence level.

Input

You receive these values from the orchestrator:

Parameter: Description

workdir: Run working directory (e.g. /tmp/zeroize-audit-{run_id}/)
compile_db: Path to compile_commands.json
config_path: Path to merged config file ({workdir}/merged-config.yaml)
final_report: Path to {workdir}/report/findings.json
poc_categories: Finding categories for which to generate PoCs
poc_output_dir: Output directory for PoCs (default: {workdir}/poc/)
baseDir: Plugin base directory (for tool paths)

Process

Step 0 — Load Configuration and Findings

  1. Read config_path to load the merged config. Extract PoC-relevant settings:

    • secret_fill_byte (default: 0xAA)
    • stack_probe_max (default: 4096)
    • source_inclusion_threshold (default: 5000 lines)
  2. Read final_report to load all findings. Filter to findings in poc_categories.

Step 1 — Write Shared PoC Infrastructure

Write {poc_output_dir}/poc_common.h with these helpers:

  • POC_PASS() macro — prints "EXPLOITABLE: secret persists" and exits 0
  • POC_FAIL() macro — prints "NOT EXPLOITABLE: secret wiped" and exits 1
  • volatile_read_nonzero(ptr, len) — reads len bytes through a volatile pointer, returns 1 if any byte is non-zero
  • volatile_read_pattern(ptr, len, pattern) — reads `l
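The helpers listed above, written out as an added illustration of what a poc_common.h of this shape does; this is not the trailofbits/skills file itself. The macro and function names follow the page, and the 0xAA fill byte is the page's default secret_fill_byte. The wipe routines (no_wipe, plain_wipe, secure_wipe) and the secret_persists_after driver are hypothetical stand-ins for the code path a real PoC would exercise.

```c
/* Illustrative poc_common.h-style helpers (added example, not the project's file).
 * Exit codes follow the page: 0 = secret persists (exploitable), 1 = wiped. */
#include <stdio.h>
#include <stdlib.h>
#include <stddef.h>
#include <string.h>

#define POC_SECRET_FILL_BYTE 0xAA   /* secret_fill_byte default from the merged config */

/* Exploitable: the secret survived, so the PoC exits 0. */
#define POC_PASS() do { puts("EXPLOITABLE: secret persists"); exit(0); } while (0)
/* Not exploitable: the secret was wiped, so the PoC exits 1. */
#define POC_FAIL() do { puts("NOT EXPLOITABLE: secret wiped"); exit(1); } while (0)

/* Read len bytes through a volatile pointer so the compiler cannot treat the
 * memory as dead and drop the read. Returns 1 if any byte is non-zero. */
static int volatile_read_nonzero(const void *ptr, size_t len) {
    const volatile unsigned char *p = (const volatile unsigned char *)ptr;
    int found = 0;
    for (size_t i = 0; i < len; i++) found |= (p[i] != 0);
    return found;
}

/* Same idea, but returns 1 if any byte still equals the fill pattern. */
static int volatile_read_pattern(const void *ptr, size_t len, unsigned char pattern) {
    const volatile unsigned char *p = (const volatile unsigned char *)ptr;
    int found = 0;
    for (size_t i = 0; i < len; i++) found |= (p[i] == pattern);
    return found;
}

/* Hypothetical wipes under audit. secure_wipe stores through a volatile pointer,
 * which the optimizer must keep; plain_wipe is an ordinary memset, which
 * dead-store elimination may drop when the buffer is never read again. */
static void secure_wipe(void *ptr, size_t len) {
    volatile unsigned char *p = (volatile unsigned char *)ptr;
    while (len--) *p++ = 0;
}
static void plain_wipe(void *ptr, size_t len) { memset(ptr, 0, len); }
/* no_wipe models a finding where the wipe call is missing entirely. */
static void no_wipe(void *ptr, size_t len) { (void)ptr; (void)len; }

/* Skeleton of a per-finding check: fill a buffer with the fill byte, run the
 * wipe routine under test, then probe it through volatile reads.
 * Returns 1 if the secret persists (exploitable), 0 if wiped, -1 on OOM. */
static int secret_persists_after(void (*wipe)(void *, size_t), size_t len) {
    unsigned char *buf = malloc(len);
    if (!buf) return -1;
    memset(buf, POC_SECRET_FILL_BYTE, len);
    wipe(buf, len);
    int persists = volatile_read_pattern(buf, len, POC_SECRET_FILL_BYTE)
                || volatile_read_nonzero(buf, len);
    free(buf);
    return persists;
}

int main(void) {
    /* Exercise each hypothetical wipe; only the missing wipe leaves the secret. */
    if (secret_persists_after(no_wipe, 32) ||
        secret_persists_after(plain_wipe, 32) ||
        secret_persists_after(secure_wipe, 32))
        POC_PASS();
    POC_FAIL();
}
```

One caveat the driver makes visible: because secret_persists_after reads the buffer through a volatile pointer right after the wipe, the compiler cannot eliminate even plain_wipe's memset, so in this harness plain_wipe reports "wiped". Dead-store elimination only removes a wipe whose buffer is dead afterwards, which is exactly why the page insists each PoC reproduce the audited code path rather than a generic template.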
