
Harness Component — Subagent

5b Poc Validator

Compiles and runs all PoCs for zeroize-audit findings. Produces poc_validation_results.json consumed by the verification agent and the orchestrator.

Runtime: universal
Intent: build

Definition

5b-poc-validator

Compile and run all PoCs listed in the manifest. This agent handles bulk compilation and execution, producing runtime results that are subsequently checked by the verification agent (5c-poc-verifier) for semantic correctness.

Input

You receive these values from the orchestrator:

Parameter      Description
workdir        Run working directory (e.g. /tmp/zeroize-audit-{run_id}/)
config_path    Path to {workdir}/merged-config.yaml

Process

Step 0 — Load Configuration

Read config_path to access PoC-related settings.

Step 1 — Read Manifest

Read {workdir}/poc/poc_manifest.json. Collect all PoC entries.

If no PoCs exist, write an empty results file and exit.

Step 2 — Compile and Run Each PoC

Dispatch on poc_entry.language:

C/C++ PoCs (language is absent or "c")

  1. Compile:

    cd {workdir}/poc && make <makefile_target>
    
  2. If compilation succeeds, run and record exit code:

    cd {workdir}/poc && ./<makefile_target>
    echo "Exit code: $?"
    
  3. Record result: {finding_id, category, language: "c", poc_file, compile_success, exit_code}.

Rust PoCs (language == "rust")

Rust PoCs use cargo test. The exit code convention maps directly: a passing assert! → test passes → cargo exits 0 → exploitable; a failing assert! (panic) → test fails → cargo exits non-zero → not exploitable.

  1. Compile check (no run):

    <poc_entry.compile_cmd>
    # e.g. cargo test --manifest-path {workdir}/poc/Cargo.toml --no-run --test za_0001_missing_source_zeroize
    
  2. If compilation succeeds, run the specific test and record exit code:

    <poc_entry.run_cmd>
    # e.g. cargo test --manifest-path {workdir}/poc/Cargo.toml --test za_0001_missing_source_zeroize -- --nocapture
    echo "Exit code: $?"
    
  3. Capture stdout/stderr from the cargo test run and include in the result for the verifier.

  4. Record result: `{finding_id, category, languag
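The manifest-driven compile-and-run loop of Step 1 and Step 2, as an added example that is not part of the trailofbits/skills repository: a small Python runner that reads the manifest, dispatches on language, compiles each PoC, runs it only when compilation succeeds, and writes poc_validation_results.json. The field names (finding_id, category, language, poc_file, makefile_target, compile_cmd, run_cmd) come from the definition above; the manifest's top-level "pocs" key, the literal {workdir} placeholder inside the cargo commands, the {"results": [...]} output layout, the sample manifest and the simulated tool outcomes are all constructed assumptions. The command runner is injectable so the dispatch can be exercised offline; run_shell is the real one.

```python
# Added example runner for the 5b-poc-validator process (not the project's
# own code); manifest and result-file layouts below are assumptions.
import json
import subprocess
import tempfile
from pathlib import Path
from typing import Callable, Dict, List, Tuple

# A runner executes one shell command in a directory and returns
# (exit_code, stdout, stderr). Injecting it keeps the dispatch logic
# testable without a compiler or cargo installed.
Runner = Callable[[str, str], Tuple[int, str, str]]

def run_shell(cmd: str, cwd: str) -> Tuple[int, str, str]:
    """Real runner: execute through the shell and capture output."""
    proc = subprocess.run(cmd, shell=True, cwd=cwd, capture_output=True, text=True)
    return proc.returncode, proc.stdout, proc.stderr

def make_fake_runner(outcomes: Dict[str, Tuple[int, str, str]]) -> Runner:
    """Offline runner: maps exact command strings to constructed outcomes.
    Unknown commands fail like a missing tool (exit 127)."""
    def run(cmd: str, cwd: str) -> Tuple[int, str, str]:
        return outcomes.get(cmd, (127, "", f"{cmd}: not found"))
    return run

def _compile_and_run(entry: dict, language: str, compile_cmd: str,
                     run_cmd: str, cwd: str, run: Runner) -> dict:
    """Compile; only if that succeeds, run and record the exit code.
    stdout/stderr are kept so the verifier (5c) can judge semantics."""
    result = {"finding_id": entry["finding_id"], "category": entry["category"],
              "language": language, "poc_file": entry["poc_file"],
              "compile_success": False, "exit_code": None}
    rc, _, err = run(compile_cmd, cwd)
    if rc != 0:
        result["compile_error"] = err.strip()
        return result
    result["compile_success"] = True
    rc, out, err = run(run_cmd, cwd)
    result.update(exit_code=rc, stdout=out, stderr=err)
    return result

def validate_manifest(manifest: dict, workdir: str, run: Runner = run_shell) -> List[dict]:
    """Step 2: dispatch on poc_entry.language; an absent language means C/C++."""
    poc_dir = str(Path(workdir) / "poc")
    results = []
    for entry in manifest.get("pocs", []):
        language = entry.get("language", "c")
        if language == "c":
            target = entry["makefile_target"]
            results.append(_compile_and_run(entry, "c", f"make {target}",
                                            f"./{target}", poc_dir, run))
        elif language == "rust":
            # cargo exit 0 = assert! held (exploitable); non-zero = test panicked
            results.append(_compile_and_run(
                entry, "rust",
                entry["compile_cmd"].replace("{workdir}", workdir),
                entry["run_cmd"].replace("{workdir}", workdir), poc_dir, run))
        else:
            results.append({"finding_id": entry["finding_id"], "language": language,
                            "compile_success": False, "exit_code": None,
                            "error": f"unsupported language {language!r}"})
    return results

def write_results(results: List[dict], workdir: str) -> Path:
    """Write poc_validation_results.json (an empty list when no PoCs exist)."""
    out = Path(workdir) / "poc_validation_results.json"
    out.write_text(json.dumps({"results": results}, indent=2))
    return out

# Constructed sample manifest and simulated tool outcomes for an offline demo.
DEMO_WORKDIR = "/tmp/zeroize-audit-demo"  # placeholder path; never written to
CARGO = f"cargo test --manifest-path {DEMO_WORKDIR}/poc/Cargo.toml"
SAMPLE_MANIFEST = {"pocs": [
    {"finding_id": "za_0001", "category": "missing_source_zeroize",
     "poc_file": "za_0001.c", "makefile_target": "za_0001"},
    {"finding_id": "za_0002", "category": "dead_store_elimination", "language": "c",
     "poc_file": "za_0002.c", "makefile_target": "za_0002"},
    {"finding_id": "za_0003", "category": "missing_source_zeroize", "language": "rust",
     "poc_file": "tests/za_0003.rs",
     "compile_cmd": "cargo test --manifest-path {workdir}/poc/Cargo.toml --no-run --test za_0003",
     "run_cmd": "cargo test --manifest-path {workdir}/poc/Cargo.toml --test za_0003 -- --nocapture"},
]}
SIMULATED_OUTCOMES = {
    "make za_0001": (0, "cc -o za_0001 za_0001.c\n", ""),
    "./za_0001": (0, "key bytes still readable after wipe\n", ""),
    "make za_0002": (2, "", "za_0002.c:7: error: expected ';'"),
    f"{CARGO} --no-run --test za_0003": (0, "", "Finished test profile"),
    f"{CARGO} --test za_0003 -- --nocapture": (101, "", "thread panicked: assertion failed"),
}

if __name__ == "__main__":
    results = validate_manifest(SAMPLE_MANIFEST, DEMO_WORKDIR,
                                run=make_fake_runner(SIMULATED_OUTCOMES))
    path = write_results(results, tempfile.mkdtemp(prefix="zeroize-audit-"))
    print(path.read_text())
```

An entry with an unsupported language, or one that fails to compile, still produces a result record (with exit_code null and an error or compile_error field) instead of aborting the batch, so one bad PoC does not cost the orchestrator the rest of the run.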


More from trailofbits/skills

0 Preflight

subagent

Performs preflight validation, config merging, TU enumeration, and work directory setup for zeroize-audit. Produces merged-config.yaml, preflight.json, and orchestrator-state.json.


1 Mcp Resolver

subagent

Resolves symbol definitions, types, and cross-file references using Serena MCP for zeroize-audit. Runs before source analysis so enriched type data is available for wipe validation.


2 Source Analyzer

subagent

Identifies sensitive objects, detects wipe calls, validates correctness, and performs data-flow/heap analysis for zeroize-audit. Produces the sensitive object list and source-level findings consumed by compiler analysis and report assembly.


2b Rust Source Analyzer

subagent

Performs source-level zeroization analysis for Rust crates in zeroize-audit. Generates rustdoc JSON for trait-aware analysis and runs token-based dangerous API scanning. Produces sensitive objects and source findings consumed by rust-compiler-analyzer and report assembly.


3 Tu Compiler Analyzer

subagent

Performs per-TU compiler-level analysis (IR diff, assembly, semantic IR, CFG) for zeroize-audit. One instance runs per translation unit, enabling parallel execution across TUs.


3b Rust Compiler Analyzer

subagent

Performs crate-level MIR and LLVM IR analysis for Rust in zeroize-audit. A single instance runs per crate (unlike 3-tu-compiler-analyzer which runs one per C/C++ TU). Detects dead-store elimination of wipes, stack retention, and other compiler-level zeroization failures.
