Harness Component — Subagent
5b Poc Validator
Compiles and runs all PoCs for zeroize-audit findings. Produces poc_validation_results.json consumed by the verification agent and the orchestrator.
Definition
5b-poc-validator
Compile and run all PoCs listed in the manifest. This agent handles bulk compilation and execution, producing runtime results that are subsequently checked by the verification agent (5c-poc-verifier) for semantic correctness.
Input
You receive these values from the orchestrator:
| Parameter | Description |
|---|---|
| workdir | Run working directory (e.g. /tmp/zeroize-audit-{run_id}/) |
| config_path | Path to {workdir}/merged-config.yaml |
Process
Step 0 — Load Configuration
Read config_path to access PoC-related settings.
Step 1 — Read Manifest
Read {workdir}/poc/poc_manifest.json. Collect all PoC entries.
If no PoCs exist, write an empty results file and exit.
Step 2 — Compile and Run Each PoC
Dispatch on poc_entry.language:
C/C++ PoCs (language is absent or "c")
- Compile:
  ```
  cd {workdir}/poc && make <makefile_target>
  ```
- If compilation succeeds, run and record exit code:
  ```
  cd {workdir}/poc && ./<makefile_target>
  echo "Exit code: $?"
  ```
- Record result: `{finding_id, category, language: "c", poc_file, compile_success, exit_code}`.
Rust PoCs (language == "rust")
Rust PoCs use cargo test. The exit code convention maps directly: a passing assert! → test passes → cargo exits 0 → exploitable; a failing assert! (panic) → test fails → cargo exits non-zero → not exploitable.
- Compile check (no run):
  ```
  <poc_entry.compile_cmd>
  # e.g. cargo test --manifest-path {workdir}/poc/Cargo.toml --no-run --test za_0001_missing_source_zeroize
  ```
- If compilation succeeds, run the specific test and record exit code:
  ```
  <poc_entry.run_cmd>
  # e.g. cargo test --manifest-path {workdir}/poc/Cargo.toml --test za_0001_missing_source_zeroize -- --nocapture
  echo "Exit code: $?"
  ```
  Capture stdout/stderr from the cargo test run and include it in the result for the verifier.
- Record result: `{finding_id, category, languag
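The Step 1 and Step 2 flow above, as an added example in Python (not the trailofbits/skills validator itself): it reads the manifest, dispatches on `language`, records compile success, exit code and captured output, and writes `poc_validation_results.json`. The manifest layout (a JSON list of entries carrying `finding_id`, `category`, `language`, `poc_file` and either `makefile_target` or `compile_cmd`/`run_cmd`), the derived `exploitable` field and all fixture values are assumptions; the fixture uses plain shell commands in place of cargo so it runs without a toolchain.

```python
import json, subprocess, tempfile
from pathlib import Path

def _run(cmd, cwd):
    # Run one shell command in the PoC directory, capturing exit code and output.
    p = subprocess.run(cmd, shell=True, cwd=cwd, capture_output=True, text=True)
    return p.returncode, p.stdout, p.stderr

def commands_for(entry):
    # Step 2 dispatch: absent language means C (make target); Rust entries carry cargo commands.
    if entry.get("language", "c") == "rust":
        return "rust", entry["compile_cmd"], entry["run_cmd"]
    target = entry["makefile_target"]
    return "c", f"make {target}", f"./{target}"

def validate_entry(entry, poc_dir):
    lang, compile_cmd, run_cmd = commands_for(entry)
    result = {"finding_id": entry["finding_id"], "category": entry["category"], "language": lang,
              "poc_file": entry.get("poc_file"), "compile_success": False, "exit_code": None}
    rc, out, err = _run(compile_cmd, poc_dir)
    if rc != 0:
        result["stderr"] = err  # keep compiler output so the verifier can see why it failed
        return result
    result["compile_success"] = True
    rc, out, err = _run(run_cmd, poc_dir)
    # Exit-code convention from the page: 0 means the PoC demonstrated the finding.
    result.update(exit_code=rc, exploitable=(rc == 0), stdout=out, stderr=err)
    return result

def validate_all(workdir):
    # Step 1: read the manifest (assumed here to be a JSON list); no PoCs -> empty results file.
    poc_dir = Path(workdir) / "poc"
    entries = json.loads(m.read_text()) if (m := poc_dir / "poc_manifest.json").exists() else []
    results = [validate_entry(e, poc_dir) for e in entries]
    (Path(workdir) / "poc_validation_results.json").write_text(json.dumps(results, indent=2))
    return results

def demo_workdir():
    # Constructed fixture: Rust-style entries whose commands are shell stand-ins for cargo.
    wd = Path(tempfile.mkdtemp(prefix="zeroize-audit-"))
    (wd / "poc").mkdir()
    (wd / "poc" / "poc_manifest.json").write_text(json.dumps([
        {"finding_id": "za_0001", "category": "missing_source_zeroize", "language": "rust",
         "poc_file": "za_0001.rs", "compile_cmd": "true", "run_cmd": "echo key still in memory"},
        {"finding_id": "za_0002", "category": "missing_source_zeroize", "language": "rust",
         "poc_file": "za_0002.rs", "compile_cmd": "true", "run_cmd": "echo assert failed; exit 101"},
        {"finding_id": "za_0003", "category": "missing_source_zeroize", "language": "rust",
         "poc_file": "za_0003.rs", "compile_cmd": "echo compile error >&2; exit 1", "run_cmd": "true"}]))
    return wd
```

Calling `validate_all(demo_workdir())` exercises all three outcomes (exit 0, failing assert with exit 101, compile failure) and leaves the results file in the temporary workdir; deleting the manifest first shows the empty-results path.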