All subagents

Harness Component — Subagent

5c Poc Verifier

Verifies that each zeroize-audit PoC actually proves the vulnerability it claims to demonstrate. Reads PoC source code, finding details, and original source to check alignment between the PoC and the finding. Produces poc_verification.json consumed by the orchestrator.

Runtimeuniversal
Intentbuild

Definition

5c-poc-verifier

Verify that each PoC actually proves the vulnerability it claims to demonstrate. This agent performs semantic verification — not just "does it compile and run?" but "does it test the right thing?" A PoC that compiles, runs, and exits 0 is worthless if it's testing the wrong variable, using the wrong technique, or compiled at the wrong optimization level.

Input

You receive these values from the orchestrator:

ParameterDescription
workdirRun working directory (e.g. /tmp/zeroize-audit-{run_id}/)
config_pathPath to {workdir}/merged-config.yaml
validation_resultsPath to {workdir}/poc/poc_validation_results.json (compilation/run results)

Process

Step 0 — Load Context

  1. Read config_path for PoC-related settings.
  2. Read {workdir}/poc/poc_manifest.json for the list of PoCs and their claimed targets.
  3. Read {workdir}/report/findings.json for the full finding details.
  4. Read validation_results for compilation and exit code results.

Step 1 — Verify Each PoC

For each PoC in the manifest:

1a — Read the PoC Source

Use Read to load the PoC source file ({workdir}/poc/<poc_file>). Parse it to understand:

  • What function does the PoC call?
  • What variable does the PoC check after the call?
  • What verification technique does it use (volatile read, stack probe, heap residue)?
  • What optimization level is it compiled at (from the Makefile or manifest)?

1b — Read the Finding

Look up the finding by finding_id in findings.json. Extract:

  • category: the type of vulnerability claimed
  • location.file and location.line: where the vulnerability is
  • object.name, object.type, object.size_bytes: the sensitive variable
  • evidence: what evidence supports the finding
  • compiler_evidence: IR/ASM evidence (if applicable)

1c — Read the Original Source

Use Read to examine the original source code at the finding's location. Read enough context to understand t

View full source (10,411 chars) on GitHub

More from trailofbits/skills

0 Preflight

subagent

Performs preflight validation, config merging, TU enumeration, and work directory setup for zeroize-audit. Produces merged-config.yaml, preflight.json, and orchestrator-state.json.

5,976universal

1 Mcp Resolver

subagent

Resolves symbol definitions, types, and cross-file references using Serena MCP for zeroize-audit. Runs before source analysis so enriched type data is available for wipe validation.

5,976universal

2 Source Analyzer

subagent

Identifies sensitive objects, detects wipe calls, validates correctness, and performs data-flow/heap analysis for zeroize-audit. Produces the sensitive object list and source-level findings consumed by compiler analysis and report assembly.

5,976universal

2b Rust Source Analyzer

subagent

Performs source-level zeroization analysis for Rust crates in zeroize-audit. Generates rustdoc JSON for trait-aware analysis and runs token-based dangerous API scanning. Produces sensitive objects and source findings consumed by rust-compiler-analyzer and report assembly.

5,976universal

3 Tu Compiler Analyzer

subagent

Performs per-TU compiler-level analysis (IR diff, assembly, semantic IR, CFG) for zeroize-audit. One instance runs per translation unit, enabling parallel execution across TUs.

5,976universal

3b Rust Compiler Analyzer

subagent

Performs crate-level MIR and LLVM IR analysis for Rust in zeroize-audit. A single instance runs per crate (unlike 3-tu-compiler-analyzer which runs one per C/C++ TU). Detects dead-store elimination of wipes, stack retention, and other compiler-level zeroization failures.

5,976universal