Harness Component — Subagent

6 Test Generator

Generates runtime validation test harnesses (C tests, MSAN, Valgrind targets) for confirmed zeroize-audit findings. Produces a Makefile for automated test execution.

Runtime: universal
Intent: test

Definition

6-test-generator

Generate runtime validation test harnesses for confirmed zeroize-audit findings: C test harnesses, MemorySanitizer tests, Valgrind targets, and stack canary tests.

Input

You receive these values from the orchestrator:

Parameter     Description
workdir       Run working directory (e.g. /tmp/zeroize-audit-{run_id}/)
compile_db    Path to compile_commands.json
config_path   Path to merged config file ({workdir}/merged-config.yaml)
final_report  Path to {workdir}/report/findings.json
baseDir       Plugin base directory (for tool paths)

Process

Step 0 — Load Configuration

Read config_path to load the merged config.

Step 1 — Read Final Report

Load {workdir}/report/findings.json and filter to confirmed findings (confidence = confirmed or likely).

Step 2 — Generate Test Harnesses

For each confirmed finding, generate:

  1. C test harness: Allocates the sensitive object, calls the function under test, and verifies all bytes are zero at the expected wipe point.
  2. MemorySanitizer test (-fsanitize=memory): Detects reads of un-zeroed memory after the wipe point.
  3. Valgrind invocation target: Builds the test without sanitizers for Valgrind leak and memory error detection.
  4. Stack canary test: For STACK_RETENTION findings, places canary values around the sensitive object and checks for retention after function return.
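As an added illustration, not code from trailofbits/skills or from the Test Generator itself, of what the C harness and stack canary test above check: a constructed function under test sensitive_op that wipes its key through volatile stores, a deliberately leaky variant leaky_op, and a canary-bracketed harness run_stack_harness that passes for the first and fails for the second. The function names, KEY_LEN and the fill bytes are assumptions; the canaries bracket the object in the caller's frame so the retention check stays within defined behaviour rather than scanning the callee's dead stack.

```c
#include <stddef.h>
#include <string.h>

#define KEY_LEN 32   /* size of the constructed sensitive object */
#define CANARY  0x5A /* byte placed on both sides of the key */
#define PATTERN 0xA5 /* fill byte that must not survive the wipe */
/* Volatile byte-wise wipe: the compiler cannot drop it as a dead store. */
void secure_memzero(void *p, size_t n)
{
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--) *vp++ = 0;
}
/* Assumed function under test: consumes the key, then wipes it. */
unsigned char sensitive_op(unsigned char *key, size_t len)
{
    unsigned char acc = 0;
    for (size_t i = 0; i < len; i++) acc ^= key[i];
    secure_memzero(key, len); /* expected wipe point */
    return acc;
}
/* Assumed defective variant: same work, but the key is never wiped. */
unsigned char leaky_op(unsigned char *key, size_t len)
{
    unsigned char acc = 0;
    for (size_t i = 0; i < len; i++) acc ^= key[i];
    return acc;
}
/* 1 if every byte in [buf, buf+len) equals value, else 0. */
int all_equal(const unsigned char *buf, size_t len, unsigned char value)
{
    for (size_t i = 0; i < len; i++)
        if (buf[i] != value) return 0;
    return 1;
}

/* Canary-bracketed harness: a PATTERN-filled key sits between two canaries;
 * after fn returns the key must be all zero (no retention) and both canaries
 * intact (the wipe stayed in bounds). Returns 1 on pass, 0 on failure. */
int run_stack_harness(unsigned char (*fn)(unsigned char *, size_t))
{
    struct { unsigned char lo[16], key[KEY_LEN], hi[16]; } frame;
    memset(frame.lo, CANARY, sizeof frame.lo);
    memset(frame.key, PATTERN, sizeof frame.key);
    memset(frame.hi, CANARY, sizeof frame.hi);
    (void)fn(frame.key, sizeof frame.key);
    return all_equal(frame.key, sizeof frame.key, 0)
        && all_equal(frame.lo, sizeof frame.lo, CANARY)
        && all_equal(frame.hi, sizeof frame.hi, CANARY);
}
```

Building the same harness with -fsanitize=memory and under Valgrind, as the Makefile step does, adds detection of reads from un-zeroed or uninitialised memory that a plain byte comparison cannot see.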

Step 3 — Generate Makefile

Produce a Makefile in the output directory that:

  • Builds all test harnesses with appropriate compiler flags
  • Includes sanitizer targets (test-msan, test-asan)
  • Includes Valgrind targets (test-valgrind)
  • Has a run-all target that executes everything and reports results
  • Uses compile flags from compile_commands.json where applicable

Step 4 — Generate Manifest

Produce test_manifest.json listing all generated tests with:

  • Test file path
  • Finding ID it validates
  • Test type (harness, msan, valgri

More from trailofbits/skills

0 Preflight

subagent

Performs preflight validation, config merging, TU enumeration, and work directory setup for zeroize-audit. Produces merged-config.yaml, preflight.json, and orchestrator-state.json.

1 Mcp Resolver

subagent

Resolves symbol definitions, types, and cross-file references using Serena MCP for zeroize-audit. Runs before source analysis so enriched type data is available for wipe validation.

2 Source Analyzer

subagent

Identifies sensitive objects, detects wipe calls, validates correctness, and performs data-flow/heap analysis for zeroize-audit. Produces the sensitive object list and source-level findings consumed by compiler analysis and report assembly.

2b Rust Source Analyzer

subagent

Performs source-level zeroization analysis for Rust crates in zeroize-audit. Generates rustdoc JSON for trait-aware analysis and runs token-based dangerous API scanning. Produces sensitive objects and source findings consumed by rust-compiler-analyzer and report assembly.

3 Tu Compiler Analyzer

subagent

Performs per-TU compiler-level analysis (IR diff, assembly, semantic IR, CFG) for zeroize-audit. One instance runs per translation unit, enabling parallel execution across TUs.

3b Rust Compiler Analyzer

subagent

Performs crate-level MIR and LLVM IR analysis for Rust in zeroize-audit. A single instance runs per crate (unlike 3-tu-compiler-analyzer which runs one per C/C++ TU). Detects dead-store elimination of wipes, stack retention, and other compiler-level zeroization failures.
