{"id":13641485,"url":"https://github.com/BinaryAnalysisPlatform/bap","last_synced_at":"2025-04-20T07:33:51.123Z","repository":{"id":22626292,"uuid":"25968851","full_name":"BinaryAnalysisPlatform/bap","owner":"BinaryAnalysisPlatform","description":"Binary Analysis Platform","archived":false,"fork":false,"pushed_at":"2024-08-14T06:50:04.000Z","size":8484,"stargazers_count":2067,"open_issues_count":48,"forks_count":273,"subscribers_count":93,"default_branch":"master","last_synced_at":"2024-10-29T15:34:36.869Z","etag":null,"topics":["arm","bap","binary-analysis","disassembler","dynamic-analysis","emulator","instruction-semantics","lifter","mips","ocaml","powerpc","program-analysis","program-verification","reverse-engineering","security","static-analysis","symbolic-execution","taint-analysis","x86"],"latest_commit_sha":null,"homepage":"","language":"OCaml","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/BinaryAnalysisPlatform.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGES.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2014-10-30T11:59:43.000Z","updated_at":"2024-10-25T15:35:22.000Z","dependencies_parsed_at":"2024-10-09T13:40:42.573Z","dependency_job_id":"9e2a167a-5204-4c0c-8a17-435e62b36c0e","html_url":"https://github.com/BinaryAnalysisPlatform/bap","commit_stats":null,"previous_names":[],"tags_count":25,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/BinaryAnalysisPlatform%2Fbap","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/BinaryAnalysisPlatform%2Fbap/tags","releases_url":"ht
tps://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/BinaryAnalysisPlatform%2Fbap/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/BinaryAnalysisPlatform%2Fbap/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/BinaryAnalysisPlatform","download_url":"https://codeload.github.com/BinaryAnalysisPlatform/bap/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":223066687,"owners_count":17082134,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["arm","bap","binary-analysis","disassembler","dynamic-analysis","emulator","instruction-semantics","lifter","mips","ocaml","powerpc","program-analysis","program-verification","reverse-engineering","security","static-analysis","symbolic-execution","taint-analysis","x86"],"created_at":"2024-08-02T01:01:21.123Z","updated_at":"2025-04-20T07:33:51.116Z","avatar_url":"https://github.com/BinaryAnalysisPlatform.png","language":"OCaml","readme":"# Binary Analysis Platform\n[![License](https://img.shields.io/badge/license-MIT-blue.svg)](https://github.com/BinaryAnalysisPlatform/bap/blob/master/LICENSE)\n[![Join the chat at https://gitter.im/BinaryAnalysisPlatform/bap](https://badges.gitter.im/Join%20Chat.svg)](https://gitter.im/BinaryAnalysisPlatform/bap?utm_source=badge\u0026utm_medium=badge\u0026utm_campaign=pr-badge\u0026utm_content=badge)\n[![docs](https://img.shields.io/badge/doc-master-green.svg)][docs]\n[![docs](https://img.shields.io/badge/doc-2.5.0-green.svg)][docs]\n\n## Table of contents\n*   
[Overview](#overview)\n*   [Installation](#installation)\n*   [Using](#using)\n*   [Extending](#extending)\n*   [Learning](#learning)\n*   [Contributing](#contributing)\n*   [Sponsors](#sponsors)\n\n## Overview\n\nThe Carnegie Mellon University Binary Analysis Platform (CMU BAP) is a suite of utilities and libraries that enables analysis of binary programs. BAP supports x86, x86-64, ARM, MIPS, and PowerPC, and new architectures can be added using plugins. BAP includes various analyses, a standard interpreter, a microexecution interpreter, and a symbolic executor. BAP features its own domain-specific language, [Primus Lisp][primus-lisp], that is used for implementing analyses, specifying verification conditions, modeling functions (writing stubs), and even interfacing with the SMT solver. The [toolkit][toolkit] repository includes various examples of program analysis tools that could be implemented with BAP and can be used as a starting point (in addition to the [tutorial][bap-tutorial]) for implementing custom analyses. BAP can be used as a framework with a single [bap][demo] utility that is [extended with plugins][extending], or it can be used as a library [embedded][embedding] in a user application, which could be written in OCaml or in any other language using the [C bindings][bap-bindings]. We also provide some [minimal support for Python][bap-python] to make it easier to start learning BAP.\n\nBAP was developed at [CMU CyLab](https://www.cylab.cmu.edu/) and is sponsored by grants from the United States Department of Defense, Siemens, Boeing, ForAllSecure, and the Korean government; see [sponsors](#Sponsors) for more information. 
BAP is used in various institutions and serves as a backbone for many interesting projects, some of which are highlighted below:\n*   [The CGC winner][cgc] [ForAllSecure Mayhem][mayhem]\n*   [Draper's Laboratory CBAT Tools][cbat]\n*   [Fraunhofer FKIE CWE Checker][cwe-checker]\n\n## Installation\n\n### Using pre-built packages\n\nWe provide binary packages for Debian and Red Hat derivatives. For other distributions we provide tgz archives. To install bap on a Debian derivative:\n\n```bash\nwget https://github.com/BinaryAnalysisPlatform/bap/releases/download/v2.5.0/{bap,libbap,libbap-dev}_2.5.0.deb\nsudo dpkg -i {bap,libbap,libbap-dev}_2.5.0.deb\n```\n\n### From sources\n\nOur binary packages do not include the OCaml development environment. If you are going to write an analysis in OCaml, you need to install BAP from the source code, either using [opam][opam-install] or by cloning and building this repository directly. The opam method is the recommended one. Once opam is installed, the following three commands should install the platform in a newly created switch.\n\n```bash\nopam init --comp=4.14.1   # initializes opam and installs the OCaml compiler\nopam install bap          # installs bap and its dependencies\neval $(opam env)          # activates the opam environment\n```\n\nOr, if you already have a switch where you would like to install bap, then just do\n```\nopam install bap\n```\n\nThe `opam install bap` command will also try to install the system dependencies of BAP using your operating system package manager. If it fails due to a missing system dependency, try installing it manually and then repeat the `opam install bap` command. If it still doesn't work, do not hesitate to drop by our [chat][gitter] and seek help there. It is staffed by friendly people who will be happy to help.\n\nThe instructions above will get you the latest stable release of BAP. 
If you're interested in our rolling releases, which are automatically updated every time a commit to the master branch happens, then you can create a new switch that uses our testing repository:\n```bash\nopam switch create bap-testing --repos \\\n    default,bap=git+https://github.com/BinaryAnalysisPlatform/opam-repository#testing 4.14.1\nopam install bap\n```\n\nAfter it is added, the `bap` repository will take precedence over the stable repository and you will get the freshly picked BAP packages straight from the farm.\n\nIf you want to build BAP manually or just want to tinker with BAP internals, then you can clone this repository and build it yourself. We suggest starting with a fresh environment without BAP installed, to prevent clashes, or, even better, using a local switch, e.g.,\n```bash\ngit clone git@github.com:BinaryAnalysisPlatform/bap.git \u0026\u0026 cd bap\nopam switch create . --deps-only\ndune build \u0026\u0026 dune install\n```\n\nThe snippet above will clone bap, create a fresh local switch, install the necessary dependencies, including the system ones, and, finally, build and install bap with dune. Alternatively, if you already have a switch where you want to build and install bap, you can use\n```\ngit clone git@github.com:BinaryAnalysisPlatform/bap.git \u0026\u0026 cd bap\nopam install . --deps-only\ndune build \u0026\u0026 dune install\n```\nto install bap and its dependencies into the currently selected switch.\n\nThe above commands will build all packages available in bap, including experimental packages like Ghidra or Radare (included in the bap-extra meta-package). To prepare a development environment that excludes these packages (or any other packages), just remove the corresponding .opam files (don't worry, opam will regenerate them later) before creating a switch, e.g.,\n```\nrm bap-{extra,radare2,ghidra,primus-symbolic-executor,ida}.opam\nopam switch create . 
--deps-only\ndune build \u0026\u0026 dune install\n```\n\n## Using\n\nBAP, like Docker or Git, is driven by a single command-line utility called [bap][man-bap]. Just type `bap` in your shell and it will print a message that shows BAP's capabilities. The `disassemble` command will take a binary program, disassemble it, lift it into the architecture-agnostic intermediate representation, build a control flow graph, and finally apply staged user-defined analyses in the form of disassembling passes. Finally, the `--dump` option (`-d` for short) will output the resulting program in the specified format. This is the default command, so you don't even need to specify it; e.g., the following will disassemble and dump the `/bin/echo` binary on your machine:\n```bash\nbap /bin/echo -d\n```\n\nNote that, unlike `objdump`, this command will build the control flow graph of a program. If you just want to dump each instruction of a binary one after another (the so-called linear sweep disassembler mode), then you can use the `objdump` command, e.g.,\n\n```bash\nbap objdump /bin/echo --show-{insn=asm,bil}\n```\n\nIf your input is a blob of machine code, not an executable, then you can use the `raw` loader, e.g.,\n\n```bash\nbap objdump /bin/echo --loader=raw --raw-base=0x400000 --show-{insn=asm,bil}\n```\n\nThe raw loader takes a few parameters, like offsets, lengths, and base addresses, which makes it a Swiss Army knife that you can use as a can opener for formats that are not known to BAP. 
The raw loader works for all commands that open files; e.g., if the `raw` loader is used together with the `disassemble` command, BAP will still automatically identify function starts and build a suitable CFG without even knowing where the code is in the binary:\n\n```bash\nbap /bin/echo --loader=raw --raw-base=0x400000 -d\n```\n\nIf you would like to play with bytes manually, e.g., type in an instruction encoding and see how BAP disassembles it and what semantics it has, then `mc` is the command you're looking for. It is named after the corresponding utility in LLVM, stands for machine code, and has the same interface as the `objdump` command except that it takes an ASCII encoding of an instruction instead of a binary file, e.g.,\n\n```bash\nbap mc --show-{insn=asm,bil} -- 48 83 ec 08\n```\nor\n```\nbap mc --show-{insn=asm,bil} \"\\x48\\x83\\xec\\x08\"\n```\n\nIt recognizes a few input formats (including the one `llvm-mc` uses for its `-show-encoding` option). Consult the documentation for more detailed information.\n\n## Extending\n\n### Writing your own analysis\n\nBAP is a plugin-based framework: if you want to develop a new analysis, you can write a plugin, build it, install it, and it will work with the rest of BAP without any recompilation. There are many extension points that you could use to add new analyses, change existing ones, or even build your own applications. We will start with a simple example that registers a disassembling pass with the disassemble command. Suppose that we want to write an analysis that estimates the ratio of jump instructions to the total number of instructions in the binary. We will start by creating an empty file named `jmp.ml` in an empty folder (the folder name doesn't matter). Next, using our favorite text [editor][emacs], we will put the following code into it:\n\n```ocaml\nopen Core_kernel\nopen Bap_main\nopen Bap.Std\n\nlet counter = object\n  inherit [int * int] Term.visitor\n  method! 
enter_term _ _ (jmps,total) = jmps,total+1   (* called for every term *)\n  method! enter_jmp _ (jmps,total) = jmps+1,total      (* additionally called for jmp terms *)\nend\n\nlet main proj =\n  let jmps,total = counter#run (Project.program proj) (0,0) in\n  printf \"ratio = %d/%d = %g\\n\" jmps total (float jmps /. float total)\n\nlet () = Extension.declare @@ fun _ctxt -\u003e\n   Project.register_pass' main;\n   Ok ()\n```\nNow we can build, install, and run our analysis using the following commands:\n```\nbapbuild jmp.plugin\nbapbundle install jmp.plugin\nbap /bin/echo --pass=jmp\n```\n\nLet's briefly go through the code. The `counter` object is a visitor whose state consists of a pair of counters. The first counter keeps track of the number of jmp terms, and the second counter is incremented every time we enter any term. The `main` function just runs the counter and prints the output. We declare our extension using the [Extension.declare][extension-declare] function from the [Bap_main][bap-main] library. An extension is just a function that receives the context (which could be used to obtain configuration parameters). In this function, we register our `main` function as a pass using the `Project.register_pass'` function.\n\nA slightly more complex example, as well as an example that uses Python, can be found in our [tutorial][bap-tutorial].\n\n### Building a plugin with dune\n\nYou can also build and install bap plugins using dune. For that, you need to define a library and use the `plugin` stanza that uses this library. Below is the template `dune` file:\n```\n(library\n (name FOO)\n (public_name OUR-FOO.plugin)\n (libraries bap bap-main))\n\n(plugin\n (name FOO)\n (package OUR-FOO)\n (libraries OUR-FOO.plugin)\n (site (bap-common plugins)))\n```\n\nEverything that is capitalized in the above snippet is a placeholder that you shall substitute with appropriate private and public names for your plugin. 
Note that the `.plugin` extension is not necessary, but it is considered a good convention.\n\n### Interactive REPL\n\nBAP also ships an interactive toplevel utility, `baptop`. This is a shell-like utility that interactively evaluates OCaml expressions and prints their values. It will load the BAP libraries and initialize all plugins for you, so you can interactively explore the vast world of BAP. The `baptop` utility can also serve as a non-interactive interpreter, so that you can run your OCaml scripts, e.g., `baptop myscript.ml`, or you can even specify it in a shebang line at the top of your file, e.g., `#!/usr/bin/env baptop`. We built `baptop` using UTop, but you can easily use any other OCaml toplevel, including `ocaml` itself; just load the `bap.top` library. For example, for the vanilla `ocaml` toplevel use the following directives:\n\n```ocaml\n#use \"topfind\";;\n#require \"bap.top\";;\n```\n\n## Learning\n\nWe understand that BAP is huge and it is easy to get lost. We are constantly working on improving the documentation, ensuring that every single function in the [BAP API][docs] is thoroughly documented. But writing higher-level guidelines in the form of manuals or [tutorials][bap-tutorial] is much harder and very time consuming, especially given how different the goals of our fellow researchers and users are. Therefore we employ a backward-chaining approach and prefer to answer real questions rather than prematurely trying to address all possible questions. We will be happy to see you in our [chat][gitter], which features a searchable archive indexed by Google.\n\nWe occasionally write to our [blog][blog] and [wiki][wiki] and encourage everyone to contribute to both of them. You can also post your questions on [stackoverflow][so-ocaml] or discuss BAP on the [OCaml][discuss-bap] board. 
We also have a cute [discord][discord-bap] channel, which has much less traffic than our [gitter][gitter].\n\n## Contributing\n\nBAP is built by the community and we welcome all contributions from authors who are willing to share them under the MIT license. If you don't think that your analysis or tool suits this repository (e.g., it has limited use, is not fully ready, doesn't meet our standards, etc.), then you can consider contributing to our [bap-plugins][bap-plugins] repository, which is a collection of useful BAP plugins that are not mature enough to be included in the main distribution. Alternatively, you can consider extending our [toolkit][toolkit] with your tool.\n\nOf course, there is no need to submit your work to one of our repositories. BAP is a plugin-based framework and your code could be hosted anywhere and have any license (including proprietary). If you want to make your work available to the community, it would be a good idea to release it via [opam][opam-packaging].\n\n## Sponsors\n*   [ForAllSecure][fas]\n\n*   [Boeing][boeing]\n\n*   [DARPA VET Project](https://www.darpa.mil/program/vetting-commodity-it-software-and-firmware)\n\n*   [Siemens AG](https://www.siemens.com/us/en/home.html)\n\n*   Institute for Information \u0026 Communications Technology Promotion (IITP) grant funded by the Korea government (MSIT) (No. 2015-0-00565, Development of Vulnerability Discovery Technologies for IoT Software Security)\n\nPlease [contact us][contact-us] if you would like to become a sponsor or are seeking a deeper collaboration.\n\n[toolkit]: https://github.com/BinaryAnalysisPlatform/bap-toolkit\n[bap-plugins]: https://github.com/BinaryAnalysisPlatform/bap-plugins\n[bap-bindings]: https://github.com/BinaryAnalysisPlatform/bap-bindings\n[bap-tutorial]: https://github.com/BinaryAnalysisPlatform/bap-tutorial\n[bap-python]: https://github.com/BinaryAnalysisPlatform/bap-python\n[primus-lisp]: 
https://binaryanalysisplatform.github.io/bap/api/master/bap-primus/Bap_primus/Std/Primus/Lisp/index.html\n[extending]: https://binaryanalysisplatform.github.io/bap/api/master/bap-main/Bap_main/index.html#extending-bap\n[embedding]: https://binaryanalysisplatform.github.io/bap/api/master/bap-main/Bap_main/index.html#embedding-bap\n[demo]: https://binaryanalysisplatform.github.io/assets/playfull.svg\n[mayhem]: https://forallsecure.com/solutions/devsecops/\n[fas]: https://forallsecure.com/\n[boeing]: https://www.boeing.com\n[cbat]: https://github.com/draperlaboratory/cbat_tools\n[cwe-checker]: https://github.com/fkie-cad/cwe_checker\n[cgc]: https://www.darpa.mil/program/cyber-grand-challenge\n[opam-install]: https://opam.ocaml.org/doc/Install.html\n[contact-us]: https://www.cylab.cmu.edu/partners/index.html\n[gitter]: https://gitter.im/BinaryAnalysisPlatform/bap\n[travis]: https://travis-ci.org/BinaryAnalysisPlatform/bap\n[wiki]: https://github.com/BinaryAnalysisPlatform/bap/wiki\n[blog]: https://binaryanalysisplatform.github.io/\n[so-ocaml]: https://stackoverflow.com/questions/tagged/ocaml\n[discuss-bap]: https://discuss.ocaml.org/tags/bap\n[discord-bap]: https://discord.gg/bwJ3p7q\n[emacs]: https://github.com/BinaryAnalysisPlatform/bap/wiki/Emacs\n[opam-packaging]: https://opam.ocaml.org/doc/Packaging.html\n[bap-main]: http://binaryanalysisplatform.github.io/bap/api/master/bap-main/Bap_main/index.html\n[extension-declare]: http://binaryanalysisplatform.github.io/bap/api/master/bap-main/Bap_main/Extension/index.html#val-declare\n\n[docs]: https://binaryanalysisplatform.github.io/bap/api/master/index.html\n[man-bap]: http://binaryanalysisplatform.github.io/bap/api/man/bap.1.html\n","funding_links":[],"categories":["OCaml","Debugging and Reverse Engineering","Decompilation Pipeline","Resources","\u003ca name=\"OCaml\"\u003e\u003c/a\u003eOCaml","Binary Analysis","Tools","Program analysis"],"sub_categories":["Other Resources","Intermediate Representation","By 
Purpose","Binaries"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FBinaryAnalysisPlatform%2Fbap","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FBinaryAnalysisPlatform%2Fbap","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FBinaryAnalysisPlatform%2Fbap/lists"}