{"id":27953798,"url":"https://github.com/binaryanalysisplatform/bap-toolkit","last_synced_at":"2025-08-10T08:48:58.114Z","repository":{"id":84483385,"uuid":"148638260","full_name":"BinaryAnalysisPlatform/bap-toolkit","owner":"BinaryAnalysisPlatform","description":"A collection of ready to use binary analysis tools","archived":false,"fork":false,"pushed_at":"2024-02-20T16:19:16.000Z","size":538,"stargazers_count":57,"open_issues_count":7,"forks_count":14,"subscribers_count":9,"default_branch":"master","last_synced_at":"2025-05-07T17:14:59.847Z","etag":null,"topics":["bap"],"latest_commit_sha":null,"homepage":"","language":"HTML","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/BinaryAnalysisPlatform.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2018-09-13T13:00:48.000Z","updated_at":"2025-04-01T04:58:51.000Z","dependencies_parsed_at":"2025-05-08T06:00:34.623Z","dependency_job_id":null,"html_url":"https://github.com/BinaryAnalysisPlatform/bap-toolkit","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/BinaryAnalysisPlatform/bap-toolkit","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/BinaryAnalysisPlatform%2Fbap-toolkit","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/BinaryAnalysisPlatform%2Fbap-toolkit/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/BinaryAnalysisPlatform%2Fbap-toolkit/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositorie
s/BinaryAnalysisPlatform%2Fbap-toolkit/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/BinaryAnalysisPlatform","download_url":"https://codeload.github.com/BinaryAnalysisPlatform/bap-toolkit/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/BinaryAnalysisPlatform%2Fbap-toolkit/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":269699255,"owners_count":24461213,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-08-10T02:00:08.965Z","response_time":71,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["bap"],"created_at":"2025-05-07T17:14:56.621Z","updated_at":"2025-08-10T08:48:58.061Z","avatar_url":"https://github.com/BinaryAnalysisPlatform.png","language":"HTML","funding_links":[],"categories":[],"sub_categories":[],"readme":"![](https://github.com/BinaryAnalysisPlatform/bap-toolkit/workflows/Daily%20test/badge.svg)\n\n# Introduction\n\nThis repository provides a collection of ready to use binary analysis tools,\nas well as a framework and a conventional repository structure for developing\nnew tools. Think of it as BAP on Rails. This repository should be seen as a collaboration\nplatform encouraging everyone to fork it, implement an analysis, and share it back with\nthe community. 
PRs are very welcome and accepted with no questions asked.\n\n# Table of Contents\n\n- [Installation](#installation) - how to install all or some tools\n- [Usage](#usage) - how to run tools and analyze results\n- [Developing](#developing) - how to develop a new tool\n- [Contributing](#contributing) - how to contribute a new tool\n- Tools\n  - checks from the [Joint Strike Fighter coding standards](http://stroustrup.com/JSF-AV-rules.pdf)\n    - [av-rule-3](av-rule-3/descr) - all functions have a cyclomatic complexity less than 20\n    - [av-rule-17](av-rule-17/descr) - `errno` is not used as an error indicator\n    - [av-rule-19](av-rule-19/descr) - `setlocale` et al. functions are not to be used\n    - [av-rule-20](av-rule-20/descr) - `setjmp`/`longjmp` are not to be used\n    - [av-rule-21](av-rule-21/descr) - signal handling facilities of `\u003csignal.h\u003e` are not to be used\n    - [av-rule-22](av-rule-22/descr) - The input/output library `\u003cstdio.h\u003e` shall not be used\n    - [av-rule-23](av-rule-23/descr) - `atof`, `atoi`, and `atol` are not to be used\n    - [av-rule-24](av-rule-24/descr) - `abort`, `exit`, `getenv` and `system` are not to be used\n    - [av-rule-25](av-rule-25/descr) - the `\u003ctime.h\u003e` interface is not used\n    - [av-rule-174](av-rule-174/descr) - potential null pointer dereferences\n    - [av-rule-189](av-rule-189/descr) - `goto` statements are not used\n  - checks from the [JPL Institutional Coding Standard](http://bsivko.pbworks.com/w/file/fetch/68132300/JPL_Coding_Standard_C.pdf)\n    - [jpl-rule-4](jpl-rule-4/descr) - no recursive functions\n    - [jpl-rule-11](jpl-rule-11/descr) - `goto` statements are not used\n    - [jpl-rule-14](jpl-rule-14/descr) - return values of all non-void functions are used\n  - [forbidden-symbols](forbidden-symbol/descr) - detects all forbidden symbols from the av-rule-{17,19,20,21,22,23,24,25}\n  - [defective-symbols](defective-symbol/descr) - detects all defective symbols from the av-rule-{3,189} 
and jpl-rule-4\n  - [untrusted-argument](untrusted-argument/descr) - checks that certain functions never use untrusted data\n  - [must-check-value](must-check-value/descr) - detects an unchecked return value of certain functions\n  - [use-after-free](use-after-free/descr) - detects a usage of a pointer that was freed before\n  - [double-free](double-free/descr) - detects a pointer that is freed twice\n  - [restrictness-check](restrictness-check/descr) - detects an incorrect invocation of a function with a strictness requirement\n  - [warn-unused](warn-unused/descr) - detects an unused value returned by a function with the warn-unused attribute\n  - [primus-checks](primus-checks/descr) - an all-in-one analysis that uses Primus to identify the following CWE:\n    - CWE-122 (Buffer Overwrite)\n    - CWE-125 (Buffer Overread)\n    - CWE-416 (Use after free)\n    - CWE-415 (Double free)\n    - CWE-798 (Use of Hard-coded Credentials)\n    - CWE-259 (Use of Hard-coded Password)\n    - CWE-822 (Untrusted Pointer Dereference)\n    - CWE-291 (Reliance on IP Address for Authentication)\n    - CWE-170 (Improper Null Termination)\n    - CWE-138 (Improper Neutralization)\n    - CWE-74  (Command Injection)\n    - CWE-476 (NULL pointer dereference)\n    - CWE-690 (Unchecked Return Value to NULL Pointer Dereference)\n    - CWE-252 (Unchecked Return Value)\n\n# Usage\n\nYou need to install the toolkit before using it. 
You can either use [docker](#using-bap-toolkit-with-docker) or [install](#installation) it directly on your host machine.\n\nThe tools in bap-toolkit are packed as BAP recipes, therefore to run a tool just pass its name to the `--recipe` option, e.g.,\n\n       bap ./exe --recipe=av-rule-3\n\nTo get a detailed description of a recipe, use the `--show-recipe` option, e.g.,\n\n       bap --show-recipe=av-rule-3\n\nYou can also list all available recipes using the `--list-recipes` option,\n\n       bap --list-recipes\n\n\n## Using bap-toolkit with docker\n\nYou don't need to install bap or OCaml to use and develop bap-toolkit if you have docker installed on your machine.\n\n1. Clone this repository and enter the directory:\n```\ngit clone https://github.com/BinaryAnalysisPlatform/bap-toolkit.git\ncd bap-toolkit\n```\n\n2. Build the image (do not miss the dot at the end of the command)\n```\ndocker build -t bap-toolkit .\n```\n\n3. Now we have the `bap-toolkit` container that we can use to run any tool. Let's check that it works; the default command is to run the `defective-symbol` tool on `/usr/bin/arch`, which should produce one FAIL and two PASSes, e.g.,\n```\n$ docker run bap-toolkit\nCheck                     Status\nnon structural cfg        FAIL\nrecursive function        OK\ncomplex function          OK\n```\n\n\n## Running an arbitrary tool on an arbitrary file\n\nIf you want to run a tool on your binary, the easiest option is to mount the current working directory (that contains your binary) to the `/bap-toolkit` folder, which is the working directory of the container. 
Let's assume that your binary is called `tests` and that you want to run the `spectre` tool,\n```\ndocker run -it --rm -v $(pwd):/bap-toolkit bap-toolkit bap test --recipe=spectre\n```\n\nAfter the analysis finishes, you will find the `incidents` file in the current folder on your host, in which you can find all reported spectre vulnerabilities, e.g.,\n```\n\n$ grep spectre-path incidents\n(spectre-path (1:63u#3439 (7 (S3 (cond 4005c8) (load 4005cf) (last 4005de)))))\n```\n\n### Developing tools with docker\n\nYou can modify any existing file (including `*.ml` files) in the bap-toolkit folder or [develop a new tool](#developing) and then just rebuild the image with,\n```\ndocker build -t bap-toolkit .\n```\n\nRinse and repeat!\n\n## Installation\n\nTo build the toolkit you need to activate opam,\n\n        eval $(opam env)\n\nNext, to install all tools in the repository to the default share folder just do\n\n\n        make\n        make install\n\nTo install a specific tool, run the same commands but pass the tool name to them, e.g.,\n\n        make TARGET=primus-checks\n        make install TARGET=primus-checks\n\n# Results\n\nThe results of the checks from this repository applied to [bap-artifacts](https://github.com/BinaryAnalysisPlatform/bap-artifacts) can\nbe seen [here](http://htmlpreview.github.io/?https://github.com/BinaryAnalysisPlatform/bap-toolkit/blob/master/results.html)\n\n\n# Developing\n\n## Creating a new tool\n\nTo create a new tool clone this repository,\n\n      https://github.com/BinaryAnalysisPlatform/bap-toolkit.git\n\nThen create a new folder inside the newly cloned `bap-toolkit` folder,\n\n      cd bap-toolkit\n      mkdir my-first-tool\n      cd my-first-tool\n\nAll files in this folder will form the body of your tool. They may contain input\nfiles, scripts for pre and post processing, BAP plugins and libraries, etc. The only\nrequired file is the `recipe.scm` file which is the entry point of your tool. 
This\nfile contains a list of options which are passed to `bap`, for example, to create a\ntool that just dumps a file in multiple formats, create a `recipe.scm` file with the\nfollowing contents\n\n      (option dump asm:out.asm)\n      (option dump bir:out.bir)\n\nAfter the tool is [built and installed](#installation), you can run it with\n\n      bap ./test-file --recipe=my-first-tool\n\nAnd this would be essentially the same as running bap with the following command line arguments\n\n      bap ./test-file --dump=asm:out.asm --dump=bir:out.bir\n\nNot a big deal so far, but a typical bap invocation may contain lots of command line options.\nYou may also need to pass files, header files, BAP Lisp scripts, etc. This is where the recipe\nsystem shines. In general, the recipe specification contains a list of recipe items in\nan arbitrary order. Each item is either a command line option, a parameter, or a reference to\nanother recipe. All items share the same syntax - they are flat s-expressions, i.e., a whitespace\nseparated list of strings enclosed in parentheses. The first string in the list denotes the type\nof the item, e.g.,\n\n        (option run-entry-points malloc calloc free)\n\n\nThe `option` command requires one mandatory parameter, the option name,\nand an arbitrary number of arguments that will be passed to the\ncorresponding command line option. If there is more than one argument\nthen they will be concatenated with the comma symbol, e.g.,\n\n        (option opt a b c d)\n\nwill be translated to\n\n        --opt=a,b,c,d\n\nOption arguments may contain _substitution symbols_. A substitution\nsymbol starts with the dollar sign, that is followed by a name\n(optionally delimited with curly braces, to disambiguate it from the\nrest of the argument). 
There is one built in parameter `prefix`,\nthat is substituted with the path to the recipe top folder.\n\nThe `parameter` command introduces a parameter to the recipe, i.e., a\nvariable ingredient that could be changed when the recipe is used. The\n`parameter` command has 3 arguments, all required. The first argument is\nthe parameter name, the second is the default value, that is used if\nthe parameter wasn't set, and the last argument is the parameter\ndescription. The substitution symbol will be replaced with the default\nvalue of a parameter, if a value of the parameter wasn't passed through\nthe command line. Example,\n\n    (parameter depth 128 \"maximum depth of analysis\")\n    (option analysis-depth $depth)\n\n\nIf the parameter is not set through the command line, then it will be\nsubstituted with `128` otherwise it will receive whatever value a user\nhas passed.\n\nFinally, the `extend` command is like the `#include` statement in the C\npreprocessor as it includes all the ingredients from another\nrecipe. (Make sure that you're not introducing loops!). 
The command\nhas one mandatory argument, the name of the recipe to include.\n\n## The recipe file grammar\n\nThe grammar is specified below, but for the details and up-to-date information,\nplease refer to `bap recipe --help`\n\n           recipe ::= {\u003crecipe-item\u003e}\n           recipe-item ::= \u003coption\u003e | \u003cparameter\u003e | \u003cextend\u003e | \u003ccommand\u003e\n           option ::= (option \u003catom\u003e {\u003catom\u003e})\n           parameter ::= (parameter \u003catom\u003e \u003catom\u003e \u003catom\u003e)\n           extend ::= (extend \u003catom\u003e)\n           command ::= (command \u003catom\u003e)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbinaryanalysisplatform%2Fbap-toolkit","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fbinaryanalysisplatform%2Fbap-toolkit","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbinaryanalysisplatform%2Fbap-toolkit/lists"}