The Carnegie Mellon University Binary Analysis Platform (CMU BAP) is a suite of utilities and libraries that enables analysis of programs in their machine representation. BAP is written in OCaml, relies on dynamically loaded plugins for extensibility, and is widely used for security analysis, program verification, and reverse engineering.
The framework consists of libraries, plugins and frontends: libraries provide code reusability, plugins facilitate extensibility, and frontends serve as entry points.
Frontends come with comprehensive manuals that can be accessed using the --help command line option, or via the man command if the manpath is configured correctly. Finally, you can access the man page for a plugin using the --<PLUGIN>-help command line option of a frontend, e.g.,
Hardware Specific Libraries
Language and API/ABI Specific Libraries
Analyses and Auxiliary Libraries
abi: apply abi information to a project
analyze: implements the analyze command
api: add parameters to subroutines based on known API
arm: provide ARM lifter
beagle: microx powered obfuscated string solver
bil: Provides bil optimizations
byteweight: find function starts using Byteweight algorithm
cache: provide caching services
callgraph-collator: Collates programs based on their callgraphs
callsites: annotate callsites with subroutine's arguments
constant-tracker: Constant Tracking Analysis based on Primus
core-theory: provides core theory rules
cxxfilt: provide c++filt based demangler
demangle: demangle subroutine names
dependencies: analyses the binary dependencies
disassemble: implements the disassemble command
dump-symbols: dump symbol information as a list of blocks
elf-loader: read ELF and DWARF formats in a pure OCaml
emit-ida-script: extract a IDA python script from bap
flatten: flattens (unrolls) BIR expressions into a trivial form
frontc-parser: parse c files with FrontC
ghidra: provide loader and disassembler using GHIDRA library
glibc-runtime: detects main and libc_start_main functions
ida: use ida to provide rooter, symbolizer and reconstructor
llvm: provide loader and disassembler using LLVM library
map-terms: map terms using BML DSL
mc: BAP Core Library
mips: provide MIPS lifter
objdump: use objdump to provide a symbolizer
optimization: automatically removes dead code and propagates consts
patterns: implements the byte patterns analysis plugin
phoenix: output project information in a phoenix format
powerpc: provide PowerPC lifter
primus-dictionary: provides a key-value storage
primus-exploring: evaluates all machines, prioritizing the least visited
primus-greedy: evaluates all machines in the DFS order
primus-limit: ensures termination by limiting Primus machines
primus-lisp: install and load Primus lisp libraries
primus-loader: generic program loader for Primus
primus-mark-visited: registers the bap:mark-visited component
primus-powerpc: powerpc support package
primus-print: prints Primus states and observations
primus-promiscuous: enables the promiscuous mode of execution
primus-propagate-taint: a compatibility layer between different taint analysis frameworks
primus-random: primus randomization components
primus-region: interval sets
primus-round-robin: evaluates all machines in the BFS order
primus-symbolic-executor: Enables symbolic execution in Primus
primus-systems: installs, parses, and loads Primus systems
primus-taint: a taint analysis control interface
primus-test: Primus Program Testing and Verification Kit
primus-wandering: evaluates all machines while
primus-x86: x86 support package
print: print project in various formats
propagate-taint: propagate taints through a program
radare2: use radare2 to provide a symbolizer
raw: BAP Core Library
read-symbols: read symbol information from file
recipe-command: manipulates bap recipes
relocatable: provides facility to load relocatable files
report: reports program status
riscv: provide Riscv target
run: a pass that will run a program
specification: prints the specification of the binary (like readelf)
ssa: translates a program into the SSA form
strings: find strings of characters
stub-resolver: Substitutes calls to stubs with calls to real functions
systemz: provide Systemz lifter
taint: taint specified terms
thumb: provide Thumb lifter
trace: manage execution traces
trivial-condition-form: eliminates complex conditionals in branches
warn-unused: warn about unused results of certain functions
x86: provide x86 lifter