Introduction

The Carnegie Mellon University Binary Analysis Platform (CMU BAP) is a suite of utilities and libraries that enables analysis of programs in their machine representation. BAP is written in OCaml, relies on dynamically loaded plugins for extensibility, and is widely used for security analysis, program verification, and reverse engineering.

The framework consists of a bunch of libraries, plugins and frontends. The libraries provide code reusability, plugins facilitate extensibility and frontends serve as entry points.

Frontends come with comprehensive manuals, that can be accessed by using --help command line options, or via the man command, if the manpath is configured correctly. Finally, you can access a man page for a plugin using --<PLUGIN>-help command line option of a frontend, e.g., bap --map-terms-help.

Libraries

Core libraries

• Bap_main - the entry point to BAP
• Bap_knowledge - The Knowledge Representation library
• Bap_core_theory - The Core Theory Library
• Bap.Std - The Standard Library
• Bap_taint - The Taint Analysis Framework
• Bap_primus - The Microexecution Framework

Foundation Libraries

• Monads - The Monads library
• Regular - Regular Data Library
• Graphlib - Algorithms on graphs
• Bitvec - Bitvectors and modular arithmetic
• Bitvec_binprot - Provides Binprot serialization for bitvectors
• Bitvec_sexp - Provides s-exp serialization for bitvectors
• Bitvec_order - Implements Janestreet comparators for bitvectors
• Bap_future - Futures and Streams
• Ogre - A sexp-based NoSQL database

Hardware Specific Libraries

• ARM - ARM definitions
• X86_cpu - x86/x86-64 definitions
• Bap_mips_target - MIPS definitions
• Bap_powerpc_target - PowerPC definitions
• Bap_riscv_target - RISCV definitions
• Bap_systemz_target - SystemZ definitions

Language and API/ABI Specific Libraries

• Bap_abi - Interface for specifying ABI
• Bap_api - Interface for defining API
• Bap_c - Basic definitions of the C language

Analyses and Auxiliary Libraries

• Bap_primus_track_visited - The interface to the Primus coverage monitoring component
• Bap_beagle_prey - An interface to the Beagle string deobfuscation analysis

Utility Libraries

• Bap_bml - writing term transformations
• Bare - writing rules for matching for Primus observations
• Bap_bundle - creating and opening bundles
• Bap_build - building bapbuild plugins
• Bap_byteweight - interface to the Byteweight subsystem
• Bap_demangle - writing name demanglers
• Bap_dwarf - a native DWARF parser
• Bap_elf - a native ELF parser
• Bap_ida - an interface to IDA Pro
• Bap_llvm - an inteface to LLVM disassemblers and loaders
• Bap_ghidra - an inteface to Ghidra
• Bap_plugins - loading plugins
• Bap_recipe - loading recipes (packs of command line arguments)
• Bap_strings - various text utilities
• Bap_relation - A representation of relations between two sets
• Bap_traces - working with execution traces
• Text_tags - Extension of Format's semantic tags

Plugins

abi                      apply abi information to a project
analyze                  implements the analyze command
api                      add parameters to subroutines based on known API
arm                      provide ARM lifter
beagle                   microx powered obfuscated string solver
bil                      Provides bil optimizations
byteweight               find function starts using Byteweight algorithm
cache                    provide caching services
callgraph-collator       Collates programs based on their callgraphs
callsites                annotate callsites with subroutine's arguments
constant-tracker         Constant Tracking Analysis based on Primus
core-theory              provides core theory rules
cxxfilt                  provide c++filt based demangler
demangle                 demangle subroutine names
dependencies             analyses the binary dependencies
disassemble              implements the disassemble command
dump-symbols             dump symbol information as a list of blocks
elf-loader               read ELF and DWARF formats in a pure OCaml
emit-ida-script          extract a IDA python script from bap
flatten                  flattens (unrolls) BIR expressions into a trivial form
frontc-parser            parse c files with FrontC
ghidra                   provide loader and disassembler using GHIDRA library
glibc-runtime            detects main and libc_start_main functions
ida                      use ida to provide rooter, symbolizer and reconstructor
llvm                     provide loader and disassembler using LLVM library
map-terms                map terms using BML DSL
mc                       BAP Core Library
mips                     provide MIPS lifter
objdump                  use objdump to provide a symbolizer
optimization             automatically removes dead code and propagates consts
patterns                 implements the byte patterns analysis plugin
phoenix                  output project information in a phoenix format
powerpc                  provide PowerPC lifter
primus-dictionary        provides a key-value storage
primus-exploring         evaluates all machines, prioritizing the least visited
primus-greedy            evaluates all machines in the DFS order
primus-limit             ensures termination by limiting Primus machines
primus-lisp              install and load Primus lisp libraries
primus-loader            generic program loader for Primus
primus-mark-visited      registers the bap:mark-visited component
primus-powerpc           powerpc support package
primus-print             prints Primus states and observations
primus-promiscuous       enables the promiscuous mode of execution
primus-propagate-taint   a compatibility layer between different taint analysis frameworks
primus-random            primus randomization components
primus-region            interval sets
primus-round-robin       evaluates all machines in the BFS order
primus-symbolic-executor Enables symbolic execution in Primus
primus-systems           installs, parses, and loads Primus systems
primus-taint             a taint analysis control interface
primus-test              Primus Program Testing and Verification Kit
primus-wandering         evaluates all machines while
primus-x86               x86 support package
print                    print project in various formats
propagate-taint          propagate taints through a program
radare2                  use radare2 to provide a symbolizer
raw                      BAP Core Library
read-symbols             read symbol information from file
recipe-command           manipulates bap recipes
relocatable              provides facility to load relocatable files
report                   reports program status
riscv                    provide Riscv target
run                      a pass that will run a program
specification            prints the specification of the binary (like readelf)
ssa                      translates a program into the SSA form
strings                  find strings of characters
stub-resolver            Substitutes calls to stubs with calls to real functions
systemz                  provide Systemz lifter
taint                    taint specified terms
thumb                    provide Thumb lifter
trace                    manage execution traces
trivial-condition-form   eliminates complex conditionals in branches
warn-unused              warn about unused results of certain functions
x86                      provide x86 lifter