BAP: A Binary Analysis Platform

  • David Brumley
  • Ivan Jager
  • Thanassis Avgerinos
  • Edward J. Schwartz
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6806)


BAP is a publicly available infrastructure for performing program verification and analysis tasks on binary (i.e., executable) code. In this paper, we describe BAP as well as lessons learned from previous incarnations of binary analysis platforms. BAP explicitly represents all side effects of instructions in an intermediate language (IL), making syntaxdirected analysis possible. We have used BAP to routinely generate and solve verification conditions that are hundreds of megabytes in size and encompass 100,000’s of assembly instructions.


Binary Code Symbolic Execution Strongly Connect Component Binary Analysis Intermediate Language 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


  1. 1.
    Appel, A.: Modern Compiler Implementation in ML. Cambridge University Press, Cambridge (1998)zbMATHGoogle Scholar
  2. 2.
    Balakrishnan, G.: WYSINWYX: What You See Is Not What You eXecute. PhD thesis, Computer Science Department, University of Wisconsin at Madison (August 2007)Google Scholar
  3. 3.
    Balakrishnan, G., Gruian, R., Reps, T., Teitelbaum, T.: Codesurfer/x86 - a platform for analyzing x86 executables. In: Proceedings of the International Conference on Compiler Construction (April 2005)Google Scholar
  4. 4.
    Binary Analysis Platform (BAP),
  5. 5.
    BitBlaze binary analysis project (2007),
  6. 6.
  7. 7.
    Ganesh, V., Dill, D.L.: A decision procedure for bit-vectors and arrays. In: Proceedings of the Conference on Computer Aided Verification, pp. 524–536 (July 2007)Google Scholar
  8. 8.
    Jager, I., Brumley, D.: Efficient directionless weakest preconditions. Technical Report CMU-CyLab-10-002, Carnegie Mellon University, CyLab (February 2010)Google Scholar
  9. 9.
    Kinder, J., Veith, H.: Jakstab: A static analysis platform for binaries. In: Gupta, A., Malik, S. (eds.) CAV 2008. LNCS, vol. 5123, pp. 423–427. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  10. 10.
    Lee, J., Avgerinos, T., Brumley, D.: TIE: Principled reverse engineering of types in binary programs. In: Proceedings of the Network and Distributed System Security Symposium (February 2011)Google Scholar
  11. 11.
    Microsoft. Phoenix framework, (url checked April 21, 2011)
  12. 12.
    Nethercote, N., Seward, J.: Valgrind: A program supervision framework. In: Proceedings of the Third Workshop on Runtime Verification, Boulder, Colorado, USA (July 2003)Google Scholar
  13. 13.
    Paradyn/Dyninst. Dyninst: An application program interface for runtime code generation, (url checked April 21, 2011)
  14. 14.
    Schwartz, E.J., Avgerinos, T., Brumley, D.: All you ever wanted to know about dynamic taint analysis and forward symbolic execution (but might have been afraid to ask). In: Proceedings of the IEEE Symposium on Security and Privacy, pp. 317–331 (May 2010)Google Scholar
  15. 15.
    Thakur, A., Lim, J., Lal, A., Burton, A., Driscoll, E., Elder, M., Andersen, T., Reps, T.: Directed proof generation for machine code. In: Touili, T., Cook, B., Jackson, P. (eds.) CAV 2010. LNCS, vol. 6174, pp. 288–305. Springer, Heidelberg (2010)CrossRefGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2011

Authors and Affiliations

  • David Brumley
    • 1
  • Ivan Jager
    • 1
  • Thanassis Avgerinos
    • 1
  • Edward J. Schwartz
    • 1
  1. 1.Carnegie Mellon UniversityPittsburghUSA

Personalised recommendations