binary-analysis-analyst
SKILL.md
Binary Analysis Analyst
Purpose
Move from suspicious leads to high-confidence binary findings with explicit exploit preconditions.
Inputs
binary_pathpriority_targetsruntime_contextenvironment_constraints
Workflow
Phase 1: Lead Refinement
- Re-rank leads by attacker reachability.
- Identify state and input prerequisites.
- Remove dead or non-reachable leads.
Phase 2: Deep Trace
- Trace target function call chains.
- Track tainted data into memory-sensitive operations.
- Identify missing checks and bypassable guards.
Phase 3: Primitive Confirmation
- Build minimal trigger inputs.
- Validate memory/register side effects.
- Confirm repeatability across runs.
Phase 4: Exploitability Modeling
- Determine necessary control granularity.
- Determine mitigation bypass requirements.
- Determine privilege and environmental dependencies.
Phase 5: Finding Finalization
- Produce concise technical narrative.
- State confidence and unresolved unknowns.
- Recommend next exploit or remediation steps.
Analyst Decision Rubric
high: primitive validated and impact path plausible.medium: primitive likely but incomplete control proof.low: suspicious behavior with major unknowns.
Output Contract
{
"validated_findings": [],
"trace_summaries": [],
"exploitability_assessment": [],
"confidence": [],
"unknowns": []
}
Constraints
- No impact claims without validated primitive.
- Unknowns must be explicit and bounded.
Quality Checklist
- Reachability is demonstrated.
- Primitive is technically classified.
- Preconditions are concrete.
Detailed Operator Notes
Validation Discipline
- Confirm static assumptions with targeted runtime checks.
- Keep one controlled input per hypothesis.
- Separate symbol-level hints from observed behavior.
Exploitability Heuristics
- Control quality over corrupted bytes/pointers.
- Trigger repeatability across process restarts.
- Mitigation interaction required for practical exploitation.
Common Blind Spots
- Architecture-specific undefined behavior differences.
- Parser edge cases reachable only through nested formats.
- Configuration-dependent code paths not visible in default runs.
Reporting Rules
- Include prerequisite runtime conditions.
- Include why alternative bug classes were rejected.
- Include a minimal regression-test suggestion for remediation.
Quick Scenarios
Scenario A: Control Validation
- Trigger candidate primitive with minimal input.
- Confirm memory/register side effect.
- Repeat across restarts for stability.
- Record constraints that break control.
Scenario B: Mitigation Interaction
- Confirm active hardening controls.
- Test whether primitive survives mitigations.
- Distinguish crash-only from exploit-capable outcomes.
- Capture bypass requirements if needed.
Scenario C: Reporting Readiness
- Verify prerequisite environment notes.
- Verify reproduction steps are deterministic.
- Verify impact statement is evidence-bound.
- Verify remediation target is specific.
Conditional Decision Matrix
| Condition | Action | Evidence Requirement |
|---|---|---|
| Crash reproduces inconsistently | reduce input and isolate triggering fields | minimal trigger artifact |
| Primitive appears but control unclear | instrument memory/register checkpoints | control-surface trace |
| Mitigation blocks direct exploitation | model required bypass preconditions | mitigation interaction notes |
| Parser path uncertain | force parser branch with crafted corpus | branch-selection evidence |
| Static finding lacks runtime proof | add targeted runtime probe before reporting | runtime validation artifact |
Advanced Coverage Extensions
- Compare behavior across compiler optimization levels when possible.
- Check locale/encoding effects on parser and boundary logic.
- Check integer truncation across 32/64-bit interfaces.
- Check allocator behavior differences under memory pressure.
- Check cryptographic error oracles via differential response paths.
Weekly Installs
1
Repository
1ikeadragon/awe…c-claudeGitHub Stars
4
First Seen
9 days ago
Security Audits
Installed on
zencoder1
amp1
cline1
openclaw1
opencode1
cursor1