Department of Computer Science and Technology


SOAAP currently supports the following command-line flags (see soaap --help):

Comma-separated list of vendors whose code should be treated as vulnerable.
Emulate sandboxing performance.
Don't use context-sensitive analysis.
List all sandboxed functions.
List all function-pointer calls.
Automatically infer function-pointer targets by tracking assignments.
List all function-pointer targets.
List all functions in the input program.
Output all warnings.
Output call-stack traces for system call warnings.
Summarise call-stack traces so that at most the specified number of calls are shown from the top and the same number from the bottom of the trace.
Dump RPC graph in both text and DOT formats. This will produce an file.
Sandbox platform to model. Accepted values are "none", "annotated", "capsicum" and "seccomp". Currently, SOAAP only models the system call semantics. "none" means that no protection exists. "annotated" tells SOAAP to use the restrictions specified with the __soaap_limit_syscalls, __soaap_limit_fd_syscalls and __soaap_limit_fd_key_syscalls annotations.
Output SOAAP's report in the specified format(s). "console" is the traditional output. Multiple output formats can be specified as a comma-separated list.
File prefix for report output files. A suffix relevant to the output format will be added to this (e.g. .json).
--soaap-debug-module=<regex of SOAAP module name>
Output debug info for the specified SOAAP module pattern. This will only work with a debug build of SOAAP.
--soaap-debug-function=<regex of function name>
Only output debug info for the specified SOAAP function pattern. This will only work with a debug build of SOAAP.
Level of debug verbosity of the aforementioned two flags.