auditor

An aarch64 constant-time memory access auditing tool.
git clone git://git.ppad.tech/auditor.git

commit b9de77630868522fb609abfb0d418b98bae84677
parent 6dd91fa69d98bf078cf11ec505c236699993bd5d
Author: Jared Tobin <jared@jtobin.io>
Date:   Thu, 26 Feb 2026 17:32:57 +0400

fix: clarify isSecretViolation and add comment for reg-offset handling

- NonConstOffset is a structural violation, not secret-derived; return
  False from isSecretViolation to avoid inflating secret violation counts
- Add comment explaining why register-offset modes fall through to
  coarse heap handling (dynamic offset prevents refined slot tracking)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Diffstat:
M lib/Audit/AArch64/Taint.hs | 3 +++
M test/Main.hs | 4 ++--
2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/lib/Audit/AArch64/Taint.hs b/lib/Audit/AArch64/Taint.hs @@ -851,6 +851,9 @@ loadFromStack dst addr st = case addr of | isPublicPointer base st -> setTaintLoadHeapSlot dst base (fromInteger imm) st -- Secret data pointer with register offset: [base, xM] variants + -- Note: Register-offset modes don't support refined heap slots because + -- the offset is dynamic - we can't determine which slot is being accessed. + -- These fall through to coarse heap handling if not secret data pointers. BaseReg base _idx | isSecretDataPointer base st -> setTaintProvKind dst Secret ProvUnknown KindScalar st diff --git a/test/Main.hs b/test/Main.hs @@ -15,14 +15,14 @@ import qualified Data.Text as T import Test.Tasty import Test.Tasty.HUnit --- | Check if a violation reason is secret (not unknown). +-- | Check if a violation is secret-derived (not unknown or structural). isSecretViolation :: ViolationReason -> Bool isSecretViolation r = case r of SecretBase _ -> True SecretIndex _ -> True UnknownBase _ -> False UnknownIndex _ -> False - NonConstOffset -> True + NonConstOffset -> False -- Structural violation, not secret-derived main :: IO () main = defaultMain $ testGroup "ppad-auditor" [
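Review bot: In the lib/Audit/AArch64/Taint.hs hunk, the new note sits directly under the header "Secret data pointer with register offset: [base, xM] variants", but its last sentence describes the opposite case (accesses that are not secret data pointers and fall through to coarse heap handling). The only guard visible below it is isSecretDataPointer, so a reader sees a comment about a fall-through branch attached to the secret branch. Consider moving the note next to the fall-through alternative of BaseReg, or rewording the header so it covers both outcomes. The note also talks about heap slots inside a function named loadFromStack; a short clause saying why heap handling applies here would help. It may also be worth stating in the same comment that `_idx` is deliberately ignored in this branch, since a register offset is exactly the case where the index matters for a constant-time audit.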
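Review bot: In the test/Main.hs hunk, NonConstOffset flips from True to False in isSecretViolation, yet the diffstat shows this file changing only by the two lines in the helper, so no assertion moved with it. Either no existing test reaches a NonConstOffset violation through this helper, or the counts happened not to depend on it; in both cases the new classification is unpinned. Please add a case that produces a NonConstOffset violation and asserts it is excluded from the secret count, so a later edit to the helper cannot silently reinflate it. Keeping the case expression exhaustive with no wildcard is good, since a new ViolationReason constructor will then force a decision here.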