auditor

Types.hs (16938B)

---

 {-# OPTIONS_HADDOCK prune #-}
 {-# LANGUAGE DeriveAnyClass #-}
 {-# LANGUAGE DeriveGeneric #-}
 {-# LANGUAGE OverloadedStrings #-}
 
 -- |
 -- Module: Audit.AArch64.Types
 -- Copyright: (c) 2025 Jared Tobin
 -- License: MIT
 -- Maintainer: jared@ppad.tech
 --
 -- Core types for AArch64 assembly analysis.
 
 module Audit.AArch64.Types (
     -- * Registers
     Reg(..)
   , regName
   , regFromText
 
     -- * Operands and addressing
   , Shift(..)
   , Extend(..)
   , Operand(..)
   , AddrMode(..)
 
     -- * Instructions
   , Instr(..)
   , Line(..)
 
     -- * Taint lattice
   , Taint(..)
   , joinTaint
 
     -- * Provenance
   , Provenance(..)
   , joinProvenance
 
     -- * Register kind
   , RegKind(..)
   , joinKind
 
     -- * Analysis results
   , Violation(..)
   , ViolationReason(..)
 
     -- * Non-constant-time findings
   , NctReason(..)
   , NctFinding(..)
   , LineMap
 
     -- * Taint configuration
   , TaintConfig(..)
   , defaultTaintConfig
   , ArgPolicy(..)
   , emptyArgPolicy
   ) where
 
 import Control.DeepSeq (NFData)
 import Data.Aeson (ToJSON(..), FromJSON(..), (.=), (.:?), object, withObject)
 import Data.IntMap.Strict (IntMap)
 import Data.Map.Strict (Map)
 import qualified Data.Map.Strict as Map
 import Data.Set (Set)
 import qualified Data.Set as Set
 import Data.Text (Text)
 import qualified Data.Text as T
 import GHC.Generics (Generic)
 
 -- | AArch64 registers (64-bit, 32-bit views, and SIMD).
 data Reg
   -- 64-bit general purpose
   = X0  | X1  | X2  | X3  | X4  | X5  | X6  | X7
   | X8  | X9  | X10 | X11 | X12 | X13 | X14 | X15
   | X16 | X17 | X18 | X19 | X20 | X21 | X22 | X23
   | X24 | X25 | X26 | X27 | X28 | X29 | X30
   -- 32-bit views
   | W0  | W1  | W2  | W3  | W4  | W5  | W6  | W7
   | W8  | W9  | W10 | W11 | W12 | W13 | W14 | W15
   | W16 | W17 | W18 | W19 | W20 | W21 | W22 | W23
   | W24 | W25 | W26 | W27 | W28 | W29 | W30
   -- Special
   | SP   -- ^ Stack pointer
   | XZR  -- ^ Zero register (64-bit)
   | WZR  -- ^ Zero register (32-bit)
   -- SIMD/FP (64-bit double)
   | D0  | D1  | D2  | D3  | D4  | D5  | D6  | D7
   | D8  | D9  | D10 | D11 | D12 | D13 | D14 | D15
   | D16 | D17 | D18 | D19 | D20 | D21 | D22 | D23
   | D24 | D25 | D26 | D27 | D28 | D29 | D30 | D31
   -- SIMD/FP (32-bit single)
   | S0  | S1  | S2  | S3  | S4  | S5  | S6  | S7
   | S8  | S9  | S10 | S11 | S12 | S13 | S14 | S15
   | S16 | S17 | S18 | S19 | S20 | S21 | S22 | S23
   | S24 | S25 | S26 | S27 | S28 | S29 | S30 | S31
   -- SIMD/FP (128-bit quad)
   | Q0  | Q1  | Q2  | Q3  | Q4  | Q5  | Q6  | Q7
   | Q8  | Q9  | Q10 | Q11 | Q12 | Q13 | Q14 | Q15
   | Q16 | Q17 | Q18 | Q19 | Q20 | Q21 | Q22 | Q23
   | Q24 | Q25 | Q26 | Q27 | Q28 | Q29 | Q30 | Q31
   deriving (Eq, Ord, Show, Generic, NFData)
 
 instance ToJSON Reg where
   toJSON = toJSON . regName
 
 -- | Canonical lowercase register name.
 regName :: Reg -> Text
 regName r = T.toLower (T.pack (show r))
 
 -- | Parse a register from text (case-insensitive).
 regFromText :: Text -> Maybe Reg
 regFromText t = Map.lookup (T.toUpper t) regMap
   where
     regMap :: Map Text Reg
     regMap = Map.fromList
       [ ("X0", X0), ("X1", X1), ("X2", X2), ("X3", X3)
       , ("X4", X4), ("X5", X5), ("X6", X6), ("X7", X7)
       , ("X8", X8), ("X9", X9), ("X10", X10), ("X11", X11)
       , ("X12", X12), ("X13", X13), ("X14", X14), ("X15", X15)
       , ("X16", X16), ("X17", X17), ("X18", X18), ("X19", X19)
       , ("X20", X20), ("X21", X21), ("X22", X22), ("X23", X23)
       , ("X24", X24), ("X25", X25), ("X26", X26), ("X27", X27)
       , ("X28", X28), ("X29", X29), ("X30", X30)
       , ("W0", W0), ("W1", W1), ("W2", W2), ("W3", W3)
       , ("W4", W4), ("W5", W5), ("W6", W6), ("W7", W7)
       , ("W8", W8), ("W9", W9), ("W10", W10), ("W11", W11)
       , ("W12", W12), ("W13", W13), ("W14", W14), ("W15", W15)
       , ("W16", W16), ("W17", W17), ("W18", W18), ("W19", W19)
       , ("W20", W20), ("W21", W21), ("W22", W22), ("W23", W23)
       , ("W24", W24), ("W25", W25), ("W26", W26), ("W27", W27)
       , ("W28", W28), ("W29", W29), ("W30", W30)
       , ("SP", SP), ("XZR", XZR), ("WZR", WZR)
       , ("D0", D0), ("D1", D1), ("D2", D2), ("D3", D3)
       , ("D4", D4), ("D5", D5), ("D6", D6), ("D7", D7)
       , ("D8", D8), ("D9", D9), ("D10", D10), ("D11", D11)
       , ("D12", D12), ("D13", D13), ("D14", D14), ("D15", D15)
       , ("D16", D16), ("D17", D17), ("D18", D18), ("D19", D19)
       , ("D20", D20), ("D21", D21), ("D22", D22), ("D23", D23)
       , ("D24", D24), ("D25", D25), ("D26", D26), ("D27", D27)
       , ("D28", D28), ("D29", D29), ("D30", D30), ("D31", D31)
       , ("S0", S0), ("S1", S1), ("S2", S2), ("S3", S3)
       , ("S4", S4), ("S5", S5), ("S6", S6), ("S7", S7)
       , ("S8", S8), ("S9", S9), ("S10", S10), ("S11", S11)
       , ("S12", S12), ("S13", S13), ("S14", S14), ("S15", S15)
       , ("S16", S16), ("S17", S17), ("S18", S18), ("S19", S19)
       , ("S20", S20), ("S21", S21), ("S22", S22), ("S23", S23)
       , ("S24", S24), ("S25", S25), ("S26", S26), ("S27", S27)
       , ("S28", S28), ("S29", S29), ("S30", S30), ("S31", S31)
       , ("Q0", Q0), ("Q1", Q1), ("Q2", Q2), ("Q3", Q3)
       , ("Q4", Q4), ("Q5", Q5), ("Q6", Q6), ("Q7", Q7)
       , ("Q8", Q8), ("Q9", Q9), ("Q10", Q10), ("Q11", Q11)
       , ("Q12", Q12), ("Q13", Q13), ("Q14", Q14), ("Q15", Q15)
       , ("Q16", Q16), ("Q17", Q17), ("Q18", Q18), ("Q19", Q19)
       , ("Q20", Q20), ("Q21", Q21), ("Q22", Q22), ("Q23", Q23)
       , ("Q24", Q24), ("Q25", Q25), ("Q26", Q26), ("Q27", Q27)
       , ("Q28", Q28), ("Q29", Q29), ("Q30", Q30), ("Q31", Q31)
       ]
 
 -- | Shift operations for indexed addressing.
 data Shift
   = LSL !Int  -- ^ Logical shift left
   | LSR !Int  -- ^ Logical shift right
   | ASR !Int  -- ^ Arithmetic shift right
   deriving (Eq, Show, Generic, NFData)
 
 instance ToJSON Shift
 
 -- | Extend operations.
 data Extend
   = UXTW  -- ^ Unsigned extend word
   | SXTW  -- ^ Signed extend word
   | UXTX  -- ^ Unsigned extend doubleword
   | SXTX  -- ^ Signed extend doubleword
   deriving (Eq, Show, Generic, NFData)
 
 instance ToJSON Extend
 
 -- | Instruction operand.
 data Operand
   = OpReg !Reg                     -- ^ Register operand
   | OpImm !Integer                 -- ^ Immediate value
   | OpShiftedReg !Reg !Shift       -- ^ Shifted register
   | OpExtendedReg !Reg !Extend     -- ^ Extended register
   | OpLabel !Text                  -- ^ Label reference
   | OpAddr !AddrMode               -- ^ Memory address
   deriving (Eq, Show, Generic, NFData)
 
 instance ToJSON Operand
 
 -- | Memory addressing modes.
 data AddrMode
   = BaseImm !Reg !Integer           -- ^ [xN, #imm] or [xN]
   | BaseReg !Reg !Reg               -- ^ [xN, xM]
   | BaseRegShift !Reg !Reg !Shift   -- ^ [xN, xM, lsl #k]
   | BaseRegExtend !Reg !Reg !Extend -- ^ [xN, xM, sxtw]
   | BaseSymbol !Reg !Text           -- ^ [xN, symbol@PAGEOFF]
   | PreIndex !Reg !Integer          -- ^ [xN, #imm]!
   | PostIndex !Reg !Integer         -- ^ [xN], #imm
   | Literal !Text                   -- ^ =label or PC-relative
   deriving (Eq, Show, Generic, NFData)
 
 instance ToJSON AddrMode
 
 -- | Parsed assembly instruction.
 data Instr
   -- Data movement
   = Mov !Reg !Operand
   | Movz !Reg !Integer !(Maybe Shift)
   | Movk !Reg !Integer !(Maybe Shift)
   | Movn !Reg !Integer !(Maybe Shift)
   -- Arithmetic
   | Add !Reg !Reg !Operand
   | Sub !Reg !Reg !Operand
   | Adds !Reg !Reg !Operand
   | Subs !Reg !Reg !Operand
   | Adc !Reg !Reg !Reg
   | Adcs !Reg !Reg !Reg
   | Sbc !Reg !Reg !Reg
   | Neg !Reg !Operand
   | Negs !Reg !Operand
   | Mul !Reg !Reg !Reg
   | Mneg !Reg !Reg !Reg
   | Madd !Reg !Reg !Reg !Reg
   | Msub !Reg !Reg !Reg !Reg
   | Umulh !Reg !Reg !Reg
   | Smulh !Reg !Reg !Reg
   | Udiv !Reg !Reg !Reg
   | Sdiv !Reg !Reg !Reg
   -- Logical
   | And !Reg !Reg !Operand
   | Orr !Reg !Reg !Operand
   | Eor !Reg !Reg !Operand
   | Bic !Reg !Reg !Operand
   | Mvn !Reg !Operand
   | Tst !Reg !Operand
   -- Shifts
   | Lsl !Reg !Reg !Operand
   | Lsr !Reg !Reg !Operand
   | Asr !Reg !Reg !Operand
   | Ror !Reg !Reg !Operand
   -- Bit manipulation
   | Ubfx !Reg !Reg !Int !Int
   | Sbfx !Reg !Reg !Int !Int
   | Bfi !Reg !Reg !Int !Int
   | Extr !Reg !Reg !Reg !Int
   -- Address generation
   | Adr !Reg !Text
   | Adrp !Reg !Text
   -- Load/Store
   | Ldr !Reg !AddrMode
   | Ldrb !Reg !AddrMode
   | Ldrh !Reg !AddrMode
   | Ldrsb !Reg !AddrMode
   | Ldrsh !Reg !AddrMode
   | Ldrsw !Reg !AddrMode
   | Ldur !Reg !AddrMode
   | Str !Reg !AddrMode
   | Strb !Reg !AddrMode
   | Strh !Reg !AddrMode
   | Stur !Reg !AddrMode
   | Ldp !Reg !Reg !AddrMode
   | Stp !Reg !Reg !AddrMode
   -- Acquire/release loads and stores
   | Ldar !Reg !AddrMode
   | Ldarb !Reg !AddrMode
   | Ldarh !Reg !AddrMode
   | Stlr !Reg !AddrMode
   | Stlrb !Reg !AddrMode
   | Stlrh !Reg !AddrMode
   -- Exclusive loads and stores
   | Ldxr !Reg !AddrMode
   | Ldxrb !Reg !AddrMode
   | Ldxrh !Reg !AddrMode
   | Stxr !Reg !Reg !AddrMode   -- status, src, addr
   | Stxrb !Reg !Reg !AddrMode
   | Stxrh !Reg !Reg !AddrMode
   -- Acquire-exclusive loads and release-exclusive stores
   | Ldaxr !Reg !AddrMode
   | Ldaxrb !Reg !AddrMode
   | Ldaxrh !Reg !AddrMode
   | Stlxr !Reg !Reg !AddrMode  -- status, src, addr
   | Stlxrb !Reg !Reg !AddrMode
   | Stlxrh !Reg !Reg !AddrMode
   -- Compare and select
   | Cmp !Reg !Operand
   | Cmn !Reg !Operand
   | Csel !Reg !Reg !Reg !Text  -- condition code
   | Csinc !Reg !Reg !Reg !Text
   | Csinv !Reg !Reg !Reg !Text
   | Csneg !Reg !Reg !Reg !Text
   | Cset !Reg !Text
   | Cinc !Reg !Reg !Text
   -- Branches
   | B !Text
   | BCond !Text !Text  -- condition, target
   | Bl !Text
   | Blr !Reg
   | Br !Reg
   | Ret !(Maybe Reg)
   | Cbz !Reg !Text
   | Cbnz !Reg !Text
   | Tbz !Reg !Int !Text
   | Tbnz !Reg !Int !Text
   -- System
   | Nop
   | Svc !Integer
   -- Other (unparsed but recorded)
   | Other !Text ![Text]
   deriving (Eq, Show, Generic, NFData)
 
 instance ToJSON Instr
 
 -- | A line of assembly (with source location).
 data Line = Line
   { lineNum   :: !Int
   , lineLabel :: !(Maybe Text)
   , lineInstr :: !(Maybe Instr)
   } deriving (Eq, Show, Generic, NFData)
 
 instance ToJSON Line
 
 -- | Taint lattice for register publicness.
 data Taint
   = Public   -- ^ Known to be public (derived from stack/heap pointers)
   | Secret   -- ^ Known or assumed to be secret
   | Unknown  -- ^ Not yet determined
   deriving (Eq, Ord, Show, Generic, NFData)
 
 instance ToJSON Taint
 
 -- | Join operation for taint lattice (least upper bound).
 -- For CT safety: Public only if both are Public.
 -- Order: Public < Unknown < Secret
 joinTaint :: Taint -> Taint -> Taint
 joinTaint Public Public   = Public
 joinTaint Secret _        = Secret
 joinTaint _ Secret        = Secret
 joinTaint _ _             = Unknown  -- Public+Unknown or Unknown+Unknown
 
 -- | Provenance: tracks whether a value derives from known-public sources.
 -- Used to upgrade Unknown taint to Public when provenance can prove safety.
 data Provenance
   = ProvPublic      -- ^ Derived from public root or constant
   | ProvUnknown     -- ^ Unknown origin (e.g., loaded from memory)
   | ProvSecretData  -- ^ Pointer to secret data (loads through it produce Secret)
   deriving (Eq, Ord, Show, Generic, NFData)
 
 instance ToJSON Provenance
 
 -- | Join provenance: ProvPublic only if both are ProvPublic.
 -- ProvSecretData dominates ProvPublic (conservative: might point to secrets).
 -- ProvUnknown dominates everything (can't prove anything).
 joinProvenance :: Provenance -> Provenance -> Provenance
 joinProvenance ProvPublic ProvPublic           = ProvPublic
 joinProvenance ProvSecretData ProvSecretData   = ProvSecretData
 joinProvenance ProvSecretData ProvPublic       = ProvSecretData
 joinProvenance ProvPublic ProvSecretData       = ProvSecretData
 joinProvenance _ _                             = ProvUnknown
 
 -- | Register kind: distinguishes pointers from scalars.
 -- Used to restrict provenance upgrades to pointer-kind registers only.
 data RegKind
   = KindPtr     -- ^ Known to be a pointer (from adr/adrp or pointer arithmetic)
   | KindScalar  -- ^ Known to be a scalar (from loads or arithmetic)
   | KindUnknown -- ^ Unknown kind
   deriving (Eq, Ord, Show, Generic, NFData)
 
 instance ToJSON RegKind
 
 -- | Join register kinds: Ptr only if both are Ptr.
 joinKind :: RegKind -> RegKind -> RegKind
 joinKind KindPtr KindPtr = KindPtr
 joinKind KindScalar _    = KindScalar
 joinKind _ KindScalar    = KindScalar
 joinKind _ _             = KindUnknown
 
 -- | Reason for a violation.
 data ViolationReason
   = SecretBase !Reg      -- ^ Base register is secret
   | SecretIndex !Reg     -- ^ Index register is secret
   | UnknownBase !Reg     -- ^ Base register taint unknown
   | UnknownIndex !Reg    -- ^ Index register taint unknown
   | NonConstOffset       -- ^ Non-constant offset without masking
   deriving (Eq, Show, Generic, NFData)
 
 instance ToJSON ViolationReason where
   toJSON (SecretBase r) =
     object ["type" .= ("secret_base" :: Text), "register" .= r]
   toJSON (SecretIndex r) =
     object ["type" .= ("secret_index" :: Text), "register" .= r]
   toJSON (UnknownBase r) =
     object ["type" .= ("unknown_base" :: Text), "register" .= r]
   toJSON (UnknownIndex r) =
     object ["type" .= ("unknown_index" :: Text), "register" .= r]
   toJSON NonConstOffset =
     object ["type" .= ("non_const_offset" :: Text)]
 
 -- | A memory access violation.
 data Violation = Violation
   { vSymbol :: !Text
   , vLine   :: !Int
   , vInstr  :: !Instr
   , vReason :: !ViolationReason
   } deriving (Eq, Show, Generic, NFData)
 
 instance ToJSON Violation where
   toJSON v = object
     [ "symbol" .= vSymbol v
     , "line"   .= vLine v
     , "instr"  .= show (vInstr v)
     , "reason" .= vReason v
     ]
 
 -- | Reason for flagging an instruction as non-constant-time.
 data NctReason
   = CondBranch      -- ^ Conditional branch
   | IndirectBranch  -- ^ Indirect branch (br, blr)
   | Div             -- ^ Division (udiv, sdiv)
   | RegIndexAddr    -- ^ Register-indexed memory access
   deriving (Eq, Ord, Show, Generic, NFData)
 
 -- | A non-constant-time finding.
 data NctFinding = NctFinding
   { nctLine   :: !Int       -- ^ Source line number
   , nctInstr  :: !Instr     -- ^ The flagged instruction
   , nctReason :: !NctReason -- ^ Why it was flagged
   } deriving (Eq, Show, Generic, NFData)
 
 -- | Line number to Line map for efficient lookup.
 type LineMap = IntMap Line
 
 -- | Per-function argument taint policy.
 -- Specifies which registers and STG stack slots should be seeded.
 data ArgPolicy = ArgPolicy
   { apSecret        :: !(Set Reg)
     -- ^ Registers to mark as Secret (scalar values)
   , apPublic        :: !(Set Reg)
     -- ^ Registers to mark as Public
   , apSecretPointee :: !(Set Reg)
     -- ^ Registers that are pointers to secret data.
     -- The pointer itself is public, but loads through it produce Secret values.
   , apStgSecret     :: !(Set Int)
     -- ^ STG stack offsets (x20-relative) to mark Secret
   , apStgPublic     :: !(Set Int)
     -- ^ STG stack offsets (x20-relative) to mark Public
   } deriving (Eq, Show)
 
 -- | Empty argument policy (no overrides).
 emptyArgPolicy :: ArgPolicy
 emptyArgPolicy = ArgPolicy Set.empty Set.empty Set.empty Set.empty Set.empty
 
 instance FromJSON ArgPolicy where
   parseJSON = withObject "ArgPolicy" $ \o -> do
     secretTexts <- o .:? "secret"
     publicTexts <- o .:? "public"
     secretPointeeTexts <- o .:? "secret_pointee"
     stgSecretInts <- o .:? "stg_secret"
     stgPublicInts <- o .:? "stg_public"
     let parseRegs :: Maybe [Text] -> Either Text (Set Reg)
         parseRegs Nothing = Right Set.empty
         parseRegs (Just ts) =
           let parsed = map (\t -> (t, regFromText t)) ts
               bad = [t | (t, Nothing) <- parsed]
           in  case bad of
                 []    -> Right $ Set.fromList [r | (_, Just r) <- parsed]
                 (b:_) -> Left $ "invalid register: " <> b
         parseInts :: Maybe [Int] -> Set Int
         parseInts Nothing = Set.empty
         parseInts (Just is) = Set.fromList is
     case (parseRegs secretTexts, parseRegs publicTexts, parseRegs secretPointeeTexts) of
       (Left e, _, _) -> fail (T.unpack e)
       (_, Left e, _) -> fail (T.unpack e)
       (_, _, Left e) -> fail (T.unpack e)
       (Right s, Right p, Right sp) -> pure $ ArgPolicy s p sp
         (parseInts stgSecretInts) (parseInts stgPublicInts)
 
 -- | Taint configuration: maps function symbols to argument policies.
 -- Also controls global analysis assumptions.
 data TaintConfig = TaintConfig
   { tcPolicies        :: !(Map Text ArgPolicy)
     -- ^ Per-function argument taint policies
   , tcAssumeStgPublic :: !Bool
     -- ^ Assume untracked STG stack slots are public pointers (default: True).
     -- GHC's STG stack holds closure pointers and return addresses, which are
     -- inherently public. Set to False for paranoid mode.
   } deriving (Eq, Show)
 
 -- | Default taint config with no policies and STG-public assumption on.
 defaultTaintConfig :: TaintConfig
 defaultTaintConfig = TaintConfig
   { tcPolicies        = Map.empty
   , tcAssumeStgPublic = True
   }
 
 instance FromJSON TaintConfig where
   parseJSON v = do
     policies <- parseJSON v
     pure $ TaintConfig policies True