ARCH18.md (1144B)
# ARCH18: STG Stack Slot Seeding via Taint Config

## Goal

Allow the taint configuration to seed STG stack slots (byte offsets relative to `x20`, the STG `Sp` register in GHC's AArch64 register mapping) so that secrets passed on the STG stack, rather than in registers, enter the analysis as Secret from function entry.

## Scope

- Extend the taint config JSON schema with optional STG stack slot lists.
- Apply the seeding at function entry alongside the existing register seeding.

## Config Model

Example:

```json
{
  "_mul_wnaf_info": {
    "secret": ["X23"],
    "stg_secret": [8, 152],
    "stg_public": [24]
  }
}
```

Semantics:

- `stg_secret`: mark `tsStgStack` at each listed offset as Secret.
- `stg_public`: mark `tsStgStack` at each listed offset as Public.
- If an offset appears in both lists, Secret wins (the conservative choice: a conflicting config must never downgrade a slot).
- Offsets are signed integers (bytes) relative to `x20`.

## Integration Points

- Extend `ArgPolicy` to carry the STG stack slot lists.
- Update JSON parsing and validation (the lists must contain only integers).
- Update `seedArgs` (or add `seedStgStack`) to apply the slot seeding.
- Apply the seeding at function entry for config-aware runs.

## Risks

- Incorrect offsets cause false positives (a public slot marked Secret) or, worse, missed findings (a secret slot marked Public or left unseeded).
- Stack slot tracking assumes `x20` is stable until it is modified; the existing SP-like clearing already handles `x20` updates.
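The following is an added worked example of the Config Model and Semantics above, not code from the project. It is written in Python because the design note does not name the project's language; the names `ArgPolicy`, `seedArgs`, `seedStgStack` and `tsStgStack` come from the note, but the dataclass and dict shapes, the `Label` enum and the sample config (which adds a deliberate overlap at offset 8 to exercise the secret-wins rule) are assumptions made here.

```python
"""Parse the ARCH18 taint config extension and seed x20-relative STG stack slots.

Added illustration, not the project's code. Data shapes are assumptions;
only the identifiers ArgPolicy / seedStgStack / tsStgStack come from the note.
"""
import json
from dataclasses import dataclass, field
from enum import Enum


class Label(Enum):
    PUBLIC = "Public"
    SECRET = "Secret"


@dataclass(frozen=True)
class ArgPolicy:
    """Per-function seed policy: secret registers plus x20-relative slot lists."""
    secret_regs: frozenset[str]
    stg_secret: frozenset[int]
    stg_public: frozenset[int]


@dataclass
class TaintState:
    """Stand-in for the analysis state; ts_stg_stack maps byte offset -> Label."""
    ts_regs: dict[str, Label] = field(default_factory=dict)
    ts_stg_stack: dict[int, Label] = field(default_factory=dict)


def _parse_offsets(fn: str, key: str, raw) -> frozenset[int]:
    """Validate an optional offset list: every entry must be a signed integer.
    bool is a subclass of int in Python, so it is rejected explicitly."""
    if raw is None:
        return frozenset()
    if not isinstance(raw, list):
        raise ValueError(f"{fn}.{key}: expected a list of integers")
    for off in raw:
        if isinstance(off, bool) or not isinstance(off, int):
            raise ValueError(f"{fn}.{key}: offset {off!r} is not an integer")
    return frozenset(raw)


def parse_config(text: str) -> dict[str, ArgPolicy]:
    """Parse the taint config JSON into one ArgPolicy per function entry."""
    policies = {}
    for fn, entry in json.loads(text).items():
        regs = entry.get("secret", [])
        if not all(isinstance(r, str) for r in regs):
            raise ValueError(f"{fn}.secret: register names must be strings")
        policies[fn] = ArgPolicy(
            secret_regs=frozenset(regs),
            stg_secret=_parse_offsets(fn, "stg_secret", entry.get("stg_secret")),
            stg_public=_parse_offsets(fn, "stg_public", entry.get("stg_public")),
        )
    return policies


def seed_stg_stack(state: TaintState, policy: ArgPolicy) -> TaintState:
    """Seed slots at function entry. Public is written first, Secret second,
    so an offset present in both lists ends up Secret (secret wins)."""
    for off in policy.stg_public:
        state.ts_stg_stack[off] = Label.PUBLIC
    for off in policy.stg_secret:
        state.ts_stg_stack[off] = Label.SECRET
    return state


def seed_args(state: TaintState, policy: ArgPolicy) -> TaintState:
    """Existing register seeding, followed by the new slot seeding."""
    for reg in policy.secret_regs:
        state.ts_regs[reg] = Label.SECRET
    return seed_stg_stack(state, policy)


def seed_from_config(text: str, fn: str) -> TaintState:
    """Parse the config, look up fn and seed a fresh state for its entry."""
    return seed_args(TaintState(), parse_config(text)[fn])


# Constructed sample mirroring the note's example, with offset 8 listed in
# both stg_secret and stg_public to show the overlap rule.
SAMPLE_CONFIG = """
{
  "_mul_wnaf_info": {
    "secret": ["X23"],
    "stg_secret": [8, 152],
    "stg_public": [24, 8]
  }
}
"""

if __name__ == "__main__":
    st = seed_from_config(SAMPLE_CONFIG, "_mul_wnaf_info")
    for off in sorted(st.ts_stg_stack):
        print(f"[x20 {off:+d}] = {st.ts_stg_stack[off].value}")
```

Validation rejects floats, booleans and non-list values for the slot keys, and negative offsets pass because the note defines offsets as signed; the overlap at offset 8 resolves to Secret regardless of the order in which the two lists are declared in the JSON.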