ARCH2.md (1384B)
# ARCH2: Inter-Block Taint Propagation

## Problem

Current analysis is intra-block only, so taint does not flow across basic block boundaries. This causes false positives at block entries and reduces precision.

## Goal

Propagate taint across basic blocks using a forward dataflow analysis on the CFG, computing a stable taint-in/taint-out state per block.

## Approach

- Build a CFG with explicit successor lists per block.
- Perform a classic forward fixpoint analysis:
  - Each block has IN and OUT taint maps.
  - IN[b] = join of OUT[p] for all predecessors p.
  - OUT[b] = transfer(b, IN[b]).
- Reuse the existing per-instruction transfer logic already used within a block; extend it to operate on a block's instruction sequence.
- Use the existing taint lattice (Public < Unknown < Secret) and its join.

## Key Decisions

- **Initialization**: the entry block's IN is seeded from the register whitelist (whitelisted registers are Public roots, every other register Unknown); every other block's IN and OUT start as all Unknown.
- **Join**: use `joinTaint` per register across predecessors.
- **Termination**: iterate to a fixpoint with a worklist.

## Reporting

- Check violations while walking each block's instructions, using the per-instruction taint state derived from IN[b] and the transfer function.
- Keep the current output format; this change improves precision only.

## Risks

- CFG correctness for fallthrough and branch targets.
- Proper handling of block labels that are only jump targets.
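The worklist fixpoint and the IN-based violation walk described above, as an added Python example that is not the project's own code. The toy ISA (`mov`, `ldsec`, `br`), the diamond CFG, the function names and the "flag any branch whose condition is not Public" policy are assumptions made for illustration.

```python
from collections import deque

# Taint lattice from the note: Public < Unknown < Secret; joinTaint is the max.
PUBLIC, UNKNOWN, SECRET = 0, 1, 2

def transfer_insn(state, insn):
    """Per-instruction transfer on a constructed toy ISA (an assumption, not the tool's own)."""
    if insn[0] == "mov":        # mov dst, src: copy the source taint
        state[insn[1]] = state[insn[2]]
    elif insn[0] == "ldsec":    # load from secret memory
        state[insn[1]] = SECRET
    return state                # br leaves taint unchanged

def analyze(cfg, entry, regs, whitelist):
    """Forward worklist fixpoint; cfg maps block -> (instructions, successor names)."""
    preds = {b: [p for p, (_, succs) in cfg.items() if b in succs] for b in cfg}
    seed = {r: PUBLIC if r in whitelist else UNKNOWN for r in regs}  # whitelist = public roots
    IN = {b: {r: UNKNOWN for r in regs} for b in cfg}               # other blocks start Unknown
    OUT = {b: dict(IN[b]) for b in cfg}
    work = deque([entry] + [b for b in cfg if b != entry])          # visit every block at least once
    while work:
        b = work.popleft()
        inputs = [OUT[p] for p in preds[b]] + ([seed] if b == entry else [])
        if inputs:   # IN[b] = per-register joinTaint of OUT[p] over all predecessors p
            IN[b] = {r: max(m[r] for m in inputs) for r in regs}
        new_out = dict(IN[b])                        # OUT[b] = transfer(b, IN[b])
        for insn in cfg[b][0]:
            transfer_insn(new_out, insn)
        if new_out != OUT[b]:
            OUT[b] = new_out
            work.extend(cfg[b][1])                   # successors' IN may change: re-examine
    return IN, OUT

def report_violations(cfg, IN):
    """Walk each block from IN[b]; flag a branch whose condition is not Public (assumed policy)."""
    found = []
    for b, (insns, _) in cfg.items():
        state = dict(IN[b])
        for i, insn in enumerate(insns):
            if insn[0] == "br" and state[insn[1]] != PUBLIC:
                found.append((b, i, insn[1], state[insn[1]]))
            transfer_insn(state, insn)
    return found

# Constructed diamond CFG: r2 becomes Secret on the left path and Public on the right.
REGS = ["r0", "r1", "r2"]
CFG = {"entry": ([("ldsec", "r1"), ("br", "r0")], ["left", "right"]),
       "left": ([("mov", "r2", "r1"), ("br", "r0")], ["join"]),  # r0 is Public only via the seed
       "right": ([("mov", "r2", "r0")], ["join"]),
       "join": ([("br", "r2")], ["exit"]), "exit": ([], [])}     # join(Secret, Public) = Secret
```

With the note's initialization, a not-yet-visited back edge contributes Unknown to a loop header's join, so a register that is Public on every path into a loop can still settle at Unknown there; seeding non-entry OUT maps at the lattice bottom (Public) instead avoids that loss while still converging to the least fixpoint.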