auditor

An aarch64 constant-time memory access auditing tool.
git clone git://git.ppad.tech/auditor.git

ARCH21.md (1961B)


# ARCH21: Static Non-Constant-Time Instruction Scanner

## Goal

Add a parser-only scan mode that flags non-constant-time instructions
in AArch64 assembly and groups findings by function symbol.

## Motivation

When full taint tracking is too complex or under-specified, a coarse
instruction-level scanner still provides actionable signals. This mode
should be fast, require no dataflow, and rely only on the existing
parser and symbol labeling.

## Scope

- New scan pass over parsed `Line` list.
- Group results by function label (symbol) using the same label
  heuristics as CFG (`isFunctionLabel`).
- No CFG or taint analysis; strictly syntactic inspection.

## Heuristic: Non-Constant-Time Instruction Set

Flag instructions that typically introduce secret-dependent control
flow or memory timing when operands are data-dependent. Proposed set:

- Conditional branches: `b.<cond>`, `cbz`, `cbnz`, `tbz`, `tbnz`
- Indirect branches: `br`, `blr` (control flow depends on register)
- Variable-latency arithmetic:
  - `udiv`, `sdiv`
  - `mul`, `madd`, `msub`, `umull`, `smull`, `umulh`, `smulh`
- Variable-latency shift/rotate when shift amount is register:
  - `lsl`, `lsr`, `asr`, `ror` with `OpReg`/`OpShiftedReg` operands
- Table/indirect memory access patterns:
  - Any load/store with `BaseReg`/`BaseRegShift`/`BaseRegExtend`
    (indexing by register rather than immediate)

Note: This is deliberately conservative and does not prove
non-constant-time behavior; it highlights likely sources.

## Output

- A summary listing count of flagged instructions per function.
- Optional detail mode listing line numbers and instruction text.

## Integration

- Add a new CLI flag: `--scan-nct` (or `--nct`) to run this mode.
- Implement scanner in a new module `Audit.AArch64.NCT`.
- Reuse `isFunctionLabel` to group by symbol while traversing lines.

## Risks

- High false positive rate by design.
- Requires maintenance of the opcode list as parser expands.
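The scan described above, carried through end to end as an added example: a standalone Python re-implementation of the ARCH21 heuristic, not the auditor project's Haskell module `Audit.AArch64.NCT` and sharing none of its types. It parses raw GNU-style AArch64 assembly text rather than the project's `Line` list, and its `is_function_label` is an assumption (assembler-local `.L` labels are not functions, anything else is) standing in for the project's `isFunctionLabel`. The sample input is constructed for the example.

```python
"""Parser-only scan for likely non-constant-time AArch64 instructions.

Added illustration of the ARCH21 heuristic; not the auditor project's
own code. Walks assembly text once, no CFG and no dataflow.
"""
import re
from typing import Dict, List, NamedTuple

# Opcode sets taken from the ARCH21 heuristic list.
COND_BRANCH = {"cbz", "cbnz", "tbz", "tbnz"}          # plus any b.<cond>
INDIRECT_BRANCH = {"br", "blr"}
VAR_LATENCY_ARITH = {"udiv", "sdiv", "mul", "madd", "msub",
                     "umull", "smull", "umulh", "smulh"}
SHIFT_ROTATE = {"lsl", "lsr", "asr", "ror"}

# General-purpose register names: x0-x30, w0-w30, zero registers, sp.
REG_RE = re.compile(r"^(?:[xw](?:[12]?\d|30)|xzr|wzr|sp)$")


class Finding(NamedTuple):
    lineno: int
    category: str
    text: str


def is_function_label(label: str) -> bool:
    """Assumption standing in for the project's isFunctionLabel:
    assembler-local labels (.L...) are not functions, anything else is."""
    return not label.startswith(".L")


def split_operands(rest: str) -> List[str]:
    """Split on top-level commas so '[x2, w1, uxtw]' stays one operand."""
    ops, depth, cur = [], 0, ""
    for ch in rest:
        if ch == "[":
            depth += 1
        elif ch == "]":
            depth -= 1
        if ch == "," and depth == 0:
            ops.append(cur.strip())
            cur = ""
        else:
            cur += ch
    if cur.strip():
        ops.append(cur.strip())
    return ops


def is_reg(op: str) -> bool:
    return bool(REG_RE.match(op))


def register_indexed_memory(ops: List[str]) -> bool:
    """True for '[base, index{, ext/shift}]' addressing, i.e. two registers
    inside the brackets. '[base]' and '[base, #imm]' are not flagged."""
    for op in ops:
        if op.startswith("[") and "]" in op:
            inner = op[1:op.index("]")]
            regs = [p for p in (x.strip() for x in inner.split(",")) if is_reg(p)]
            if len(regs) >= 2:
                return True
    return False


def classify(mnemonic: str, ops: List[str]) -> str:
    """Return the ARCH21 category for one instruction, or '' if not flagged."""
    if mnemonic.startswith("b.") or mnemonic in COND_BRANCH:
        return "cond-branch"
    if mnemonic in INDIRECT_BRANCH:
        return "indirect-branch"
    if mnemonic in VAR_LATENCY_ARITH:
        return "var-latency-arith"
    # Shift/rotate is only flagged when the amount comes from a register.
    if mnemonic in SHIFT_ROTATE and len(ops) == 3 and is_reg(ops[2]):
        return "reg-shift"
    if register_indexed_memory(ops):
        return "reg-indexed-mem"
    return ""


def scan(asm: str) -> Dict[str, List[Finding]]:
    """Attribute each flagged instruction to the most recent function label."""
    findings: Dict[str, List[Finding]] = {}
    current = "<no-symbol>"
    for lineno, raw in enumerate(asm.splitlines(), start=1):
        line = raw.split("//", 1)[0].strip()      # drop GNU as comments
        if not line:
            continue
        if line.endswith(":"):                     # label line
            label = line[:-1]
            if is_function_label(label):
                current = label
                findings.setdefault(current, [])   # report 0-hit functions too
            continue
        if line.startswith("."):                   # assembler directive
            continue
        parts = line.split(None, 1)
        mnemonic = parts[0].lower()
        ops = split_operands(parts[1]) if len(parts) > 1 else []
        cat = classify(mnemonic, ops)
        if cat:
            findings.setdefault(current, []).append(Finding(lineno, cat, line))
    return findings


def summary(findings: Dict[str, List[Finding]]) -> Dict[str, int]:
    """Count of flagged instructions per function (the summary output mode)."""
    return {fn: len(fs) for fn, fs in findings.items()}


# Constructed sample: one branch-free routine and one with several hits.
SAMPLE = """\
        .text
ct_select:
        ldr     x5, [x2, #16]          // immediate offset: not flagged
        cmp     x0, #0
        csel    x0, x1, x2, ne
        lsl     x0, x0, #3             // immediate shift amount: not flagged
        ret
lookup_table:
        and     w1, w1, #0xff
        ldrb    w0, [x2, w1, uxtw]     // register-indexed load
        cbz     w0, .Ldone
        udiv    x0, x0, x1
        lsr     x0, x0, x3             // register shift amount
        b.ne    .Ldone
        br      x4
.Ldone:
        ret
"""

if __name__ == "__main__":
    result = scan(SAMPLE)
    for fn, count in summary(result).items():       # summary mode
        print(f"{fn}: {count}")
        for f in result[fn]:                          # detail mode
            print(f"  line {f.lineno}: [{f.category}] {f.text}")
```

Running it reports `ct_select: 0` and `lookup_table: 6`, with the six detail lines naming the register-indexed `ldrb`, both conditional branches, the `udiv`, the register-amount `lsr` and the `br`. As the Risks section says, these are candidates only: the `lsr` is flagged even though `x3` may hold a public value, and a branch-free function can still leak through a register-indexed load the regex never sees (for example one emitted by a macro).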