# ARCH5: Provenance-Aware Auto-Suppression

## Goal

Reduce "unknown base" false positives by automatically proving more
bases as public, using local provenance and simple stack-slot tracking.
This is entirely automatic; no manual intervention required.

## Features

1) **Def-use backtrace**
   - Track last definition of each register within a block (and across
     blocks when taint is known).
   - If a base register is derived from a public root via simple
     arithmetic/moves, reclassify it as Public.

2) **Stack slot taint**
   - Track `sp + imm` slots for `str/ldr` with constant offsets.
   - If a slot is written with a Public value, then a later load from the
     same slot yields Public.

3) **GOT/constant pool address patterns**
   - Recognize `adrp` + `ldr [xN, symbol@GOTPAGEOFF]` (and similar)
     patterns as public address derivations.
   - Mark the destination register as Public.

## Design

- Extend the taint state with a small auxiliary provenance map:
  - last-def register source (simple ops only)
  - stack-slot taint map for `[sp, #imm]`
- Apply these enhancements during taint transfer, so violations see a
  more precise taint state without a second pass.

## Conservatism

- Only upgrade to Public on explicit, safe patterns.
- Unknown/Secret never upgrade unless a safe pattern proves it.

## Deliverables

- Fewer Unknown base violations on GHC dumps.
- Optional `--explain` output that shows the provenance chain.
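
The three Features rules and the provenance map from Design, sketched as a single-pass taint transfer over one straight-line block that also records the chain an `--explain` mode could print. This is an added example, not the project's own code: `Taint`, `transfer`, the modelled opcode subset (`adrp`, `ldr`, `str`, `mov`, `add`, `sub`) and the sample block are assumptions made for illustration. Anything outside that subset downgrades its first operand to Unknown and drops all slot knowledge.

```python
import re
from enum import Enum
class Taint(Enum):
    PUBLIC, SECRET, UNKNOWN = "Public", "Secret", "Unknown"

REG = re.compile(r"\b(?:x\d+|sp)\b")
SLOT = re.compile(r"\[sp(?:,\s*#(-?\d+))?\]\s*$")   # plain [sp, #imm], no writeback

def transfer(block, entry):
    """Return (regs, chains): final taints and, per Public register, its proof."""
    regs, chains, slots = dict(entry), {}, {}
    taint = lambda r: regs.get(r, Taint.UNKNOWN)
    def define(dst, t, chain):
        regs[dst] = t
        chains.pop(dst, None)
        if t is Taint.PUBLIC:
            chains[dst] = chain
        if dst == "sp":                     # sp moved: tracked offsets are stale
            slots.clear()
    for ins in block:
        text = re.sub(r"\bw(\d+)\b", r"x\1", ins)   # wN aliases xN: track as one
        op, rest = (text.split(None, 1) + [""])[:2]
        first, _, tail = map(str.strip, rest.partition(","))
        slot, srcs = SLOT.search(tail), REG.findall(tail)
        via = sum((chains.get(s, []) for s in srcs), [])
        if op == "str" and slot:            # spill: slot takes the value's taint
            slots[int(slot.group(1) or 0)] = (taint(first), chains.get(first, []) + [ins])
        elif op == "ldr" and slot:          # reload: yields what the slot holds
            t, chain = slots.get(int(slot.group(1) or 0), (Taint.UNKNOWN, []))
            define(first, t, chain + [ins])
        elif op == "adrp":                  # page address of a symbol
            define(first, Taint.PUBLIC, [ins])
        elif (op == "ldr" and "@GOTPAGEOFF" in tail and srcs
              and all(taint(s) is Taint.PUBLIC for s in srcs)):
            define(first, Taint.PUBLIC, via + [ins])
        elif op in ("mov", "add", "sub"):   # simple ops: worst source taint wins
            ts = {taint(s) for s in srcs}
            t = (Taint.SECRET if Taint.SECRET in ts else
                 Taint.UNKNOWN if Taint.UNKNOWN in ts else Taint.PUBLIC)
            define(first, t, via + [ins])
        else:                               # unmodelled: never upgrade, forget slots
            slots.clear()
            define(first, Taint.UNKNOWN, [])
    return regs, chains

# Constructed block; x0 is assumed Secret at entry.
DEMO = ["adrp x8, _table@GOTPAGE", "ldr x8, [x8, _table@GOTPAGEOFF]",
        "add x9, x8, #16", "str x9, [sp, #8]", "mov x9, x0",
        "ldr x10, [sp, #8]", "ldr x11, [sp, #24]"]
```

Calling `transfer(DEMO, {"x0": Taint.SECRET})` leaves `x10` Public through the spilled slot even though `x9` was overwritten with a Secret value in between, while the load from the never-written slot `#24` stays Unknown.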