IMPL13.md (1075B)
# IMPL13: Implement Register Kind Tracking (Stage 1)

## Summary

Add register kind tracking and restrict provenance upgrades to pointer
kinds, improving detection of secret-indexed memory access. Today a scalar
that inherits public provenance (for example a value loaded through a public
pointer) can be upgraded to a safe base or index; with kind tracking only
registers known to hold a `Ptr` qualify for that upgrade.

## Steps

1) Add kind type
   - Introduce `RegKind` (`Ptr`/`Scalar`/`Unknown`) in `Types.hs`.
   - Add a `ToJSON` instance if the kind is emitted in reports.

2) Extend `TaintState`
   - Add `tsKind :: Map Reg RegKind`.
   - Initialize public roots with `Ptr` (or a subset if needed).

3) Transfer updates
   - For pointer-preserving ops, propagate `Ptr`.
   - For loads and general arithmetic/logic, set `Scalar`.
   - Keep `Unknown` when no information is available.

4) Provenance upgrade rules
   - In `checkBase`, only treat `ProvPublic` as safe if the register's kind is `Ptr`.
   - In `checkIndex`, disallow provenance upgrades (or require `Ptr`).

5) Tests
   - Add tests for cases that previously upgraded a scalar index via provenance
     and now emit a violation.

## Files to Touch

- `lib/Audit/AArch64/Types.hs`
- `lib/Audit/AArch64/Taint.hs`
- `lib/Audit/AArch64/Check.hs`
- `test/`

## Validation

- `cabal test`
- Run the auditor on known vulnerable asm to confirm detection.
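The steps above, carried through as one self-contained sketch. This is an added example and not the auditor's own code: the `Reg`, `Taint`, `Prov`, `Instr` and `Violation` types, the `initState`/`step`/`checkBase`/`checkIndex`/`audit` functions, the choice to let a loaded value inherit its base's provenance, and the `Ptr`-propagation rule for `add` are all assumptions made here so the stage-1 rule can be run end to end against the step-5 test shape.

```haskell
-- Added example, not the project's own code: a self-contained model of the
-- stage-1 register kind tracking and the Ptr-restricted provenance upgrade.
-- All type and function names below are assumptions for this sketch; the
-- real Types.hs / Taint.hs / Check.hs may differ.
module KindTracking where

import Data.Map.Strict (Map)
import qualified Data.Map.Strict as M

newtype Reg = Reg Int deriving (Eq, Ord, Show)          -- x0 .. x30

data RegKind = Ptr | Scalar | Unknown   deriving (Eq, Show)
data Taint   = Public | Secret          deriving (Eq, Show)
data Prov    = ProvPublic | ProvNone    deriving (Eq, Show)

data TaintState = TaintState
  { tsTaint :: Map Reg Taint     -- may the register carry secret data?
  , tsProv  :: Map Reg Prov      -- was it derived from a public root?
  , tsKind  :: Map Reg RegKind   -- new in IMPL13
  } deriving Show

data Instr
  = Add Reg Reg Reg              -- rd = rn + rm
  | Eor Reg Reg Reg              -- rd = rn ^ rm
  | Ldr Reg Reg (Maybe Reg)      -- rd = [rn]  or  rd = [rn + rm]
  deriving Show

data Violation = SecretBase Reg | SecretIndex Reg deriving (Eq, Show)

kindOf  :: TaintState -> Reg -> RegKind
kindOf  st r = M.findWithDefault Unknown r (tsKind st)
taintOf :: TaintState -> Reg -> Taint
taintOf st r = M.findWithDefault Secret r (tsTaint st)   -- conservative default
provOf  :: TaintState -> Reg -> Prov
provOf  st r = M.findWithDefault ProvNone r (tsProv st)

joinTaint :: Taint -> Taint -> Taint
joinTaint Public Public = Public
joinTaint _      _      = Secret

joinProv :: Prov -> Prov -> Prov
joinProv ProvPublic ProvPublic = ProvPublic
joinProv _          _          = ProvNone

-- Step 2: public roots (e.g. argument registers holding buffers) start as Ptr.
initState :: [Reg] -> TaintState
initState roots = TaintState
  { tsTaint = M.fromList [ (r, Public)     | r <- roots ]
  , tsProv  = M.fromList [ (r, ProvPublic) | r <- roots ]
  , tsKind  = M.fromList [ (r, Ptr)        | r <- roots ]
  }

-- Step 3: transfer function.  The load case is the one that matters: the
-- loaded value keeps the base's provenance (assumed rule: it was fetched
-- through a public pointer) but is Secret, since memory contents are unknown,
-- and Scalar, since data is not an address.
step :: TaintState -> Instr -> TaintState
step st instr = case instr of
  Add rd rn rm -> set rd (joinTaint (taintOf st rn) (taintOf st rm))
                         (joinProv  (provOf  st rn) (provOf  st rm))
                         (addKind   (kindOf  st rn) (kindOf  st rm))
  Eor rd rn rm -> set rd (joinTaint (taintOf st rn) (taintOf st rm))
                         (joinProv  (provOf  st rn) (provOf  st rm))
                         Scalar
  Ldr rd rn _  -> set rd Secret (provOf st rn) Scalar
  where
    set rd t p k = st { tsTaint = M.insert rd t (tsTaint st)
                      , tsProv  = M.insert rd p (tsProv  st)
                      , tsKind  = M.insert rd k (tsKind  st) }
    -- pointer plus scalar offset stays a pointer; anything else does not.
    addKind Ptr     Scalar  = Ptr
    addKind Scalar  Ptr     = Ptr
    addKind Unknown _       = Unknown
    addKind _       Unknown = Unknown
    addKind _       _       = Scalar

-- Step 4.  With legacy = False a ProvPublic register is upgraded to safe only
-- when its kind is Ptr; legacy = True reproduces the pre-IMPL13 rule so the
-- two can be compared in a test.
checkBase :: Bool -> TaintState -> Reg -> [Violation]
checkBase legacy st r
  | taintOf st r == Public                                      = []
  | provOf st r == ProvPublic && (legacy || kindOf st r == Ptr) = []
  | otherwise                                                   = [SecretBase r]

-- Indexes are offsets, not pointers, so the new rule allows no upgrade here.
checkIndex :: Bool -> TaintState -> Reg -> [Violation]
checkIndex legacy st r
  | taintOf st r == Public              = []
  | legacy && provOf st r == ProvPublic = []
  | otherwise                           = [SecretIndex r]

-- Audit a straight-line block, checking each load against the state before it.
audit :: Bool -> TaintState -> [Instr] -> [Violation]
audit _      _  []       = []
audit legacy st (i : is) = here ++ audit legacy (step st i) is
  where
    here = case i of
      Ldr _ rn mrm -> checkBase legacy st rn ++ maybe [] (checkIndex legacy st) mrm
      _            -> []

-- Constructed sample in the step-5 test shape: x0 is a public buffer pointer,
-- x1 is loaded through it and then used as an index:
--     ldr x1, [x0]
--     ldr x2, [x0, x1]
sample :: [Instr]
sample = [ Ldr (Reg 1) (Reg 0) Nothing
         , Ldr (Reg 2) (Reg 0) (Just (Reg 1)) ]

main :: IO ()
main = do
  putStr "legacy:  " >> print (audit True  (initState [Reg 0]) sample)
  putStr "stage 1: " >> print (audit False (initState [Reg 0]) sample)
```

Run it with `runghc KindTracking.hs` (only `containers`, which ships with GHC, is needed). The legacy line reports nothing because `x1` inherits `ProvPublic` from `x0`, while the stage-1 line reports the secret index, which is exactly the regression a step-5 test should pin down. The sketch models only the stage-1 restriction: a pointer formed by adding a secret scalar to a public pointer still carries `ProvPublic` and `Ptr` under the rules above, and whether that case should be upgraded is not something this plan decides.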