auditor

An aarch64 constant-time memory access auditing tool.
git clone git://git.ppad.tech/auditor.git

IMPL17.md

# IMPL17: Implement Heap Taint Propagation

## Summary

Add heap taint propagation so non-stack loads/stores transfer taint and
kind information, enabling detection of secret-indexed memory access.

## Steps

Stage 1 (coarse heap bucket):

1) Extend TaintState
- Add `tsHeapTaint`, `tsHeapProv`, `tsHeapKind`.

2) Update load/store logic
- In the `loadFromStack` fallback path (non-stack), set the destination's
  taint/prov/kind from the heap bucket.
- In the store helpers, when the address is not SP/X20-based, join the
  source into the heap bucket.

3) Preserve public roots
- If the destination is a public root, continue to set it to Public/KindPtr.

4) Tests
- Add a test where a secret store to the heap taints a later load.
- Add a test where a secret-loaded value used as an index triggers a violation.

Stage 2 (refined map) is optional and can follow once Stage 1 is stable.
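The Stage 1 design above, as an added worked example in Haskell (the project's language) that is not part of the auditor code base: a toy taint interpreter with per-register and per-stack-slot state plus one coarse heap bucket (`tsHeapTaint`/`tsHeapKind`; `tsHeapProv` is left out), stack-versus-heap load/store handling, SP/X20 preserved as public roots, and a constructed instruction sequence that exercises both tests from step 4. The `SecretInput` pseudo-instruction, the `KindVal` constructor, the kind-join rule and the `Addr` encoding are assumptions for this example, not names from `Taint.hs`.

```haskell
module Main (main) where

import qualified Data.Map.Strict as M
import Data.Maybe (fromMaybe)

type Reg = String

data Taint = Public | Secret deriving (Eq, Show)
-- KindPtr is the plan's name; KindVal is an assumed name for non-pointer data.
data Kind = KindPtr | KindVal deriving (Eq, Show)

-- Stage 1 state: per-register info, per-stack-slot info, one coarse heap bucket.
data TaintState = TaintState
  { tsRegs      :: M.Map Reg (Taint, Kind)
  , tsStack     :: M.Map Int (Taint, Kind)   -- keyed by SP offset
  , tsHeapTaint :: Taint
  , tsHeapKind  :: Kind
  } deriving Show

-- Assumed addressing modes: SP-relative slot, or base register plus optional index.
data Addr = StackSlot Int | Heap Reg (Maybe Reg) deriving Show

data Instr
  = Load Reg Addr       -- ldr dst, [addr]
  | Store Reg Addr      -- str src, [addr]
  | SecretInput Reg     -- assumed pseudo-instruction: register receives a secret seed
  deriving Show

data Violation = SecretIndexedAccess Int Instr deriving Show

-- Public roots: the registers the plan treats as stack/frame bases.
publicRoots :: [Reg]
publicRoots = ["sp", "x20"]

initialState :: TaintState
initialState = TaintState
  { tsRegs      = M.fromList [(r, (Public, KindPtr)) | r <- publicRoots]
  , tsStack     = M.empty
  , tsHeapTaint = Public
  , tsHeapKind  = KindPtr
  }

joinTaint :: Taint -> Taint -> Taint
joinTaint Secret _ = Secret
joinTaint _ t      = t

-- Assumed kind lattice: a join stays a pointer only if both sides were pointers.
joinKind :: Kind -> Kind -> Kind
joinKind KindPtr KindPtr = KindPtr
joinKind _ _             = KindVal

regInfo :: TaintState -> Reg -> (Taint, Kind)
regInfo st r = fromMaybe (Public, KindVal) (M.lookup r (tsRegs st))

-- Step 3 of the plan: a public root keeps Public/KindPtr whatever is written to it.
setReg :: Reg -> (Taint, Kind) -> TaintState -> TaintState
setReg r v st
  | r `elem` publicRoots = st { tsRegs = M.insert r (Public, KindPtr) (tsRegs st) }
  | otherwise            = st { tsRegs = M.insert r v (tsRegs st) }

-- A heap access is secret-indexed when its base or index register is Secret.
addrSecret :: TaintState -> Addr -> Bool
addrSecret _  (StackSlot _)   = False
addrSecret st (Heap base idx) =
  fst (regInfo st base) == Secret || maybe False ((== Secret) . fst . regInfo st) idx

step :: (TaintState, [Violation]) -> (Int, Instr) -> (TaintState, [Violation])
step (st, vs) (pc, ins) = case ins of
  SecretInput r  -> (setReg r (Secret, KindVal) st, vs)
  Load dst addr  -> (setReg dst (loadInfo addr) st, flag addr)
  Store src addr -> (storeInfo src addr, flag addr)
  where
    flag addr | addrSecret st addr = SecretIndexedAccess pc ins : vs
              | otherwise          = vs
    -- Step 2: a stack load reads its slot; the non-stack fallback reads the bucket.
    loadInfo (StackSlot n) = fromMaybe (Public, KindVal) (M.lookup n (tsStack st))
    loadInfo (Heap _ _)    = (tsHeapTaint st, tsHeapKind st)
    -- Step 2: a non-SP/X20 store joins the source into the coarse heap bucket.
    storeInfo src (StackSlot n) = st { tsStack = M.insert n (regInfo st src) (tsStack st) }
    storeInfo src (Heap _ _)    =
      let (t, k) = regInfo st src
      in st { tsHeapTaint = joinTaint (tsHeapTaint st) t
            , tsHeapKind  = joinKind  (tsHeapKind st) k }

audit :: [Instr] -> (TaintState, [Violation])
audit prog = let (st, vs) = foldl step (initialState, []) (zip [0 ..] prog)
             in (st, reverse vs)

-- Constructed sample covering both step-4 tests: a secret stored through a public
-- heap pointer taints a later heap load, and using that value as an index is flagged.
sample :: [Instr]
sample =
  [ SecretInput "x1"                     -- x1 <- secret seed
  , Store "x1" (Heap "x2" Nothing)       -- str x1, [x2]       heap bucket becomes Secret
  , Load  "x3" (Heap "x4" Nothing)       -- ldr x3, [x4]       x3 is Secret via the bucket
  , Store "x3" (StackSlot 16)            -- str x3, [sp, #16]
  , Load  "x5" (StackSlot 16)            -- ldr x5, [sp, #16]  Secret via the stack slot
  , Load  "x6" (Heap "x20" (Just "x5"))  -- ldr x6, [x20, x5]  secret index -> violation
  , Load  "x7" (Heap "x20" (Just "x8"))  -- ldr x7, [x20, x8]  public index, not flagged
  ]

main :: IO ()
main = do
  let (st, vs) = audit sample
  putStrLn $ "x3 = " ++ show (regInfo st "x3")
  putStrLn $ "x5 = " ++ show (regInfo st "x5")
  putStrLn $ "heap bucket = " ++ show (tsHeapTaint st, tsHeapKind st)
  mapM_ print vs
```

Running it reports `x3` and `x5` as `(Secret,KindVal)`, the bucket as `(Secret,KindVal)`, and a single `SecretIndexedAccess 5 ...` for the `[x20, x5]` load; the `[x20, x8]` load and the SP-relative accesses are not flagged. Because the bucket is a single join over every non-stack store, any secret store makes every later heap load Secret, which is the over-approximation Stage 2's refined map is meant to tighten.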

## Files to Touch

- `lib/Audit/AArch64/Taint.hs`
- `test/`

## Validation

- `cabal test`
- Run auditor on `mul_wnaf` with secret seed; expect secret-indexed
  access to be flagged.