# IMPL17: Implement Heap Taint Propagation

## Summary

Add heap taint propagation so non-stack loads/stores transfer taint and
kind information, enabling detection of secret-indexed memory access.

## Steps

Stage 1 (coarse heap bucket):

1) Extend TaintState
   - Add `tsHeapTaint`, `tsHeapProv`, `tsHeapKind`.

2) Update load/store logic
   - In `loadFromStack` fallback path (non-stack), set dst taint/prov/kind
     from heap bucket.
   - In store helpers, when address is not SP/X20-based, join source into
     heap bucket.

3) Preserve public roots
   - If dst is a public root, continue to set it to Public/KindPtr.

4) Tests
   - Add a test where a secret store to heap taints a later load.
   - Add a test where secret-loaded value used as index triggers violation.

Stage 2 (refined map) is optional and can follow once Stage 1 is stable.

## Files to Touch

- `lib/Audit/AArch64/Taint.hs`
- `test/`

## Validation

- `cabal test`
- Run auditor on `mul_wnaf` with secret seed; expect secret-indexed
  access to be flagged.
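
The Stage 1 transfer rules as a reduced, self-contained model. This is an added illustration, not the project's `Taint.hs`. The types, `step`, `run`, the `Maybe Kind` bottom value and the sample program are assumptions; provenance (`tsHeapProv`) and stack-slot tracking are left out. Only `tsHeapTaint`/`tsHeapKind`, the SP/X20 test and the Public/KindPtr root rule come from the plan.

```haskell
-- Added sketch: a reduced model, not the project's lib/Audit/AArch64/Taint.hs.
import qualified Data.Map.Strict as M
import Data.Maybe (fromMaybe, maybeToList)

data Taint = Public | Secret deriving (Eq, Ord, Show)  -- join is max
data Kind  = KindPtr | KindScalar | KindUnknown deriving (Eq, Show)
data Reg   = SP | X Int deriving (Eq, Ord, Show)
data Instr = Ldr Reg Reg (Maybe Reg)  -- dst, base, optional index
           | Str Reg Reg (Maybe Reg)  -- src, base, optional index

-- Hypothetical TaintState: register facts plus the single coarse heap bucket.
data TaintState = TaintState
  { tsRegs      :: M.Map Reg (Taint, Kind)
  , tsHeapTaint :: Taint
  , tsHeapKind  :: Maybe Kind  -- Nothing until the first heap store
  }
regFact :: TaintState -> Reg -> (Taint, Kind)
regFact st r = fromMaybe (Public, KindUnknown) (M.lookup r (tsRegs st))
isStackBase :: Reg -> Bool
isStackBase r = r == SP || r == X 20

-- One transfer step; `roots` are the public-root registers (step 3).
step :: [Reg] -> TaintState -> Instr -> (TaintState, [String])
step roots st instr = case instr of
  Ldr dst base idx -> (st { tsRegs = M.insert dst (loaded dst base) (tsRegs st) }, viol base idx)
  Str src base idx -> (stored src base, viol base idx)
  where
    loaded dst base
      | dst `elem` roots = (Public, KindPtr)
      | isStackBase base = (Public, KindUnknown)  -- stack slots not modelled here
      | otherwise        = (tsHeapTaint st, fromMaybe KindUnknown (tsHeapKind st))
    stored src base
      | isStackBase base = st
      | otherwise = st { tsHeapTaint = max (tsHeapTaint st) t, tsHeapKind = Just k' }
      where (t, k) = regFact st src
            k'     = maybe k (\h -> if h == k then h else KindUnknown) (tsHeapKind st)
    viol base idx = [ "secret-indexed access via " ++ show r
                    | r <- base : maybeToList idx, fst (regFact st r) == Secret ]

run :: [Reg] -> TaintState -> [Instr] -> (TaintState, [String])
run roots st0 = foldl go (st0, [])
  where go (st, vs) i = let (st', v) = step roots st i in (st', vs ++ v)

main :: IO ()
main = do
  let regs = M.fromList [(X 0, (Public, KindPtr)), (X 1, (Secret, KindScalar)), (X 2, (Public, KindPtr))]
      prog = [Str (X 1) (X 0) Nothing, Ldr (X 3) (X 0) Nothing, Ldr (X 4) (X 2) (Just (X 3)), Ldr (X 0) (X 2) Nothing]
      (st, vs) = run [X 0] (TaintState regs Public Nothing) prog
  print (regFact st (X 3), regFact st (X 0))  -- heap-loaded register vs. reloaded public root
  mapM_ putStrLn vs                           -- violations collected across the program
```

The constructed program mirrors the two tests in step 4: a secret store to the heap followed by a heap load, then that loaded register used as an index. Because the bucket is coarse, every heap load after the first secret store is treated as secret, which is the imprecision the optional Stage 2 map would reduce.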