IMPL2.md (1382B)
# IMPL2: Implement Inter-Block Taint Propagation

## Summary

Implement forward dataflow over the CFG so taint flows across basic
blocks, eliminating the intra-block limitation.

## Steps

1) Inspect CFG and block representation
   - Confirm block structure in `Audit.AArch64.CFG` and how successors are
     computed.
   - Ensure each block has a stable label and list of lines/instructions.

2) Add dataflow driver
   - Implement a worklist fixpoint over blocks:
     - Maintain IN/OUT taint maps per block.
     - Initialize entry IN with whitelist; others Unknown.
     - Recompute OUT via existing per-instruction transfer.
     - Propagate OUT to successors; repeat until stable.

3) Integrate with checking
   - When emitting violations, use the per-instruction taint state from
     the dataflow walk within each block.
   - Preserve existing output and JSON shapes.

4) Tests
   - Add a fixture with two blocks where taint is set in block A and used
     in block B; confirm no false positive at B entry.
   - Add a fixture where taint becomes Secret in A and is used in B; ensure
     violation is reported in B.

## Files to Touch

- `lib/Audit/AArch64/CFG.hs`
- `lib/Audit/AArch64/Taint.hs`
- `lib/Audit/AArch64/Check.hs`
- `test/` fixtures and unit tests

## Validation

- Run tests.
- Re-run audit on a known GHC dump and compare violation count before
  and after; expect fewer false positives at block entries.
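The dataflow driver from step 2 and the checking walk from step 3, as an added example in the project's language; it is not the project's own code. The `Taint` lattice, `Instr`/`Block` types, per-instruction `step` and the two-block fixture are constructed stand-ins for whatever `Audit.AArch64.CFG`/`Taint` actually define.

```haskell
-- Added example, not the project's code; Taint/Instr/Block stand in for Audit.AArch64's.
import qualified Data.Map.Strict as M
import Data.Maybe (fromMaybe)
data Taint = Unknown | Public | Secret deriving (Eq, Ord, Show)
type Reg = String; type Label = String; type TaintMap = M.Map Reg Taint
data Instr = Mov Reg Reg | LoadSecret Reg | Use Reg deriving Show
data Block = Block { instrs :: [Instr], succs :: [Label] }
type CFG = M.Map Label Block
-- Lattice join (Unknown < Public < Secret); an absent register is Unknown.
joinMaps :: TaintMap -> TaintMap -> TaintMap
joinMaps = M.unionWith max
taintOf :: Reg -> TaintMap -> Taint
taintOf r = fromMaybe Unknown . M.lookup r
-- Per-instruction transfer (the tool's existing transfer would replace this).
step :: TaintMap -> Instr -> TaintMap
step m (Mov d s)      = M.insert d (taintOf s m) m
step m (LoadSecret d) = M.insert d Secret m
step m (Use _)        = m
-- Worklist fixpoint: IN[b] = whitelist (entry only) joined with OUT of each
-- predecessor; OUT[b] = transfer over IN[b]; successors re-queued when OUT changes.
fixpoint :: CFG -> Label -> TaintMap -> M.Map Label TaintMap
fixpoint cfg entry whitelist = go (M.keys cfg) M.empty M.empty
  where
    preds = M.fromListWith (++) [ (s, [l]) | (l, b) <- M.toList cfg, s <- succs b ]
    go [] ins _ = ins
    go (l:wl) ins outs =
      let base   = if l == entry then whitelist else M.empty
          inNew  = foldr joinMaps base [ fromMaybe M.empty (M.lookup p outs)
                                       | p <- fromMaybe [] (M.lookup l preds) ]
          outNew = foldl step inNew (instrs (cfg M.! l))
          wl'    = if M.lookup l outs == Just outNew then wl else wl ++ succs (cfg M.! l)
      in go wl' (M.insert l inNew ins) (M.insert l outNew outs)
-- Checking: re-walk each block from its IN state; a Use of any non-Public register
-- is reported with the taint seen there (Unknown at B's entry is the old false positive).
violations :: CFG -> M.Map Label TaintMap -> [(Label, Reg, Taint)]
violations cfg ins = concat [ walk l (fromMaybe M.empty (M.lookup l ins)) (instrs b)
                            | (l, b) <- M.toList cfg ]
  where walk _ _ [] = []
        walk l m (i:is) = [ (l, r, t) | Use r <- [i], let t = taintOf r m, t /= Public ]
                          ++ walk l (step m i) is
-- Constructed fixture from the Tests step: A copies whitelisted x1 into x0 and loads a
-- secret into x2; B uses both. Second print feeds only A's IN, i.e. the intra-block view.
fixture :: CFG
fixture = M.fromList [ ("A", Block [Mov "x0" "x1", LoadSecret "x2"] ["B"])
                     , ("B", Block [Use "x0", Use "x2"] []) ]
main :: IO ()
main = do
  print (violations fixture (fixpoint fixture "A" (M.fromList [("x1", Public)])))
  print (violations fixture (M.singleton "A" (M.fromList [("x1", Public)])))
```

With the fixpoint, B's `Use "x0"` sees the Public taint that flowed from A and only the Secret `x2` is reported; without it, both uses in B are flagged as Unknown, which is the block-entry false positive the Validation step expects to disappear.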