auditor

An aarch64 constant-time memory access auditing tool.
git clone git://git.ppad.tech/auditor.git

IMPL4.md (1977B)


# IMPL4: Whole-Program Inter-Procedural Fixpoint

## Summary

Implement an opt-in inter-procedural analysis by computing function
summaries and iterating to a fixpoint across the call graph.

## Steps

1) Partition into functions
- Identify function entry labels (top-level labels preceding blocks).
- Assign each basic block to a function based on entry labels.
- Build a per-function CFG (or a block index list per function).

2) Call graph construction
- For each function, scan instructions to find `bl target`.
- Resolve `target` to a known function label (if present).
- Build a call graph adjacency list.

3) Define summary type
- Summary should at minimum include `outTaint :: Map Reg Taint`.
- Provide a join operation for summaries.
- Encode a conservative initial summary.

4) Per-function analysis with call summaries
- Extend taint transfer for `bl` to apply the summary if `--interproc`
  is set and a summary exists for the target.
- For `blr` or unresolved `bl`, fall back to caller-saved invalidation.

5) Fixpoint loop
- Iterate: analyze each function using the current summaries of its callees,
  update its summary, and repeat until no summary changes.
- Use a worklist keyed by function label for efficiency.

6) Integrate with reporting
- Use the stabilized summaries for taint propagation during checking.
- Ensure inter-proc mode does not alter the output format.

7) Tests
- Add fixtures with two functions where taint is set in the caller and
  used in the callee, verifying inter-proc mode suppresses false positives.
- Add fixtures where the callee taints caller-saved registers and check the caller's uses.
- Ensure default mode retains current behavior.
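
The steps above as an added Haskell sketch (not code from the auditor repository): a toy IR, a context-insensitive `outTaint` summary per function, the fixpoint loop over the call graph, the caller-saved fallback for `blr` or an unresolved `bl`, and a step-7 style fixture where a callee's clean write to a caller-saved register would otherwise be flagged. The IR, register model, function names and fixture are all assumptions made for this example.

```haskell
import qualified Data.Map.Strict as M

type Reg = String
data Taint = Clean | Tainted deriving (Eq, Show)
-- Toy IR (assumed): Secret marks a register as secret; Ldr d a loads through address a.
data Instr = Secret Reg | Mov Reg Reg | Ldr Reg Reg | Bl String | Blr Reg | Ret

type Env       = M.Map Reg Taint    -- register taint; absent means Clean
type Summaries = M.Map String Env   -- outTaint per function: registers it writes

taintOf :: Env -> Reg -> Taint
taintOf env r = M.findWithDefault Clean r env

-- Conservative fallback: an unknown callee may have written any caller-saved register.
conservative :: Env
conservative = M.fromList [("x" ++ show n, Tainted) | n <- [0 .. 17 :: Int]]

-- Transfer function. M.union is left-biased: a summary overrides only the
-- registers the callee wrote and leaves the caller's other registers untouched.
step :: Bool -> Summaries -> Env -> Instr -> Env
step interproc sums env ins = case ins of
  Secret d -> M.insert d Tainted env
  Mov d s  -> M.insert d (taintOf env s) env
  Ldr d _  -> M.insert d Clean env       -- simplification: loaded data is public
  Ret      -> env
  Bl t | interproc, Just s <- M.lookup t sums -> M.union s env
  _        -> M.union conservative env   -- blr, or bl to an unknown label

-- Context-insensitive summary: run the body from an all-Clean entry state.
summarize :: Bool -> Summaries -> [Instr] -> Env
summarize interproc sums = foldl (step interproc sums) M.empty

-- Fixpoint: re-summarize every function against its callees' current summaries
-- until no summary changes (a worklist would skip functions whose callees are stable).
fixpoint :: Bool -> M.Map String [Instr] -> Summaries
fixpoint interproc prog = go (M.map (const M.empty) prog)
  where go sums = let sums' = M.map (summarize interproc sums) prog
                  in if sums' == sums then sums else go sums'

-- Loads whose address register is tainted, as (function, instruction index).
violations :: Bool -> M.Map String [Instr] -> [(String, Int)]
violations interproc prog =
  [ (f, i) | (f, body) <- M.toList prog
           , (i, env, Ldr _ a) <- zip3 [0 ..] (scanl (step interproc sums) M.empty body) body
           , taintOf env a == Tainted ]
  where sums = fixpoint interproc prog

-- Constructed fixture: helper leaves a public pointer in x1 and main loads through it.
-- Default mode flags the load (x1 is caller-saved); inter-proc mode does not.
fixture :: M.Map String [Instr]
fixture = M.fromList [ ("helper", [Mov "x1" "x2", Ret])
                     , ("main",   [Secret "x0", Bl "helper", Ldr "x3" "x1", Ret]) ]

main :: IO ()
main = print (violations False fixture) >> print (violations True fixture)
```

Running `main` prints the default-mode report first and the inter-proc report second, so the difference between the two lists is exactly the false positive the fixture is meant to exercise.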
     44 
## Files to Touch

- `lib/Audit/AArch64/CFG.hs` (function partitioning utilities)
- `lib/Audit/AArch64/Taint.hs` (call-summary application)
- `lib/Audit/AArch64/Check.hs` (mode switch + analysis driver)
- `app/Main.hs` (CLI flag)
- `test/`

## Validation

- Run the test suite in default and inter-proc modes.
- Compare violation counts on known dumps.