IMPL5.md (1670B)
# IMPL5: Implement Provenance-Aware Auto-Suppression

## Summary

Implement automatic provenance tracking to reclassify Unknown bases as
Public when safe patterns are detected (def-use, stack slots, GOT).

## Steps

1) Extend taint state
   - Add `RegProvenance` map (Reg -> simple origin) and
     `StackSlots` map (Int offset -> Taint).
   - Keep maps minimal: only track cases needed for auto-suppression.

2) Def-use tracking
   - For simple ops (`mov`, `add/sub` with imm, `adr/adrp`, `orr` with
     zero, etc.), record that dst is derived from a public root.
   - When base reg is Unknown, consult provenance: if provenance chain
     resolves to Public, upgrade taint.

3) Stack slot tracking
   - On `str/strb/strh/stp` to `[sp, #imm]`, store taint of source in slot.
   - On `ldr/ldrb/ldrh/ldp` from `[sp, #imm]`, restore slot taint into dst.
   - Only handle constant offsets; ignore indexed addressing.

4) GOT/constant pool patterns
   - When seeing `adrp r, sym@GOTPAGE` then `ldr r, [r, sym@GOTPAGEOFF]`,
     mark `r` Public (and record provenance).
   - Same for `adrp` + `add` + `ldr` patterns as needed.

5) Integrate with inter-proc
   - Ensure provenance and stack-slot maps are per-function analysis state.
   - Preserve summaries as taint-only; do not export provenance across
     function boundaries.

6) Tests
   - Add fixtures for:
     - register derived from public root via mov/add
     - stack spill/reload from `sp, #imm`
     - GOTPAGE+GOTPAGEOFF pattern
   - Verify violations are suppressed where expected.

## Files to Touch

- `lib/Audit/AArch64/Taint.hs`
- `lib/Audit/AArch64/Check.hs` (if explanation is emitted)
- `test/`

## Validation

- Re-run on `etc/Curve.s` and compare violation count.
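As an added worked example of steps 2 to 4 (not the project's Haskell code), a small Python model of the three suppression rules run over the same kind of fixtures step 6 lists: `analyze`, `SAMPLE`, the two regexes and the initial taint map are assumptions, and w/x register aliasing, indexed addressing and the second register of `ldp`/`stp` are deliberately not modelled.

```python
import re

PUBLIC, SECRET, UNKNOWN = "Public", "Secret", "Unknown"
# Constructed sample: x0 is a public pointer, x8 is secret, x9 is never defined.
SAMPLE = """
mov x1, x0
add x2, x1, #16
str x2, [sp, #8]
ldr x3, [sp, #8]
ldr w4, [x3]
adrp x5, tbl@GOTPAGE
ldr x5, [x5, tbl@GOTPAGEOFF]
ldr w6, [x5, #4]
ldr w7, [x9]
ldr w8, [x8]
"""

STACK = re.compile(r"\[sp, #(\d+)\]")   # constant sp offsets only (step 3)
BASE = re.compile(r"\[(\w+)")           # base register of a memory operand
def analyze(text, initial):
    # taint: Reg -> taint (absent = Unknown); prov: RegProvenance (reg -> root
    # reg); slots: StackSlots (offset -> taint); got: reg -> sym after @GOTPAGE
    taint, prov, slots, got, violations = dict(initial), {}, {}, {}, []
    t = lambda r: taint.get(r, UNKNOWN)
    def classify(r):  # Unknown base whose provenance root is Public is Public
        return PUBLIC if t(r) == UNKNOWN and t(prov.get(r, r)) == PUBLIC else t(r)
    for line in text.strip().splitlines():
        op, rest = line.split(None, 1)
        ops = [o.strip() for o in re.split(r",(?![^\[]*\])", rest)]
        dst, src, stack = ops[0], ops[1], STACK.search(line)
        if op[:2] in ("ld", "st") and not stack:   # non-stack memory access
            if classify(BASE.search(line).group(1)) != PUBLIC:
                violations.append(line)              # base not proven public
        if op.startswith("st"):
            if stack: slots[int(stack.group(1))] = classify(dst)  # spill
            continue
        prov.pop(dst, None)
        taint[dst] = UNKNOWN  # dst is redefined: conservative unless a rule fires
        if (op == "mov" and not src.startswith("#")) or \
           (op in ("add", "sub") and ops[2].startswith("#")):   # def-use
            taint[dst], prov[dst] = classify(src), prov.get(src, src)
        elif op in ("adr", "adrp"):                 # symbol address: public
            taint[dst] = PUBLIC
            if src.endswith("@GOTPAGE"): got[dst] = src[:-len("@GOTPAGE")]
        elif op.startswith("ld") and stack:         # reload restores slot taint
            taint[dst] = slots.get(int(stack.group(1)), UNKNOWN)
        elif op.startswith("ld"):                   # load of a GOT entry: public
            base = BASE.search(line).group(1)
            if base in got and f"{got[base]}@GOTPAGEOFF" in line: taint[dst] = PUBLIC
    return taint, violations, prov
```

Running `analyze(SAMPLE, {"x0": PUBLIC, "x8": SECRET})` flags only the `x9` (Unknown) and `x8` (Secret) loads; the stack reload into `x3` and the GOT-derived `x5` are classified Public, and `prov["x2"]` records `x0` as the root for an explanation.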