IMPL6.md (1534B)
# IMPL6: Implement Def-Use Provenance

## Summary

Track simple provenance chains for registers and use them to upgrade
Unknown bases to Public when derived from public roots or constants.

## Steps

1) Extend taint state
   - Add `tsProv :: Map Reg Provenance` to `TaintState`.
   - Define `Provenance` type (Root/Const/Derive/Unknown).

2) Populate provenance
   - `adr/adrp` -> `ProvConst` + Public taint.
   - `mov dst, src` -> copy provenance from src.
   - `add/sub dst, src, #imm` -> copy provenance from src.
   - `add/sub dst, src1, src2` -> keep provenance only if both proven
     public and compatible; else clear.
   - `orr/eor/and` with `xzr/wzr` -> preserve provenance.
   - Loads -> clear provenance (unless GOT/stack rule sets Public).
   - Calls -> clear provenance for caller-saved regs (same as taint).

3) Use provenance to upgrade taint
   - When a base reg is Unknown, check provenance chain:
     if it resolves to public, treat as Public for address checks.
   - Do not upgrade Secret.

4) Stack map interaction
   - When storing to stack, optionally store provenance alongside taint.
   - When loading from stack slot, restore provenance if known.

5) Tests
   - Add fixtures for simple provenance chains:
     - adrp/add -> base used in ldr (should be public)
     - mov/add #imm from public root -> base used in ldr
     - provenance cleared after load from unknown memory

## Files to Touch

- `lib/Audit/AArch64/Taint.hs`
- `lib/Audit/AArch64/Types.hs` (if new types exposed)
- `test/`

## Validation

- Re-run on `etc/Curve.s`; expect fewer Unknown base hits.
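
The step 2 transfer rules for `adrp`, `mov`, `add` and loads, together with the step 3 upgrade check, as an added Haskell example that is not the project's own code. Assumptions: the `Instr` type, the `tsTaint` field, the `String` register type, the constructor names other than `ProvConst`, and the taint join are hypothetical, and "compatible" in the register-register rule is reduced to both operands resolving public.

```haskell
import qualified Data.Map.Strict as M

type Reg = String
-- Constructor order doubles as the join order: Public < Unknown < Secret.
data Taint = Public | Unknown | Secret deriving (Eq, Ord, Show)
data Provenance = ProvRoot | ProvConst | ProvDerive Provenance | ProvUnknown
  deriving (Eq, Show)
data TaintState = TaintState
  { tsTaint :: M.Map Reg Taint, tsProv :: M.Map Reg Provenance }

-- Hypothetical instruction subset, destination operand first.
data Instr = Adrp Reg | Mov Reg Reg | AddImm Reg Reg Integer
           | AddReg Reg Reg Reg | Ldr Reg Reg

taintOf :: TaintState -> Reg -> Taint
taintOf st r = M.findWithDefault Unknown r (tsTaint st)

provOf :: TaintState -> Reg -> Provenance
provOf st r = M.findWithDefault ProvUnknown r (tsProv st)

-- A chain is public only if it bottoms out in a root or a constant.
resolvesPublic :: Provenance -> Bool
resolvesPublic (ProvDerive p) = resolvesPublic p
resolvesPublic p              = p `elem` [ProvRoot, ProvConst]

set :: Reg -> Taint -> Provenance -> TaintState -> TaintState
set d t p st = st { tsTaint = M.insert d t (tsTaint st)
                  , tsProv  = M.insert d p (tsProv st) }

step :: TaintState -> Instr -> TaintState
step st i = case i of
  Adrp d       -> set d Public ProvConst st
  Mov d s      -> set d (taintOf st s) (provOf st s) st
  AddImm d s _ -> set d (taintOf st s) (provOf st s) st
  AddReg d a b  -- assumption: "compatible" means both chains resolve public
    | all (resolvesPublic . provOf st) [a, b]
                -> set d (joinT a b) (ProvDerive (provOf st a)) st
    | otherwise -> set d (joinT a b) ProvUnknown st
  Ldr d _      -> set d Unknown ProvUnknown st  -- loaded value: nothing known
  where joinT a b = max (taintOf st a) (taintOf st b)

-- Step 3: only an Unknown base is upgraded; Secret is never touched.
baseTaint :: TaintState -> Reg -> Taint
baseTaint st r = case taintOf st r of
  Unknown | resolvesPublic (provOf st r) -> Public
  t                                      -> t

main :: IO ()
main = mapM_ (\r -> putStrLn (r ++ ": " ++ show (baseTaint st r))) ["x2", "x3", "x4"]
  where -- constructed input: x1 is a public root, x9 holds a secret
    st0 = TaintState (M.fromList [("x9", Secret)]) (M.fromList [("x1", ProvRoot), ("x9", ProvRoot)])
    st  = foldl step st0 [AddImm "x2" "x1" 16, Ldr "x3" "x2", Mov "x4" "x9"]
```

Here `x2` has Unknown taint but a chain ending in a root, `x3` was overwritten by a load, and `x4` carries Secret taint with a chain that would otherwise resolve public, so the three registers exercise the upgrade, the clear-on-load and the no-upgrade-for-Secret rules.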