# IMPL7: Implement Sidecar Arg Taint Config

## Summary

Add a JSON sidecar file that assigns secret/public taint to argument
registers per function, then seed entry taint states accordingly.

## Steps

1) Define config types
- Add a `TaintConfig` type (Map Text ArgPolicy).
- `ArgPolicy` holds `secret :: Set Reg` and `public :: Set Reg`.
- Add FromJSON instances; parse registers by name with validation.

2) CLI integration
- Extend `app/` CLI to accept `--taint-config PATH`.
- Load JSON with aeson; on error, print message and exit non-zero.
- Store parsed config in the analysis options.

3) Seed entry taint
- Add helper `seedArgs :: ArgPolicy -> TaintState -> TaintState`.
- Apply at function entry for both intra-proc and inter-proc analysis.
- Secret overrides public when both are present.

4) Function lookup
- When analyzing a function, lookup symbol in config map.
- If present, apply `seedArgs` to the entry state before dataflow.
- Optionally warn if config has a symbol not found in CFG.

5) Tests
- Add tests for JSON parsing (valid/invalid regs, overlap rules).
- Add an asm fixture where X0 is secret -> secret-index violation.
- Add a fixture where X0 is public -> no violation.

## Files to Touch

- `app/` CLI entrypoint
- `lib/Audit/AArch64/Taint.hs`
- `lib/Audit/AArch64/Types.hs` (if new types exported)
- `test/`

## Validation

- `cabal test`
- Run auditor on known vulnerable asm with config; expect a violation
  on secret-indexed loads.
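
A sketch of Steps 1, 3 and 4 as one stand-alone program, added here as an illustration and not taken from the project's code. The `Reg`, `Taint` and `TaintState` definitions, the `entryState` helper, the symbol `mul_secret` and the JSON layout (symbol name mapped to `secret`/`public` register lists) are assumptions; it needs `aeson`, `bytestring`, `containers` and `text`.

```haskell
{-# LANGUAGE OverloadedStrings #-}
import           Data.Aeson
import           Data.Aeson.Types (Parser)
import qualified Data.ByteString.Lazy as BL
import qualified Data.Map.Strict as M
import qualified Data.Set as S
import           Data.Text (Text)
import qualified Data.Text as T

-- Assumed stand-ins for the project's own types (not shown on the page).
data Reg = X0 | X1 | X2 | X3 | X4 | X5 | X6 | X7
  deriving (Eq, Ord, Show, Enum, Bounded)
data Taint = Public | Secret deriving (Eq, Show)
type TaintState = M.Map Reg Taint

data ArgPolicy = ArgPolicy { secret :: S.Set Reg, public :: S.Set Reg }
  deriving (Eq, Show)
type TaintConfig = M.Map Text ArgPolicy

-- Validate register names; an unknown name fails the whole parse.
parseReg :: Text -> Parser Reg
parseReg t = case lookup (T.toUpper t) table of
    Just r  -> pure r
    Nothing -> fail ("unknown argument register: " ++ T.unpack t)
  where table = [(T.pack (show r), r) | r <- [minBound .. maxBound]]

instance FromJSON ArgPolicy where
  parseJSON = withObject "ArgPolicy" $ \o -> do
      s <- o .:? "secret" .!= []
      p <- o .:? "public" .!= []
      ArgPolicy <$> regs s <*> regs p
    where regs xs = S.fromList <$> mapM parseReg xs

-- M.unions is left-biased, so secret wins over public, and both win
-- over whatever the incoming entry state already held.
seedArgs :: ArgPolicy -> TaintState -> TaintState
seedArgs (ArgPolicy s p) st = M.unions [tag Secret s, tag Public p, st]
  where tag t = M.fromSet (const t)

-- Step 4: seed only when the analysed symbol appears in the config.
entryState :: TaintConfig -> Text -> TaintState -> TaintState
entryState cfg sym = maybe id seedArgs (M.lookup sym cfg)

load :: BL.ByteString -> Either String TaintConfig
load = eitherDecode

main :: IO ()
main = do
  -- Constructed sample configs: X1 overlaps; "SP" is not an arg register.
  let good = "{\"mul_secret\":{\"secret\":[\"X0\",\"X1\"],\"public\":[\"X1\",\"X2\"]}}"
  print (fmap (\c -> entryState c "mul_secret" M.empty) (load good))
  print (load "{\"f\":{\"secret\":[\"SP\"]}}")
```

The overlapping `X1` entry exercises the "secret overrides public" rule from Step 3, and the second config shows the `Left` error that the CLI in Step 2 would print before exiting non-zero.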