All skills
Skillintermediate

Zeroize Audit Report

**Run ID:** `<run_id>` **Timestamp:** `<ISO-8601>` **Repository:** `<path>` **Compile DB:** `<compile_db>`

Claude Code Knowledge Pack7/10/2026

Overview

Zeroize Audit Report

Run ID: <run_id> Timestamp: <ISO-8601> Repository: <path> Compile DB: <compile_db>

Configuration:

SettingValue
Optimization levelsO0, O1, O2
MCP modeprefer
MCP availableyes / no
Assembly analysisenabled / disabled
Semantic IR analysisenabled / disabled
CFG analysisenabled / disabled
Runtime testsenabled / disabled
PoC validationmandatory

Executive Summary

MetricCount
Files scanned0
Translation units analyzed0
Total findings0

By Severity

SeverityCount
High0
Medium0

By Confidence

ConfidenceCount
Confirmed0
Likely0
Needs review0

PoC Validation

MetricCount
PoCs generated0
PoCs validated0
Exploitable (confirmed)0
Not exploitable0
Compile failures0
No PoC generated0

By Category

CategoryCount
MISSING_SOURCE_ZEROIZE0
PARTIAL_WIPE0
NOT_ON_ALL_PATHS0
OPTIMIZED_AWAY_ZEROIZE0
SECRET_COPY0
INSECURE_HEAP_ALLOC0
STACK_RETENTION0
REGISTER_SPILL0
MISSING_ON_ERROR_PATH0
NOT_DOMINATING_EXITS0
LOOP_UNROLLED_INCOMPLETE0

Sensitive Objects Inventory

IDNameTypeLocationConfidenceHeuristicHas Wipe
SO-0001keyuint8_t[32]path/to/file.c:45lowname patternno
SO-0002session_keyuint8_t[16]path/to/file.c:89mediumtype hintyes

Findings

High Severity

ZA-0002: STACK_RETENTION — high (confirmed)

Location: path/to/file.c:89 Object: secret_function (stack_frame, 192 bytes)

Evidence:

  • [asm] Stack frame (192 bytes) allocated at function entry; no red-zone clearing before ret at line 112.
  • [asm] sub $0xc0, %rsp at entry; no corresponding zeroing sequence before ret.

Compiler Evidence:

  • Opt levels analyzed: O0, O2
  • O2: Stack allocated 192 bytes; ret reached without clearing red-zone below %rsp.
  • Summary: Stack frame persists with uncleared secret bytes after function return.

Recommended Fix: Add explicit_bzero() across the full stack frame, or use a compiler barrier and volatile wipe loop covering the red-zone.


ZA-0003: REGISTER_SPILL — high (confirmed)

Location: path/to/file.c:156 Object: encrypt (stack_slot, 8 bytes)

Evidence:

  • [asm] movq %r12, -48(%rsp) at line 156 spills key fragment to stack; no corresponding zero-store before ret.

Compiler Evidence:

  • Opt levels analyzed: O0, O2
  • O2: movq %r12, -48(%rsp) without corresponding cleanup of spill slot.
  • Summary: Register spill at -48(%rsp) contains key fragment; slot not cleared before return.

Recommended Fix: Use inline assembly with register constraints to prevent spilling, or add explicit zero-store covering the spill slot before return.


ZA-0005: INSECURE_HEAP_ALLOC — high (confirmed)

Location: path/to/file.c:67 Object: private_key (uint8_t *)

Evidence:

  • [source] malloc() at line 67 allocates buffer for private_key. No mlock() or madvise(MADV_DONTDUMP) found for this allocation.

Recommended Fix: Replace malloc() with OPENSSL_secure_malloc() or sodium_malloc(). Add mlock() and madvise(MADV_DONTDUMP) if using standard allocator.


Medium Severity

ZA-0001: MISSING_SOURCE_ZEROIZE — medium (likely)

Location: path/to/file.c:123 Object: key (uint8_t[32], 32 bytes)

Evidence:

  • [source] Sensitive buffer key matches name pattern; no approved wipe call found before return at line 130.

Recommended Fix: Use explicit_bzero(key, sizeof(key)) on all exit paths.


ZA-0006: OPTIMIZED_AWAY_ZEROIZE — medium (confirmed)

Location: path/to/file.c:88 Object: nonce (uint8_t[12], 12 bytes)

Evidence:

  • [ir] O0 IR contains llvm.memset call zeroing nonce at line 88; absent in O1 IR — dead-store elimination.

Compiler Evidence:

  • Opt levels analyzed: O0, O1, O2
  • O0: llvm.memset(nonce, 0, 12) present at line 88.
  • O1: llvm.memset call removed — dead store eliminated.
  • O2: llvm.memset call absent.
  • Summary: Wipe disappears at O1; cause: dead-store elimination of memset with no subsequent read.

Recommended Fix: Replace memset() with explicit_bzero() or add a volatile compiler barrier after the wipe to prevent elimination.


Needs Review

ZA-0004: SECRET_COPY — high (needs_review)

Location: path/to/file.c:203 Object: session_key (uint8_t[16], 16 bytes)

Evidence:

  • [source] memcpy() at line 203 copies session_key to tmp_key (line 199). No approved wipe tracked for destination tmp_key before it goes out of scope at line 218.

Recommended Fix: Ensure both session_key and tmp_key are zeroized on all exit paths using explicit_bzero().


PoC Validation Results

FindingCategoryPoC FileExit CodeResultImpact
ZA-0001MISSING_SOURCE_ZEROIZEpoc_za_0001_missing_source_zeroize.c0exploitableConfirmed
ZA-0002STACK_RETENTIONpoc_za_0002_stack_retention.c1not_exploitableDowngraded to low (informational)
ZA-0003REGISTER_SPILLpoc_za_0003_register_spill.ccompile_failureNo change

Superseded Findings

No findings were superseded in this run.


Confidence Gate Summary

FindingActionReason
ZA-0004 (SECRET_COPY)Downgraded to needs_reviewMCP unavailable; only 1 non-MCP signal (source pattern match)

Analysis Coverage

MetricValue
TUs in compile DB0
TUs analyzed0
TUs with sensitive objects0
Agent 1 (MCP resolver)success / skipped / failed
Agent 2 (source analyzer)success / failed
Agent 3 (compiler analyzer)N/N TUs succeeded
Agent 4 (report assembler)success
Agent 5 (PoC generator)success / failed
Agent 6 (test generator)success / skipped / failed

Appendix: Evidence Files

FindingEvidence FileDescription
ZA-0002compiler-analysis/a1b2/asm-findings.jsonAssembly analysis output
ZA-0006compiler-analysis/c3d4/ir-findings.jsonIR diff analysis output