We are presented with a big zip file of SML code, which implements an interpreter for a small ML-like language with a form of taint analysis in its type checker, called Wolf. Concretely, every type in Wolf’s type system has an associated secrecy: it is either “private” or “public”, and in theory, the type system makes it impossible to do any computation on private data to get a public result.

In pupper, however, the taint analysis for if statements is too lax, so we can use it to exfiltrate bits of the flag.

https://blog.vero.site/post/doggo