partly or unimplemented features - now implemented
This commit is contained in:
master
@@ -1,37 +0,0 @@
|
||||
# Cross-Distro Golden Set for Backport Validation
|
||||
|
||||
## Module
|
||||
BinaryIndex
|
||||
|
||||
## Status
|
||||
PARTIALLY_IMPLEMENTED
|
||||
|
||||
## Description
|
||||
Golden set infrastructure exists in BinaryIndex with analysis pipeline and API. The advisory's detailed curated test cases (OpenSSL Heartbleed, sudo Baron Samedit, etc.) and specific database schema may not be fully populated yet.
|
||||
|
||||
## What's Implemented
|
||||
- **Golden Set Infrastructure**: `src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.GoldenSet/` - full authoring, validation, storage, serialization
|
||||
- `GoldenSetExtractor`, `NvdGoldenSetExtractor` - extraction from NVD data
|
||||
- `GoldenSetEnrichmentService` - enriches golden sets with function hints
|
||||
- `GoldenSetValidator`, `ICveValidator` - validation pipeline
|
||||
- `PostgresGoldenSetStore` - PostgreSQL storage
|
||||
- `GoldenSetYamlSerializer` - YAML serialization
|
||||
- **Analysis Pipeline**: `GoldenSetAnalysisPipeline` (`src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Analysis/`) - runs analysis against golden set definitions
|
||||
- **API Controller**: `GoldenSetController` (`src/BinaryIndex/StellaOps.BinaryIndex.WebService/Controllers/`) - CRUD and listing endpoints
|
||||
- **Corpus Connectors**: Alpine (`AlpineCorpusConnector`), Debian (`DebianCorpusConnector`), RPM (`RpmCorpusConnector`) for cross-distro support
|
||||
- **Validation Harness**: `ValidationHarness` and `ValidationHarnessService` for running golden set tests
|
||||
|
||||
## What's Missing
|
||||
- Curated cross-distro test cases for high-impact CVEs (OpenSSL Heartbleed CVE-2014-0160, sudo Baron Samedit CVE-2021-3156, etc.) may not be fully populated in the golden set database
|
||||
- Cross-distro coverage matrix (Alpine vs Debian vs RHEL backport variations for same CVE) may need population
|
||||
- Automated golden set population pipeline from NVD for new CVEs
|
||||
|
||||
## Implementation Plan
|
||||
- Populate golden set database with curated cross-distro test cases for high-impact CVEs
|
||||
- Validate backport detection accuracy across Alpine, Debian, and RHEL for each curated CVE
|
||||
- Build automated pipeline to generate cross-distro golden set entries from NVD advisories
|
||||
- Add cross-distro regression test suite using existing `ValidationHarness` infrastructure
|
||||
|
||||
## Related Documentation
|
||||
- Golden set schema: `src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.GoldenSet/Models/GoldenSetDefinition.cs`
|
||||
- Authoring workflow: `src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.GoldenSet/Authoring/`
|
||||
@@ -1,41 +0,0 @@
|
||||
# ELF Normalization and Delta Hashing
|
||||
|
||||
## Module
|
||||
BinaryIndex
|
||||
|
||||
## Status
|
||||
PARTIALLY_IMPLEMENTED
|
||||
|
||||
## Description
|
||||
Low-entropy delta signatures over ELF segments with normalization (relocation zeroing, NOP canonicalization, jump table rewriting). Not yet implemented.
|
||||
|
||||
## What's Implemented
|
||||
- **Delta Signature Infrastructure**: `src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.DeltaSig/` - function-level delta signatures with V1 and V2 predicates exist
|
||||
- `DeltaSignatureGenerator` - generates delta signatures (function-level, not ELF-segment-level)
|
||||
- `DeltaSignatureMatcher` - matches delta signatures
|
||||
- `CfgExtractor` - extracts control flow graphs
|
||||
- `IrDiffGenerator` - IR-level diff generation
|
||||
- **Binary Diff Engine**: `src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Diff/PatchDiffEngine.cs` - byte-level and function-level diffing
|
||||
- **ELF Feature Extraction**: `ElfFeatureExtractor` (`src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Core/Services/`) - extracts Build-ID and section info from ELF binaries
|
||||
- **Disassembly**: `B2R2DisassemblyPlugin`, `HybridDisassemblyService` - multi-backend disassembly infrastructure
|
||||
|
||||
## What's Missing
|
||||
- ELF segment-level normalization (relocation zeroing to eliminate position-dependent bytes)
|
||||
- NOP canonicalization (normalizing NOP sled variations across compilers)
|
||||
- Jump table rewriting (normalizing indirect jump table entries)
|
||||
- Low-entropy delta hashing over normalized ELF segments (currently delta-sig operates at function level, not segment level)
|
||||
- Segment-aware normalization that handles .text, .rodata, .data sections separately
|
||||
|
||||
## Implementation Plan
|
||||
- Add ELF segment normalization pass to `ElfFeatureExtractor` or new `ElfNormalizer` class
|
||||
- Implement relocation zeroing: identify and zero-out position-dependent bytes (GOT/PLT entries, absolute addresses)
|
||||
- Implement NOP canonicalization: normalize all NOP variants to canonical form
|
||||
- Implement jump table rewriting: normalize indirect jump table entries
|
||||
- Add segment-level delta hashing on normalized output
|
||||
- Integrate with existing `DeltaSignatureGenerator` for hybrid function+segment signatures
|
||||
- Add tests using known ELF binaries with position-dependent variations
|
||||
|
||||
## Related Documentation
|
||||
- Current delta-sig: `src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.DeltaSig/`
|
||||
- ELF extraction: `src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Core/Services/ElfFeatureExtractor.cs`
|
||||
- Disassembly: `src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Disassembly.B2R2/`
|
||||
Reference in New Issue
Block a user