new two advisories and sprints work on them

2026-01-16 18:39:36 +02:00
parent 9daf619954
commit c3a6269d55
72 changed files with 15540 additions and 18 deletions
--- a/docs/modules/binary-index/semantic-diffing.md
+++ b/docs/modules/binary-index/semantic-diffing.md
@@ -589,7 +589,120 @@ Pre-computed test cases with known results:

 ---

-## 15. References
+## 15. Delta-Sig Predicate Attestation
+
+**Sprint Reference**: `SPRINT_20260117_003_BINDEX_delta_sig_predicate`
+
+Delta-sig predicates provide a supply chain attestation format for binary patches, enabling policy-gated releases based on function-level change scope.
+
+### 15.1 Predicate Structure
+
+```jsonc
+{
+  "_type": "https://in-toto.io/Statement/v1",
+  "predicateType": "https://stellaops.io/delta-sig/v1",
+  "subject": [
+    {
+      "name": "libexample-1.1.so",
+      "digest": {
+        "sha256": "abc123..."
+      }
+    }
+  ],
+  "predicate": {
+    "before": {
+      "name": "libexample-1.0.so",
+      "digest": { "sha256": "def456..." }
+    },
+    "after": {
+      "name": "libexample-1.1.so",
+      "digest": { "sha256": "abc123..." }
+    },
+    "diff": [
+      {
+        "function": "process_input",
+        "changeType": "modified",
+        "beforeHash": "sha256:old...",
+        "afterHash": "sha256:new...",
+        "bytesDelta": 48,
+        "semanticSimilarity": 0.87
+      },
+      {
+        "function": "new_handler",
+        "changeType": "added",
+        "afterHash": "sha256:new...",
+        "bytesDelta": 256
+      }
+    ],
+    "summary": {
+      "functionsAdded": 1,
+      "functionsRemoved": 0,
+      "functionsModified": 1,
+      "totalBytesChanged": 304
+    },
+    "timestamp": "2026-01-16T12:00:00Z"
+  }
+}
+```
+
+### 15.2 Policy Gate Integration
+
+The `DeltaScopePolicyGate` enforces limits on patch scope:
+
+```yaml
+policy:
+  deltaSig:
+    maxAddedFunctions: 10
+    maxRemovedFunctions: 5
+    maxModifiedFunctions: 20
+    maxBytesChanged: 50000
+    minSemanticSimilarity: 0.5
+    requireSemanticAnalysis: false
+```
+
+### 15.3 Attestor Integration
+
+Delta-sig predicates integrate with the Attestor module:
+
+1. **Generate** - Create predicate from before/after binary analysis
+2. **Sign** - Create DSSE envelope with cosign/fulcio signature
+3. **Submit** - Log to Rekor transparency log
+4. **Verify** - Validate signature and inclusion proof
+
+### 15.4 CLI Commands
+
+```bash
+# Generate delta-sig predicate
+stella binary diff --before old.so --after new.so --output delta.json
+
+# Generate and attest in one step
+stella binary attest --before old.so --after new.so --sign --rekor
+
+# Verify attestation
+stella binary verify --predicate delta.json --signature sig.dsse
+
+# Check against policy gate
+stella binary gate --predicate delta.json --policy policy.yaml
+```
+
+### 15.5 Semantic Similarity Scoring
+
+When `requireSemanticAnalysis` is enabled, the gate also checks:
+
+| Threshold | Meaning |
+|-----------|---------|
+| > 0.9 | Near-identical (cosmetic changes) |
+| 0.7 - 0.9 | Similar (refactoring, optimization) |
+| 0.5 - 0.7 | Moderate changes (significant logic) |
+| < 0.5 | Major rewrite (requires review) |
+
+### 15.6 Evidence Storage
+
+Delta-sig predicates are stored in the Evidence Locker and can be included in portable bundles for air-gapped verification.
+
+---
+
+## 16. References

 ### Internal

@@ -604,8 +717,10 @@ Pre-computed test cases with known results:
 - [ghidriff Tool](https://github.com/clearbluejar/ghidriff)
 - [SemDiff Paper (arXiv)](https://arxiv.org/abs/2308.01463)
 - [SEI Semantic Equivalence Research](https://www.sei.cmu.edu/annual-reviews/2022-research-review/semantic-equivalence-checking-of-decompiled-binaries/)
+- [in-toto Attestation Framework](https://in-toto.io/)
+- [SLSA Provenance Spec](https://slsa.dev/provenance/v1)

 ---

-*Document Version: 1.0.1*
-*Last Updated: 2026-01-14*
+*Document Version: 1.1.0*
+*Last Updated: 2026-01-16*