stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity

save checkpoint

Browse Source
This commit is contained in:
master
2026-02-14 09:11:48 +02:00
parent 9ca2de05df
commit e9aeadc040
1512 changed files with 30863 additions and 4728 deletions
Download Patch File Download Diff File Expand all files Collapse all files

40
docs/features/checked/attestor/call-stack-reachability-analysis.md Normal file
View File

@@ -0,0 +1,40 @@
# Call-Stack Reachability Analysis
## Module
Attestor
## Status
VERIFIED
## Description
Multi-language call-stack reachability analysis with symbol matching and canonicalization supporting .NET, Java, native (ELF), and scripting languages, plus benchmarking infrastructure with ground-truth validation.
## Implementation Details
- **Reachability Witness Payload**: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Statements/ReachabilityWitnessPayload.cs` (with `.Path` partial) -- captures call-stack paths from entry points to vulnerable functions.
- **Witness Call Path Node**: `Statements/WitnessCallPathNode.cs` -- individual node in a call-stack path with function name, module, and language.
- **Witness Path Node**: `Statements/WitnessPathNode.cs` -- simplified path node for witness evidence.
- **Witness Evidence Metadata**: `Statements/WitnessEvidenceMetadata.cs` -- metadata about the analysis tool and language used.
- **Witness Gate Info**: `Statements/WitnessGateInfo.cs` -- gate configuration for policy evaluation of reachability evidence.
- **Reachability Witness Statement**: `Statements/ReachabilityWitnessStatement.cs` -- wraps payload as in-toto statement.
- **Path Witness Predicate Types**: `src/Attestor/StellaOps.Attestor/StellaOps.Attestor.Core/PathWitnessPredicateTypes.cs` -- predicate type URIs for different path witness types.
- **Micro-Witness Function Evidence**: `Predicates/MicroWitnessFunctionEvidence.cs` -- function-level evidence from call-stack analysis.
- **Note**: Actual call-graph analysis and symbol matching lives in `src/ReachGraph/` and `src/Scanner/`; Attestor provides the attestation wrapper.
## E2E Test Plan
- [ ] Create a `ReachabilityWitnessPayload` with a call-stack path containing 5 nodes (entry -> intermediate -> intermediate -> intermediate -> vulnerable function) and verify all nodes are captured
- [ ] Create `WitnessCallPathNode` entries with .NET namespaced symbols and verify symbol canonicalization preserves full type qualification
- [ ] Create path nodes with Java package-style symbols and verify correct representation
- [ ] Create `WitnessEvidenceMetadata` specifying the analysis tool and language, wrap in statement, and verify metadata persists
- [ ] Verify `WitnessGateInfo` correctly captures policy gate thresholds for reachability evidence
- [ ] Create `MicroWitnessFunctionEvidence` linking a specific function to call-stack evidence and verify the reference chain
- [ ] Wrap a reachability witness in an in-toto statement and verify the predicate type matches `PathWitnessPredicateTypes`
## Verification
| Check | Result |
|-------|--------|
| Tier 0 - Source Verification | PASS |
| Tier 1 - Build + Code Review | PASS |
| Tier 2 - Behavioral Verification | PASS |
| Verified Date | 2026-02-13 |
| Run ID | run-001 |