save checkpoint

2026-02-14 09:11:48 +02:00
parent 9ca2de05df
commit e9aeadc040
1512 changed files with 30863 additions and 4728 deletions
--- a/docs/features/checked/attestor/patch-oracle.md
+++ b/docs/features/checked/attestor/patch-oracle.md
@@ -0,0 +1,43 @@
+# Patch Oracle (Binary Diff for CVE Function Identification)
+
+## Module
+Attestor
+
+## Status
+VERIFIED
+
+## Description
+Patch verification orchestration with patch signature storage and binary diff predicate building is implemented, enabling CVE function identification through patch comparison.
+
+## Implementation Details
+- **Binary Diff Predicate Builder**: `src/Attestor/__Libraries/StellaOps.Attestor.StandardPredicates/BinaryDiff/BinaryDiffPredicateBuilder.cs` (with `.Build`) -- builds binary diff predicates comparing patched vs unpatched binaries to identify CVE-affected functions. Implements `IBinaryDiffPredicateBuilder.cs`.
+- **Binary Diff Predicate Serializer**: `BinaryDiff/BinaryDiffPredicateSerializer.cs` (with `.Normalize`) -- serializes binary diff predicates with deterministic normalization. Implements `IBinaryDiffPredicateSerializer.cs`.
+- **Binary Diff Finding**: `BinaryDiff/BinaryDiffFinding.cs` -- individual diff finding (function added/removed/changed, offset, size).
+- **Binary Diff Section Models**: `BinaryDiff/BinaryDiffSectionModels.cs` -- section-level diff models (text, data, rodata sections).
+- **Binary Diff Metadata Builder**: `BinaryDiff/BinaryDiffMetadataBuilder.cs` -- builds metadata for binary diff comparisons (tool version, binary architecture, compiler info).
+- **Binary Diff Schema**: `BinaryDiff/BinaryDiffSchema.SchemaJson.cs` -- embedded JSON schema for binary diff predicates.
+- **Binary Diff Schema Validation**: `BinaryDiff/BinaryDiffSchemaValidationResult.cs` -- validation result model.
+- **Binary Diff DSSE Verifier**: `BinaryDiff/BinaryDiffDsseVerifier.cs` (with `.Helpers`) -- verifies DSSE-signed binary diff attestations. Implements `IBinaryDiffDsseVerifier.cs`.
+- **Backport Tier 3 Signature**: `__Libraries/StellaOps.Attestor.ProofChain/Generators/BackportProofGenerator.Tier3Signature.cs` -- uses binary diff/HunkSig for backport detection.
+- **Binary Fingerprint Evidence**: `Generators/BinaryFingerprintEvidenceGenerator.cs` (with `.Helpers`) -- generates fingerprint evidence for binary comparison.
+- **Tests**: `__Tests/StellaOps.Attestor.StandardPredicates.Tests/BinaryDiffTests.cs`
+
+## E2E Test Plan
+- [ ] Build a binary diff predicate via `BinaryDiffPredicateBuilder` comparing a patched and unpatched binary; verify the diff identifies changed functions
+- [ ] Verify `BinaryDiffFinding` entries capture function name, offset, and change type (added/removed/modified)
+- [ ] Serialize a binary diff predicate via `BinaryDiffPredicateSerializer` and verify deterministic output (same diff = same bytes)
+- [ ] Validate a binary diff predicate against `BinaryDiffSchema` and verify schema compliance
+- [ ] Sign a binary diff predicate into a DSSE envelope and verify it via `BinaryDiffDsseVerifier`
+- [ ] Build metadata via `BinaryDiffMetadataBuilder` and verify tool version, architecture, and compiler info are captured
+- [ ] Tamper with a signed binary diff attestation and verify `BinaryDiffDsseVerifier` rejects it
+- [ ] Verify `BinaryDiffSectionModels` captures diffs at the section level (text, data, rodata)
+
+## Verification
+
+| Check | Result |
+|-------|--------|
+| Tier 0 - Source Verification | PASS |
+| Tier 1 - Build + Code Review | PASS |
+| Tier 2 - Behavioral Verification | PASS |
+| Verified Date | 2026-02-13 |
+| Run ID | run-001 |