# Binary Micro-Witness Golden Demo

This bundle demonstrates binary-level patch verification using StellaOps micro-witnesses.

## Overview

Binary micro-witnesses provide cryptographic proof that a specific binary contains (or doesn't contain) a security fix. This enables auditors and procurement teams to verify patch status without source code access.

## Contents

```
binary-micro-witness/
├── README.md                          # This file
├── witnesses/
│   ├── openssl-cve-2024-0567.json     # Sample witness for OpenSSL CVE
│   └── libcurl-cve-2023-38545.json    # Sample witness for curl CVE
├── verify.ps1                         # PowerShell verification script
├── verify.sh                          # Bash verification script
└── CHECKSUMS.sha256                   # Deterministic checksums for all files
```

## Quick Start

### Windows (PowerShell)

```powershell
.\verify.ps1 -WitnessPath witnesses\openssl-cve-2024-0567.json
```

### Linux/macOS (Bash)

```bash
chmod +x verify.sh
./verify.sh witnesses/openssl-cve-2024-0567.json
```

## Threat Model & Scope

### What Micro-Witnesses Prove

- A specific binary (identified by SHA-256) was analyzed
- The analysis compared function-level signatures against known vulnerable/patched versions
- A confidence score indicates how certain the verdict is

### What Micro-Witnesses Do NOT Prove

- That the binary came from a trusted source (that's what SBOM + attestations are for)
- That the analysis is 100% accurate (confidence scores indicate uncertainty)
- That other vulnerabilities don't exist (only the specified CVE is verified)

### Limitations

- Function-level matching can be affected by heavy compiler optimizations
- Inlined functions may not be detected
- Obfuscated binaries may yield "inconclusive" verdicts

## Offline Verification

This bundle is designed for air-gapped environments:

1. No network access required
2. All verification logic is self-contained
3. Checksums allow integrity verification

## Predicate Schema

Witnesses follow the `https://stellaops.dev/predicates/binary-micro-witness@v1` schema:

```json
{
  "schemaVersion": "1.0.0",
  "binary": {
    "digest": "sha256:...",
    "filename": "libssl.so.3",
    "arch": "linux-amd64"
  },
  "cve": {
    "id": "CVE-2024-0567",
    "advisory": "https://..."
  },
  "verdict": "patched|vulnerable|inconclusive",
  "confidence": 0.95,
  "evidence": [
    {
      "function": "SSL_CTX_new",
      "state": "patched",
      "score": 0.97,
      "method": "semantic_ksg"
    }
  ],
  "tooling": {
    "binaryIndexVersion": "2.1.0",
    "lifter": "b2r2",
    "matchAlgorithm": "semantic_ksg"
  },
  "computedAt": "2026-01-28T12:00:00Z"
}
```

## Reproduction

To regenerate witnesses using the StellaOps CLI:

```bash
# Generate a witness
stella witness generate /path/to/libssl.so.3 --cve CVE-2024-0567 --output witness.json

# Verify a witness
stella witness verify witness.json --offline

# Create an air-gapped bundle
stella witness bundle witness.json --output ./bundle
```

## Version Information

- **Demo Version**: 1.0.0
- **Schema Version**: binary-micro-witness@v1
- **Generated**: 2026-01-28
- **Sprint**: SPRINT_0128_001_BinaryIndex_binary_micro_witness
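## Worked Example: Offline Witness Check

The following Python script is an added example of what an offline consumer of this bundle has to do; it is not the bundle's `verify.sh`/`verify.ps1` and not part of the StellaOps CLI. It ties together the three points of the Offline Verification section and the predicate schema above: it validates a witness against the field set shown in the schema, confirms the binary on disk is the one the witness was computed for by recomputing its SHA-256, applies a consumer-side policy to the verdict and confidence, and checks a `CHECKSUMS.sha256` manifest in `sha256sum` format. The sample witness, the stand-in binary bytes and the manifest are constructed inline (one manifest entry is deliberately wrong to show a tampered file being caught); the `0.9` confidence threshold and the accept/reject/inconclusive policy are this example's assumptions, not something the schema prescribes.

```python
"""Offline check of a binary micro-witness (added example; constructed inputs)."""
import hashlib
import json
import re
from typing import Dict, List

# Field set taken from the predicate schema shown in this README.
REQUIRED_TOP = ("schemaVersion", "binary", "cve", "verdict",
                "confidence", "evidence", "tooling", "computedAt")
REQUIRED_EVIDENCE = ("function", "state", "score", "method")
VALID_VERDICTS = ("patched", "vulnerable", "inconclusive")
DIGEST_RE = re.compile(r"^sha256:([0-9a-f]{64})$")
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def validate_witness(w: dict) -> List[str]:
    """Return a list of schema problems; an empty list means the witness is well-formed."""
    problems = [f"missing field: {k}" for k in REQUIRED_TOP if k not in w]
    if problems:
        return problems
    if not DIGEST_RE.match(w["binary"].get("digest", "")):
        problems.append("binary.digest must be 'sha256:' followed by 64 lowercase hex chars")
    if not CVE_RE.match(w["cve"].get("id", "")):
        problems.append("cve.id is not a CVE identifier")
    if w["verdict"] not in VALID_VERDICTS:
        problems.append(f"unknown verdict: {w['verdict']!r}")
    c = w["confidence"]
    if not isinstance(c, (int, float)) or not 0.0 <= c <= 1.0:
        problems.append("confidence must be a number in [0, 1]")
    for i, ev in enumerate(w["evidence"]):
        problems += [f"evidence[{i}] missing {k}" for k in REQUIRED_EVIDENCE if k not in ev]
    return problems


def check_binary(w: dict, binary_bytes: bytes) -> bool:
    """True only if the file we hold hashes to the digest the witness was computed for."""
    m = DIGEST_RE.match(w["binary"]["digest"])
    return bool(m) and m.group(1) == sha256_hex(binary_bytes)


def decide(w: dict, binary_bytes: bytes, min_confidence: float = 0.9) -> str:
    """Consumer policy (assumption of this example): 'accept' only a schema-valid,
    digest-matching 'patched' verdict at or above min_confidence; 'vulnerable' is
    'reject'; anything weaker is 'inconclusive' so it never silently passes."""
    if validate_witness(w) or not check_binary(w, binary_bytes):
        return "reject"
    if w["verdict"] == "patched" and w["confidence"] >= min_confidence:
        return "accept"
    if w["verdict"] == "vulnerable":
        return "reject"
    return "inconclusive"


def verify_checksums(manifest: str, files: Dict[str, bytes]) -> Dict[str, bool]:
    """Check sha256sum-style lines ('<hex>  <path>' or '<hex> *<path>') against files.
    A listed file that is absent or whose hash differs is reported as False."""
    results: Dict[str, bool] = {}
    for line in manifest.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, path = re.split(r"\s+\*?", line, maxsplit=1)
        results[path] = path in files and sha256_hex(files[path]) == digest.lower()
    return results


# ---- constructed sample data (not the files shipped in this bundle) ----
SAMPLE_BINARY = b"constructed stand-in for libssl.so.3"
SAMPLE_WITNESS = {
    "schemaVersion": "1.0.0",
    "binary": {"digest": f"sha256:{sha256_hex(SAMPLE_BINARY)}",
               "filename": "libssl.so.3", "arch": "linux-amd64"},
    "cve": {"id": "CVE-2024-0567", "advisory": "https://advisory.example/placeholder"},
    "verdict": "patched",
    "confidence": 0.95,
    "evidence": [{"function": "SSL_CTX_new", "state": "patched",
                  "score": 0.97, "method": "semantic_ksg"}],
    "tooling": {"binaryIndexVersion": "2.1.0", "lifter": "b2r2",
                "matchAlgorithm": "semantic_ksg"},
    "computedAt": "2026-01-28T12:00:00Z",
}
SAMPLE_FILES = {
    "witnesses/openssl-cve-2024-0567.json": json.dumps(SAMPLE_WITNESS, sort_keys=True).encode(),
    "verify.sh": b"#!/bin/sh\necho constructed\n",
}
# Second entry is a constructed mismatch: simulates verify.sh having been modified.
SAMPLE_MANIFEST = (
    f"{sha256_hex(SAMPLE_FILES['witnesses/openssl-cve-2024-0567.json'])}  "
    "witnesses/openssl-cve-2024-0567.json\n"
    f"{'0' * 64}  verify.sh\n"
)

if __name__ == "__main__":
    print("schema problems:", validate_witness(SAMPLE_WITNESS))
    print("decision:", decide(SAMPLE_WITNESS, SAMPLE_BINARY))
    print("checksums:", verify_checksums(SAMPLE_MANIFEST, SAMPLE_FILES))
```

Two design points worth noting. The digest comparison is done on the bytes actually in hand, never on the `filename` field: the witness binds to a SHA-256, and a same-named library with different contents must fail. And the policy treats a low-confidence `patched` verdict as `inconclusive` rather than as a pass, which mirrors the "What Micro-Witnesses Do NOT Prove" section: the confidence score expresses uncertainty, so the consumer, not the witness, has to choose the threshold.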