git.stella-ops.org/docs/features/checked/attestor/attestable-reachability-slices.md
2026-02-12 10:27:23 +02:00


# Attestable reachability slices (DSSE/in-toto signed evidence)

**Module:** Attestor

**Status:** VERIFIED

## Description

Reachability witness payloads wrapped in DSSE-signed attestations provide verifiable evidence slices for triage decisions.

## Implementation Details

  • Reachability Witness Payload: src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Statements/ReachabilityWitnessPayload.cs (with .Path partial) -- defines the witness payload containing call paths from entry points to vulnerable functions.
  • Witness Path Nodes: WitnessPathNode.cs, WitnessCallPathNode.cs -- model individual nodes in the reachability call path.
  • Witness Evidence Metadata: WitnessEvidenceMetadata.cs -- metadata about the evidence source (scanner, analysis tool, timestamp).
  • Witness Gate Info: WitnessGateInfo.cs -- gate information for policy evaluation of witness data.
  • Reachability Witness Statement: ReachabilityWitnessStatement.cs -- wraps witness payload as an in-toto statement with subject and predicate.
  • Reachability Subgraph: ReachabilitySubgraphStatement.cs -- subgraph attestation for minimal reachability evidence. ReachabilitySubgraphPredicate.cs defines the subgraph predicate.
  • DSSE Signing: src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Signing/ProofChainSigner.cs (with .Verification partial) signs statements. DsseEnvelope.cs, DsseSignature.cs model the envelope.
  • Path Witness Predicate Types: src/Attestor/StellaOps.Attestor/StellaOps.Attestor.Core/PathWitnessPredicateTypes.cs -- defines predicate type URIs for path witnesses.
  • Proof Emitter: IProofEmitter.cs -- interface for emitting signed proofs including reachability slices.

## E2E Test Plan

  • Create a ReachabilityWitnessPayload with a call path containing 3+ nodes from entry point to vulnerable function, wrap in ReachabilityWitnessStatement, and verify the statement structure
  • Sign the witness statement via ProofChainSigner and verify the DSSE envelope contains valid signature and payload
  • Verify the signed reachability slice via ProofChainSigner.Verification and confirm signature validation passes
  • Create a ReachabilitySubgraphPredicate with a minimal subgraph (entry point -> intermediate -> sink) and verify it serializes with correct predicate type
  • Modify the signed envelope payload and verify that signature verification fails (tamper detection)
  • Create witness payloads with WitnessEvidenceMetadata from different analysis tools and verify metadata is preserved in the signed attestation
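The signing, verification and tamper-detection steps of this plan, as an added Go example that is not part of the StellaOps code base: it takes an in-toto statement carrying the `reachability-subgraph.stella/v1` predicate type named in this document, signs the DSSE pre-authentication encoding (PAE) with Ed25519, verifies the envelope, then shows that a payload edited after signing no longer verifies. The subject, the predicate field names and the Go types are assumptions made for the example, not the project's ProofChainSigner or DsseEnvelope classes.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"fmt"
	"strings"
)

var b64 = base64.StdEncoding
// Envelope is a DSSE envelope: payload media type, base64 payload and one or more signatures.
type Envelope struct {
	PayloadType string      `json:"payloadType"`
	Payload     string      `json:"payload"`
	Signatures  []Signature `json:"signatures"`
}
type Signature struct{ Sig string `json:"sig"` }
// PAE is the DSSE pre-authentication encoding. Signing it rather than the raw payload
// binds the payload type to the payload bytes, so neither can be swapped independently.
func PAE(payloadType string, payload []byte) []byte {
	return []byte(fmt.Sprintf("DSSEv1 %d %s %d %s", len(payloadType), payloadType, len(payload), payload))
}
// Sign wraps a serialised in-toto statement in a DSSE envelope with one Ed25519 signature.
func Sign(statement []byte, key ed25519.PrivateKey) Envelope {
	const pt = "application/vnd.in-toto+json"
	sig := ed25519.Sign(key, PAE(pt, statement))
	return Envelope{pt, b64.EncodeToString(statement), []Signature{{b64.EncodeToString(sig)}}}
}
// Verify re-derives the PAE from the envelope and checks every signature, so any edit after signing fails.
func Verify(env Envelope, pub ed25519.PublicKey) bool {
	payload, err := b64.DecodeString(env.Payload)
	ok := err == nil && len(env.Signatures) > 0 // an envelope with no signatures proves nothing
	for _, s := range env.Signatures {
		sig, err := b64.DecodeString(s.Sig)
		ok = ok && err == nil && ed25519.Verify(pub, PAE(env.PayloadType, payload), sig)
	}
	return ok
}
// Constructed statement for an entry point -> intermediate -> sink subgraph; only the predicate type is from this doc.
const subgraphStatement = `{"_type":"https://in-toto.io/Statement/v1","subject":[{"name":"pkg:example/app@1.0",` +
	`"digest":{"sha256":"<constructed>"}}],"predicateType":"reachability-subgraph.stella/v1",` +
	`"predicate":{"nodes":["main.HandleRequest","lib.ParseInput","vuln.Decode"]}}`
// Demo signs the statement, verifies it, then edits the signed payload and verifies again.
func Demo() (valid, tamperedRejected bool) {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil reader means crypto/rand
	env := Sign([]byte(subgraphStatement), priv)
	valid = Verify(env, pub)
	env.Payload = b64.EncodeToString([]byte(strings.Replace(subgraphStatement, "vuln.Decode", "safe.Decode", 1))) // edited after signing
	return valid, !Verify(env, pub)
}
```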

## Verification

  • Verified on 2026-02-11 via run-001.
  • Tier 1 and Tier 2 feature-scoped xUnit class-filtered execution passed (5/5) in:
    • src/Attestor/__Tests/StellaOps.Attestor.ProofChain.Tests/Statements/ReachabilityWitnessAttestationBehaviorTests.cs
  • The full ProofChain suite remains baseline-red with 35 unrelated failures, but the feature-scoped reachability verification passed and includes fresh behavioral evidence.
  • Behavior confirmed:
    • ReachabilityWitnessPayload + ReachabilityWitnessStatement structure with 3-node call path and witness metadata
    • DSSE signing and verification through ProofChainSigner
    • tamper detection on modified DSSE payload
    • ReachabilitySubgraphStatement serialization with predicate type reachability-subgraph.stella/v1
    • witness evidence metadata preservation across signed payload serialization/deserialization
  • Evidence:
    • docs/qa/feature-checks/runs/attestor/attestable-reachability-slices/run-001/tier0-source-check.json
    • docs/qa/feature-checks/runs/attestor/attestable-reachability-slices/run-001/tier1-build-check.json
    • docs/qa/feature-checks/runs/attestor/attestable-reachability-slices/run-001/tier2-integration-check.json