stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity
Files
main
git.stella-ops.org/docs/features/unimplemented/binaryindex/binary-call-graph-extraction-and-reachability-analysis.md
master 5bca406787 save checkpoint: save features
2026-02-12 10:27:23 +02:00

38 lines
2.8 KiB
Markdown
Raw Permalink Blame History

# Binary Call-Graph Extraction and Reachability Analysis
## Module
BinaryIndex
## Status
PARTIALLY_IMPLEMENTED
## Description
Binary call-graph extraction with BinaryCallGraphExtractor, reachability lifting via BinaryReachabilityLifter, dedicated BinaryIndex analysis module, and CLI binary commands.
## Implementation Details
- **Modules**: `src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Analysis/`, `src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Semantic/`, `src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.DeltaSig/`
- **Key Classes**:
- `ReachGraphBinaryReachabilityService` (`src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Analysis/ReachGraphBinaryReachabilityService.cs`) - binary-level reachability integration with ReachGraph
- `TaintGateExtractor` (`src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Analysis/TaintGateExtractor.cs`) - extracts taint gates (bounds checks, null checks, auth checks, permission checks, type checks) from binary call paths
- `CfgExtractor` (`src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.DeltaSig/CfgExtractor.cs`) - control flow graph extraction from disassembled binaries
- `CallNgramGenerator` (`src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Semantic/CallNgramGenerator.cs`) - generates call-sequence n-grams from lifted IR for call graph analysis
- `CallGraphMatcherAdapter` (`src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Validation/Matchers/MatcherAdapters.cs`) - adapter for call graph matching in validation harness
- **Interfaces**: `ICallNgramGenerator`, `IBinaryFeatureExtractor`
## E2E Test Plan
- [ ] Submit an ELF binary and verify call-graph extraction produces a valid set of function nodes and edges
- [ ] Verify `TaintGateExtractor` classifies conditions correctly (bounds check, null check, auth check, permission check, type check)
- [ ] Verify `CfgExtractor` produces control flow graphs from disassembled functions
- [ ] Verify `CallNgramGenerator` generates n-grams (n=2,3,4) from lifted function IR and computes Jaccard similarity
- [ ] Verify `ReachGraphBinaryReachabilityService` integrates with the ReachGraph module for function-level exploitability assessment
- [ ] Verify call-graph-based reachability results feed into the ensemble decision engine
## Verification Outcome (run-001)
- Tier 0/1/2 artifacts: docs/qa/feature-checks/runs/binaryindex/binary-call-graph-extraction-and-reachability-analysis/run-001/
- Result: not implemented at claim parity.
- Missing behavior:
- TaintGateExtractor.ExtractAsync returns empty output and does not perform binary/disassembly path extraction.
- CallGraphMatcherAdapter is placeholder logic with fixed score and TODO comments.
- ReachGraphBinaryReachabilityService.FindPathsAsync currently constructs simplified placeholder paths.
- No focused behavioral tests prove call-graph matcher/reachability adapter semantics end-to-end.
Reference in New Issue View Git Blame Copy Permalink