git.stella-ops.org/docs/features/unimplemented/binaryindex/delta-signature-matching-and-patch-coverage-analysis.md
2026-02-12 10:27:23 +02:00

Delta signature matching and patch coverage analysis

Module

BinaryIndex

Status

PARTIALLY_IMPLEMENTED

Description

Delta signature matching traces symbol-level changes between vulnerable and fixed builds. PatchCoverageController exposes an API for patch coverage assessment.

Implementation Details

  • Modules: src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.DeltaSig/, src/BinaryIndex/StellaOps.BinaryIndex.WebService/Controllers/
  • Key Classes:
    • DeltaSignatureMatcher (src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.DeltaSig/DeltaSignatureMatcher.cs) - matches delta signatures against target binaries
    • DeltaSignatureGenerator (src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.DeltaSig/DeltaSignatureGenerator.cs) - generates delta signatures from binary pairs
    • DeltaSigService / DeltaSigServiceV2 (src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.DeltaSig/) - service layer for delta signature operations (V2 adds IR diffs)
    • PatchCoverageController (src/BinaryIndex/StellaOps.BinaryIndex.WebService/Controllers/PatchCoverageController.cs) - REST API for patch coverage queries using IDeltaSignatureRepository
    • SymbolChangeTracer (src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.DeltaSig/SymbolChangeTracer.cs) - traces symbol-level changes between builds
    • DeltaScopePolicyGate (src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.DeltaSig/Policy/DeltaScopePolicyGate.cs) - policy gate for delta scope enforcement
  • Interfaces: IDeltaSigService, IDeltaSignatureGenerator, IDeltaSignatureMatcher, ISymbolChangeTracer
  • IR Diff: IrDiffGenerator (src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.DeltaSig/IrDiff/) - generates IR-level diffs between function versions

E2E Test Plan

  • Generate a delta signature from a known vulnerable/fixed binary pair and verify that the signature captures the changed functions
  • Match the generated delta signature against a target binary and verify correct patch status detection
  • Query PatchCoverageController API for patch coverage and verify coverage percentage
  • Verify SymbolChangeTracer identifies added, removed, and modified symbols
  • Verify DeltaScopePolicyGate enforces delta scope policies
  • Verify IR-level diff generation captures semantic function changes beyond byte-level diffs
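
A conceptual sketch of the flow the first four test-plan items exercise (trace symbol changes, generate a delta signature, match it against a target, report coverage). It is an added illustration, not StellaOps code and not the DeltaSig API. Assumptions: the function names, the use of an exact SHA-256 per function body as the signature, coverage defined as the share of changed symbols found in their fixed state, and the constructed sample bytes.

```python
import hashlib

def fn_hash(code):
    """Exact hash of a function body (assumption: bytes are already normalized)."""
    return hashlib.sha256(code).hexdigest() if code is not None else None

def trace_symbol_changes(vuln, fixed):
    """Classify symbols as added, removed or modified between two builds."""
    return {
        "added": sorted(fixed.keys() - vuln.keys()),
        "removed": sorted(vuln.keys() - fixed.keys()),
        "modified": sorted(s for s in vuln.keys() & fixed.keys() if vuln[s] != fixed[s]),
    }

def generate_delta_sig(vuln, fixed):
    """Delta signature: (vulnerable hash, fixed hash) for every changed symbol."""
    changes = trace_symbol_changes(vuln, fixed)
    changed = changes["added"] + changes["removed"] + changes["modified"]
    return {s: (fn_hash(vuln.get(s)), fn_hash(fixed.get(s))) for s in sorted(changed)}

def match_delta_sig(sig, target):
    """Per-symbol state in a target binary plus patch coverage in percent."""
    states = {}
    for sym, (vuln_h, fixed_h) in sig.items():
        h = fn_hash(target.get(sym))  # None when the symbol is absent
        states[sym] = ("patched" if h == fixed_h else
                       "vulnerable" if h == vuln_h else "unknown")
    patched = sum(1 for s in states.values() if s == "patched")
    coverage = 100.0 * patched / len(states) if states else 0.0
    return states, coverage

# Constructed sample builds: symbol name -> function bytes (not real binaries).
VULN = {"parse_hdr": b"\x55\x89\xe5\x01", "copy_buf": b"\x55\x89\xe5\x02",
        "legacy_init": b"\x55\x89\xe5\x03"}
FIXED = {"parse_hdr": b"\x55\x89\xe5\x01", "copy_buf": b"\x55\x89\xe5\x02\x90",
         "check_len": b"\x55\x89\xe5\x04"}
# Constructed partial backport: copy_buf fixed, legacy_init kept, check_len
# present but compiled differently, so an exact hash cannot classify it.
TARGET = {"parse_hdr": b"\x55\x89\xe5\x01", "copy_buf": b"\x55\x89\xe5\x02\x90",
          "legacy_init": b"\x55\x89\xe5\x03", "check_len": b"\x55\x89\xe5\x05"}

if __name__ == "__main__":
    sig = generate_delta_sig(VULN, FIXED)
    print(trace_symbol_changes(VULN, FIXED))
    print(match_delta_sig(sig, TARGET))
```

The "unknown" result for check_len shows the limit of byte-level matching that the IR-level diff item in the test plan is meant to address.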

Verification

  • Run: run-002 (2026-02-11 UTC).
  • Tier 1 build/test projects passed after remediation, including new PatchCoverageController behavior tests and deterministic IDeltaSignatureRepository fallback wiring in WebService.
  • Tier 2 API checks now pass for positive and negative flows on /api/v1/stats/patch-coverage* endpoints.
  • Claim parity remains incomplete for this feature because IrDiffGenerator still uses placeholder diff payload generation (GenerateSingleDiffAsync) instead of real lifted-IR semantic diff extraction, so the full advertised IR-diff capability is not implemented.