stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity
Files
110cb43e4d8fb135b1a2a9f690a5c9477f1d96a9
git.stella-ops.org/docs/features/unchecked/binaryindex/binary-reachability-analysis.md

1.7 KiB
Raw Blame History

Binary Reachability Analysis

Module

BinaryIndex

Status

IMPLEMENTED

Description

Binary-level reachability analysis integrating with the ReachGraph and taint gate extraction for function-level exploitability assessment.

Implementation Details

  • Modules: src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Analysis/
  • Key Classes:
    • ReachGraphBinaryReachabilityService (src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Analysis/ReachGraphBinaryReachabilityService.cs) - connects binary analysis to the ReachGraph module for function-level reachability
    • TaintGateExtractor (src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Analysis/TaintGateExtractor.cs) - identifies taint gate types (BoundsCheck, NullCheck, AuthCheck, PermissionCheck, TypeCheck) from condition strings
    • SignatureMatcher (src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Analysis/SignatureMatcher.cs) - matches vulnerability signatures at the binary level
  • Models: AnalysisResultModels, FingerprintModels, SignatureIndexModels (src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Analysis/Models/)
  • Interfaces: defined in Interfaces.cs, implementations in Implementations.cs

E2E Test Plan

  • Submit a binary with a known vulnerable function and verify reachability analysis identifies it as reachable from entry points
  • Verify TaintGateExtractor correctly classifies all gate types (bounds, null, auth, permission, type checks)
  • Verify that unreachable vulnerable functions reduce the exploitability score
  • Verify integration between ReachGraphBinaryReachabilityService and the ReachGraph module
  • Verify that taint gate presence between entry point and vulnerable function is reflected in the analysis result