git.stella-ops.org/docs/marketing/hybrid-reachability.md
Vladimir Moushkov 1995883476
Add Decision Capsules, hybrid reachability, and evidence-linked VEX docs
Introduces new marketing bridge documents for Decision Capsules, Hybrid Reachability, and Evidence-Linked VEX. Updates product vision, README, key features, moat, reachability, and VEX consensus docs to reflect four differentiating capabilities: signed reachability (hybrid static/runtime), deterministic replay, explainable policy with evidence-linked VEX, and sovereign/offline operation. All scan decisions are now described as sealed, reproducible, and audit-grade, with explicit handling of 'Unknown' states and hybrid reachability evidence.
2025-12-11 14:15:07 +02:00


# Hybrid Reachability — Static + Runtime Analysis
> Status: Marketing Bridge Document · December 2025
> Audience: Technical buyers, security architects, compliance teams
<!-- TODO: Review for separate approval - new marketing bridge doc -->
## Executive Summary
Stella Ops isn't just another scanner—it's a different product category: **deterministic, evidence-linked vulnerability decisions** that survive auditors, regulators, and supply-chain propagation.
**Hybrid Reachability** is how we achieve accurate impact analysis: combining static call-graph analysis with runtime process tracing to determine whether vulnerable code is actually reachable. Both edge types are separately attestable with DSSE signatures, providing true hybrid analysis with cryptographic proof.
**Key message**: "True hybrid reachability—static and runtime signals share one verdict."
---
## What is Hybrid Reachability?
Traditional reachability analysis uses either:
- **Static analysis**: Examines code without executing it (call graphs, data flow)
- **Runtime analysis**: Observes actual execution (method hits, stack traces)
Stella Ops uses **both** and reconciles them into a unified reachability decision:
```
┌─────────────────────────────────────────────────────────────┐
│                     Hybrid Reachability                     │
├────────────────────────┬────────────────────────────────────┤
│    Static Analysis     │         Runtime Analysis           │
├────────────────────────┼────────────────────────────────────┤
│ • IL/bytecode walkers  │ • .NET EventPipe                   │
│ • ASP.NET routing      │ • JVM JFR                          │
│ • Call-graph edges     │ • Node inspector                   │
│ • Entry-point prox.    │ • Go/Rust probes                   │
├────────────────────────┴────────────────────────────────────┤
│                                                             │
│                       Lattice Engine                        │
│   ┌─────────────────────────────────────┐                   │
│   │ Merge signals → Score → VEX status  │                   │
│   └─────────────────────────────────────┘                   │
│                                                             │
│   ┌─────────────────────────────────────┐                   │
│   │ DSSE Attestation (Graph + Edges)    │                   │
│   └─────────────────────────────────────┘                   │
└─────────────────────────────────────────────────────────────┘
```
---
## Why Hybrid Matters
### Limitations of Static-Only Analysis
| Issue | Description | Impact |
|-------|-------------|--------|
| **Over-reporting** | Reports paths that never execute | Alert fatigue |
| **Dynamic dispatch** | Misses reflection, DI, runtime binding | False negatives |
| **Framework magic** | ASP.NET/Spring routing not fully modeled | Incomplete coverage |
| **Configuration** | Doesn't account for runtime config | Context-blind |
### Limitations of Runtime-Only Analysis
| Issue | Description | Impact |
|-------|-------------|--------|
| **Coverage gaps** | Only sees executed paths | Misses rare paths |
| **Environment-specific** | Results vary by test coverage | Non-deterministic |
| **No proactive detection** | Requires traffic to observe | Reactive, not preventive |
| **Attack surface** | May miss dormant vulnerabilities | Security risk |
### Hybrid Solution
| Signal Type | Strength | Weakness | Hybrid Benefit |
|-------------|----------|----------|----------------|
| Static | Comprehensive coverage | Over-reports | Runtime filters false positives |
| Runtime | Ground truth | Incomplete | Static catches unexercised paths |
**Result**: Higher confidence with lower false positive/negative rates.
---
## Reachability Lattice
Stella Ops uses a **confidence lattice** with explicit states:
```
UNOBSERVED (0–9)
  < POSSIBLE (10–29)
  < STATIC_PATH (30–59)
  < DYNAMIC_SEEN (60–79)
  < DYNAMIC_USER_TAINTED (80–99)
  < EXPLOIT_CONSTRAINTS_REMOVED (100)
```
| State | Evidence Required | VEX Mapping |
|-------|-------------------|-------------|
| UNOBSERVED | None | under_investigation |
| POSSIBLE | Lockfile-only | under_investigation |
| STATIC_PATH | Static call-graph edge | under_investigation |
| DYNAMIC_SEEN | Runtime method hit | affected |
| DYNAMIC_USER_TAINTED | User input reaches vuln | affected |
| EXPLOIT_CONSTRAINTS_REMOVED | Full exploit chain | affected |
**Key feature**: The `under_investigation` state explicitly handles incomplete data—Stella never marks something "safe" without sufficient evidence.
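A minimal model of the lattice described above, added here as an example and not Stella Ops code: the state names, score bands and VEX mapping are the page's, while the per-signal scores, the mitigation penalty and the `Evidence`/`decide`/`dispute` names are assumptions. It also carries out the contested-edge recompute that the Customer Scenarios section describes.

```python
from dataclasses import dataclass

# (state, low, high, VEX status), bottom to top of the lattice (from the page).
LATTICE = [
    ("UNOBSERVED", 0, 9, "under_investigation"),
    ("POSSIBLE", 10, 29, "under_investigation"),
    ("STATIC_PATH", 30, 59, "under_investigation"),
    ("DYNAMIC_SEEN", 60, 79, "affected"),
    ("DYNAMIC_USER_TAINTED", 80, 99, "affected"),
    ("EXPLOIT_CONSTRAINTS_REMOVED", 100, 100, "affected"),
]
# Assumed base score per evidence kind (kinds are the page's; weights are not).
EVIDENCE_SCORE = {
    "StaticPackageDeclaredOnly": 15, "StaticCallEdge": 45, "RuntimeMethodHit": 70,
    "RuntimeStackSample": 70, "RuntimeHttpRouteHit": 70, "UserInputSource": 90,
}
MITIGATION_PENALTY = 20  # assumed reduction per WAF/config/isolation signal


@dataclass(frozen=True)
class Evidence:
    kind: str
    edge_id: str          # call-graph edge the signal is attached to
    disputed: bool = False


def state_for_score(score: int) -> tuple[str, str]:
    """Clamp to 0..100 and map to (lattice state, VEX status)."""
    score = max(0, min(100, score))
    return next((s, v) for s, lo, hi, v in LATTICE if lo <= score <= hi)


def decide(evidence: list[Evidence], mitigations: int = 0) -> dict:
    """Lattice join (max) over non-disputed signals, minus mitigations.
    No evidence -> UNOBSERVED/under_investigation; no band maps to not_affected."""
    live = [e for e in evidence if not e.disputed]
    raw = max((EVIDENCE_SCORE[e.kind] for e in live), default=0)
    score = max(0, raw - MITIGATION_PENALTY * mitigations)
    state, vex = state_for_score(score)
    return {"score": score, "state": state, "vex": vex,
            "edges": sorted({e.edge_id for e in live})}


def dispute(evidence: list[Evidence], edge_id: str, mitigations: int = 0) -> dict:
    """Scenario 4: exclude the contested edge, recompute, surface the delta."""
    before = decide(evidence, mitigations)
    after = decide([Evidence(e.kind, e.edge_id, e.disputed or e.edge_id == edge_id)
                    for e in evidence], mitigations)
    return {"before": before["state"], "after": after["state"],
            "vex_changed": before["vex"] != after["vex"]}
```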
---
## Attestation Model
Both static and runtime edges are attestable:
### Graph-Level Attestation (Required)
```yaml
level: 0
payload: richgraph-v1
signature: DSSE
storage: cas://reachability/graphs/{blake3}
rekor: always
```
### Edge-Bundle Attestation (Selective)
```yaml
level: 1
payload: edge-bundle (≤512 edges)
criteria:
  - source: runtime
  - source: init_array/constructors
  - status: contested/quarantined
signature: DSSE
storage: cas://reachability/edges/{graph_hash}/{bundle_id}
rekor: configurable
```
This enables:
- **Prove specific paths**: Attest individual runtime-observed edges
- **Dispute resolution**: Quarantine/revoke specific edges
- **Offline verification**: Verify without network access
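A sketch of the edge-bundle flow, added here as an example and not Stella Ops code: the selection criteria, the 512-edge cap and the `cas://reachability/edges/{graph_hash}/{bundle_id}` path are the page's; the payload type, the constructed edges, and the use of SHA-256 and HMAC as stand-ins for the page's blake3 identifiers and asymmetric DSSE signatures are assumptions. `pae` is the DSSE specification's pre-authentication encoding, which is what a DSSE signer actually signs.

```python
import base64, hashlib, hmac, json

MAX_BUNDLE_EDGES = 512                                      # page: edge-bundle (<=512 edges)
PAYLOAD_TYPE = "application/vnd.example.edge-bundle+json"   # assumed payloadType name
SELECT_SOURCES = {"runtime", "init_array", "constructors"}  # page's selection criteria
SELECT_STATUS = {"contested", "quarantined"}

# Constructed sample: three edges from one graph; only the first and third qualify.
SAMPLE_EDGES = [
    {"from": "Api.Get", "to": "Lib.Parse", "source": "runtime", "status": "observed"},
    {"from": "Lib.Parse", "to": "Vuln.Decode", "source": "static", "status": "ok"},
    {"from": "Lib.Init", "to": "Vuln.Setup", "source": "init_array", "status": "contested"},
]


def pae(payload_type: str, payload: bytes) -> bytes:
    """DSSE Pre-Authentication Encoding: the bytes that actually get signed."""
    return b"DSSEv1 %d %s %d %s" % (len(payload_type), payload_type.encode(), len(payload), payload)


def select_edges(edges: list[dict]) -> list[dict]:
    """Edges that merit their own level-1 attestation under the page's criteria."""
    return [e for e in edges if e["source"] in SELECT_SOURCES or e.get("status") in SELECT_STATUS]


def make_bundles(graph_hash: str, edges: list[dict], key: bytes) -> list[dict]:
    """Chunk selected edges into <=512-edge bundles and wrap each in a DSSE envelope."""
    chosen = sorted(select_edges(edges), key=lambda e: (e["from"], e["to"]))  # deterministic order
    bundles = []
    for i in range(0, len(chosen), MAX_BUNDLE_EDGES):
        body = json.dumps({"graph": graph_hash, "edges": chosen[i:i + MAX_BUNDLE_EDGES]},
                          sort_keys=True, separators=(",", ":")).encode()
        bundle_id = hashlib.sha256(body).hexdigest()  # stand-in for the page's blake3 CAS id
        sig = hmac.new(key, pae(PAYLOAD_TYPE, body), hashlib.sha256).digest()  # stand-in signature
        bundles.append({"storage": f"cas://reachability/edges/{graph_hash}/{bundle_id}",
                        "envelope": {"payloadType": PAYLOAD_TYPE,
                                     "payload": base64.b64encode(body).decode(),
                                     "signatures": [{"keyid": "demo", "sig": base64.b64encode(sig).decode()}]}})
    return bundles


def verify_bundle(bundle: dict, key: bytes) -> bool:
    """Offline check: signature over the recomputed PAE, and storage path matches the content hash."""
    env = bundle["envelope"]
    body = base64.b64decode(env["payload"])
    want = hmac.new(key, pae(env["payloadType"], body), hashlib.sha256).digest()
    sig_ok = any(hmac.compare_digest(want, base64.b64decode(s["sig"])) for s in env["signatures"])
    cas_ok = bundle["storage"].rsplit("/", 1)[1] == hashlib.sha256(body).hexdigest()
    return sig_ok and cas_ok
```

Verification needs only the bundle and the key, which is what makes the "offline verification" bullet above possible.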
---
## Competitive Differentiation
| Capability | Stella Ops | Competitors |
|------------|------------|-------------|
| **Analysis type** | Hybrid (static + runtime) | Usually one or the other |
| **Attestation** | DSSE for both edge types | None or graph-only |
| **Unknown handling** | Explicit `under_investigation` | Binary yes/no |
| **Edge-level proof** | Selective edge-bundle DSSE | Not available |
**Battlecard one-liner**: "Static analysis sees code paths; runtime sees execution. Stella sees both—and proves it."
---
## Signal Sources
### Static Analysis Signals
| Signal | Source | Evidence Kind |
|--------|--------|---------------|
| Call-graph edges | Roslyn/IL walkers | `StaticCallEdge` |
| Entry-point proximity | Framework routing models | `StaticEntryPointProximity` |
| Package declarations | Lockfile/manifest | `StaticPackageDeclaredOnly` |
### Runtime Analysis Signals
| Signal | Source | Evidence Kind |
|--------|--------|---------------|
| Method hits | .NET EventPipe | `RuntimeMethodHit` |
| Stack samples | JVM JFR | `RuntimeStackSample` |
| HTTP routes | ASP.NET/Spring routing | `RuntimeHttpRouteHit` |
| User input | Taint analysis | `UserInputSource` |
### Mitigation Signals
| Signal | Source | Effect |
|--------|--------|--------|
| WAF rules | WAF connectors | Score reduction |
| Config flags | Config snapshot | Score reduction |
| Network isolation | Container policy | Score reduction |
---
## Integration with Four Capabilities
Hybrid Reachability is **Capability #1** of four:
1. **Signed Reachability** ← This document
2. **Deterministic Replay** → Reachability evidence in Decision Capsules
3. **Explainable Policy** → Reachability feeds the lattice VEX engine
4. **Sovereign Offline** → All analysis verifiable without network
---
## Customer Scenarios
### Scenario 1: False Positive Reduction
"We're drowning in vulnerability alerts."
→ Hybrid analysis shows 70% of reported CVEs have no reachable path; focus on the 30% that matter.
### Scenario 2: Runtime Validation
"Static analysis says this is reachable—is it really?"
→ Runtime probes observed 0 hits over 30 days; downgrade to `under_investigation`.
### Scenario 3: Audit Proof
"Prove the vulnerable code path is not reachable."
→ Show the signed reachability graph with static call-graph (no path) + runtime traces (no hits).
### Scenario 4: Contested Edge
"We disagree with this reachability finding."
→ Mark the edge as disputed; policy excludes it; recompute reachability; surface the delta.
---
## CLI Integration
```bash
# Scan with hybrid reachability
stella scan --image reg/app@sha256:... --reachability hybrid
# Verify reachability graph
stella graph verify --graph blake3:abc123
# Show reachability decision for a CVE
stella reach show --cve CVE-2025-1234 --component pkg:nuget/Example@1.2.3
# Export edge bundles for audit
stella reach export --graph blake3:abc123 --bundles-only
```
---
## Related Documentation
- `docs/reachability/hybrid-attestation.md` — Attestation technical details
- `docs/reachability/lattice.md` — Scoring model
- `docs/marketing/decision-capsules.md` — Decision Capsules overview
- `docs/marketing/evidence-linked-vex.md` — Evidence-linked VEX