stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity
Files
1bf6bbf3955ecbd8d20f5eeb767da5c7f8324b57
git.stella-ops.org/docs/features/unchecked/attestor/attestable-reachability-slices.md

2.5 KiB
Raw Blame History

Attestable reachability slices (DSSE/in-toto signed evidence)

Module

Attestor

Status

IMPLEMENTED

Description

Reachability witness payloads wrapped in DSSE-signed attestations provide verifiable evidence slices for triage decisions.

Implementation Details

  • Reachability Witness Payload: src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Statements/ReachabilityWitnessPayload.cs (with .Path partial) -- defines the witness payload containing call paths from entry points to vulnerable functions.
  • Witness Path Nodes: WitnessPathNode.cs, WitnessCallPathNode.cs -- model individual nodes in the reachability call path.
  • Witness Evidence Metadata: WitnessEvidenceMetadata.cs -- metadata about the evidence source (scanner, analysis tool, timestamp).
  • Witness Gate Info: WitnessGateInfo.cs -- gate information for policy evaluation of witness data.
  • Reachability Witness Statement: ReachabilityWitnessStatement.cs -- wraps witness payload as an in-toto statement with subject and predicate.
  • Reachability Subgraph: ReachabilitySubgraphStatement.cs -- subgraph attestation for minimal reachability evidence. ReachabilitySubgraphPredicate.cs defines the subgraph predicate.
  • DSSE Signing: src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Signing/ProofChainSigner.cs (with .Verification partial) signs statements. DsseEnvelope.cs, DsseSignature.cs model the envelope.
  • Path Witness Predicate Types: src/Attestor/StellaOps.Attestor/StellaOps.Attestor.Core/PathWitnessPredicateTypes.cs -- defines predicate type URIs for path witnesses.
  • Proof Emitter: IProofEmitter.cs -- interface for emitting signed proofs including reachability slices.

E2E Test Plan

  • Create a ReachabilityWitnessPayload with a call path containing 3+ nodes from entry point to vulnerable function, wrap in ReachabilityWitnessStatement, and verify the statement structure
  • Sign the witness statement via ProofChainSigner and verify the DSSE envelope contains valid signature and payload
  • Verify the signed reachability slice via ProofChainSigner.Verification and confirm signature validation passes
  • Create a ReachabilitySubgraphPredicate with a minimal subgraph (entry point -> intermediate -> sink) and verify it serializes with correct predicate type
  • Modify the signed envelope payload and verify that signature verification fails (tamper detection)
  • Create witness payloads with WitnessEvidenceMetadata from different analysis tools and verify metadata is preserved in the signed attestation