git.stella-ops.org/docs/features/checked/attestor/binary-diff-predicate-dsse-attestation-for-patch-detection.md
2026-02-14 09:11:48 +02:00

Binary Diff Predicate / DSSE Attestation for Patch Detection

Module

Attestor

Status

VERIFIED

Description

Complete BinaryDiff predicate implementation with DSSE signing/verification, schema validation, normalization, and serialization for patch detection attestations.

Implementation Details

  • BinaryDiff Predicate Builder: src/Attestor/__Libraries/StellaOps.Attestor.StandardPredicates/BinaryDiff/BinaryDiffPredicateBuilder.cs (with .Build partial) -- implements IBinaryDiffPredicateBuilder to construct binary diff predicates from diff findings.
  • BinaryDiff Predicate Serializer: BinaryDiffPredicateSerializer.cs (with .Normalize partial) -- implements IBinaryDiffPredicateSerializer for deterministic serialization with normalization.
  • DSSE Signing: BinaryDiffDsseSigner.cs -- signs binary diff predicates as DSSE envelopes.
  • DSSE Verification: BinaryDiffDsseVerifier.cs (with .Helpers partial) -- implements IBinaryDiffDsseVerifier for verifying signed binary diff attestations.
  • Schema Validation: BinaryDiffSchema.cs (with .SchemaJson partial) -- JSON schema for binary diff predicates. BinaryDiffSchemaValidationResult.cs -- validation result model.
  • Models: BinaryDiffModels.cs -- core diff models. BinaryDiffSectionModels.cs -- section-level diff models (ELF/PE sections). BinaryDiffFinding.cs -- individual diff finding. BinaryDiffOptions.cs -- configuration.
  • Metadata: BinaryDiffMetadataBuilder.cs -- builds metadata for diff predicates.
  • DI Registration: ServiceCollectionExtensions.cs -- registers all BinaryDiff services.
  • Tests: __Tests/StellaOps.Attestor.StandardPredicates.Tests/BinaryDiff/ -- BinaryDiffPredicateBuilderTests.cs, BinaryDiffPredicateSerializerTests.cs, BinaryDiffDsseSignerTests.cs, BinaryDiffSchemaValidationTests.cs

E2E Test Plan

  • Build a binary diff predicate from a set of BinaryDiffFinding entries via BinaryDiffPredicateBuilder and verify the predicate contains all findings
  • Serialize the predicate via BinaryDiffPredicateSerializer and verify normalization produces deterministic output (serialize twice, compare bytes)
  • Sign the serialized predicate via BinaryDiffDsseSigner and verify the DSSE envelope is well-formed
  • Verify the signed envelope via BinaryDiffDsseVerifier and confirm verification passes
  • Tamper with the signed envelope payload and verify BinaryDiffDsseVerifier returns failure
  • Validate a predicate against the JSON schema via BinaryDiffSchema and verify it passes
  • Create a predicate with section-level diffs (BinaryDiffSectionModels) for ELF .text and .rodata sections and verify section details are preserved
  • Create a predicate missing required fields and verify schema validation catches the error
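
The determinism, sign, verify and tamper steps of the plan above, as an added sketch that is not the project's code and does not use the StellaOps.Attestor API. The names Finding, Envelope, DsseSketch and their methods are hypothetical, the payload type is an assumption, the sample findings are constructed, and the envelope is reduced to a single signature without a keyid.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Text;
using System.Text.Json;

// Added example: every type and method name here is hypothetical, not the StellaOps API.
// Constructed sample findings, given in two different input orders.
var a = new[] { new Finding(".text", "modified"), new Finding(".rodata", "identical") };
var b = new[] { a[1], a[0] };
var payload = DsseSketch.Normalize(a);
Console.WriteLine($"deterministic: {payload.AsSpan().SequenceEqual(DsseSketch.Normalize(b))}");

using var key = ECDsa.Create(ECCurve.NamedCurves.nistP256); // throwaway demo key
var env = DsseSketch.Sign(key, payload);
Console.WriteLine($"verifies: {DsseSketch.Verify(key, env)}");

// Tamper check: swap in a different predicate but keep the original signature.
var forged = DsseSketch.Normalize(new[] { new Finding(".text", "identical") });
var tampered = env with { Payload = Convert.ToBase64String(forged) };
Console.WriteLine($"tampered verifies: {DsseSketch.Verify(key, tampered)}");

public record Finding(string Section, string Change);
public record Envelope(string PayloadType, string Payload, string Sig);

public static class DsseSketch
{
    // Assumed payload type (the in-toto one); the page does not say which one is used.
    public const string PayloadType = "application/vnd.in-toto+json";

    // Normalization: ordinal ordering so that input order cannot change the bytes.
    public static byte[] Normalize(Finding[] findings) =>
        JsonSerializer.SerializeToUtf8Bytes(
            findings.OrderBy(f => f.Section, StringComparer.Ordinal)
                    .ThenBy(f => f.Change, StringComparer.Ordinal).ToArray());

    // DSSE pre-authentication encoding: the signature binds the type and the body.
    public static byte[] Pae(string type, byte[] body) =>
        Encoding.UTF8.GetBytes($"DSSEv1 {Encoding.UTF8.GetByteCount(type)} {type} {body.Length} ")
            .Concat(body).ToArray();

    public static Envelope Sign(ECDsa key, byte[] payload) => new(
        PayloadType, Convert.ToBase64String(payload),
        Convert.ToBase64String(key.SignData(Pae(PayloadType, payload), HashAlgorithmName.SHA256)));

    // Recomputes the PAE from the envelope's own fields; malformed base64 counts as failure.
    public static bool Verify(ECDsa key, Envelope e)
    {
        try { return key.VerifyData(Pae(e.PayloadType, Convert.FromBase64String(e.Payload)),
                  Convert.FromBase64String(e.Sig), HashAlgorithmName.SHA256); }
        catch (FormatException) { return false; }
    }
}
```

Because the signature is computed over the PAE rather than the raw payload, changing either the payload or the payload type invalidates it; a verifier should additionally reject envelopes whose payload type is not the one it expects.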

Verification

Check                              Result
Tier 0 - Source Verification       PASS
Tier 1 - Build + Code Review       PASS
Tier 2 - Behavioral Verification   PASS
Verified Date                      2026-02-13
Run ID                             run-001