# Binary Reachability Analysis

## Module
BinaryIndex

## Status
PARTIALLY_IMPLEMENTED

## Description
Binary-level reachability analysis integrating with the ReachGraph and taint gate extraction for function-level exploitability assessment.

## Implementation Details
- **Modules**: `src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Analysis/`
- **Key Classes**:
  - `ReachGraphBinaryReachabilityService` (`src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Analysis/ReachGraphBinaryReachabilityService.cs`) - connects binary analysis to the ReachGraph module for function-level reachability
  - `TaintGateExtractor` (`src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Analysis/TaintGateExtractor.cs`) - identifies taint gate types (BoundsCheck, NullCheck, AuthCheck, PermissionCheck, TypeCheck) from condition strings
  - `SignatureMatcher` (`src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Analysis/SignatureMatcher.cs`) - matches vulnerability signatures at the binary level
- **Models**: `AnalysisResultModels`, `FingerprintModels`, `SignatureIndexModels` (`src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Analysis/Models/`)
- **Interfaces**: defined in `Interfaces.cs`, implementations in `Implementations.cs`

## E2E Test Plan
- [ ] Submit a binary with a known vulnerable function and verify reachability analysis identifies it as reachable from entry points
- [ ] Verify `TaintGateExtractor` correctly classifies all gate types (bounds, null, auth, permission, type checks)
- [ ] Verify that unreachable vulnerable functions reduce the exploitability score
- [ ] Verify integration between `ReachGraphBinaryReachabilityService` and the ReachGraph module
- [ ] Verify that taint gate presence between entry point and vulnerable function is reflected in the analysis result

## Verification Outcome (run-001)
- Tier 0/1/2 artifacts: `docs/qa/feature-checks/runs/binaryindex/binary-reachability-analysis/run-001/`
- Result: not implemented at claim parity.
- Missing behavior:
  - `Implementations.cs` still contains `NotImplementedException` stubs for fingerprint extraction and related reachability pipeline contracts.
  - Service registration defaults to stub/null analysis components (`FingerprintExtractor`, `ReachabilityAnalyzer`, `NullBinaryReachabilityService`) rather than full production reachability wiring.
  - `ReachGraphBinaryReachabilityService.FindPathsAsync` uses simplified two-node path construction, not full graph-path tracing semantics claimed by the feature.
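
The sketch below is an added illustration, not StellaOps code. It shows the behavior the E2E plan and the run-001 finding refer to: tracing complete call paths from entry points to a vulnerable function and recording the gates crossed on each path, instead of building a two-node path. The call graph, function names and result fields are constructed for this example; only the gate type names come from this page.

```python
from collections import deque

# Gate type names as listed on this page for TaintGateExtractor.
GATE_TYPES = {"BoundsCheck", "NullCheck", "AuthCheck", "PermissionCheck", "TypeCheck"}

# Constructed call graph: caller -> [(callee, gate guarding that call, or None)].
CALL_GRAPH = {
    "main":          [("parse_request", None), ("admin_handler", "AuthCheck")],
    "parse_request": [("decode_header", "BoundsCheck"), ("log_event", None)],
    "decode_header": [("copy_field", None)],
    "admin_handler": [("copy_field", "NullCheck")],
    "log_event":     [],
    "copy_field":    [],
    "legacy_export": [("unsafe_format", None)],  # no entry point calls this
    "unsafe_format": [],
}

def find_paths(graph, entry_points, target, max_depth=16):
    """Return every simple call path from an entry point to target as
    (path, gates), where gates lists the checks crossed, in call order."""
    results = []
    queue = deque((e, [e], []) for e in entry_points)
    while queue:
        node, path, gates = queue.popleft()
        if node == target:
            results.append((path, gates))
            continue
        if len(path) > max_depth:  # bound the search on deep graphs
            continue
        for callee, gate in graph.get(node, []):
            if callee in path:  # skip recursion and cycles
                continue
            if gate is not None and gate not in GATE_TYPES:
                raise ValueError(f"unknown gate type: {gate}")
            queue.append((callee, path + [callee], gates + ([gate] if gate else [])))
    return results

def assess(graph, entry_points, target):
    """Summarize reachability of target and whether any path avoids all gates."""
    paths = find_paths(graph, entry_points, target)
    return {
        "reachable": bool(paths),
        "paths": paths,
        "ungated_path_exists": any(not gates for _, gates in paths),
    }
```

A two-node result such as `["main", "copy_field"]` would lose both the intermediate functions and the gates on each route, which is what the last two E2E checks depend on.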