git.stella-ops.org/demos/binary-micro-witness/README.md
Binary Micro-Witness Golden Demo

This bundle demonstrates binary-level patch verification using StellaOps micro-witnesses.

Overview

Binary micro-witnesses provide cryptographic proof that a specific binary contains (or doesn't contain) a security fix. This enables auditors and procurement teams to verify patch status without source code access.

Contents

binary-micro-witness/
├── README.md                    # This file
├── witnesses/
│   ├── openssl-cve-2024-0567.json    # Sample witness for OpenSSL CVE
│   └── libcurl-cve-2023-38545.json   # Sample witness for curl CVE
├── verify.ps1                   # PowerShell verification script
├── verify.sh                    # Bash verification script
└── CHECKSUMS.sha256             # Deterministic checksums for all files

Quick Start

Windows (PowerShell)

.\verify.ps1 -WitnessPath witnesses\openssl-cve-2024-0567.json

Linux/macOS (Bash)

chmod +x verify.sh
./verify.sh witnesses/openssl-cve-2024-0567.json

Threat Model & Scope

What Micro-Witnesses Prove

  • A specific binary (identified by SHA-256) was analyzed
  • The analysis compared function-level signatures against known vulnerable/patched versions
  • A confidence score indicates how certain the verdict is

What Micro-Witnesses Do NOT Prove

  • That the binary came from a trusted source (that's what SBOM + attestations are for)
  • That the analysis is 100% accurate (confidence scores indicate uncertainty)
  • That other vulnerabilities don't exist (only the specified CVE is verified)

Limitations

  • Function-level matching can be affected by heavy compiler optimizations
  • Inlined functions may not be detected
  • Obfuscated binaries may yield "inconclusive" verdicts

Offline Verification

This bundle is designed for air-gapped environments:

  1. No network access required
  2. All verification logic is self-contained
  3. Checksums allow integrity verification

Predicate Schema

Witnesses follow the https://stellaops.dev/predicates/binary-micro-witness@v1 schema:

{
  "schemaVersion": "1.0.0",
  "binary": {
    "digest": "sha256:...",
    "filename": "libssl.so.3",
    "arch": "linux-amd64"
  },
  "cve": {
    "id": "CVE-2024-0567",
    "advisory": "https://..."
  },
  "verdict": "patched|vulnerable|inconclusive",
  "confidence": 0.95,
  "evidence": [
    {
      "function": "SSL_CTX_new",
      "state": "patched",
      "score": 0.97,
      "method": "semantic_ksg"
    }
  ],
  "tooling": {
    "binaryIndexVersion": "2.1.0",
    "lifter": "b2r2",
    "matchAlgorithm": "semantic_ksg"
  },
  "computedAt": "2026-01-28T12:00:00Z"
}
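The following Python program is an added example written for this page; it is not the bundle's verify.sh or verify.ps1 and not StellaOps code. It shows what an offline verifier in the Offline Verification section has to do with a document in the schema above: check the bundle's CHECKSUMS.sha256-style manifest first, confirm the witness actually describes the binary at hand by recomputing its SHA-256, and then test that the verdict is consistent with the per-function evidence and with a confidence threshold. The binary bytes, the witness document, the manifest and the 0.9 minimum confidence are all constructed for the example; the manifest is assumed to use sha256sum's "<hex>  <path>" line format.

```python
import hashlib
import json

# Constructed sample input (not from the demo bundle): a stand-in for the
# analyzed binary and a witness document in the shape of the schema above.
SAMPLE_BINARY = b"\x7fELF constructed stand-in for libssl.so.3\n"
SAMPLE_DIGEST = "sha256:" + hashlib.sha256(SAMPLE_BINARY).hexdigest()

SAMPLE_WITNESS = {
    "schemaVersion": "1.0.0",
    "binary": {"digest": SAMPLE_DIGEST, "filename": "libssl.so.3", "arch": "linux-amd64"},
    "cve": {"id": "CVE-2024-0567", "advisory": "https://advisory.example.invalid/"},
    "verdict": "patched",
    "confidence": 0.95,
    "evidence": [
        {"function": "SSL_CTX_new", "state": "patched", "score": 0.97, "method": "semantic_ksg"}
    ],
    "tooling": {"binaryIndexVersion": "2.1.0", "lifter": "b2r2", "matchAlgorithm": "semantic_ksg"},
    "computedAt": "2026-01-28T12:00:00Z",
}

REQUIRED_FIELDS = ("schemaVersion", "binary", "cve", "verdict", "confidence",
                   "evidence", "tooling", "computedAt")
VALID_VERDICTS = ("patched", "vulnerable", "inconclusive")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def check_witness(witness: dict, binary_bytes: bytes, min_confidence: float = 0.9) -> list:
    """Return the problems found; an empty list means the witness is acceptable for
    this binary. min_confidence is a policy knob assumed for this example."""
    problems = [f"missing field: {key}" for key in REQUIRED_FIELDS if key not in witness]
    if problems:
        return problems  # cannot reason about an incomplete document

    # 1. The witness must describe *this* file: recompute the digest and compare.
    if witness["binary"]["digest"] != "sha256:" + sha256_hex(binary_bytes):
        problems.append("binary digest mismatch: witness does not describe this file")

    # 2. The verdict must be one of the schema's values.
    verdict = witness["verdict"]
    if verdict not in VALID_VERDICTS:
        problems.append(f"unknown verdict: {verdict!r}")
        return problems

    # 3. Confidence is a unit-interval score; a low score is a finding, since the
    #    README says the score expresses residual uncertainty in the verdict.
    confidence = witness["confidence"]
    if not isinstance(confidence, (int, float)) or not 0.0 <= confidence <= 1.0:
        problems.append(f"confidence out of range: {confidence!r}")
    elif confidence < min_confidence:
        problems.append(f"confidence {confidence} below policy minimum {min_confidence}")

    # 4. The verdict must be consistent with the per-function evidence.
    states = {entry.get("state") for entry in witness["evidence"]}
    if verdict in ("patched", "vulnerable") and verdict not in states:
        problems.append(f"verdict {verdict!r} is not supported by any evidence entry")
    if verdict == "patched" and "vulnerable" in states:
        problems.append("verdict 'patched' conflicts with a function still marked vulnerable")
    return problems


def verify_checksums(manifest: str, files: dict) -> dict:
    """Check a sha256sum-style manifest ('<hex>  <path>' per line) against file
    contents. Returns {path: True/False}; a listed path that is absent is False."""
    results = {}
    for line in manifest.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        expected, path = line.split(None, 1)
        path = path.lstrip("*")  # sha256sum prefixes '*' for binary-mode entries
        data = files.get(path)
        results[path] = data is not None and sha256_hex(data) == expected.lower()
    return results


# Constructed bundle contents and a manifest generated over them.
SAMPLE_FILES = {
    "witnesses/openssl-cve-2024-0567.json": json.dumps(SAMPLE_WITNESS, indent=2).encode(),
    "verify.sh": b"#!/bin/sh\n# constructed placeholder\n",
}
SAMPLE_MANIFEST = "\n".join(f"{sha256_hex(d)}  {p}" for p, d in SAMPLE_FILES.items())


def verify_bundle(files: dict, manifest: str, witness_path: str, binary_bytes: bytes) -> list:
    """Offline verification order: bundle integrity first, then the witness itself.
    A witness from a bundle that fails its checksums is never evaluated."""
    problems = [f"checksum failed: {p}"
                for p, ok in verify_checksums(manifest, files).items() if not ok]
    if witness_path not in files:
        return problems + [f"witness not in bundle: {witness_path}"]
    if problems:
        return problems
    return check_witness(json.loads(files[witness_path]), binary_bytes)


if __name__ == "__main__":
    issues = verify_bundle(SAMPLE_FILES, SAMPLE_MANIFEST,
                           "witnesses/openssl-cve-2024-0567.json", SAMPLE_BINARY)
    print("OK" if not issues else "\n".join(issues))
```

The order matters: the manifest only tells you the bundle has not been altered in transit, and the digest comparison only tells you the witness is about the file in front of you; neither says anything about where the binary came from, which is what the threat-model section leaves to SBOMs and attestations. The evidence-consistency checks catch a witness whose top-level verdict disagrees with its own function-level findings, which is the kind of defect a signature check alone would not surface.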

Reproduction

To regenerate witnesses using the StellaOps CLI:

# Generate a witness
stella witness generate /path/to/libssl.so.3 --cve CVE-2024-0567 --output witness.json

# Verify a witness
stella witness verify witness.json --offline

# Create an air-gapped bundle
stella witness bundle witness.json --output ./bundle

Version Information

  • Demo Version: 1.0.0
  • Schema Version: binary-micro-witness@v1
  • Generated: 2026-01-28
  • Sprint: SPRINT_0128_001_BinaryIndex_binary_micro_witness