# Binary Micro-Witness Golden Demo

This bundle demonstrates binary-level patch verification using StellaOps micro-witnesses.

## Overview

Binary micro-witnesses record, in a verifiable form bound to the binary's SHA-256 digest, whether analysis of a specific binary found it to contain (or not contain) a given security fix, together with a confidence score for that verdict. This enables auditors and procurement teams to verify patch status without source code access. The verdict is the output of a binary-similarity analysis rather than a formal proof of the fix's presence; the "Threat Model & Scope" section below spells out what a witness does and does not establish.

## Contents

```
binary-micro-witness/
├── README.md                          # This file
├── witnesses/
│   ├── openssl-cve-2024-0567.json     # Sample witness for OpenSSL CVE
│   └── libcurl-cve-2023-38545.json    # Sample witness for curl CVE
├── verify.ps1                         # PowerShell verification script
├── verify.sh                          # Bash verification script
└── CHECKSUMS.sha256                   # Deterministic checksums for all files
```

## Quick Start

### Windows (PowerShell)

```powershell
.\verify.ps1 -WitnessPath witnesses\openssl-cve-2024-0567.json
```

### Linux/macOS (Bash)

```bash
chmod +x verify.sh
./verify.sh witnesses/openssl-cve-2024-0567.json
```

## Threat Model & Scope

### What Micro-Witnesses Prove

- A specific binary, identified by the SHA-256 digest in `binary.digest`, was analyzed. A witness says nothing about any other file, so a verifier must recompute the digest of the binary it actually holds and compare it with the one in the witness before relying on the verdict.
- The analysis compared function-level signatures against known vulnerable and patched versions of the affected functions.
- A confidence score (`confidence`, with per-function `score` values under `evidence`) indicates how certain the verdict is.

### What Micro-Witnesses Do NOT Prove

- That the binary came from a trusted source: provenance is the job of the SBOM and build attestations, which a witness complements rather than replaces.
- That the analysis is 100% accurate: the confidence score expresses the residual uncertainty, and a low score is a weak signal rather than a verdict.
- That other vulnerabilities don't exist: only the CVE named in the witness is verified.

### Limitations

- Function-level matching can be affected by heavy compiler optimizations.
- Inlined functions may not be detected.
- Obfuscated binaries may yield "inconclusive" verdicts.

An `inconclusive` verdict means the analysis could not decide either way; treat it as unknown, never as patched.

## Offline Verification

This bundle is designed for air-gapped environments:

1. No network access is required.
2. All verification logic is self-contained in `verify.sh` and `verify.ps1`.
3. `CHECKSUMS.sha256` allows integrity verification of every file in the bundle.

Checksums detect corruption and tampering only if the checksum file itself is trustworthy: an attacker who can rewrite a witness can just as easily rewrite an unsigned checksum file sitting next to it. Compare `CHECKSUMS.sha256` against a copy obtained through a separate channel (or check its signature, where one is distributed with the bundle) before trusting the files it covers.

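The following Python script is an added example of the integrity check in step 3; it is not the bundle's own `verify.sh` or `verify.ps1`, whose contents are not shown here. It assumes `CHECKSUMS.sha256` uses the `sha256sum` output format (`<64 hex digits>  <relative path>` per line) and, because the manifest is described as covering all files, treats a file present in the bundle but absent from the manifest as a failure. The sample bundle contents are constructed inline.

```python
"""Verify CHECKSUMS.sha256 against the files of an offline bundle.

Added example, not the bundle's own verify.sh/verify.ps1. Assumes the manifest
uses the GNU sha256sum line format "<64 hex>  <path>" (a '*' in place of the
second space marks binary mode) with paths relative to the bundle root.
"""
from __future__ import annotations

import hashlib
import re
from dataclasses import dataclass, field

# One manifest line: 64 hex chars, one space, then ' ' (text) or '*' (binary), then the path.
LINE_RE = re.compile(r"^(?P<hex>[0-9a-fA-F]{64}) [ *](?P<path>.+)$")


@dataclass
class ChecksumReport:
    ok: list[str] = field(default_factory=list)
    mismatched: list[str] = field(default_factory=list)  # listed, present, wrong digest
    missing: list[str] = field(default_factory=list)     # listed, but no such file
    unlisted: list[str] = field(default_factory=list)    # present, but not in the manifest
    malformed: list[str] = field(default_factory=list)   # manifest lines that did not parse

    @property
    def passed(self) -> bool:
        # Fail closed: a manifest that claims to cover all files must have no
        # altered, missing, extra or unparseable entries.
        return not (self.mismatched or self.missing or self.unlisted or self.malformed)


def build_manifest(files: dict[str, bytes]) -> str:
    """Deterministic manifest: sorted paths, lowercase hex, LF line endings."""
    return "".join(f"{hashlib.sha256(data).hexdigest()}  {path}\n"
                   for path, data in sorted(files.items()))


def parse_manifest(text: str) -> tuple[dict[str, str], list[str]]:
    """Return ({path: lowercase hex digest}, [malformed lines])."""
    entries: dict[str, str] = {}
    malformed: list[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments are tolerated
        match = LINE_RE.match(line)
        if match is None:
            malformed.append(raw)
            continue
        entries[match.group("path").strip()] = match.group("hex").lower()
    return entries, malformed


def verify_manifest(manifest_text: str, files: dict[str, bytes],
                    manifest_name: str = "CHECKSUMS.sha256") -> ChecksumReport:
    """Check every manifest entry against an in-memory {path: bytes} map."""
    report = ChecksumReport()
    entries, report.malformed = parse_manifest(manifest_text)
    for path, expected in entries.items():
        data = files.get(path)
        if data is None:
            report.missing.append(path)
            continue
        actual = hashlib.sha256(data).hexdigest()
        (report.ok if actual == expected else report.mismatched).append(path)
    for path in files:
        # The manifest cannot list its own digest, so it is the one exempt file.
        if path not in entries and path != manifest_name:
            report.unlisted.append(path)
    return report


# Constructed stand-in for the bundle layout above (contents are not the real files).
SAMPLE_FILES = {
    "README.md": b"# Binary Micro-Witness Golden Demo\n",
    "witnesses/openssl-cve-2024-0567.json": b'{"verdict": "patched"}\n',
    "witnesses/libcurl-cve-2023-38545.json": b'{"verdict": "patched"}\n',
    "verify.sh": b"#!/bin/sh\n",
}
SAMPLE_MANIFEST = build_manifest(SAMPLE_FILES)
# The same bundle with one witness rewritten after the manifest was produced.
TAMPERED_FILES = {**SAMPLE_FILES,
                  "witnesses/openssl-cve-2024-0567.json": b'{"verdict": "vulnerable"}\n'}


if __name__ == "__main__":
    for label, files in (("pristine", SAMPLE_FILES), ("tampered", TAMPERED_FILES)):
        report = verify_manifest(SAMPLE_MANIFEST, files)
        print(f"{label}: passed={report.passed} mismatched={report.mismatched}")
```

Reading the files from disk instead of a dict is a matter of walking the bundle directory and mapping each relative path to its bytes; the policy decisions (fail on anything unlisted, exempt only the manifest itself) are the part worth keeping.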
## Predicate Schema

Witnesses follow the `https://stellaops.dev/predicates/binary-micro-witness@v1` schema:

```json
{
  "schemaVersion": "1.0.0",
  "binary": {
    "digest": "sha256:...",
    "filename": "libssl.so.3",
    "arch": "linux-amd64"
  },
  "cve": {
    "id": "CVE-2024-0567",
    "advisory": "https://..."
  },
  "verdict": "patched|vulnerable|inconclusive",
  "confidence": 0.95,
  "evidence": [
    {
      "function": "SSL_CTX_new",
      "state": "patched",
      "score": 0.97,
      "method": "semantic_ksg"
    }
  ],
  "tooling": {
    "binaryIndexVersion": "2.1.0",
    "lifter": "b2r2",
    "matchAlgorithm": "semantic_ksg"
  },
  "computedAt": "2026-01-28T12:00:00Z"
}
```

`verdict` takes exactly one of the three values shown; the `|` notation in the sample only lists the alternatives. `binary.digest` is the SHA-256 of the analyzed file and is the field a verifier must match against the digest of its own copy of the binary. Each `evidence` entry records the per-function result that contributed to the overall verdict, with its own `score` and the matching `method` used.

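As an added example (not StellaOps code, and not a reconstruction of the bundle's verify scripts), the following Python shows the checks a verifier should perform on a witness of this shape before acting on its verdict: structural validation, binding the witness to the local binary by recomputing its SHA-256 and comparing with `binary.digest`, confirming the CVE, cross-checking `evidence` states against `verdict`, and applying an explicit confidence policy. The sample binary and witness are constructed inline; the `min_confidence` threshold and the `Decision` outcome names are this example's own choices, not part of the schema.

```python
"""Evaluate a binary micro-witness against a local binary.

Added example, not StellaOps code and not the bundle's verify scripts. Assumes a
witness shaped like the schema sample above, with binary.digest as
"sha256:<64 hex>" and verdict / evidence[].state drawn from
patched | vulnerable | inconclusive. The confidence threshold and the outcome
names are this example's own policy choices.
"""
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass

VERDICTS = {"patched", "vulnerable", "inconclusive"}
REQUIRED = ("schemaVersion", "binary", "cve", "verdict", "confidence", "evidence")
HEX = set("0123456789abcdefABCDEF")


@dataclass
class Decision:
    outcome: str  # "patched", "vulnerable" or "unknown" (never guessed from a bad witness)
    reason: str


def sha256_digest(data: bytes) -> str:
    return "sha256:" + hashlib.sha256(data).hexdigest()


def load_witness(path: str) -> dict:
    with open(path, "rb") as fh:
        return json.load(fh)


def structural_problems(w: dict) -> list[str]:
    """Reject malformed witnesses before reading anything into their verdict."""
    problems = [f"missing field {key}" for key in REQUIRED if key not in w]
    if problems:
        return problems
    digest = str(w["binary"].get("digest", ""))
    if not (digest.startswith("sha256:") and len(digest) == 71 and set(digest[7:]) <= HEX):
        problems.append(f"bad digest format {digest!r}")
    if w["verdict"] not in VERDICTS:
        problems.append(f"unknown verdict {w['verdict']!r}")
    conf = w["confidence"]
    if not (isinstance(conf, (int, float)) and 0.0 <= conf <= 1.0):
        problems.append(f"confidence out of range {conf!r}")
    for ev in w["evidence"]:
        if ev.get("state") not in VERDICTS:
            problems.append(f"evidence for {ev.get('function')!r} has unknown state")
    return problems


def evaluate(witness: dict, binary_bytes: bytes, expected_cve: str,
             min_confidence: float = 0.9) -> Decision:
    problems = structural_problems(witness)
    if problems:
        return Decision("unknown", "malformed witness: " + "; ".join(problems))

    # 1. Binding: the witness only speaks about the exact bytes it names, so
    #    recompute the digest of the file we actually hold and compare.
    actual = sha256_digest(binary_bytes)
    claimed = witness["binary"]["digest"].lower()
    if actual != claimed:
        return Decision("unknown", f"digest mismatch: local {actual} vs witness {claimed}")

    # 2. Scope: a witness covers one CVE; it says nothing about any other.
    if witness["cve"]["id"].upper() != expected_cve.upper():
        return Decision("unknown", f"witness is for {witness['cve']['id']}, not {expected_cve}")

    # 3. Consistency: per-function evidence must not contradict the overall verdict.
    verdict = witness["verdict"]
    states = {ev["state"] for ev in witness["evidence"]}
    if verdict != "inconclusive" and states - {verdict, "inconclusive"}:
        return Decision("unknown", f"verdict {verdict} contradicted by evidence states {sorted(states)}")

    # 4. Policy: inconclusive is unknown (never patched); vulnerable is reported at
    #    any confidence (fail closed); patched must clear the confidence threshold.
    confidence = float(witness["confidence"])
    if verdict == "inconclusive":
        return Decision("unknown", "analysis was inconclusive")
    if verdict == "vulnerable":
        return Decision("vulnerable", f"witness reports vulnerable (confidence {confidence:.2f})")
    if confidence < min_confidence:
        return Decision("unknown", f"patched verdict below threshold ({confidence:.2f} < {min_confidence:.2f})")
    return Decision("patched", f"patched with confidence {confidence:.2f}")


# Constructed sample: stand-in bytes for libssl.so.3 and a witness bound to them.
SAMPLE_BINARY = b"\x7fELF" + bytes(range(256)) * 4
SAMPLE_WITNESS = {
    "schemaVersion": "1.0.0",
    "binary": {"digest": sha256_digest(SAMPLE_BINARY), "filename": "libssl.so.3", "arch": "linux-amd64"},
    "cve": {"id": "CVE-2024-0567", "advisory": "https://..."},
    "verdict": "patched",
    "confidence": 0.95,
    "evidence": [{"function": "SSL_CTX_new", "state": "patched", "score": 0.97, "method": "semantic_ksg"}],
    "tooling": {"binaryIndexVersion": "2.1.0", "lifter": "b2r2", "matchAlgorithm": "semantic_ksg"},
    "computedAt": "2026-01-28T12:00:00Z",
}


if __name__ == "__main__":
    print(evaluate(SAMPLE_WITNESS, SAMPLE_BINARY, "CVE-2024-0567"))
    print(evaluate(SAMPLE_WITNESS, SAMPLE_BINARY + b"\x00", "CVE-2024-0567"))
```

The ordering matters: a witness whose digest does not match the local file is discarded before its verdict is even read, so a witness copied from a different build can never turn an unpatched binary green, and `vulnerable` is accepted at any confidence while `patched` has to earn it.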
## Reproduction

To regenerate witnesses using the StellaOps CLI:

```bash
# Generate a witness
stella witness generate /path/to/libssl.so.3 --cve CVE-2024-0567 --output witness.json

# Verify a witness
stella witness verify witness.json --offline

# Create an air-gapped bundle
stella witness bundle witness.json --output ./bundle
```

## Version Information

- **Demo Version**: 1.0.0
- **Schema Version**: binary-micro-witness@v1
- **Generated**: 2026-01-28
- **Sprint**: SPRINT_0128_001_BinaryIndex_binary_micro_witness