2.7 KiB
2.7 KiB
Binary Reachability Proofs / Binary Diff Analysis
Module
Attestor
Status
VERIFIED
Description
Full binary diff analysis pipeline with schema validation, DSSE-verified predicates, normalization, and fingerprint evidence generation.
Implementation Details
- BinaryDiff Pipeline:
src/Attestor/__Libraries/StellaOps.Attestor.StandardPredicates/BinaryDiff/-- complete pipeline:IBinaryDiffPredicateBuilder.cs/BinaryDiffPredicateBuilder.cs(with.Build) -- constructs diff predicatesIBinaryDiffPredicateSerializer.cs/BinaryDiffPredicateSerializer.cs(with.Normalize) -- deterministic serializationIBinaryDiffDsseVerifier.cs/BinaryDiffDsseVerifier.cs(with.Helpers) -- DSSE verificationBinaryDiffDsseSigner.cs-- DSSE signingBinaryDiffSchema.cs(with.SchemaJson) -- JSON schema validationBinaryDiffSectionModels.cs-- section-level models (ELF/PE)BinaryDiffFinding.cs-- individual findingsBinaryDiffMetadataBuilder.cs-- metadata construction
- Fingerprint Evidence:
src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Generators/BinaryFingerprintEvidenceGenerator.cs(with.Helpers) -- generates reachability-aware fingerprint evidence. - Reachability Integration: Binary diff evidence feeds into
ReachabilityWitnessPayload(statements) andBinaryMicroWitnessPredicate(predicates) for reachability proof chains. - Tests:
__Tests/StellaOps.Attestor.StandardPredicates.Tests/BinaryDiff/-- builder, serializer, signer, schema validation tests.__Tests/StellaOps.Attestor.ProofChain.Tests/BinaryMicroWitnessPredicateTests.cs
E2E Test Plan
- Run the full binary diff pipeline: build predicate from findings, normalize/serialize, sign with DSSE, verify signature, validate against schema
- Create diff findings for a patched vulnerability (binary changed in .text section) and verify the predicate captures the patch as a security-relevant change
- Normalize the same diff predicate twice and verify byte-for-byte output equality
- Validate a well-formed predicate against
BinaryDiffSchemaand verify it passes - Validate a predicate missing required fields and verify schema validation fails with specific error
- Generate fingerprint evidence from a binary diff result and verify it links to the diff attestation
- Feed binary diff evidence into a
BinaryMicroWitnessPredicateand verify the reachability proof chain includes the diff evidence
Verification
| Check | Result |
|---|---|
| Tier 0 - Source Verification | PASS |
| Tier 1 - Build + Code Review | PASS |
| Tier 2 - Behavioral Verification | PASS |
| Verified Date | 2026-02-13 |
| Run ID | run-001 |