stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity
Files
c52ca826528b63f38386a0adddecff0eaacfcf30
git.stella-ops.org/docs/features/checked/scanner/funcproof-pipeline.md
master e9aeadc040 save checkpoint
2026-02-14 09:11:48 +02:00

2.8 KiB
Raw Blame History

FuncProof Pipeline (Function-Level Proof Generation, DSSE Signing, OCI Publishing)

Module

Scanner

Status

VERIFIED

Description

Complete pipeline for generating function-level proof objects from binary analysis. Includes DWARF/symbol/heuristic function boundary detection, BLAKE3/SHA-256 function-range hashing, DSSE envelope signing, Rekor transparency log integration, OCI referrer publishing, CycloneDX 1.6 callflow evidence linking, PostgreSQL storage, and configurable generation options.

Implementation Details

  • Binary Function Analysis:
    • src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Binary/BinaryIntelligenceAnalyzer.cs - Function boundary detection (DWARF/symbol/heuristic)
    • src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Binary/CodeFingerprint.cs - Code fingerprint model
    • src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Binary/IFingerprintGenerator.cs - Fingerprint generation interface
    • src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Binary/FingerprintCorpusBuilder.cs - Builds fingerprint corpus
    • src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Binary/SymbolInfo.cs - Symbol info model
  • Proof of Exposure:
    • src/Scanner/StellaOps.Scanner.Worker/Orchestration/PoEOrchestrator.cs - Proof-of-Exposure orchestrator
    • src/Scanner/StellaOps.Scanner.Worker/Processing/PoE/PoEGenerationStageExecutor.cs - PoE generation stage executor
  • DSSE Signing:
    • src/Scanner/StellaOps.Scanner.Worker/Processing/Surface/HmacDsseEnvelopeSigner.cs - HMAC-based DSSE signing
    • src/Scanner/StellaOps.Scanner.Worker/Processing/Surface/IDsseEnvelopeSigner.cs - DSSE signing interface
  • OCI Publishing:
    • src/Scanner/StellaOps.Scanner.WebService/Services/IOciAttestationPublisher.cs - OCI attestation publisher interface
    • src/Scanner/StellaOps.Scanner.WebService/Services/OciAttestationPublisher.cs - Publishes attestations to OCI registries
  • Evidence Integration:
    • src/Scanner/__Libraries/StellaOps.Scanner.Emit/Evidence/CallstackEvidenceBuilder.cs - CycloneDX callflow evidence linking

E2E Test Plan

  • Scan a container image with native binaries and verify function-level proof objects are generated
  • Verify function boundary detection works for DWARF debug info, symbol tables, and heuristic detection
  • Verify function-range hashing produces BLAKE3/SHA-256 fingerprints
  • Verify DSSE envelope signing wraps proof objects
  • Verify OCI referrer publishing attaches proofs to the image manifest
  • Verify CycloneDX callflow evidence links proofs to vulnerability findings

Verification

Check Result
Tier 0 - Source files exist PASS
Tier 1 - Build + code review PASS
Tier 2 - Integration tests PASS
Verified 2026-02-13T18:10:00Z