git.stella-ops.org/docs/features/unchecked/attestor/four-tier-backport-detection-system.md

Four-Tier Backport Detection System

Module: Attestor

Status: IMPLEMENTED

Description

A four-tier evidence collection system for backport detection: Tier 1 (Distro Advisories, 0.98 confidence), Tier 2 (Changelog Mentions, 0.80), Tier 3 (Patch Headers + HunkSig, 0.85-0.90), Tier 4 (Binary Fingerprints, 0.55-0.85). BackportProofService orchestrates queries across all tiers and combines evidence into cryptographic ProofBlobs.

Implementation Details

  • BackportProofGenerator: src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Generators/BackportProofGenerator.cs -- orchestrator for multi-tier detection with partials:
    • .Tier1 -- Distro advisory matching (0.98 confidence)
    • .Tier2 -- Advisory-level evidence (0.90-0.95)
    • .Tier3 -- Changelog/patch header matching (0.80-0.85)
    • .Tier3Signature -- HunkSig binary signature matching
    • .Tier4 -- Binary fingerprint comparison (0.55-0.85)
    • .Confidence -- confidence scoring with multi-source bonus
    • .CombineEvidence -- evidence aggregation across tiers
    • .Status -- detection status tracking
    • .VulnerableUnknown -- unknown vulnerability handling
  • Evidence Summary: Generators/EvidenceSummary.cs -- aggregated evidence from all tiers.
  • Proof Blob: Models/ProofBlob.cs -- cryptographic proof container with SHA-256 hash.
  • Tests: __Tests/StellaOps.Attestor.ProofChain.Tests/BackportProofGeneratorTests.cs
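To make the Description and the Implementation Details above concrete, the following is an added, self-contained Python model of the evidence flow: per-tier evidence items carrying the confidence values the Description states, a CombineEvidence-style aggregation with a multi-source bonus, a VulnerableUnknown result when no tier produced evidence, and a ProofBlob-style container whose SHA-256 covers a canonical serialisation of the payload. It is not the project's C# code (BackportProofGenerator, EvidenceSummary and ProofBlob are not reproduced here); the bonus size (0.02 per additional tier), the 0.99 cap, the 0.80 "Backported" threshold, the status names other than VulnerableUnknown, and all sample package, advisory and vulnerability identifiers are assumptions chosen for the example.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass

# Confidence ranges per tier, as stated in the Description of this page:
# tier -> (kind, lowest allowed confidence, highest allowed confidence)
TIER_RANGES = {
    1: ("distro-advisory", 0.98, 0.98),
    2: ("changelog", 0.80, 0.80),
    3: ("patch-header", 0.85, 0.90),
    4: ("binary-fingerprint", 0.55, 0.85),
}

# Assumed scoring parameters for this example (not taken from the project).
MULTI_SOURCE_BONUS = 0.02      # added once per additional distinct tier
CONFIDENCE_CAP = 0.99          # a combined score never reaches certainty
BACKPORTED_THRESHOLD = 0.80    # at or above this the package counts as patched


@dataclass(frozen=True)
class Evidence:
    """One piece of evidence from a single tier."""
    tier: int
    source: str          # e.g. an advisory id or a changelog path (constructed)
    confidence: float

    def __post_init__(self):
        # Reject evidence whose confidence does not fit the tier it claims;
        # this stops a weak tier-4 match from being recorded as tier-1 strength.
        if self.tier not in TIER_RANGES:
            raise ValueError(f"unknown tier {self.tier}")
        _, lo, hi = TIER_RANGES[self.tier]
        if not lo <= self.confidence <= hi:
            raise ValueError(
                f"tier {self.tier} confidence {self.confidence} outside [{lo}, {hi}]")


def combine_evidence(items):
    """Aggregate evidence across tiers into a summary (CombineEvidence analogue)."""
    if not items:
        # No tier found anything: the page's VulnerableUnknown case.
        return {"status": "VulnerableUnknown", "confidence": 0.0,
                "tiers": [], "sources": []}
    tiers = sorted({e.tier for e in items})
    strongest = max(e.confidence for e in items)
    # Multi-source bonus: independent tiers agreeing raises confidence slightly.
    bonus = MULTI_SOURCE_BONUS * (len(tiers) - 1)
    confidence = round(min(CONFIDENCE_CAP, strongest + bonus), 4)
    status = "Backported" if confidence >= BACKPORTED_THRESHOLD else "Inconclusive"
    return {"status": status, "confidence": confidence, "tiers": tiers,
            "sources": sorted(f"tier{e.tier}:{e.source}" for e in items)}


def _canonical(payload):
    # Deterministic encoding: key order and separators are fixed so that the
    # same payload always hashes to the same digest.
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def build_proof_blob(package, vuln_id, items):
    """Wrap the combined evidence in a container carrying its SHA-256 (ProofBlob analogue)."""
    payload = {"package": package, "vulnerability": vuln_id,
               "summary": combine_evidence(items)}
    return {"payload": payload,
            "sha256": hashlib.sha256(_canonical(payload)).hexdigest()}


def verify_proof_blob(blob):
    """Recompute the digest over the payload and compare in constant time."""
    expected = hashlib.sha256(_canonical(blob["payload"])).hexdigest()
    return hmac.compare_digest(expected, blob["sha256"])


if __name__ == "__main__":
    # Constructed sample: a tier-1 advisory and a tier-3 patch-header match.
    sample = [
        Evidence(1, "ADVISORY-PLACEHOLDER", 0.98),
        Evidence(3, "debian/patches/fix-placeholder.patch", 0.90),
    ]
    blob = build_proof_blob("example-pkg", "CVE-PLACEHOLDER", sample)
    print(json.dumps(blob, indent=2))
    print("verifies:", verify_proof_blob(blob))
```

Note that the blob here is only integrity-checked (a hash), not authenticated: anyone who can rewrite both the payload and the digest can forge it, so a real deployment signs the digest or stores it in a tamper-evident log, which is outside what this example models.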

E2E Test Plan

  • Run Tier 1 detection with a known distro advisory match and verify 0.98 confidence
  • Run Tier 2 detection with changelog evidence and verify 0.80 confidence
  • Run Tier 3 detection with patch header matching and verify 0.85-0.90 confidence
  • Run Tier 3 Signature detection with HunkSig binary comparison and verify confidence range
  • Run Tier 4 detection with binary fingerprint comparison and verify 0.55-0.85 confidence
  • Run all four tiers and verify CombineEvidence produces an aggregated result with multi-source bonus
  • Verify the combined evidence is wrapped in a cryptographic ProofBlob with valid SHA-256 hash
  • Test with a package having no backport evidence across all tiers and verify appropriate VulnerableUnknown handling