stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity
Files
cf5b72974f923126944f4dcd47e85864ebb31a3b
git.stella-ops.org/docs/features/unchecked/attestor/patch-oracle.md

3.0 KiB
Raw Blame History

Patch Oracle (Binary Diff for CVE Function Identification)

Module

Attestor

Status

IMPLEMENTED

Description

Patch verification orchestration with patch signature storage and binary diff predicate building is implemented, enabling CVE function identification through patch comparison.

Implementation Details

  • Binary Diff Predicate Builder: src/Attestor/__Libraries/StellaOps.Attestor.StandardPredicates/BinaryDiff/BinaryDiffPredicateBuilder.cs (with .Build) -- builds binary diff predicates comparing patched vs unpatched binaries to identify CVE-affected functions. Implements IBinaryDiffPredicateBuilder.cs.
  • Binary Diff Predicate Serializer: BinaryDiff/BinaryDiffPredicateSerializer.cs (with .Normalize) -- serializes binary diff predicates with deterministic normalization. Implements IBinaryDiffPredicateSerializer.cs.
  • Binary Diff Finding: BinaryDiff/BinaryDiffFinding.cs -- individual diff finding (function added/removed/changed, offset, size).
  • Binary Diff Section Models: BinaryDiff/BinaryDiffSectionModels.cs -- section-level diff models (text, data, rodata sections).
  • Binary Diff Metadata Builder: BinaryDiff/BinaryDiffMetadataBuilder.cs -- builds metadata for binary diff comparisons (tool version, binary architecture, compiler info).
  • Binary Diff Schema: BinaryDiff/BinaryDiffSchema.SchemaJson.cs -- embedded JSON schema for binary diff predicates.
  • Binary Diff Schema Validation: BinaryDiff/BinaryDiffSchemaValidationResult.cs -- validation result model.
  • Binary Diff DSSE Verifier: BinaryDiff/BinaryDiffDsseVerifier.cs (with .Helpers) -- verifies DSSE-signed binary diff attestations. Implements IBinaryDiffDsseVerifier.cs.
  • Backport Tier 3 Signature: __Libraries/StellaOps.Attestor.ProofChain/Generators/BackportProofGenerator.Tier3Signature.cs -- uses binary diff/HunkSig for backport detection.
  • Binary Fingerprint Evidence: Generators/BinaryFingerprintEvidenceGenerator.cs (with .Helpers) -- generates fingerprint evidence for binary comparison.
  • Tests: __Tests/StellaOps.Attestor.StandardPredicates.Tests/BinaryDiffTests.cs

E2E Test Plan

  • Build a binary diff predicate via BinaryDiffPredicateBuilder comparing a patched and unpatched binary; verify the diff identifies changed functions
  • Verify BinaryDiffFinding entries capture function name, offset, and change type (added/removed/modified)
  • Serialize a binary diff predicate via BinaryDiffPredicateSerializer and verify deterministic output (same diff = same bytes)
  • Validate a binary diff predicate against BinaryDiffSchema and verify schema compliance
  • Sign a binary diff predicate into a DSSE envelope and verify it via BinaryDiffDsseVerifier
  • Build metadata via BinaryDiffMetadataBuilder and verify tool version, architecture, and compiler info are captured
  • Tamper with a signed binary diff attestation and verify BinaryDiffDsseVerifier rejects it
  • Verify BinaryDiffSectionModels captures diffs at the section level (text, data, rodata)