git.stella-ops.org/docs/features/unimplemented/binaryindex/binary-call-graph-extraction-and-reachability-analysis.md
2026-02-12 10:27:23 +02:00


Binary Call-Graph Extraction and Reachability Analysis

Module

BinaryIndex

Status

PARTIALLY_IMPLEMENTED

Description

Binary call-graph extraction with BinaryCallGraphExtractor, reachability lifting via BinaryReachabilityLifter, dedicated BinaryIndex analysis module, and CLI binary commands.

Implementation Details

  • Modules: src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Analysis/, src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Semantic/, src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.DeltaSig/
  • Key Classes:
    • ReachGraphBinaryReachabilityService (src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Analysis/ReachGraphBinaryReachabilityService.cs) - binary-level reachability integration with ReachGraph
    • TaintGateExtractor (src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Analysis/TaintGateExtractor.cs) - extracts taint gates (bounds checks, null checks, auth checks, permission checks, type checks) from binary call paths
    • CfgExtractor (src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.DeltaSig/CfgExtractor.cs) - control flow graph extraction from disassembled binaries
    • CallNgramGenerator (src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Semantic/CallNgramGenerator.cs) - generates call-sequence n-grams from lifted IR for call graph analysis
    • CallGraphMatcherAdapter (src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Validation/Matchers/MatcherAdapters.cs) - adapter for call graph matching in validation harness
  • Interfaces: ICallNgramGenerator, IBinaryFeatureExtractor

E2E Test Plan

  • Submit an ELF binary and verify call-graph extraction produces a valid set of function nodes and edges
  • Verify TaintGateExtractor classifies conditions correctly (bounds check, null check, auth check, permission check, type check)
  • Verify CfgExtractor produces control flow graphs from disassembled functions
  • Verify CallNgramGenerator generates n-grams (n=2,3,4) from lifted function IR and computes Jaccard similarity
  • Verify ReachGraphBinaryReachabilityService integrates with the ReachGraph module for function-level exploitability assessment
  • Verify call-graph-based reachability results feed into the ensemble decision engine
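A reference oracle for the CallNgramGenerator check in the plan above, added here as an illustration and not taken from the StellaOps code base: it builds call-sequence n-grams for n=2,3,4 and compares two functions by Jaccard similarity. All names (`call_ngrams`, `jaccard`, `similarity_profile`), the sample call sequences, and the choice to score two empty n-gram sets as 0.0 are assumptions; the real `ICallNgramGenerator` contract may differ.

```python
from __future__ import annotations

from typing import Sequence


def call_ngrams(calls: Sequence[str], n: int) -> set[tuple[str, ...]]:
    """Return the set of contiguous n-grams over an ordered callee sequence."""
    if n < 1:
        raise ValueError("n must be >= 1")
    # A function with fewer than n calls yields an empty set, not an error.
    return {tuple(calls[i:i + n]) for i in range(len(calls) - n + 1)}


def jaccard(a: set, b: set) -> float:
    """|A & B| / |A | B|. Two empty sets score 0.0 (assumption): no n-grams
    on either side is absence of evidence, not a match."""
    union = a | b
    if not union:
        return 0.0
    return len(a & b) / len(union)


def similarity_profile(ref: Sequence[str], cand: Sequence[str],
                       sizes: Sequence[int] = (2, 3, 4)) -> dict[int, float]:
    """Jaccard similarity of the two call sequences for each n-gram size."""
    return {n: jaccard(call_ngrams(ref, n), call_ngrams(cand, n)) for n in sizes}


# Constructed sample: callee names in the order they appear in lifted IR.
# PATCHED differs from REFERENCE by one inserted bounds check.
REFERENCE = ["malloc", "strlen", "memcpy", "log_msg", "free"]
PATCHED = ["malloc", "strlen", "check_len", "memcpy", "log_msg", "free"]

if __name__ == "__main__":
    for n, score in similarity_profile(REFERENCE, PATCHED).items():
        print(f"n={n}: jaccard={score:.3f}")
```

A single inserted call drops the score from 0.5 at n=2 to 0 at n=4, so an end-to-end test should assert per-n values rather than one aggregate threshold.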

Verification Outcome (run-001)

  • Tier 0/1/2 artifacts: docs/qa/feature-checks/runs/binaryindex/binary-call-graph-extraction-and-reachability-analysis/run-001/
  • Result: not implemented at claim parity.
  • Missing behavior:
    • TaintGateExtractor.ExtractAsync returns empty output and does not perform binary/disassembly path extraction.
    • CallGraphMatcherAdapter is placeholder logic with a fixed score and TODO comments.
    • ReachGraphBinaryReachabilityService.FindPathsAsync currently constructs simplified placeholder paths.
    • No focused behavioral tests prove call-graph matcher/reachability adapter semantics end-to-end.