stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity
Files
e716bc6adca8d1a3ac5a24ad491e5fa99e31cf1c
git.stella-ops.org/docs/features/unchecked/attestor/binary-fingerprint-evidence-for-reachability-proofs.md

2.7 KiB
Raw Blame History

Binary Fingerprint Evidence for Reachability Proofs

Module

Attestor

Status

IMPLEMENTED

Description

Binary fingerprint evidence generation with identity info, vulnerability match info, and micro-witness binary references provides cryptographic evidence for binary reachability claims.

Implementation Details

  • BinaryFingerprintEvidenceGenerator: src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Generators/BinaryFingerprintEvidenceGenerator.cs (with .Helpers partial) -- generates attestable fingerprint evidence segments from binary vulnerability findings.
  • BinaryFingerprintEvidencePredicate: __Libraries/StellaOps.Attestor.ProofChain/Predicates/BinaryFingerprintEvidencePredicate.cs -- predicate type for binary fingerprint evidence in proof bundles.
  • BinaryIdentityInfo: Predicates/BinaryIdentityInfo.cs -- captures binary identity (path, hash, format, architecture).
  • BinaryVulnMatchInfo: Predicates/BinaryVulnMatchInfo.cs -- vulnerability match details linking binary to CVE.
  • Micro-Witness Models: MicroWitnessBinaryRef.cs -- binary reference within micro-witness. MicroWitnessCveRef.cs -- CVE reference. MicroWitnessFunctionEvidence.cs -- function-level evidence. MicroWitnessSbomRef.cs -- SBOM cross-reference. MicroWitnessTooling.cs -- analysis tool info. MicroWitnessVerdicts.cs -- micro-witness verdicts.
  • Binary Micro-Witness Predicate: BinaryMicroWitnessPredicate.cs -- complete micro-witness predicate combining binary evidence with reachability data.
  • Statement: __Libraries/StellaOps.Attestor.ProofChain/Statements/BinaryMicroWitnessStatement.cs -- in-toto statement wrapper.
  • Tests: __Tests/StellaOps.Attestor.ProofChain.Tests/BinaryMicroWitnessPredicateTests.cs

E2E Test Plan

  • Generate binary fingerprint evidence via BinaryFingerprintEvidenceGenerator for a binary with known vulnerabilities and verify the output contains BinaryIdentityInfo with correct hash and format
  • Verify BinaryVulnMatchInfo correctly links a binary identity to a specific CVE with match confidence
  • Create a BinaryMicroWitnessPredicate with MicroWitnessBinaryRef, MicroWitnessCveRef, and MicroWitnessFunctionEvidence and verify all cross-references are populated
  • Verify MicroWitnessSbomRef correctly links the binary evidence to an SBOM component entry
  • Wrap the micro-witness predicate in BinaryMicroWitnessStatement and verify it produces a valid in-toto statement
  • Generate evidence for a binary with no vulnerability matches and verify the generator produces an empty/clean evidence set
  • Verify MicroWitnessTooling captures the analysis tool name and version used to generate the evidence