git.stella-ops.org/docs/features/unchecked/attestor/patch-aware-backport-detection-with-proof-carrying-vex.md

Patch-Aware Backport Detection with Proof-Carrying VEX (Tier1-4)

Module

Attestor

Status

IMPLEMENTED

Description

Full backport proof pipeline from extractors through tiered proof generation (Tier1: advisory match, Tier2: source proof, Tier3: binary proof, Tier4: signature match) with VEX integration. Patch verification orchestrator handles distro backports correctly.

Implementation Details

  • BackportProofGenerator: src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Generators/BackportProofGenerator.cs -- orchestrator for multi-tier backport detection with partials:
    • .Tier1 -- distro advisory matching (0.98 confidence)
    • .Tier2 -- advisory-level evidence (0.90-0.95 confidence)
    • .Tier3 -- changelog/patch header matching (0.80-0.85 confidence)
    • .Tier3Signature -- HunkSig binary signature matching
    • .Tier4 -- binary fingerprint comparison (0.55-0.85 confidence)
    • .Confidence -- confidence scoring with multi-source bonus
    • .CombineEvidence -- evidence aggregation across all tiers
    • .Status -- detection status tracking
    • .VulnerableUnknown -- unknown vulnerability handling
  • Evidence Summary: Generators/EvidenceSummary.cs -- aggregated evidence from all tiers with confidence and tier breakdown.
  • VEX Proof Integrator: Generators/VexProofIntegrator.cs (with .Helpers, .Metadata) -- integrates backport detection evidence into VEX decisions, producing proof-carrying VEX.
  • VEX Verdict Proof Payload: Generators/VexVerdictProofPayload.cs -- combined VEX verdict + backport proof payload.
  • Binary Fingerprint Evidence Generator: Generators/BinaryFingerprintEvidenceGenerator.cs (with .Helpers) -- generates Tier 4 binary fingerprint evidence.
  • Fix Status Info: Predicates/FixStatusInfo.cs -- tracks fix application status (patched, backported, unpatched).
  • FixChain Attestation: __Libraries/StellaOps.Attestor.FixChain/FixChainAttestationService.cs -- creates attestations for confirmed fix applications.
  • Tests: __Tests/StellaOps.Attestor.ProofChain.Tests/BackportProofGeneratorTests.cs

E2E Test Plan

  • Run Tier 1 detection with a known distro advisory (e.g., Debian DSA) and verify 0.98 confidence result
  • Run Tier 3 detection with patch header + HunkSig and verify 0.85-0.90 confidence
  • Run Tier 4 detection with binary fingerprint comparison and verify 0.55-0.85 confidence range
  • Run all four tiers and verify CombineEvidence produces an aggregated EvidenceSummary with multi-source bonus
  • Integrate backport evidence into a VEX decision via VexProofIntegrator with status "not_affected" (backport confirmed) and verify the VexVerdictProofPayload
  • Test VulnerableUnknown handling: run detection with no evidence across all tiers and verify appropriate unknown status
  • Create a FixChainAttestationService attestation for a confirmed backport and verify it links to the backport proof
  • Verify confidence scoring with multi-source bonus: Tier1 + Tier3 evidence together produces higher confidence than either alone
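A stand-alone model of the evidence aggregation and VEX mapping described above, added here as an example; it is not the project's C# BackportProofGenerator. The per-tier confidence ranges come from the implementation details; the aggregation rule (best single-tier confidence plus a bonus per additional distinct tier, capped), the bonus size, the cap and the not_affected threshold are assumptions, as is the constructed evidence source label.

```python
from dataclasses import dataclass
from enum import Enum

class Tier(Enum):
    TIER1 = 1  # distro advisory match
    TIER2 = 2  # advisory-level evidence
    TIER3 = 3  # changelog/patch header or HunkSig match
    TIER4 = 4  # binary fingerprint comparison

# Per-tier confidence ranges as listed in the implementation details above.
CONFIDENCE_RANGE = {Tier.TIER1: (0.98, 0.98), Tier.TIER2: (0.90, 0.95),
                    Tier.TIER3: (0.80, 0.85), Tier.TIER4: (0.55, 0.85)}
MULTI_SOURCE_BONUS = 0.02      # assumed: bonus per additional distinct tier
CONFIDENCE_CAP = 0.995         # assumed: aggregated proof never reaches 1.0
NOT_AFFECTED_THRESHOLD = 0.90  # assumed: minimum to emit VEX "not_affected"

@dataclass(frozen=True)
class Evidence:
    tier: Tier
    confidence: float
    source: str  # constructed label such as "DSA-0000-1"

@dataclass(frozen=True)
class EvidenceSummary:
    status: str       # "backported" or "vulnerable_unknown"
    confidence: float
    tiers: tuple      # distinct tiers that contributed evidence
    bonus: float

def combine_evidence(evidence):
    """Best single-tier confidence plus a bonus per additional distinct tier,
    capped. No evidence at all is the VulnerableUnknown case, not a weak backport."""
    if not evidence:
        return EvidenceSummary("vulnerable_unknown", 0.0, (), 0.0)
    for ev in evidence:  # reject confidences outside the tier's documented range
        lo, hi = CONFIDENCE_RANGE[ev.tier]
        if not lo <= ev.confidence <= hi:
            raise ValueError(f"{ev.tier.name} confidence {ev.confidence} not in [{lo}, {hi}]")
    tiers = tuple(sorted({ev.tier for ev in evidence}, key=lambda t: t.value))
    best = max(ev.confidence for ev in evidence)
    bonus = MULTI_SOURCE_BONUS * (len(tiers) - 1)  # same tier twice earns nothing
    return EvidenceSummary("backported", min(best + bonus, CONFIDENCE_CAP), tiers, bonus)

def vex_status(summary):
    """Map aggregated proof to a VEX status; unknown never becomes not_affected."""
    if summary.status == "backported" and summary.confidence >= NOT_AFFECTED_THRESHOLD:
        return "not_affected"
    return "under_investigation"
```

The empty-evidence path is the one worth checking in review: it must surface as an explicit unknown rather than as a low-confidence "backported" verdict that a threshold could still let through.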