git.stella-ops.org/docs/features/unchecked/attestor/reachability-witness-proofs.md

Reachability Witness Proofs (Attestation Predicates, Call-Graph Evidence, UI Panels)

Module: Attestor

Status: IMPLEMENTED

Description

Full attestation predicates for reachability witness payloads including call paths, drift detection, and gate metadata. Entrypoint-to-vulnerable-symbol evidence trails as proof chain statements. UI evidence panels with E2E tests showing visual proof of reachability.

Implementation Details

  • Reachability Witness Payload: src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Statements/ReachabilityWitnessPayload.cs (with .Path) -- witness payload with complete call path data.
  • Reachability Witness Statement: Statements/ReachabilityWitnessStatement.cs -- in-toto statement for DSSE signing.
  • Witness Call Path Node: Statements/WitnessCallPathNode.cs -- node in the call path (function, file, line, module).
  • Witness Path Node: Statements/WitnessPathNode.cs -- generic path node with position metadata.
  • Witness Gate Info: Statements/WitnessGateInfo.cs -- security gate along the path (sanitizer, validator, auth check).
  • Witness Evidence Metadata: Statements/WitnessEvidenceMetadata.cs -- metadata about analysis tool, language, confidence, and assumptions.
  • Reachability Drift: Predicates/ReachabilityDriftPredicate.cs -- drift detection predicate. Statements/ReachabilityDriftStatement.cs -- drift statement.
  • Drift Metadata: Predicates/DriftAnalysisMetadata.cs, DriftPredicateSummary.cs, DriftedSinkPredicateSummary.cs -- drift analysis models.
  • Micro-Witness: Predicates/BinaryMicroWitnessPredicate.cs -- function-level witness. Predicates/MicroWitnessFunctionEvidence.cs -- function evidence.
  • DSSE Signing: Signing/ProofChainSigner.cs -- signs witness attestations.
  • Tests: __Tests/StellaOps.Attestor.ProofChain.Tests/ReachabilityWitnessTests.cs

E2E Test Plan

  • Create a ReachabilityWitnessPayload with a 6-node call path from entrypoint to vulnerable symbol and verify path structure
  • Add WitnessGateInfo entries (input validation gate, authentication gate) and verify gates are captured with pass/fail conditions
  • Sign the witness as ReachabilityWitnessStatement and verify the DSSE envelope is valid
  • Create a drift detection witness showing a new call path to a previously unreachable vulnerability and verify drift metadata
  • Verify WitnessEvidenceMetadata captures analysis confidence (e.g., 0.95 for static analysis, 0.70 for heuristic)
  • Create micro-witness function evidence for each node in the call path and verify call-stack depth tracking
  • Build a complete evidence trail: SBOM -> call graph -> witness -> VEX verdict and verify the chain is traversable
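As an added illustration of the first three steps of this plan (not StellaOps code; the C# types listed above are not reproduced), the Python below builds a reachability witness as an in-toto statement, checks that the path runs from an entrypoint to the vulnerable symbol with gates that sit on that path, and wraps it in a DSSE envelope signed over the PAE. HMAC-SHA256 stands in for the project's asymmetric ProofChainSigner so it runs on the standard library alone; the key, the predicate-type URI and every symbol name are constructed.

```python
import base64
import hashlib
import hmac
import json
# Demo key; HMAC-SHA256 stands in for DSSE's asymmetric signature so this runs on stdlib only (assumption).
DEMO_KEY = b"demo-witness-signing-key"
PAYLOAD_TYPE = "application/vnd.in-toto+json"
PREDICATE_TYPE = "https://example.invalid/reachability-witness/v1"  # placeholder URI

def validate_call_path(call_path):
    """Path must run entrypoint -> ... -> vulnerable symbol with contiguous depths."""
    if not call_path or call_path[0]["role"] != "entrypoint" or call_path[-1]["role"] != "vulnerable":
        return False
    return all(node["depth"] == i for i, node in enumerate(call_path))

def build_witness_statement(subject_sha256, call_path, gates, tool, confidence):
    """Wrap the witness predicate in an in-toto Statement; reject inconsistent evidence."""
    if not validate_call_path(call_path):
        raise ValueError("call path does not run from an entrypoint to the vulnerable symbol")
    if any(g["at"] not in {n["symbol"] for n in call_path} for g in gates):
        raise ValueError("gate refers to a symbol that is not on the path")
    return {"_type": "https://in-toto.io/Statement/v1",
            "subject": [{"name": "app.bin", "digest": {"sha256": subject_sha256}}],
            "predicateType": PREDICATE_TYPE,
            "predicate": {"callPath": call_path, "gates": gates,
                          "evidence": {"tool": tool, "confidence": confidence}}}

def pae(payload_type, payload):
    """DSSE Pre-Authentication Encoding: 'DSSEv1 <len> <type> <len> <body>'."""
    return b" ".join([b"DSSEv1", str(len(payload_type)).encode(), payload_type.encode(),
                      str(len(payload)).encode(), payload])

def sign_dsse(statement, key=DEMO_KEY):
    payload = json.dumps(statement, sort_keys=True, separators=(",", ":")).encode()
    sig = hmac.new(key, pae(PAYLOAD_TYPE, payload), hashlib.sha256).digest()
    return {"payloadType": PAYLOAD_TYPE, "payload": base64.b64encode(payload).decode(),
            "signatures": [{"keyid": "demo-key", "sig": base64.b64encode(sig).decode()}]}

def verify_dsse(envelope, key=DEMO_KEY):
    """Recompute the MAC over the PAE; return the statement, or None if anything changed."""
    payload = base64.b64decode(envelope["payload"])
    expected = hmac.new(key, pae(envelope["payloadType"], payload), hashlib.sha256).digest()
    if not any(hmac.compare_digest(expected, base64.b64decode(s["sig"])) for s in envelope["signatures"]):
        return None
    return json.loads(payload)

# Constructed 6-node path and two gates, mirroring the E2E test plan above.
SYMBOLS = ["Api.Post", "Validator.Check", "Auth.Require", "Orders.Create", "Xml.Load", "Xml.ParseExternal"]
CALL_PATH = [{"depth": i, "symbol": s, "role": "entrypoint" if i == 0 else
              "vulnerable" if i == len(SYMBOLS) - 1 else "internal"} for i, s in enumerate(SYMBOLS)]
GATES = [{"at": "Validator.Check", "kind": "input-validation", "passed": True},
         {"at": "Auth.Require", "kind": "authentication", "passed": True}]
```

Changing the payload type or any byte of the payload alters the PAE, so `verify_dsse` returns `None` for a tampered envelope even though the signature bytes are untouched.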