stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity
Files
e9aeadc04084353889b1c9dbf4487f5316f4421e
git.stella-ops.org/docs/features/checked/attestor/binary-fingerprint-evidence-generation.md
master e9aeadc040 save checkpoint
2026-02-14 09:11:48 +02:00

2.7 KiB
Raw Blame History

Binary Fingerprint Evidence Generation

Module

Attestor

Status

VERIFIED

Description

Extensive binary fingerprinting with disassembly, delta signatures, fingerprint indexing, and attestable proof generation covering ELF/PE analysis.

Implementation Details

  • Evidence Generator: src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Generators/BinaryFingerprintEvidenceGenerator.cs (with .Helpers partial) -- generates attestable proof segments from binary fingerprint analysis. Produces BinaryFingerprintEvidencePredicate payloads.
  • Binary Identity: __Libraries/StellaOps.Attestor.ProofChain/Predicates/BinaryIdentityInfo.cs -- binary identity (path, hash, format: ELF/PE/Mach-O, architecture).
  • Vulnerability Matching: BinaryVulnMatchInfo.cs -- links binary identity to CVE matches with confidence.
  • Micro-Witness Evidence: MicroWitnessBinaryRef.cs, MicroWitnessFunctionEvidence.cs -- function-level evidence linking fingerprints to reachability. MicroWitnessTooling.cs -- tool metadata.
  • Binary Diff Integration: src/Attestor/__Libraries/StellaOps.Attestor.StandardPredicates/BinaryDiff/ -- BinaryDiffPredicateBuilder.cs, BinaryDiffSectionModels.cs handle section-level diffing for delta signature computation.
  • Content-Addressed Storage: fingerprint evidence is content-addressed via ContentAddressedIdGenerator from __Libraries/StellaOps.Attestor.ProofChain/Identifiers/.
  • Note: Actual binary disassembly and fingerprint indexing lives in src/BinaryIndex/ module; Attestor provides the attestation layer wrapping those results.

E2E Test Plan

  • Generate fingerprint evidence from a binary analysis result containing ELF section hashes and verify BinaryFingerprintEvidencePredicate captures all section fingerprints
  • Generate fingerprint evidence from PE binary analysis and verify format-specific sections (.text, .rdata, .rsrc) are represented
  • Verify the evidence generator produces content-addressed IDs for each fingerprint evidence artifact
  • Create delta signatures by running the generator on two binary versions and verify the diff captures added/removed/changed sections
  • Verify MicroWitnessFunctionEvidence links specific functions to their fingerprint evidence
  • Run the generator twice on identical inputs and verify deterministic output (same evidence IDs)
  • Verify the generated evidence can be embedded in a DSSE-signed attestation via the proof chain signing infrastructure

Verification

Check Result
Tier 0 - Source Verification PASS
Tier 1 - Build + Code Review PASS
Tier 2 - Behavioral Verification PASS
Verified Date 2026-02-13
Run ID run-001