stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity
Files
e9aeadc04084353889b1c9dbf4487f5316f4421e
git.stella-ops.org/docs/features/checked/attestor/four-tier-backport-detection-system.md
master e9aeadc040 save checkpoint
2026-02-14 09:11:48 +02:00

2.4 KiB
Raw Blame History

Four-Tier Backport Detection System

Module

Attestor

Status

VERIFIED

Description

A four-tier evidence collection system for backport detection: Tier 1 (Distro Advisories, 0.98 confidence), Tier 2 (Changelog Mentions, 0.80), Tier 3 (Patch Headers + HunkSig, 0.85-0.90), Tier 4 (Binary Fingerprints, 0.55-0.85). BackportProofService orchestrates queries across all tiers and combines evidence into cryptographic ProofBlobs.

Implementation Details

  • BackportProofGenerator: src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Generators/BackportProofGenerator.cs -- orchestrator for multi-tier detection with partials:
    • .Tier1 -- Distro advisory matching (0.98 confidence)
    • .Tier2 -- Advisory-level evidence (0.90-0.95)
    • .Tier3 -- Changelog/patch header matching (0.80-0.85)
    • .Tier3Signature -- HunkSig binary signature matching
    • .Tier4 -- Binary fingerprint comparison (0.55-0.85)
    • .Confidence -- confidence scoring with multi-source bonus
    • .CombineEvidence -- evidence aggregation across tiers
    • .Status -- detection status tracking
    • .VulnerableUnknown -- unknown vulnerability handling
  • Evidence Summary: Generators/EvidenceSummary.cs -- aggregated evidence from all tiers.
  • Proof Blob: Models/ProofBlob.cs -- cryptographic proof container with SHA-256 hash.
  • Tests: __Tests/StellaOps.Attestor.ProofChain.Tests/BackportProofGeneratorTests.cs

E2E Test Plan

  • Run Tier 1 detection with a known distro advisory match and verify 0.98 confidence
  • Run Tier 2 detection with changelog evidence and verify 0.80 confidence
  • Run Tier 3 detection with patch header matching and verify 0.85-0.90 confidence
  • Run Tier 3 Signature detection with HunkSig binary comparison and verify confidence range
  • Run Tier 4 detection with binary fingerprint comparison and verify 0.55-0.85 confidence
  • Run all four tiers and verify CombineEvidence produces an aggregated result with multi-source bonus
  • Verify the combined evidence is wrapped in a cryptographic ProofBlob with valid SHA-256 hash
  • Test with a package having no backport evidence across all tiers and verify appropriate VulnerableUnknown handling

Verification

Check Result
Tier 0 - Source Verification PASS
Tier 1 - Build + Code Review PASS
Tier 2 - Behavioral Verification PASS
Verified Date 2026-02-13
Run ID run-001