git.stella-ops.org/docs/features/checked/attestor/minimal-reachability-subgraph-attestation.md
2026-02-14 09:11:48 +02:00


# Minimal Reachability Subgraph Attestation

| Field  | Value    |
|--------|----------|
| Module | Attestor |
| Status | VERIFIED |

## Description

Stores minimal call/data/control edge subgraphs connecting entrypoints to vulnerable sinks as attested evidence.

## Implementation Details

- **Reachability Subgraph Predicate**: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Predicates/ReachabilitySubgraphPredicate.cs` -- predicate containing the minimal subgraph (nodes and edges) connecting entrypoints to vulnerable sinks.
- **Reachability Subgraph Statement**: `Statements/ReachabilitySubgraphStatement.cs` -- in-toto statement wrapping the subgraph predicate for DSSE signing.
- **Witness Path Nodes**: `Statements/WitnessPathNode.cs` -- individual node in the subgraph (function name, file, line, module).
- **Witness Call Path Nodes**: `Statements/WitnessCallPathNode.cs` -- call-graph node with caller/callee relationship.
- **Witness Gate Info**: `Statements/WitnessGateInfo.cs` -- gate (security check, validation) along the path.
- **Witness Evidence Metadata**: `Statements/WitnessEvidenceMetadata.cs` -- metadata about the analysis that produced the subgraph.
- **Proof Graph Subgraph**: `Graph/ProofGraphSubgraph.cs` -- generic subgraph extraction from the proof graph (used to extract minimal subgraphs).
- **Proof Graph Path**: `Graph/ProofGraphPath.cs` -- traversal path through the graph.
- **Reachability Witness Payload**: `Statements/ReachabilityWitnessPayload.cs` (with `.Path`) -- payload with the full witness including the call path.
- **DSSE Signing**: `Signing/ProofChainSigner.cs` -- signs subgraph attestations into DSSE envelopes.
- **Tests**: `__Tests/StellaOps.Attestor.ProofChain.Tests/ReachabilitySubgraphTests.cs`

## E2E Test Plan

- Create a `ReachabilitySubgraphPredicate` with a minimal subgraph (entrypoint -> intermediate -> vulnerable sink) and verify all nodes and edges are present
- Build a `ReachabilitySubgraphStatement` and sign it via `ProofChainSigner`; verify the DSSE envelope is valid
- Create a subgraph with a `WitnessGateInfo` (e.g., input validation) along the path and verify the gate is captured
- Verify `WitnessEvidenceMetadata` captures the analysis tool, language, and confidence for the subgraph
- Extract a minimal subgraph from a larger `InMemoryProofGraphService` graph using `ProofGraphSubgraph` and verify it contains only the relevant path
- Create a subgraph with multiple paths to the same sink and verify all paths are captured
- Verify the subgraph predicate's content-addressed ID is deterministic: the same subgraph produces the same ID
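The extraction, content-addressing and signing steps exercised by this plan, as an added Python example that is not the project's C# code: the sample call graph, the predicate shape, the `predicateType` URI and the `minimal_subgraph`/`content_id`/`dsse_pae` names are assumptions for illustration, while the in-toto Statement type and the DSSE v1 pre-authentication encoding follow the public specifications.

```python
import hashlib
import json
from collections import deque
SAMPLE_EDGES = [  # constructed sample call graph (not the project's data): (caller, callee)
    ("http.handler", "parse_request"),
    ("parse_request", "validate_input"),    # gate on the path
    ("validate_input", "render_template"),
    ("render_template", "eval_expr"),       # vulnerable sink
    ("http.handler", "log_request"),        # branch that never reaches the sink
    ("cron.job", "cleanup"),                # unrelated entrypoint
]

def minimal_subgraph(edges, entrypoints, sinks):
    """Keep a node iff it is forward-reachable from an entrypoint AND backward-reachable from a sink."""
    fwd, bwd = {}, {}
    for a, b in edges:
        fwd.setdefault(a, set()).add(b)
        bwd.setdefault(b, set()).add(a)
    def reach(start, adj):
        seen, queue = set(start), deque(start)
        while queue:
            for m in adj.get(queue.popleft(), ()):
                if m not in seen:
                    seen.add(m)
                    queue.append(m)
        return seen
    keep = reach(entrypoints, fwd) & reach(sinks, bwd)
    return sorted(keep), sorted((a, b) for a, b in edges if a in keep and b in keep)

def build_predicate(nodes, edges, gates, evidence):  # hypothetical shape mirroring the page's fields
    return {"nodes": [{"id": n, "kind": "gate" if n in gates else "call"} for n in nodes],
            "edges": [{"from": a, "to": b, "type": "call"} for a, b in edges],
            "evidence": evidence}

def content_id(predicate):
    # Canonical JSON (sorted keys, no whitespace): the same subgraph always yields the same digest.
    canon = json.dumps(predicate, sort_keys=True, separators=(",", ":")).encode()
    return "sha256:" + hashlib.sha256(canon).hexdigest()

def build_statement(predicate, subject_name, subject_sha256):
    # in-toto Statement v1 wrapping the predicate; the predicateType URI is a placeholder.
    return {"_type": "https://in-toto.io/Statement/v1",
            "subject": [{"name": subject_name, "digest": {"sha256": subject_sha256}}],
            "predicateType": "urn:example:reachability-subgraph/v1",
            "predicate": predicate}

def dsse_pae(payload_type, payload):
    # DSSE v1 pre-authentication encoding: the exact bytes a DSSE signer signs over.
    return b"DSSEv1 %d %s %d %s" % (len(payload_type), payload_type.encode(), len(payload), payload)
```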

## Verification

| Check                             | Result |
|-----------------------------------|--------|
| Tier 0 - Source Verification      | PASS   |
| Tier 1 - Build + Code Review      | PASS   |
| Tier 2 - Behavioral Verification  | PASS   |
| Verified Date                     | 2026-02-13 |
| Run ID                            | run-001 |