git.stella-ops.org/docs/features/unimplemented/binaryindex/binary-reachability-analysis.md
2026-02-12 10:27:23 +02:00

Binary Reachability Analysis

Module

BinaryIndex

Status

PARTIALLY_IMPLEMENTED

Description

Binary-level reachability analysis integrating with the ReachGraph and taint gate extraction for function-level exploitability assessment.

Implementation Details

  • Modules: src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Analysis/
  • Key Classes:
    • ReachGraphBinaryReachabilityService (src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Analysis/ReachGraphBinaryReachabilityService.cs) - connects binary analysis to the ReachGraph module for function-level reachability
    • TaintGateExtractor (src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Analysis/TaintGateExtractor.cs) - identifies taint gate types (BoundsCheck, NullCheck, AuthCheck, PermissionCheck, TypeCheck) from condition strings
    • SignatureMatcher (src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Analysis/SignatureMatcher.cs) - matches vulnerability signatures at the binary level
  • Models: AnalysisResultModels, FingerprintModels, SignatureIndexModels (src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Analysis/Models/)
  • Interfaces: defined in Interfaces.cs, implementations in Implementations.cs

E2E Test Plan

  • Submit a binary with a known vulnerable function and verify reachability analysis identifies it as reachable from entry points
  • Verify TaintGateExtractor correctly classifies all gate types (bounds, null, auth, permission, type checks)
  • Verify that unreachable vulnerable functions reduce the exploitability score
  • Verify integration between ReachGraphBinaryReachabilityService and the ReachGraph module
  • Verify that taint gate presence between entry point and vulnerable function is reflected in the analysis result

Verification Outcome (run-001)

  • Tier 0/1/2 artifacts: docs/qa/feature-checks/runs/binaryindex/binary-reachability-analysis/run-001/
  • Result: not implemented at claim parity.
  • Missing behavior:
    • Implementations.cs still contains NotImplementedException stubs for fingerprint extraction and related reachability pipeline contracts.
    • Service registration defaults to stub/null analysis components (FingerprintExtractor, ReachabilityAnalyzer, NullBinaryReachabilityService) rather than full production reachability wiring.
    • ReachGraphBinaryReachabilityService.FindPathsAsync uses simplified two-node path construction, not full graph-path tracing semantics claimed by the feature.
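
To show what the last gap costs, here is an added sketch (not StellaOps code) of full path tracing from an entry point to a vulnerable function, recording the taint gates crossed on each path. The call graph, the function names and `FindPaths` are hypothetical; only the gate type names come from the TaintGateExtractor list above.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

enum Gate { None, BoundsCheck, NullCheck, AuthCheck, PermissionCheck, TypeCheck }

static class ReachabilityDemo
{
    // Constructed call graph: caller -> (callee, gate guarding that call site).
    static readonly Dictionary<string, (string Callee, Gate Guard)[]> Calls = new()
    {
        ["main"]          = new[] { ("parse_request", Gate.None), ("admin_panel", Gate.AuthCheck) },
        ["parse_request"] = new[] { ("copy_header", Gate.BoundsCheck) },
        ["copy_header"]   = new[] { ("vuln_memcpy", Gate.None) },
        ["admin_panel"]   = new[] { ("vuln_memcpy", Gate.None) },
        ["dead_code"]     = new[] { ("vuln_unused", Gate.None) }, // never called from main
    };

    // Depth-first enumeration of every simple path from node to target, carrying
    // the gates crossed so far. A two-node [entry, target] result would lose both
    // the intermediate functions and the gates that sit between them.
    static IEnumerable<(List<string> Nodes, List<Gate> Gates)> FindPaths(
        string node, string target, List<string> nodes, List<Gate> gates)
    {
        nodes.Add(node);
        if (node == target)
            yield return (new List<string>(nodes), new List<Gate>(gates));
        else if (Calls.TryGetValue(node, out var outgoing))
            foreach (var (callee, guard) in outgoing)
            {
                if (nodes.Contains(callee)) continue; // skip cycles (recursion)
                if (guard != Gate.None) gates.Add(guard);
                foreach (var path in FindPaths(callee, target, nodes, gates)) yield return path;
                if (guard != Gate.None) gates.RemoveAt(gates.Count - 1);
            }
        nodes.RemoveAt(nodes.Count - 1); // backtrack
    }

    static void Main()
    {
        foreach (var target in new[] { "vuln_memcpy", "vuln_unused" })
        {
            var paths = FindPaths("main", target, new(), new()).ToList();
            Console.WriteLine($"{target}: reachable={paths.Any()}");
            foreach (var (nodes, gates) in paths)
                Console.WriteLine($"  {string.Join(" -> ", nodes)}  gates=[{string.Join(", ", gates)}]");
        }
    }
}
```

On this graph `vuln_memcpy` is reached by two distinct paths, one behind a BoundsCheck and one behind an AuthCheck, while `vuln_unused` has no path from `main`; those are the cases the E2E test plan asks the analysis result to distinguish.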