stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity
Files
f4eb64fefcd7d2353b42aed44cb732780e861ea4
git.stella-ops.org/docs/features/checked/attestor/call-stack-reachability-analysis.md
master e9aeadc040 save checkpoint
2026-02-14 09:11:48 +02:00

2.7 KiB
Raw Blame History

Call-Stack Reachability Analysis

Module

Attestor

Status

VERIFIED

Description

Multi-language call-stack reachability analysis with symbol matching and canonicalization supporting .NET, Java, native (ELF), and scripting languages, plus benchmarking infrastructure with ground-truth validation.

Implementation Details

  • Reachability Witness Payload: src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Statements/ReachabilityWitnessPayload.cs (with .Path partial) -- captures call-stack paths from entry points to vulnerable functions.
  • Witness Call Path Node: Statements/WitnessCallPathNode.cs -- individual node in a call-stack path with function name, module, and language.
  • Witness Path Node: Statements/WitnessPathNode.cs -- simplified path node for witness evidence.
  • Witness Evidence Metadata: Statements/WitnessEvidenceMetadata.cs -- metadata about the analysis tool and language used.
  • Witness Gate Info: Statements/WitnessGateInfo.cs -- gate configuration for policy evaluation of reachability evidence.
  • Reachability Witness Statement: Statements/ReachabilityWitnessStatement.cs -- wraps payload as in-toto statement.
  • Path Witness Predicate Types: src/Attestor/StellaOps.Attestor/StellaOps.Attestor.Core/PathWitnessPredicateTypes.cs -- predicate type URIs for different path witness types.
  • Micro-Witness Function Evidence: Predicates/MicroWitnessFunctionEvidence.cs -- function-level evidence from call-stack analysis.
  • Note: Actual call-graph analysis and symbol matching lives in src/ReachGraph/ and src/Scanner/; Attestor provides the attestation wrapper.

E2E Test Plan

  • Create a ReachabilityWitnessPayload with a call-stack path containing 5 nodes (entry -> intermediate -> intermediate -> intermediate -> vulnerable function) and verify all nodes are captured
  • Create WitnessCallPathNode entries with .NET namespaced symbols and verify symbol canonicalization preserves full type qualification
  • Create path nodes with Java package-style symbols and verify correct representation
  • Create WitnessEvidenceMetadata specifying the analysis tool and language, wrap in statement, and verify metadata persists
  • Verify WitnessGateInfo correctly captures policy gate thresholds for reachability evidence
  • Create MicroWitnessFunctionEvidence linking a specific function to call-stack evidence and verify the reference chain
  • Wrap a reachability witness in an in-toto statement and verify the predicate type matches PathWitnessPredicateTypes

Verification

Check Result
Tier 0 - Source Verification PASS
Tier 1 - Build + Code Review PASS
Tier 2 - Behavioral Verification PASS
Verified Date 2026-02-13
Run ID run-001