git.stella-ops.org/docs/features/unchecked/attestor/binary-diff-with-deterministic-signatures.md

Binary Diff with Deterministic Signatures

Module

Attestor

Status

IMPLEMENTED

Description

Binary diff analysis with DSSE-signed evidence output is implemented. The system compares binaries, produces deterministic diff signatures, serializes predicates, and integrates with VEX evidence linking. While the advisory specifically mentions B2R2 IR lifting, the implemented approach uses binary section-level diffing with DSSE attestation.

Implementation Details

  • BinaryDiff Predicate System: src/Attestor/__Libraries/StellaOps.Attestor.StandardPredicates/BinaryDiff/ -- full predicate lifecycle:
    • BinaryDiffPredicateBuilder.cs (with .Build) -- constructs predicates from diff findings
    • BinaryDiffPredicateSerializer.cs (with .Normalize) -- deterministic serialization via normalization
    • BinaryDiffDsseSigner.cs -- DSSE envelope signing for deterministic signatures
    • BinaryDiffDsseVerifier.cs (with .Helpers) -- signature verification
    • BinaryDiffSectionModels.cs -- section-level diff models for ELF/PE binaries
  • Evidence Integration: src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Generators/BinaryFingerprintEvidenceGenerator.cs (with .Helpers partial) -- generates fingerprint evidence from binary analysis.
  • Binary Identity: __Libraries/StellaOps.Attestor.ProofChain/Predicates/BinaryIdentityInfo.cs -- binary identity model. BinaryVulnMatchInfo.cs -- vulnerability match details.
  • Binary Fingerprint Predicate: BinaryFingerprintEvidencePredicate.cs -- predicate for fingerprint evidence.
  • VEX Integration: VexProofIntegrator.cs links binary diff evidence to VEX decisions.
  • Tests: __Tests/StellaOps.Attestor.StandardPredicates.Tests/BinaryDiff/ -- builder, serializer, signer, schema validation tests

E2E Test Plan

  • Perform a binary diff between two versions of a binary and produce a BinaryDiffPredicateBuilder output with section-level changes
  • Serialize the diff predicate via BinaryDiffPredicateSerializer.Normalize and verify byte-for-byte determinism across two invocations
  • Sign the normalized predicate via BinaryDiffDsseSigner and verify the DSSE envelope signature is valid
  • Verify the signed diff evidence via BinaryDiffDsseVerifier and confirm integrity
  • Generate binary fingerprint evidence via BinaryFingerprintEvidenceGenerator from a binary with known vulnerability matches and verify BinaryVulnMatchInfo is populated
  • Link binary diff evidence to a VEX decision via VexProofIntegrator and verify the proof chain includes the diff artifact
  • Create diff findings for both ELF and PE section types and verify BinaryDiffSectionModels handles both formats
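
The normalize, sign and verify steps of the test plan, as an added Python sketch that is not Stella Ops code. The predicate field names, the predicate type URI and the demo key are assumptions, and HMAC-SHA256 stands in for the asymmetric signer a real DSSE deployment would use; only the DSSE pre-authentication encoding and envelope layout follow the DSSE specification.

```python
import base64, hashlib, hmac, json

PAYLOAD_TYPE = "application/vnd.in-toto+json"
PREDICATE_TYPE = "https://example.invalid/binary-diff/v1"  # hypothetical URI
DEMO_KEY = b"constructed-demo-key"  # constructed; HMAC is a stand-in signer

def normalize(subject_sha256, sections):
    """Canonical bytes: sections sorted by name, keys sorted, no whitespace."""
    statement = {
        "_type": "https://in-toto.io/Statement/v1",
        "subject": [{"name": "binary", "digest": {"sha256": subject_sha256}}],
        "predicateType": PREDICATE_TYPE,
        "predicate": {"sections": sorted(sections, key=lambda s: s["name"])},
    }
    return json.dumps(statement, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")

def pae(payload_type, payload):
    """DSSE pre-authentication encoding: the bytes that are actually signed."""
    t = payload_type.encode("utf-8")
    return b"DSSEv1 %d %b %d %b" % (len(t), t, len(payload), payload)

def sign(payload, key=DEMO_KEY):
    sig = hmac.new(key, pae(PAYLOAD_TYPE, payload), hashlib.sha256).digest()
    return {
        "payloadType": PAYLOAD_TYPE,
        "payload": base64.b64encode(payload).decode(),
        "signatures": [{"keyid": "demo", "sig": base64.b64encode(sig).decode()}],
    }

def verify(envelope, key=DEMO_KEY):
    """Return the payload bytes if the signature checks out, else None."""
    try:
        payload = base64.b64decode(envelope["payload"], validate=True)
        sig = base64.b64decode(envelope["signatures"][0]["sig"], validate=True)
        # Bind the check to the envelope's own payloadType, not a trusted constant.
        signed = pae(envelope["payloadType"], payload)
    except (KeyError, IndexError, TypeError, ValueError, AttributeError):
        return None
    expected = hmac.new(key, signed, hashlib.sha256).digest()
    return payload if hmac.compare_digest(sig, expected) else None

# Constructed ELF section findings; the test feeds them in different orders.
TEXT = {"name": ".text", "format": "elf", "status": "modified"}
RODATA = {"status": "identical", "format": "elf", "name": ".rodata"}
```

Callers should consume only the payload returned by verify, never fields read from the envelope before verification.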