Reachability as Evidence

Prove Whether Vulnerable Code is Actually Called

Three-layer analysis — static call graphs, binary symbol matching, runtime eBPF probes — produces signed DSSE proofs that cut 70-90% of false positives.

Three-Layer Analysis

Each layer provides progressively stronger evidence that a vulnerable function is (or isn't) reachable from your application code.

Layer 1

Static Call-Graph Analysis

Extract call graphs from bytecode, AST, and source code. Trace paths from entrypoints to vulnerable symbols.

  • Language support: Go, Rust, C#, Java, Python, JavaScript, C/C++
  • Handles virtual dispatch, interface calls, and reflection with conservative approximation
  • Produces a DAG with a reachability state per node

Layer 2

Binary Symbol Analysis

Match vulnerable symbols against compiled binary exports. Confirms the code is actually linked.

  • Symbol table extraction from ELF, PE, Mach-O
  • Cross-references DWARF/PDB debug info when available

Layer 3

Runtime eBPF Probes

Optional production profiling. Captures actual function invocations during execution.

  • Tetragon-based eBPF instrumentation
  • Records symbol_id, code_id, hit_count, loader_base
  • Privacy-preserving: no argument values captured

Result: 70-90% fewer false positives. Focus on 12 reachable CVEs instead of 487 theoretical ones.

Node Hash Joins

Reachability evidence is content-addressed for deduplication and verification. Node hashes enable efficient diffing between versions.

Node Hash

SHA256(normalize(purl) + ":" + normalize(symbol))

Path Hash

SHA256(entryNodeHash + ":" + joinedIntermediateHashes + ":" + sinkNodeHash)

Top-K significant paths are preserved in the evidence bundle. Paths are ranked by execution frequency (from runtime) or call depth (from static).

Unknowns as First-Class State

When analysis cannot determine reachability, the uncertainty is tracked explicitly — not hidden or silently assumed safe.

Reachability Bucket    Default Weight
Entrypoint             1.0
Direct call            0.85
Runtime confirmed      0.45
Unknown                0.5
Unreachable            0.0

Final score = max(bucket_weights) across all paths. Unknown nodes contribute to risk scoring rather than being ignored.
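As an added example (not Stella Ops code), the node-hash and path-hash formulas and the max-of-bucket-weights score from the two sections above, in Python. The normalize() rule and the ":" separator between intermediate hashes are assumptions, since the page does not define them, and the purls and symbols in example_path() are constructed.

```python
import hashlib

# Default bucket weights from the table above.
BUCKET_WEIGHTS = {
    "entrypoint": 1.0,
    "direct_call": 0.85,
    "runtime_confirmed": 0.45,
    "unknown": 0.5,
    "unreachable": 0.0,
}

def normalize(value: str) -> str:
    # Assumption: the page does not define normalize(); trimming and
    # lower-casing keeps cosmetic purl/symbol differences from changing the hash.
    return value.strip().lower()

def node_hash(purl: str, symbol: str) -> str:
    # SHA256(normalize(purl) + ":" + normalize(symbol)), hex-encoded.
    data = f"{normalize(purl)}:{normalize(symbol)}".encode()
    return hashlib.sha256(data).hexdigest()

def path_hash(node_hashes: list[str]) -> str:
    # SHA256(entryNodeHash + ":" + joinedIntermediateHashes + ":" + sinkNodeHash).
    # Assumption: intermediate hashes are joined with ":" in call order.
    if len(node_hashes) < 2:
        raise ValueError("a path needs at least an entry node and a sink node")
    entry, *intermediates, sink = node_hashes
    data = f"{entry}:{':'.join(intermediates)}:{sink}".encode()
    return hashlib.sha256(data).hexdigest()

def final_score(path_buckets: list[str]) -> float:
    # Final score = max(bucket_weights) across all paths to the vulnerable
    # symbol. An "unknown" path still scores 0.5 rather than being dropped.
    unknown = [b for b in path_buckets if b not in BUCKET_WEIGHTS]
    if unknown:
        raise KeyError(f"unrecognised bucket(s): {unknown}")
    weights = (BUCKET_WEIGHTS[b] for b in path_buckets)
    return max(weights, default=BUCKET_WEIGHTS["unreachable"])

def example_path() -> tuple[str, float]:
    # Constructed sample (made-up purls and symbols): an app entrypoint reaching
    # a vulnerable dependency symbol through one intermediate handler.
    nodes = [
        node_hash("pkg:golang/example.com/app@1.0.0", "main.main"),
        node_hash("pkg:golang/example.com/app@1.0.0", "handlers.Upload"),
        node_hash("pkg:golang/github.com/acme/archive@0.3.1", "archive.Extract"),
    ]
    # One direct call resolved statically, one unresolved dispatch (unknown).
    return path_hash(nodes), final_score(["direct_call", "unknown"])
```

Because the inputs are normalized before hashing, two scans of the same version produce identical node and path hashes, which is what makes diffing evidence bundles between versions cheap.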

DSSE Signed Proofs

Every reachability analysis produces a cryptographically signed proof stored in content-addressed storage.

  • DSSE envelope with in-toto SLSA predicate format
  • Verifiable by auditors without network access
  • Deterministic replay produces bit-identical results
  • Graph and traces archived for offline verification

Content-Addressed Storage Paths

cas://reachability_graphs/<hh>/<sha>.tar.zst

cas://runtime_traces/<hh>/<sha>.tar.zst

eBPF Runtime Probes

Optional Tetragon-based instrumentation captures actual function executions in production, providing the highest-confidence reachability evidence.

Captured Probe Data

symbol_id: canonical symbol identifier

code_id: code section identifier

hit_count: execution frequency

loader_base: memory base address

cas_uri: content-addressed reference

Probes submit observations to /api/v1/observations in batches. Each observation includes the CAS URI for the underlying artifact.

Ready to cut false positives by 70-90%?

Install Stella Ops and start producing signed reachability proofs with three-layer analysis.