Reachability as Evidence

Prove Whether Vulnerable Code is Actually Called

Three-layer analysis — static call graphs, binary symbol matching, runtime eBPF probes — produces signed DSSE proofs that meaningfully reduce false positives.

Start verified trial See all features

What this means for your business

Fix only vulnerabilities your app can actually hit — skip the rest. Stella proves which CVEs are reachable so your team focuses on real risk, not scanner noise. Reachability?Analysis that proves whether vulnerable code is actually called by your application — filtering out false positives from scanner noise

30-Second Executive Summary

Up to 70-90%

Typical Noise Reduction

Observed range varies by stack and coverage.

Analysis Layers

Static call graphs, binary symbols, runtime eBPF probes

100%

Signed & Replayable

Every reachability verdict is DSSE-signed evidence

Three-Layer Analysis

Each layer provides progressively stronger evidence that a vulnerable function is (or isn't) reachable from your application code. CVE?Common Vulnerabilities and Exposures - a unique identifier for a publicly known security vulnerability

Layer 1

Static Call-Graph Analysis

Extract call graphs from bytecode, AST, and source code. Trace paths from entrypoints to vulnerable symbols.

• Language support: Go, Rust, C#, Java, Python, JavaScript, C/C++
• Handles virtual dispatch, interface calls, reflection with conservative approximation
• Produces DAG with reachability state per node

Layer 2

Binary Symbol Analysis

Match vulnerable symbols against compiled binary exports. Confirms the code is actually linked.

• Symbol table extraction from ELF, PE, Mach-O
• Cross-references DWARF/PDB debug info when available

Layer 3

Runtime eBPF Probes

Optional production profiling. Captures actual function invocations during execution.

• Tetragon-based eBPF?Extended Berkeley Packet Filter — a Linux kernel technology that runs sandboxed programs for high-performance observability and runtime analysis without kernel modules instrumentation
• Records symbol_id, code_id, hit_count, loader_base
• Privacy-preserving: no argument values captured

Result: Significantly fewer false positives. Focus on reachable CVEs instead of hundreds of theoretical ones.

Implementation: node hash joins

evidence is content-addressed for deduplication and verification. Node hashes enable efficient diffing between versions. Node Hash SHA256(normalize(purl) + ":" + normalize(symbol)) Path Hash SHA256(entryNodeHash + ":" + joinedIntermediateHashes + ":" + sinkNodeHash) Top-K significant paths are preserved in the evidence bundle. Paths are ranked by execution frequency (from runtime) or call depth (from static).

Reachability evidence is content-addressed for deduplication and verification. Node hashes enable efficient diffing between versions.

Node Hash

SHA256(normalize(purl) + ":" + normalize(symbol))

Path Hash

SHA256(entryNodeHash + ":" + joinedIntermediateHashes + ":" + sinkNodeHash)

Top-K significant paths are preserved in the evidence bundle. Paths are ranked by execution frequency (from runtime) or call depth (from static).

Unknowns as First-Class State

When analysis cannot determine reachability, the uncertainty is tracked explicitly — not hidden or silently assumed safe.

`Reachability?Analysis that proves whether vulnerable code is actually called by your application — filtering out false positives from scanner noise` Bucket	Default Weight
Entrypoint	1.0
Direct call	0.85
Runtime confirmed	0.45
Unknown	0.5
Unreachable	0.0

Final score = max(bucket_weights) across all paths. Unknown nodes contribute to risk scoring rather than being ignored.

Reachability coverage matrix for policy gating

Before enabling hard blocking in production, validate coverage on your own code corpus. The matrix below describes how to evaluate each language/runtime path and how unknowns should be treated.

Language/runtime	Static call path	Binary/symbol evidence	Runtime evidence	Default gate when unknown
Go, Rust, C/C++	Validate direct and transitive call-path extraction	Validate symbol/build-id matching accuracy	Optional eBPF confirmation for high-risk services	Review or block on critical findings by policy
Java and JVM languages	Validate method-level reachability and dynamic dispatch cases	Validate bytecode/jar symbol mapping	Runtime traces recommended for reflective paths	Route unknowns to manual review lane
.NET	Validate IL call graph and package lineage	Validate PDB/symbol resolution in release builds	Runtime confirmation for trimmed/AOT scenarios	Review unknowns before allow decision
Node, Python, Ruby, PHP	Validate framework entrypoints and dynamic import boundaries	Symbol evidence is partial by design for dynamic dispatch	Runtime traces strongly recommended	Keep unknown as explicit state and require approval

Policy recommendation: treat unknown as a first-class verdict, set explicit thresholds per severity, and log reviewer override reasons in the evidence bundle.

Implementation: signed proofs

Every reachability analysis produces a cryptographically signed proof stored in content-addressed storage. DSSE?Dead Simple Signing Envelope - a simple, flexible standard for signing arbitrary data with cryptographic signatures envelope with predicate format Verifiable by auditors without network access Deterministic replay produces bit-identical results Graph and traces archived for offline verification Content-Addressed Storage Paths cas://reachability_graphs/<hh>/<sha>.tar.zst cas://runtime_traces/<hh>/<sha>.tar.zst

Every reachability analysis produces a cryptographically signed proof stored in content-addressed storage. DSSE?Dead Simple Signing Envelope - a simple, flexible standard for signing arbitrary data with cryptographic signatures

DSSE?Dead Simple Signing Envelope - a simple, flexible standard for signing arbitrary data with cryptographic signatures envelope with in-toto?A framework for securing the software supply chain by verifying that each step was carried out as planned and by authorized actors SLSA?Supply-chain Levels for Software Artifacts — a framework for ensuring the integrity of software artifacts throughout the supply chain predicate format
Verifiable by auditors without network access
Deterministic replay produces bit-identical results
Graph and traces archived for offline verification

Content-Addressed Storage Paths

cas://reachability_graphs/<hh>/<sha>.tar.zst

cas://runtime_traces/<hh>/<sha>.tar.zst

Implementation: eBPF probes

Optional Tetragon-based instrumentation captures actual function executions in production, providing the highest-confidence reachability evidence. Captured Probe Data symbol_id: canonical symbol identifier code_id: code section identifier hit_count: execution frequency loader_base: memory base address cas_uri: content-addressed reference Probes submit observations to /api/v1/observations in batches. Each observation includes the CAS URI for the underlying artifact.

Optional Tetragon-based instrumentation captures actual function executions in production, providing the highest-confidence reachability evidence.

Captured Probe Data

symbol_id: canonical symbol identifier

code_id: code section identifier

hit_count: execution frequency

loader_base: memory base address

cas_uri: content-addressed reference

Probes submit observations to /api/v1/observations in batches. Each observation includes the CAS URI for the underlying artifact.

Ready to reduce false positives?

Install Stella Ops and start producing signed reachability proofs with three-layer analysis.

Start verified trial Read technical docs