|
114 | 114 | (2)~\emph{contextual taint analysis via miniKanren}, which determines |
115 | 115 | whether a vulnerability class is actually reachable through |
116 | 116 | source-to-sink data flow tracking in the developer's code; and |
117 | | -(3)~\emph{three-way mitigation classification with formal proofs in |
118 | | -Idris2}, where every CVE is classified as \textsc{Mitigable} (with a |
119 | | -machine-checked soundness proof), \textsc{Unmitigable} (with a proof |
120 | | -that no candidate mitigation preserves application behaviour while |
121 | | -preventing exploitation), or \textsc{Concatenative} (where individually |
122 | | -insufficient mitigations compose to become sufficient, verified by a |
123 | | -compositional proof). Integrated as a pre-commit hook via the |
124 | | -\texttt{assail} subcommand, \textsc{Patch Bridge} reduces false positive |
125 | | -rates by 73\% through contextual reachability filtering while providing |
126 | | -the first formally verified mitigation lifecycle for software supply |
127 | | -chain vulnerabilities. Our implementation is open-source, written in Rust |
| 117 | +(3)~\emph{three-way mitigation classification with formal proof structure |
| 118 | +in Idris2}, where every CVE is classified as \textsc{Mitigable} (with an |
| 119 | +Idris2 proof obligation attesting mitigation soundness), \textsc{Unmitigable} |
| 120 | +(with a proof obligation that no candidate mitigation preserves application |
| 121 | +behaviour while preventing exploitation), or \textsc{Concatenative} (where |
| 122 | +individually insufficient mitigations compose to become sufficient, supported |
| 123 | +by a compositional argument). Integrated as a pre-commit hook via the |
| 124 | +\texttt{assail} subcommand, \textsc{Patch Bridge} substantially reduces |
| 125 | +false positive rates through contextual reachability filtering, providing |
| 126 | +the first formally structured mitigation lifecycle for software supply |
| 127 | +chain vulnerabilities with machine-checkable proof templates. Our implementation is open-source, written in Rust |
128 | 128 | with an embedded miniKanren engine and Idris2 proof obligations. |
129 | 129 | \end{abstract} |
130 | 130 |
|
@@ -620,13 +620,15 @@ \subsection{Classification Categories} |
620 | 620 | prevent exploitation, while preserving the application's required |
621 | 621 | behaviour. Examples include input validation, sandboxing, feature |
622 | 622 | disabling, configuration changes, and drop-in replacements from |
623 | | - verified repositories. The classification carries a |
624 | | - \emph{machine-checked soundness proof}. |
| 623 | + verified repositories. The classification carries an |
| 624 | + \emph{Idris2 proof obligation} (a proof template that is checked by |
| 625 | + the Idris2 type checker; full mechanised closure is future work). |
625 | 626 | \item[\textsc{Unmitigable}.] No feasible mitigation exists given the |
626 | 627 | application's constraints. The vulnerability is reachable, |
627 | 628 | exploitable, and every candidate mitigation either fails to prevent |
628 | 629 | exploitation or breaks required application behaviour. The |
629 | | - classification carries a \emph{machine-checked impossibility proof}. |
| 630 | + classification carries an \emph{Idris2 impossibility argument} |
| 631 | + (proof template; full mechanisation is future work). |
630 | 632 | The recommended actions are: replace the dependency, rearchitect |
631 | 633 | the affected component, or accept the risk with documented |
632 | 634 | justification. |
@@ -1306,12 +1308,19 @@ \subsection{False Positive Reduction} |
1306 | 1308 | additional 55.1\% by determining that the vulnerable code paths are |
1307 | 1309 | not reachable from any untrusted input source. |
1308 | 1310 |
|
1309 | | -The combined 73.2\% reduction transforms the developer's experience |
1310 | | -from ``127 CVEs to investigate'' to ``34 CVEs that actually matter |
1311 | | -in my code.'' Manual verification of the filtered CVEs confirmed |
| 1311 | +The combined 73.2\% reduction in this study transforms the developer's |
| 1312 | +experience from ``127 CVEs to investigate'' to ``34 CVEs that actually |
| 1313 | +matter in my code.'' Manual verification of the filtered CVEs confirmed |
1312 | 1314 | zero true positives among the filtered set---all 93 removed CVEs were |
1313 | 1315 | genuinely unreachable in their respective projects. |
1314 | 1316 |
|
| 1317 | +\textbf{Limitations of this evaluation.} This result is from a single |
| 1318 | +study across a small set of projects; the 73.2\% figure is |
| 1319 | +dataset-specific and should not be generalised without broader empirical |
| 1320 | +validation. The methodology (project selection, scanner configuration, |
| 1321 | +manual verification procedure) is described below and should be |
| 1322 | +replicated before the figure is treated as a general-case baseline. |
| 1323 | + |
1315 | 1324 | \subsection{Classification Breakdown} |
1316 | 1325 |
|
1317 | 1326 | Of the 34 contextually reachable CVEs: |
|
0 commit comments