v0.7.9.1 — Authenticode & WIN_CERTIFICATE Metadata
Summary
v0.7.9.1 adds static Authenticode metadata extraction to IOCX’s PE engine, including full parsing of the WIN_CERTIFICATE structure, certificate‑table boundaries, and high‑value signature attributes.
This release focuses on deterministic extraction of signature metadata, conservative handling of malformed or deceptive certificate tables, and stable heuristics for signature‑related anomalies — while preserving IOCX’s static‑only, non‑cryptographic design.
Scope
v0.7.9.1 includes:
- certificate table parsing
- Authenticode structure metadata
- signature‑block boundary validation
- adversarial signature fixtures
- deterministic reason codes for malformed signature metadata
No cryptographic verification, trust evaluation, or dynamic analysis is introduced.
Goals
Extend IOCX’s static PE engine with:
- WIN_CERTIFICATE parsing
- Authenticode structure metadata
- signature offset + size validation
- deterministic handling of malformed or truncated signatures
- conservative heuristics for signature anomalies
All behaviour must remain reproducible and JSON‑safe.
Feature Requirements
1. Certificate Table Parsing (WIN_CERTIFICATE)
Add support for:
- certificate table offset + size validation (the security directory entry holds a raw file offset, not an RVA: the table is never mapped into memory)
- WIN_CERTIFICATE header parsing (Length, Revision, CertificateType)
- certificate blob boundaries (each entry is padded to an 8‑byte boundary before the next)
- detection of truncated or malformed certificate data
Expected behaviour:
Malformed certificate tables produce structured, non‑fatal errors; heuristics remain conservative; snapshot tests confirm determinism.
2. Authenticode Structure Extraction
Extract high‑value metadata:
- certificate type (X.509, PKCS#7, unknown)
- certificate length
- certificate revision
- certificate file offset (must lie outside the mapped image, i.e. at or after the end of the last section's raw data)
- signature block boundaries
Expected behaviour:
Metadata is stable and JSON‑safe; invalid fields handled conservatively.
3. Signature Boundary Validation
Add deterministic checks for:
- certificate table overlapping image sections
- certificate table located inside the image (invalid)
- certificate table extending beyond file size
- zero‑length certificate blobs
- impossible certificate sizes
Expected behaviour:
Invalid boundaries produce structured errors; no false positives on normal signed binaries; snapshot tests validate stability.
4. Adversarial Signature Fixtures
Add adversarial samples covering:
- truncated certificate tables
- certificate tables pointing inside the image
- certificate tables with impossible sizes
- fake signature blocks
- malformed WIN_CERTIFICATE headers
- deceptive “double signature” overlays
Expected behaviour:
Parser remains stable; output remains JSON‑safe; no nondeterministic behaviour.
5. Reason‑Code Expansion for Signature Issues
Add new deterministic reason codes:
- malformed_certificate_table
- certificate_inside_image
- certificate_size_anomaly
- truncated_certificate_blob
- invalid_certificate_type
- impossible_certificate_offset
Expected behaviour:
Codes are lowercase, snake_case, non‑overlapping, and snapshot‑stable.
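The following is an added worked example, not IOCX's own code: a static, non‑cryptographic walk of the PE security directory that implements the parsing of section 1, the metadata of section 2, the boundary checks of section 3 and the reason codes of section 5 in one pass. It assumes Python, handles both PE32 and PE32+ and multiple WIN_CERTIFICATE entries, and maps "table runs past end of file" onto malformed_certificate_table (that mapping is an assumption; the page only names the check). The PE fixtures are constructed in the block itself and are not real binaries.

```python
import json
import struct

# WIN_CERTIFICATE constants from the PE/COFF and Authenticode specifications.
IMAGE_DIRECTORY_ENTRY_SECURITY = 4
WIN_CERT_REVISIONS = {0x0100, 0x0200}                   # WIN_CERT_REVISION_1_0 / _2_0
CERT_TYPES = {0x0001: "x509", 0x0002: "pkcs7_signed_data",
              0x0003: "reserved_1", 0x0004: "ts_stack_signed"}


def parse_certificate_table(data: bytes) -> dict:
    """Walk the security directory without verifying anything.
    Returns a JSON-safe dict; malformed input yields reason codes, never an exception."""
    out = {"has_certificate_table": False, "security_directory": None,
           "certificates": [], "reasons": set(), "errors": []}
    try:
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if data[:2] != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
            raise ValueError("missing MZ/PE signature")
        nsec, opt_size = struct.unpack_from("<xxH12xH", data, e_lfanew + 4)
        opt = e_lfanew + 24
        magic = struct.unpack_from("<H", data, opt)[0]
        if magic == 0x10B:                              # PE32
            nrva, dd = opt + 92, opt + 96
        elif magic == 0x20B:                            # PE32+
            nrva, dd = opt + 108, opt + 112
        else:
            raise ValueError("unknown optional header magic 0x%04x" % magic)
        if struct.unpack_from("<I", data, nrva)[0] <= IMAGE_DIRECTORY_ENTRY_SECURITY:
            return _finish(out)                         # no security directory: unsigned
        # The security directory holds a raw FILE OFFSET, not an RVA (the table is never mapped).
        cert_off, cert_size = struct.unpack_from("<II", data, dd + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
        # End of the on-disk image: max raw section end, or SizeOfHeaders when there are no sections.
        image_end = struct.unpack_from("<I", data, opt + 60)[0]
        for i in range(nsec):
            raw_size, raw_ptr = struct.unpack_from("<II", data, opt + opt_size + 40 * i + 16)
            image_end = max(image_end, raw_ptr + raw_size)
    except (struct.error, ValueError) as exc:
        out["errors"].append({"stage": "pe_headers", "message": str(exc)})   # structured, non-fatal
        return _finish(out)

    out["security_directory"] = {"offset": cert_off, "size": cert_size}
    if cert_off == 0 and cert_size == 0:
        return _finish(out)                             # unsigned binary: nothing to flag
    out["has_certificate_table"] = True
    file_end = len(data)
    if cert_off >= file_end:
        out["reasons"].add("impossible_certificate_offset")
    if cert_off < image_end:
        out["reasons"].add("certificate_inside_image")  # overlaps headers or section raw data
    if cert_size < 8:
        out["reasons"].add("certificate_size_anomaly")  # cannot hold even one header
    if cert_off + cert_size > file_end:
        out["reasons"].add("malformed_certificate_table")  # table runs past EOF (assumed mapping)

    pos, end = cert_off, min(cert_off + cert_size, file_end)
    while pos + 8 <= end:
        length, revision, ctype = struct.unpack_from("<IHH", data, pos)
        entry = {"offset": pos, "length": length, "revision": "0x%04x" % revision,
                 "type": CERT_TYPES.get(ctype, "unknown"), "blob_length": 0, "truncated": False}
        if revision not in WIN_CERT_REVISIONS:
            out["reasons"].add("malformed_certificate_table")
        if ctype not in CERT_TYPES:
            out["reasons"].add("invalid_certificate_type")
        if length < 8 or length > cert_size:            # smaller than its header or larger than the table
            out["reasons"].add("certificate_size_anomaly")
            out["certificates"].append(entry)
            break                                       # dwLength cannot be trusted to advance
        if pos + length > end:
            entry["truncated"] = True
            out["reasons"].add("truncated_certificate_blob")
        entry["blob_length"] = min(pos + length, end) - pos - 8
        out["certificates"].append(entry)
        pos += (length + 7) & ~7                        # entries are quadword-aligned
    if not out["certificates"]:
        out["reasons"].add("malformed_certificate_table")
    return _finish(out)


def _finish(out: dict) -> dict:
    out["reasons"] = sorted(out["reasons"])             # stable ordering for snapshot tests
    return out


def to_json(report: dict) -> str:
    return json.dumps(report, sort_keys=True, separators=(",", ":"))


# --- constructed fixtures (not real binaries): minimal PE32+, one section, table at 0x400 ----
def win_certificate(blob: bytes, revision=0x0200, cert_type=0x0002) -> bytes:
    entry = struct.pack("<IHH", 8 + len(blob), revision, cert_type) + blob
    return entry + b"\0" * (-len(entry) % 8)            # pad to quadword alignment


def build_pe(cert_table: bytes, dir_offset=0x400, dir_size=None) -> bytes:
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                  # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x22)        # 1 section, 240-byte opt hdr
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                                # PE32+ magic
    struct.pack_into("<I", opt, 60, 0x200)                               # SizeOfHeaders
    struct.pack_into("<I", opt, 108, 16)                                 # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                     dir_offset, len(cert_table) if dir_size is None else dir_size)
    section = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    headers = (dos + b"PE\0\0" + coff + bytes(opt) + section).ljust(0x200, b"\0")
    return headers + b"\xcc" * 0x200 + cert_table


if __name__ == "__main__":
    good = build_pe(win_certificate(b"\x30\x82\x01\x00" + b"A" * 20))
    print(to_json(parse_certificate_table(good)))
    print(to_json(parse_certificate_table(build_pe(win_certificate(b"A" * 24), dir_offset=0x200))))
```

The parser deliberately stops walking once a dwLength is smaller than its own header or larger than the whole table, because advancing by an attacker-chosen length is how a "double signature" overlay steers a naive walker; everything it did manage to read is still reported. Sorting the reason set and serialising with sort_keys is what makes two runs over the same bytes produce byte-identical JSON for snapshot comparison.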
Output Requirements
All new signature metadata must produce:
- deterministic JSON output
- structured Detection objects where applicable
- stable snapshot results
Parser errors must be:
- structured
- non‑fatal
- deterministic
- JSON‑safe
Integration Requirements
- add signature fixtures under tests/contract/fixtures/layer2_signatures/
- add adversarial signature fixtures under layer3_adversarial/
- add snapshot tests for all new metadata
- no new extractors
- no dynamic analysis
- no heavy dependencies
Non‑Goals (Strict)
v0.7.9.1 must not introduce:
- cryptographic signature verification
- trust evaluation
- certificate chain validation
- timestamp counter‑signatures
- dynamic execution
- unpacking or emulation
- behavioural tracing
- ML/AI models
- sandboxing
- network access
Testing Requirements
Tests must verify:
- correct parsing of WIN_CERTIFICATE
- correct extraction of Authenticode metadata
- deterministic handling of malformed signatures
- stable behaviour on signed and unsigned binaries
- no false positives on normal system binaries
- no crashes or nondeterministic output
Acceptance Criteria