v0.7.9 — Build Metadata, Compiler Fingerprinting & Timestamp Validation #37

@malx-labs

Summary

v0.7.9 enhances IOCX’s static PE engine with build‑metadata extraction, compiler fingerprinting, and timestamp validation.
This release introduces deterministic extraction of linker metadata, conservative identification of compiler families (MSVC, MinGW, Clang), and structured validation of PE timestamps across multiple directories. It also adds adversarial fixtures for spoofed timestamps and deceptive compiler metadata.

The goal is to increase IOCX’s build‑intelligence — enabling richer metadata, stronger structural heuristics, and stable behaviour across binaries with unusual, corrupted, or adversarial build information — while preserving IOCX’s static‑only, deterministic design.


Scope

v0.7.9 focuses on:

  • PE timestamp extraction and validation
  • static compiler fingerprinting
  • linker metadata extraction
  • build‑time invariant checks
  • adversarial timestamp/compiler‑spoofing fixtures
  • deterministic reason codes for build‑metadata anomalies

No dynamic analysis, signature verification, or behavioural inference is introduced.


Goals

Extend IOCX’s static PE engine with:

  • timestamp extraction + sanity checks
  • compiler family identification (conservative heuristics only)
  • linker metadata extraction
  • build‑time invariant validation
  • deterministic handling of spoofed or malformed metadata

All behaviour must remain reproducible and JSON‑safe.


Feature Requirements

1. Timestamp Extraction & Validation

Extract and validate:

  • FileHeader.TimeDateStamp
  • LoadConfig.TimeDateStamp (if present)
  • Debug Directory timestamp
  • consistency across timestamp sources

Expected behaviour:
Invalid timestamps produce structured, non‑fatal errors; future timestamps are flagged conservatively; snapshot tests confirm determinism.


2. Compiler Fingerprinting (Static Heuristics Only)

Identify compiler families using:

  • section patterns
  • characteristic flags
  • debug directory types
  • load‑config fields
  • known MSVC/MinGW/Clang invariants

Expected behaviour:
Compiler identification is conservative; ambiguous cases return "unknown"; no behavioural inference; snapshot‑stable output.
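An added example of the conservative rule above, not code from IOCX or this issue: it takes already-extracted structural facts (section names, debug directory types, Rich header presence) and resolves a family only when exactly one family has evidence. The indicator table is an assumption made for this example (Rich header and the MSVC-only IMAGE_DEBUG_TYPE_VC_FEATURE/POGO entries for MSVC; the GCC `.eh_fram`, `.debug_*` and `.gnu_deb` sections for MinGW); no Clang-only static marker is assumed, so Clang never resolves here, and any binary carrying evidence for two families returns "unknown" together with a `compiler_fingerprint_conflict` reason instead of a guess.

```python
"""Added example, not IOCX's own code: conservative compiler-family
fingerprinting over already-extracted structural facts. The indicator
table is an assumption made for this example, not IOCX's rule set."""

IMAGE_DEBUG_TYPE_VC_FEATURE = 12   # debug entry written only by MSVC cl.exe
IMAGE_DEBUG_TYPE_POGO = 13         # debug entry written by the MSVC linker


def _indicators(facts: dict) -> dict:
    """Map each family to the sorted indicators present in `facts`.
    facts keys: section_names (list[str]), debug_types (list[int]),
    has_rich_header (bool). A missing key simply counts as no evidence."""
    sections = set(facts.get("section_names", []))
    debug_types = set(facts.get("debug_types", []))
    evidence = {"msvc": [], "mingw": []}
    if facts.get("has_rich_header"):
        evidence["msvc"].append("rich_header")
    if IMAGE_DEBUG_TYPE_VC_FEATURE in debug_types:
        evidence["msvc"].append("debug_vc_feature")
    if IMAGE_DEBUG_TYPE_POGO in debug_types:
        evidence["msvc"].append("debug_pogo")
    if ".eh_fram" in sections:          # GCC DWARF unwind section, name cut to 8 chars
        evidence["mingw"].append("section_eh_frame")
    if any(s.startswith(".debug_") or s == ".gnu_deb" for s in sections):
        evidence["mingw"].append("section_dwarf_debug")
    # No Clang-only marker is assumed, so "clang" is intentionally never claimed.
    return {family: sorted(items) for family, items in evidence.items()}


def fingerprint_compiler(facts: dict) -> dict:
    """Return {'family', 'evidence', 'reasons'}: JSON-safe, order-stable,
    and 'unknown' whenever the evidence is absent or contradictory."""
    evidence = _indicators(facts)
    supported = sorted(f for f, items in evidence.items() if items)
    reasons = []
    if len(supported) == 1:
        family = supported[0]
    else:
        family = "unknown"
        if len(supported) > 1:          # e.g. MSVC debug entries next to GCC sections
            reasons.append("compiler_fingerprint_conflict")
    return {"family": family, "evidence": evidence, "reasons": reasons}


if __name__ == "__main__":
    import json
    # constructed sample: MSVC-style debug entry plus a GCC section, i.e. mixed metadata
    mixed = {"has_rich_header": True, "debug_types": [12], "section_names": [".text", ".eh_fram"]}
    print(json.dumps(fingerprint_compiler(mixed), sort_keys=True))
```

Because the output is built only from sorted lists and fixed keys, the same facts always serialize to the same JSON, which is what makes the result snapshot-stable.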


3. Linker Metadata Extraction

Extract:

  • MajorLinkerVersion / MinorLinkerVersion
  • Subsystem
  • DLL characteristics
  • loader flags
  • build‑related Optional Header fields

Expected behaviour:
Metadata is stable and JSON‑safe; invalid fields handled conservatively.


4. Build‑Time Invariant Validation

Add deterministic checks for:

  • timestamp < PE header creation (impossible)
  • timestamp > current year + 1 (future anomaly)
  • inconsistent timestamps across directories
  • impossible linker version combinations
  • contradictory compiler/linker metadata

Expected behaviour:
Heuristics remain conservative; no false positives on normal system binaries; snapshot tests confirm determinism.
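An added example covering requirements 1, 3 and 4 together, written in Python here and not taken from IOCX: `extract_build_metadata` parses `FileHeader.TimeDateStamp` and the build-related Optional Header fields (linker version, Subsystem, DllCharacteristics, LoaderFlags) into a JSON-safe dict with structured, non-fatal errors, and `validate_build_metadata` turns the result plus any timestamps from other directories into sorted reason codes. `build_pe32` constructs a headers-only PE32 fixture so the block runs offline. The thresholds are assumptions made for the example: `PE_FORMAT_EPOCH` (1 January 1993) as the "before PE existed" bound, a 24-hour window for cross-directory consistency, a major linker version of 0 as the impossible combination, and a fixed `REFERENCE_NOW` clock so the output never depends on wall time.

```python
"""Added example, not IOCX's own code: extract PE build metadata and validate
it deterministically. PE_FORMAT_EPOCH, the 24h cross-directory window, the
major-linker-version rule and the fixed reference clock are assumptions made
for this example, not values taken from IOCX."""
import struct
from datetime import datetime, timezone

PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
PE_FORMAT_EPOCH = int(datetime(1993, 1, 1, tzinfo=timezone.utc).timestamp())  # assumed lower bound
REFERENCE_NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)  # fixed clock: output never depends on wall time


def extract_build_metadata(data: bytes) -> dict:
    """Parse FileHeader.TimeDateStamp and the build-related Optional Header
    fields into a JSON-safe dict. Parse failures are recorded in 'errors'
    instead of raised, so the caller always gets a result."""
    out = {"errors": []}
    if len(data) < 0x40 or data[:2] != b"MZ":
        out["errors"].append("not_a_dos_image")
        return out
    pe = struct.unpack_from("<I", data, 0x3C)[0]            # e_lfanew
    if pe + 24 > len(data) or data[pe:pe + 4] != b"PE\0\0":
        out["errors"].append("bad_pe_signature")
        return out
    fh = pe + 4                                             # IMAGE_FILE_HEADER (20 bytes)
    machine, _, tds, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, fh)
    out["file_header"] = {"machine": machine, "time_date_stamp": tds, "characteristics": chars}
    oh = fh + 20                                            # IMAGE_OPTIONAL_HEADER
    if opt_size < 4 or oh + opt_size > len(data):
        out["errors"].append("optional_header_truncated")
        return out
    magic, major_lv, minor_lv = struct.unpack_from("<HBB", data, oh)
    loader_off = {PE32_MAGIC: 88, PE32PLUS_MAGIC: 104}.get(magic)  # LoaderFlags offset differs per format
    if loader_off is None:
        out["errors"].append("unknown_optional_header_magic")
        return out
    if opt_size < loader_off + 4:
        out["errors"].append("optional_header_truncated")
        return out
    subsystem, dll_chars = struct.unpack_from("<HH", data, oh + 68)
    out["optional_header"] = {
        "magic": magic, "major_linker_version": major_lv, "minor_linker_version": minor_lv,
        "subsystem": subsystem, "dll_characteristics": dll_chars,
        "loader_flags": struct.unpack_from("<I", data, oh + loader_off)[0],
    }
    return out


def validate_build_metadata(meta: dict, other_timestamps: dict = None,
                            now: datetime = REFERENCE_NOW, reproducible: bool = False) -> list:
    """Return sorted, de-duplicated reason codes for `meta`. `other_timestamps`
    carries stamps from other directories, e.g. {'debug': ts, 'load_config': ts}.
    `reproducible` marks a /Brepro-style build whose stamp is a hash, not a time."""
    reasons = {"malformed_build_metadata"} if meta["errors"] else set()
    sources = dict(other_timestamps or {})
    if "file_header" in meta:
        sources["file_header"] = meta["file_header"]["time_date_stamp"]
    plausible = []
    for ts in sources.values():
        if ts in (0, 0xFFFFFFFF) or ts < PE_FORMAT_EPOCH:
            reasons.add("invalid_timestamp")          # zero, -1 or pre-PE stamps are not build times
        elif not reproducible and datetime.fromtimestamp(ts, timezone.utc).year > now.year + 1:
            reasons.add("suspicious_future_timestamp")
        else:
            plausible.append(ts)
    if plausible and max(plausible) - min(plausible) > 86400:
        reasons.add("inconsistent_timestamps")        # assumed: one link step stamps every directory within a day
    oh = meta.get("optional_header")
    if oh and oh["major_linker_version"] == 0:
        reasons.add("impossible_linker_version")      # assumed: real linkers write a non-zero major version
    return sorted(reasons)


def build_pe32(time_date_stamp: int, linker=(14, 0), subsystem=3) -> bytes:
    """Constructed headers-only PE32 image (no sections) used as a fixture."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)     # e_lfanew = 0x40
    file_header = struct.pack("<HHIIIHH", 0x14C, 0, time_date_stamp, 0, 0, 96, 0x0102)
    opt = bytearray(96)                                     # PE32 optional header without data directories
    struct.pack_into("<HBB", opt, 0, PE32_MAGIC, *linker)
    struct.pack_into("<HH", opt, 68, subsystem, 0x8140)     # Subsystem, DllCharacteristics
    struct.pack_into("<I", opt, 88, 0)                      # LoaderFlags
    return dos + b"PE\0\0" + file_header + bytes(opt)


if __name__ == "__main__":
    import json
    normal = build_pe32(int(datetime(2024, 3, 5, tzinfo=timezone.utc).timestamp()))
    spoofed = build_pe32(int(datetime(2031, 1, 1, tzinfo=timezone.utc).timestamp()), linker=(0, 0))
    for image in (normal, spoofed):
        meta = extract_build_metadata(image)
        print(json.dumps({"metadata": meta, "reasons": validate_build_metadata(meta)}, sort_keys=True))
```

The `reproducible` switch is the caveat behind "no false positives on normal system binaries": binaries linked with MSVC's `/Brepro`, which includes current Windows system binaries, carry a hash-valued `TimeDateStamp` that can sit years in the future, and they advertise it with an `IMAGE_DEBUG_TYPE_REPRO` (type 16) debug directory entry. A validator that wants a clean run over system binaries should read that entry and downgrade the future check when it is present, and the fixture set should contain at least one such binary so the snapshot pins that behaviour.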


5. Adversarial Build‑Metadata Fixtures

Add adversarial samples covering:

  • spoofed timestamps
  • corrupted timestamps
  • contradictory timestamps across directories
  • fake compiler signatures
  • mixed compiler/linker metadata
  • malformed linker version fields

Expected behaviour:
Parser remains stable; output remains JSON‑safe; no nondeterministic behaviour.


6. Reason‑Code Expansion for Build‑Metadata Issues

Add new deterministic reason codes:

  • invalid_timestamp
  • inconsistent_timestamps
  • impossible_linker_version
  • compiler_fingerprint_conflict
  • malformed_build_metadata
  • suspicious_future_timestamp

Expected behaviour:
Codes are lowercase, snake_case, non‑overlapping, and snapshot‑stable.


Output Requirements

All new metadata must produce:

  • deterministic JSON output
  • structured Detection objects where applicable
  • stable snapshot results

Parser errors must be:

  • structured
  • non‑fatal
  • deterministic
  • JSON‑safe

Integration Requirements

  • add build‑metadata fixtures under tests/contract/fixtures/layer2_build/
  • add adversarial timestamp/compiler fixtures under layer3_adversarial/
  • add snapshot tests for all new metadata
  • no new extractors
  • no dynamic analysis
  • no heavy dependencies

Non‑Goals (Strict)

v0.7.9 must not introduce:

  • dynamic execution
  • signature verification
  • behavioural tracing
  • ML/AI models
  • sandboxing
  • network access
  • packer detection
  • disassembly or CFG reconstruction

Testing Requirements

Tests must verify:

  • correct extraction of timestamps
  • correct extraction of linker metadata
  • deterministic compiler fingerprinting
  • stable behaviour on malformed build metadata
  • no false positives on normal system binaries
  • no crashes or nondeterministic output

Acceptance Criteria

  • Timestamp extraction implemented
  • Timestamp validation implemented
  • Compiler fingerprinting implemented
  • Linker metadata extraction implemented
  • Build‑time invariant validation implemented
  • Adversarial build‑metadata fixtures added
  • Reason‑code expansion completed
  • Deterministic snapshot tests added
  • Parser remains stable and JSON‑safe
  • No dynamic analysis introduced
