overview
DETAILED EXPLANATIONS
Big-picture explanations, quick reference material, and definitive orientation docs.
Context Rail
Tags and Themes
On This Page
Detailed Security Explanations (Current Behavior)
This document explains the main security building blocks in simple language.
1. Policy-driven security
Mutant does not hardcode one response for all detections.
- A detector raises an event or signal.
- Policy decides action using mode/profile/env configuration.
- Action can be warn, delay, or terminate.
Why this is useful:
- Production can fail closed.
- Development can stay usable.
- Same detection logic works across environments.
2. Staged anti-reversing checks
Runner checks happen at two stages:
- pre-decode
- pre-execution
At each stage:
- anti-debug check
- sandbox check
- process-protection check (if probe gate and process-protection gate allow it)
This catches tampering both before decode and before VM execution.
3. Anti-tamper probes: signal model
Each probe returns:
- name
- detected
- confidence
- detail
Important idea:
- Probe signals are evidence.
- Enforcement is caller logic (runner path).
- Builtin diagnostics can request broader probes for visibility.
4. Process-protection logic
Runner process-protection uses a focused probe set and thresholding:
- process_injection
- trampoline
- iat_got
- module_integrity
- memory_page_anomaly
Enforcement trigger:
- detected=true and confidence >= 80
5. Polymorphic engine status
Current status is mixed by design:
- Engine integration exists.
- Mutation controls are wired.
- Marker/tagging is active.
- Advanced transforms are currently gated for safety and compatibility.
See full status and roadmap:
6. Memory hardening status
Current runtime path:
- VM uses object-level encryption/decryption utilities in storage/use path.
Additional primitives available:
- SecureGlobal
- SecureStack
- SecureConstantPool
These wrappers exist and are useful, but are not the only active runtime mechanism.
7. Why confidence matters
Single signals can be noisy.
Using confidence and detail together helps:
- reduce false positives
- explain why an action happened
- support incident triage and telemetry analysis