runtime
BINARY ARTIFACT SECURITY DEEP DIVE
Bytecode, VM, polymorphism, and execution internals.
Context Rail
Tags and Themes
On This Page
Binary Artifact Security Deep Dive
1. Scope
This deep dive covers binary artifact security for Mutant from generation to runtime load:
- Signed
.muenvelope format and trust model. - Standalone trailer V1/V2/V3 validation and provenance checks.
- Runtime mode and signer-auth behavior at load time.
- Failure paths and telemetry hooks.
Primary implementation anchors:
security/signatures.gosecurity/signing.gosecurity/key_bootstrap.gogenerator/writebinary.gorunner/runner.go
2. Signed Envelope Security
Mutant signed payload format:
MUT |-| ENCODED_DATA |-| SIGNATURE_HEX |-| PUBLIC_KEY_HEX |-| ANT
Verification paths:
VerifyCode
- Validates envelope structure and Ed25519 signature with embedded key.
- Used in compatibility mode.
VerifyCodeWithTrustedPublicKey
- Validates envelope and signature.
- Requires trusted key pinning material.
- Rejects if embedded key does not match trusted key (
ErrUntrustedSigner).
3. Signer Trust Resolution
Trusted key resolution order when signer-auth path is used:
- If
runtime settingis set, use it. - Otherwise bootstrap/load local keypair in keystore and trust local public key.
Key files:
ed25519_private_key.hexed25519_public_key.hex
Default key dir:
<home>/.mutant/keys
Override:
runtime setting
4. Runtime Signature Decision Matrix
The runner behavior is controlled by two switches:
secureMode(derived from CLI mode flags)enforceSignerAuth(derived from--signer-auth/--no-signer-auth)
Behavior:
secureMode=true,enforceSignerAuth=true
- Runs trusted-key signature verification.
- Signature errors go through tamper policy.
secureMode=true,enforceSignerAuth=false
- Skips signature verification path.
- Continues to anti-debug/sandbox/process protection and decode path.
secureMode=false
- Runs compatibility signature verification path.
- Signature failures are policy-driven (
warn|delay|terminate).
5. Standalone Trailer Attestation
Release binaries append a trailer after payload:
V3 format:
MUTANTBC | version | payload_len | payload_sha256 | canary | profile_code | provenance_sha256
Validation order in runner:
- Try V3 trailer.
- Fall back to V2.
- Fall back to V1.
Validation checks:
- Marker and version.
- Payload length bounds.
- Payload checksum.
- Canary (V2+).
- Profile code validity and provenance hash (V3).
Tamper outcomes:
- Mismatch returns explicit trailer error (checksum/canary/provenance/version).
- Runner rejects payload extraction on trailer validation failure.
6. Profile Binding and Provenance
Generation path binds runtime profile code into trailer:
generator/writebinary.gocallsResolveProtectionProfileCode.- Profile code is embedded as one byte.
- Provenance hash derives from payload + payload hash + profile code.
Security value:
- Build profile is auditable from artifact.
- Payload replay or profile mismatch changes provenance digest.
7. Policy and Telemetry Coupling
When signature verification runs and fails:
RecordSignatureFailure(stage)increments telemetry.ApplyTamperResponse(...)executes warn/delay/terminate policy.
Telemetry export:
- Optional on process exit via
runtime setting. - Optional audit stream via
runtime setting=1.
8. Operational Pitfalls
- Secure mode does not imply signer-auth unless
--signer-authis supplied. - Compatibility mode can continue past signature failures under warn/delay.
- Local key bootstrap is convenient but must be governed for production trust.
- Environment policy overrides can intentionally downgrade response severity.
9. Recommended Production Posture
- Use
--secure --signer-auth. - Set
runtime settingto approved release signer. - Set
runtime setting=terminate. - Enable
runtime setting=1and telemetry export.