security
SECURITY ANSWERS
Tamper resistance, sandboxing, remote scan policy, and security deep dives.
Context Rail
Tags and Themes
On This Page
- 1) Is encryption password-based or deterministic?
- 2) How is authenticity enforced?
- 3) What are secure/compat/dev modes?
- 4) Is anti-debugging implemented?
- 5) Is sandbox detection implemented?
- 6) Is process injection detection implemented?
- 7) Are polymorphic mutations fully active?
- 8) Is memory security implemented?
- 9) How does tamper policy work?
- 10) What telemetry is available?
- 11) What should students remember?
Security Answers (Current Code)
This FAQ is the student-friendly, code-accurate version of Mutant security behavior.
1) Is encryption password-based or deterministic?
Both are supported.
- If password is provided (
-passwordor-pwd), password-based KDF path is used. - If password is omitted, deterministic mode is used.
In both modes, runtime decrypts before execution and does not rely on plaintext bytecode files.
2) How is authenticity enforced?
Mutant signs and verifies artifacts using Ed25519-based signing flow.
Secure mode behavior:
- Secure mode is default.
- Signer-auth is optional and can be explicitly enforced with
--signer-auth. - Without
--signer-auth, secure mode keeps runtime hardening gates but does not run signer pinning verification. - Trusted key pinning uses
runtime setting.
Compatibility/dev behavior:
- More permissive by default.
- Still supports policy-driven handling through tamper response configuration.
3) What are secure/compat/dev modes?
- Secure mode (
--secure, default): fail-closed defaults. - Compat mode (
--compat): warn-oriented defaults. - Dev mode (
--dev): compat posture plus local convenience defaults.
CLI rule: last mode flag wins when multiple are passed.
4) Is anti-debugging implemented?
Yes.
- Platform-specific detection exists in
security/antidebug_*.go. - Runner enforces anti-debug checks at:
- pre-decode
- pre-execution
- Action is policy-driven (
warn,delay,terminate).
5) Is sandbox detection implemented?
Yes.
- Platform-specific detectors exist for Windows, Linux, and macOS with stubs where needed.
- Runner enforces sandbox checks at pre-decode and pre-execution.
- Builtin diagnostics can report sandbox type, confidence, and indicators.
6) Is process injection detection implemented?
Yes, as anti-tamper process-protection probes.
Important gates:
runtime setting=1must be set to run probes.runtime settingcontrols runner enforcement once probes are enabled.
Runner enforcement probes:
- process_injection
- trampoline
- iat_got
- module_integrity
- memory_page_anomaly
Threshold:
detected=truewithconfidence >= 80is treated as process protection event.
7) Are polymorphic mutations fully active?
Partially.
Current state:
- Polymorphic engine is integrated and marker/tagging is active.
- Mutation level and seed flags are wired through CLI paths.
- Advanced mutation transforms are currently gated off in the engine config.
Practical meaning: framework and controls exist, but not every planned transformation is active by default.
8) Is memory security implemented?
Partially, with two layers:
- Active VM path: object encryption/decryption via
mutil.EncryptObjectandmutil.DecryptObjectin runtime storage/use paths. - Additional wrappers:
object/secure_memory.goprovides SecureGlobal/SecureStack/SecureConstantPool primitives.
Important: secure_memory wrappers are available utilities, not the primary VM storage path today.
9) How does tamper policy work?
Policy input:
runtime setting=warn,delay, orterminateruntime settingfor delay moderuntime setting(minimal,standard,paranoid) for defaults
Precedence:
- Explicit env override wins.
- Profile controls defaults.
10) What telemetry is available?
Key counters include:
- debugger_detected
- sandbox_detected
- process_protection_detected
- integrity_failed
- signature_failed
- anti_tamper_probe_invoked
- anti_tamper_probe_error
- command_attempt, command_blocked, command_succeeded, command_failed
Export:
- Set
runtime settingto export JSON at process exit. - Set
runtime setting=1for stderr audit lines.
11) What should students remember?
- Mutant security is policy-driven, not hardcoded to always kill the process.
- Probes are evidence producers; runner decides enforcement.
- Mode/profile/env combinations matter as much as cryptography.
- Read confidence + detail together before drawing conclusions.