security
SECURITY ENHANCEMENTS
Tamper resistance, sandboxing, remote scan policy, and security deep dives.
Context Rail
Tags and Themes
On This Page
Security Enhancements Roadmap (Code-Synced)
This document tracks enhancement work from current implementation to future hardening.
Status tags:
- implemented
- partial
- planned
Canonical design references for this roadmap:
If roadmap wording and LLD differ, update this file to match LLD semantics.
1. Current Baseline
Implemented now:
- Signed artifact verification with trusted-key secure path.
- Tamper response policy (
warn,delay,terminate). - Protection profiles (
minimal,standard,paranoid). - Anti-debug checks in runner pre-decode and pre-execution.
- Sandbox checks in runner pre-decode and pre-execution.
- Anti-tamper probe framework with confidence-based signals.
- Windows process-protection probes (process injection, trampoline, iat/got, module markers, RWX anomalies).
- VM integrity probing and telemetry export.
- Remote process scan manager with config, correlator, telemetry, and runner observe/enforce policy integration.
Partial now:
- Polymorphic engine wiring exists, but advanced transformations are gated in current config.
- Memory-security wrappers exist (
object/secure_memory.go) but VM primarily uses mutil object encryption path.
2. Priority Enhancements
2.1 Anti-Tamper Quality
Status: partial (integration complete, detector depth pending)
Goals:
- Expand remote process scanner from scaffolding/no-op platform path to signal-rich inspectors.
- Keep weighted correlation tuning calibrated against false-positive datasets.
- Continue allowlist tuning for approved enterprise tooling.
Primary anchors:
security/antitamper_probe.gosecurity/antitamper_windows.gorunner/runner.go
2.2 Polymorphic Engine Completion
Status: partial
Current:
- Engine and marker pipeline are integrated.
- Mutation controls are exposed through CLI mutation level/seed.
Planned:
- Enable safe instruction-boundary aware transforms.
- Add reversible opcode remap path with VM/runtime compatibility guardrails.
- Add deterministic reproducibility tests per seed.
Primary anchors:
compiler/polymorphic.gocompiler/compiler.go
2.3 Memory Hardening Integration
Status: implemented for current release scope
Current:
- VM uses
mutil.EncryptObject/mutil.DecryptObjectfor runtime storage/use path. - Secure wrappers exist but are not the primary runtime path.
Planned:
- Formalize when to use wrapper-based storage in VM path.
- Add optional policy gate for higher memory hardening mode.
- Add benchmark guardrails to keep overhead bounded.
Decision (2026-07):
- Keep
runtimemode as default VM global storage path to preserve throughput. - Keep
wrappermode as opt-in hardening path behindruntime setting=wrapper. - Do not add new secure-memory helper types in this release beyond existing
wrappers (
SecureGlobal,SecureStack,SecureConstantPool). - Revisit additional helpers only if a new threat model requires object classes not covered by current runtime encryption path and optional wrapper mode.
Measured benchmark snapshot
(go test ./vm -run "^$" -bench "BenchmarkVMGlobalMemoryMode" -benchmem -count=1,
windows/amd64):
- Integer set/get: runtime
2104 ns/op, wrapper2172 ns/op. - Array set/get: runtime
2666 ns/op, wrapper2806 ns/op. - Runtime mode remains lower-overhead and is retained as default.
Primary anchors:
vm/vm.gomutil/util.goobject/secure_memory.go
2.4 Probe Enablement UX
Status: planned
Goal:
- Simplify understanding of probe gates and enforcement gates.
Planned:
- Keep current gates for compatibility.
- Add clearer docs and examples for production posture.
- Consider profile-based default for probe gate in future major release.
Primary anchors:
security/antitamper_probe.gorunner/runner.gosecurity/profile.go
3. Suggested Release Phasing
Phase A (near-term)
- Documentation sync and operator clarity.
- Add targeted tests for probe gate combinations.
- Add clearer telemetry explanations in runbook.
Phase B (mid-term)
- Complete safe polymorphic transforms rollout.
- Add stronger anti-tamper signal quality for remote scanner inspectors.
- Add processscan platform detector coverage beyond scaffolding.
Phase C (later)
- Controlled rollout expansion for remote-process enforcement confidence gates.
- Expanded policy controls and allowlist tuning.
- Optional deeper memory hardening mode for high-security deployments.
4. Student Summary
- Core security is already active and usable today.
- Most future work is quality and depth, not basic capability.
- The important engineering challenge is balancing security coverage, false positives, and runtime overhead.