security
SECURITY LLD TRACEABILITY
Tamper resistance, sandboxing, remote scan policy, and security deep dives.
Context Rail
Tags and Themes
On This Page
- 1. Purpose
- 2. Traceability Model
- 3. Security Control Matrix
- 4. Runtime Decision Trace
- 5. Environment and Flag Traceability
- 5.1 Execution Flags
- 5.2 runtime configuration settings
- 6. Test Coverage Map by Attack Scenario
- 7. Known Traceability Gaps
- 8. Recommended Validation Backlog
- 9. Quick Audit Checklist (Reviewer Use)
- 10. Probe and Process-Protection Traceability
- 10.1 Control Additions
- 10.2 Implementation Anchors
- 10.3 Operational Notes
- 11. 2026-07 Code Sync Addendum
- 11.1 Signer-Auth Runtime Semantics
- 11.2 Remote Process Scan Control Surface
- 11.3 Remote Scan Runtime Depth
1. Purpose
This document provides end-to-end traceability from security design intent to concrete implementation and validation.
It maps:
- Security requirements and controls
- Implementation anchors (functions/files)
- Runtime configuration surfaces (flags/env)
- Test coverage and CI enforcement
- Residual gaps and next validation actions
2. Traceability Model
Evidence levels used in this matrix:
I= implementedT= testedC= CI wiredP= partial / pending depth
3. Security Control Matrix
| ID | Control Requirement | LLD Area | Implementation Anchors | Config Surface | Tests / CI Evidence | Status |
|---|---|---|---|---|---|---|
| SEC-001 | Signed artifact envelope must be parsed and verified before execution | Artifact format + trust model | security/signatures.go, security/signatures.go, security/signatures.go, runner/runner.go | Mode-driven path: --secure / --compat / --dev |
security/security_test.go, runner/runner_test.go, .github/workflows/security-profile.yml | I/T/C |
| SEC-002 | Secure mode must pin signer identity to trusted key | Secure mode semantics | runner/runner.go, security/signatures.go, security/const.go | runtime setting |
security/security_test.go, runner/runner_test.go | I/T/C |
| SEC-003 | Signature failure handling must be policy-driven | Tamper response policy | runner/runner.go, runner/runner.go, security/response_policy.go | runtime setting |
security/security_test.go, runner/runner_test.go | I/T/C |
| SEC-004 | Payload confidentiality and integrity at rest must use AEAD | Crypto layer | security/crypto.go, security/crypto.go, security/const.go | Password input and metadata | indirect via runner decode path tests runner/runner_test.go | I/T/P |
| SEC-005 | Password-based key derivation must use bounded Argon2id params | KDF hardening | security/kdf.go, security/kdf.go, security/crypto.go | password mode + metadata fields | security/security_test.go | I/T |
| SEC-006 | Password quality policy required when explicit password mode is used | Password policy | security/kdf.go, generator/generate.go | -password / -pwd |
covered by generator path behavior and policy validation unit scope | I/P |
| SEC-007 | Runtime instruction decode must be offset-aware to reduce keystream reuse | VM decode hardening | vm/vm.go, code/code.go, code/code.go, security/secure_random.go | runtime password/seed context | security/security_test.go, security/security_test.go | I/T/C |
| SEC-008 | Runtime integrity checks must detect instruction tampering | VM integrity probes | vm/vm.go, vm/vm.go, vm/vm.go | policy + secure default behavior | vm/vm_security_policy_test.go | I/T/C |
| SEC-009 | Integrity failures must trigger telemetry and policy action | Telemetry + policy coupling | vm/vm.go, security/telemetry.go, security/response_policy.go | runtime setting |
vm/vm_security_policy_test.go, vm/vm_security_policy_test.go, vm/vm_security_policy_test.go | I/T/C |
| SEC-010 | Anti-debug checks must be staged before decode and before execution | Runtime gate enforcement | runner/runner.go, runner/runner.go, runner/runner.go | mode + tamper response env | policy behavior tests security/security_test.go | I/T/P |
| SEC-011 | Debugger detection must be platform-specific with weighted signal logic on Windows | Anti-debug platform design | security/antidebug.go, security/antidebug_windows.go, security/antidebug_weighting.go, security/antidebug_linux.go, security/antidebug_darwin.go | runtime OS selection | security/security_test.go | I/T/P |
| SEC-012 | Security telemetry must support atomic counters and secure export | Telemetry subsystem | security/telemetry.go, security/telemetry.go, security/telemetry.go | runtime setting, runtime setting |
security/security_test.go, security/security_test.go, CI export in .github/workflows/security-profile.yml | I/T/C |
| SEC-013 | CLI must clearly resolve secure/compat/dev mode and developer fallback semantics | CLI posture controls | main.go, main.go, main.go, main.go | --secure, --compat, --dev, -pwd |
operationally validated in local runtime use; no dedicated CLI parsing tests yet | I/P |
| SEC-014 | Generator must support stable signing identity via environment key | Signing workflow | generator/generate.go, generator/generate.go, security/const.go | runtime setting |
indirectly validated by signature verification tests | I/P |
| SEC-015 | Security-focused CI profile must run targeted hardening suites | CI control plane | .github/workflows/security-profile.yml, .github/workflows/security-profile.yml | CI env defaults and artifact upload | workflow itself + package tests invoked by CI | I/C |
| SEC-016 | Protection profile must define default tamper and builtin policy behavior | Runtime policy profile | security/profile.go, security/response_policy.go, builtin/capabilities.go | runtime setting |
security/security_test.go, builtin/capabilities_test.go | I/T |
| SEC-017 | Risky builtins must be capability-gated by explicit allow-list | Builtin capability gates | builtin/builtin.go, builtin/command_exec.go, builtin/fs.go, builtin/net.go, builtin/http.go | runtime setting |
builtin/command_exec_test.go, builtin/capabilities_test.go | I/T |
| SEC-018 | Standalone release artifacts must carry profile attestation and provenance | Release trailer attestation | generator/writebinary.go, runner/runner.go, security/profile.go, security/const.go | build profile + release generation path | runner/runner_test.go | I/T |
4. Runtime Decision Trace
5. Environment and Flag Traceability
5.1 Execution Flags
--secure/-secure
- default secure posture selector and explicit override
- anchor: main.go
--compat/-compat
- compatibility posture selector
- anchor: main.go
--dev/-dev
- compatibility posture + default local password fallback for
.muwhen password omitted - anchors: main.go, main.go
-password,-pwd,--password=,--pwd=
- explicit password extraction
- anchor: main.go
5.2 runtime configuration settings
runtime setting
- secure runtime signer pinning requirement
- anchors: security/const.go, runner/runner.go
runtime setting
- stable build-time signer private key source
- anchors: security/const.go, generator/generate.go
runtime setting
- central response mode selection
- anchor: security/response_policy.go
runtime setting
- delay mode sleep tuning
- anchor: security/response_policy.go
runtime setting
- audit stderr event toggle
- anchor: security/telemetry.go
runtime setting
- telemetry JSON export target path
- anchors: security/telemetry.go, runner/runner.go
6. Test Coverage Map by Attack Scenario
| Attack Scenario | Expected Security Behavior | Primary Tests |
|---|---|---|
malformed .mu envelope in secure mode |
reject before decode | runner/runner_test.go |
| malformed envelope in compat mode | policy may continue; fail later during decode | runner/runner_test.go |
| tampered signer identity | secure mode rejects untrusted signer | runner/runner_test.go, security/security_test.go |
| trusted signer valid but payload unusable | signature path passes, decode fails correctly | runner/runner_test.go |
integrity tamper under warn/delay/terminate |
policy-specific continue/fail behavior with telemetry increment | vm/vm_security_policy_test.go |
| response policy default/override correctness | secure default terminate, compat default warn, env override honored | security/security_test.go, security/security_test.go |
| stream-mask roundtrip and offset byte correctness | decryptability and offset-specific correctness | security/security_test.go, security/security_test.go |
| telemetry JSON/export correctness | counters and file export valid | security/security_test.go, security/security_test.go |
| windows weak/high-confidence weighting | threshold behavior stable | security/security_test.go |
7. Known Traceability Gaps
The following areas are represented in LLD but only partially evidenced at integration depth:
- Real Windows runner integration execution with genuine debugger signals (
Pdepth remains). - Full compile -> sign -> run -> tamper -> rerun lifecycle integration suite.
- Dedicated CLI flag parsing tests for secure/compat/dev precedence.
- Explicit unit coverage for generator password complexity rejection path.
- Signed-key rotation lifecycle tests (multi-key trust/rollover not yet implemented).
8. Recommended Validation Backlog
- Add
mainCLI parsing tests covering mixed mode flag order and dev fallback behavior. - Add e2e fixture tests that produce real
.muartifacts and validate tamper outcomes in all policies. - Add a Windows CI job for runtime anti-debug policy verification on hosted/self-hosted runner.
- Add negative tests for malformed
runtime settingandruntime settingvalues in integration context. - Add deterministic artifact compatibility tests to guard accidental secure/compat behavior drift.
9. Quick Audit Checklist (Reviewer Use)
- Secure mode launch path requires trusted key env and fails if absent.
- Any signature, debugger, or integrity event routes through policy layer.
- Telemetry increments occur before policy returns error on terminate.
- VM operand/opcode decode remains offset-aware.
- CI security profile still executes targeted suites with strict defaults.
- Dev mode remains explicit and does not silently alter secure mode defaults unless chosen.
10. Probe and Process-Protection Traceability
10.1 Control Additions
- Master anti-tamper probe gate:
runtime setting=1 - Runner process-protection gate:
runtime setting - Runner enforcement threshold: any probe signal with
detected=trueandconfidence >= 80
10.2 Implementation Anchors
- Probe gate and engine:
security/antitamper_probe.go - Probe routing:
security/antitamper_routing.go - Probe implementations:
security/antitamper_detectors.gosecurity/antitamper_windows.go
- Runner enforcement path:
runner/runner.go - Builtin diagnostics probe use:
builtin/security_status.go
10.3 Operational Notes
- Runner enforcement probe scope is intentionally narrower than builtin diagnostic scope.
- If master probe gate is disabled, runner process-protection enforcement will not execute probe logic even when process-protection gate is enabled.
11. 2026-07 Code Sync Addendum
This addendum captures code-accurate deltas that must be read together with the matrix above.
11.1 Signer-Auth Runtime Semantics
Current implementation:
- Secure mode selection and signer-auth are independent runtime switches.
- Trusted signer verification path runs only when
--signer-authis present. --no-signer-authkeeps secure-mode runtime gates but skips signature verification path in runner.
Anchors:
11.2 Remote Process Scan Control Surface
Current implementation:
- Remote scan manager is gated by
runtime setting. - Mode is controlled by
runtime setting=off|observe|enforce. - Runner blocks only on enforce-mode critical verdicts.
- Scan errors are non-blocking and telemetry-visible.
Anchors:
- security/processscan_config.go
- security/processscan_manager.go
- runner/runner.go
- runner/runner_test.go
11.3 Remote Scan Runtime Depth
Current implementation status:
- Types/config/correlator/manager/telemetry and runner integration are implemented.
- Windows scanner implementation currently returns empty verdicts (
nil, nil), so enforcement path is wired but detector depth is still scaffolding-first.
Anchors:
End of document.