Mudocs logo mu docs // next

security

SECURITY LLD TRACEABILITY

Tamper resistance, sandboxing, remote scan policy, and security deep dives.

Context Rail

Owner: docs Repo: aoiflux/mutant Ref: main Audience: integrator Source: docs/SECURITY_LLD_TRACEABILITY.md

Tags and Themes

tag: securitytag: traceabilitytag: requirements theme: signing

On This Page

1. Purpose

This document provides end-to-end traceability from security design intent to concrete implementation and validation.

It maps:

  1. Security requirements and controls
  2. Implementation anchors (functions/files)
  3. Runtime configuration surfaces (flags/env)
  4. Test coverage and CI enforcement
  5. Residual gaps and next validation actions

2. Traceability Model

Mermaid diagram

Evidence levels used in this matrix:

  • I = implemented
  • T = tested
  • C = CI wired
  • P = partial / pending depth

3. Security Control Matrix

ID Control Requirement LLD Area Implementation Anchors Config Surface Tests / CI Evidence Status
SEC-001 Signed artifact envelope must be parsed and verified before execution Artifact format + trust model security/signatures.go, security/signatures.go, security/signatures.go, runner/runner.go Mode-driven path: --secure / --compat / --dev security/security_test.go, runner/runner_test.go, .github/workflows/security-profile.yml I/T/C
SEC-002 Secure mode must pin signer identity to trusted key Secure mode semantics runner/runner.go, security/signatures.go, security/const.go runtime setting security/security_test.go, runner/runner_test.go I/T/C
SEC-003 Signature failure handling must be policy-driven Tamper response policy runner/runner.go, runner/runner.go, security/response_policy.go runtime setting security/security_test.go, runner/runner_test.go I/T/C
SEC-004 Payload confidentiality and integrity at rest must use AEAD Crypto layer security/crypto.go, security/crypto.go, security/const.go Password input and metadata indirect via runner decode path tests runner/runner_test.go I/T/P
SEC-005 Password-based key derivation must use bounded Argon2id params KDF hardening security/kdf.go, security/kdf.go, security/crypto.go password mode + metadata fields security/security_test.go I/T
SEC-006 Password quality policy required when explicit password mode is used Password policy security/kdf.go, generator/generate.go -password / -pwd covered by generator path behavior and policy validation unit scope I/P
SEC-007 Runtime instruction decode must be offset-aware to reduce keystream reuse VM decode hardening vm/vm.go, code/code.go, code/code.go, security/secure_random.go runtime password/seed context security/security_test.go, security/security_test.go I/T/C
SEC-008 Runtime integrity checks must detect instruction tampering VM integrity probes vm/vm.go, vm/vm.go, vm/vm.go policy + secure default behavior vm/vm_security_policy_test.go I/T/C
SEC-009 Integrity failures must trigger telemetry and policy action Telemetry + policy coupling vm/vm.go, security/telemetry.go, security/response_policy.go runtime setting vm/vm_security_policy_test.go, vm/vm_security_policy_test.go, vm/vm_security_policy_test.go I/T/C
SEC-010 Anti-debug checks must be staged before decode and before execution Runtime gate enforcement runner/runner.go, runner/runner.go, runner/runner.go mode + tamper response env policy behavior tests security/security_test.go I/T/P
SEC-011 Debugger detection must be platform-specific with weighted signal logic on Windows Anti-debug platform design security/antidebug.go, security/antidebug_windows.go, security/antidebug_weighting.go, security/antidebug_linux.go, security/antidebug_darwin.go runtime OS selection security/security_test.go I/T/P
SEC-012 Security telemetry must support atomic counters and secure export Telemetry subsystem security/telemetry.go, security/telemetry.go, security/telemetry.go runtime setting, runtime setting security/security_test.go, security/security_test.go, CI export in .github/workflows/security-profile.yml I/T/C
SEC-013 CLI must clearly resolve secure/compat/dev mode and developer fallback semantics CLI posture controls main.go, main.go, main.go, main.go --secure, --compat, --dev, -pwd operationally validated in local runtime use; no dedicated CLI parsing tests yet I/P
SEC-014 Generator must support stable signing identity via environment key Signing workflow generator/generate.go, generator/generate.go, security/const.go runtime setting indirectly validated by signature verification tests I/P
SEC-015 Security-focused CI profile must run targeted hardening suites CI control plane .github/workflows/security-profile.yml, .github/workflows/security-profile.yml CI env defaults and artifact upload workflow itself + package tests invoked by CI I/C
SEC-016 Protection profile must define default tamper and builtin policy behavior Runtime policy profile security/profile.go, security/response_policy.go, builtin/capabilities.go runtime setting security/security_test.go, builtin/capabilities_test.go I/T
SEC-017 Risky builtins must be capability-gated by explicit allow-list Builtin capability gates builtin/builtin.go, builtin/command_exec.go, builtin/fs.go, builtin/net.go, builtin/http.go runtime setting builtin/command_exec_test.go, builtin/capabilities_test.go I/T
SEC-018 Standalone release artifacts must carry profile attestation and provenance Release trailer attestation generator/writebinary.go, runner/runner.go, security/profile.go, security/const.go build profile + release generation path runner/runner_test.go I/T

4. Runtime Decision Trace

Mermaid diagram

5. Environment and Flag Traceability

5.1 Execution Flags

  1. --secure / -secure
  • default secure posture selector and explicit override
  • anchor: main.go
  1. --compat / -compat
  • compatibility posture selector
  • anchor: main.go
  1. --dev / -dev
  • compatibility posture + default local password fallback for .mu when password omitted
  • anchors: main.go, main.go
  1. -password, -pwd, --password=, --pwd=
  • explicit password extraction
  • anchor: main.go

5.2 runtime configuration settings

  1. runtime setting
  1. runtime setting
  1. runtime setting
  1. runtime setting
  1. runtime setting
  1. runtime setting

6. Test Coverage Map by Attack Scenario

Attack Scenario Expected Security Behavior Primary Tests
malformed .mu envelope in secure mode reject before decode runner/runner_test.go
malformed envelope in compat mode policy may continue; fail later during decode runner/runner_test.go
tampered signer identity secure mode rejects untrusted signer runner/runner_test.go, security/security_test.go
trusted signer valid but payload unusable signature path passes, decode fails correctly runner/runner_test.go
integrity tamper under warn/delay/terminate policy-specific continue/fail behavior with telemetry increment vm/vm_security_policy_test.go
response policy default/override correctness secure default terminate, compat default warn, env override honored security/security_test.go, security/security_test.go
stream-mask roundtrip and offset byte correctness decryptability and offset-specific correctness security/security_test.go, security/security_test.go
telemetry JSON/export correctness counters and file export valid security/security_test.go, security/security_test.go
windows weak/high-confidence weighting threshold behavior stable security/security_test.go

7. Known Traceability Gaps

The following areas are represented in LLD but only partially evidenced at integration depth:

  1. Real Windows runner integration execution with genuine debugger signals (P depth remains).
  2. Full compile -> sign -> run -> tamper -> rerun lifecycle integration suite.
  3. Dedicated CLI flag parsing tests for secure/compat/dev precedence.
  4. Explicit unit coverage for generator password complexity rejection path.
  5. Signed-key rotation lifecycle tests (multi-key trust/rollover not yet implemented).

  1. Add main CLI parsing tests covering mixed mode flag order and dev fallback behavior.
  2. Add e2e fixture tests that produce real .mu artifacts and validate tamper outcomes in all policies.
  3. Add a Windows CI job for runtime anti-debug policy verification on hosted/self-hosted runner.
  4. Add negative tests for malformed runtime setting and runtime setting values in integration context.
  5. Add deterministic artifact compatibility tests to guard accidental secure/compat behavior drift.

9. Quick Audit Checklist (Reviewer Use)

  1. Secure mode launch path requires trusted key env and fails if absent.
  2. Any signature, debugger, or integrity event routes through policy layer.
  3. Telemetry increments occur before policy returns error on terminate.
  4. VM operand/opcode decode remains offset-aware.
  5. CI security profile still executes targeted suites with strict defaults.
  6. Dev mode remains explicit and does not silently alter secure mode defaults unless chosen.

10. Probe and Process-Protection Traceability

10.1 Control Additions

  1. Master anti-tamper probe gate: runtime setting=1
  2. Runner process-protection gate: runtime setting
  3. Runner enforcement threshold: any probe signal with detected=true and confidence >= 80

10.2 Implementation Anchors

  1. Probe gate and engine: security/antitamper_probe.go
  2. Probe routing: security/antitamper_routing.go
  3. Probe implementations:
    • security/antitamper_detectors.go
    • security/antitamper_windows.go
  4. Runner enforcement path: runner/runner.go
  5. Builtin diagnostics probe use: builtin/security_status.go

10.3 Operational Notes

  1. Runner enforcement probe scope is intentionally narrower than builtin diagnostic scope.
  2. If master probe gate is disabled, runner process-protection enforcement will not execute probe logic even when process-protection gate is enabled.

11. 2026-07 Code Sync Addendum

This addendum captures code-accurate deltas that must be read together with the matrix above.

11.1 Signer-Auth Runtime Semantics

Current implementation:

  1. Secure mode selection and signer-auth are independent runtime switches.
  2. Trusted signer verification path runs only when --signer-auth is present.
  3. --no-signer-auth keeps secure-mode runtime gates but skips signature verification path in runner.

Anchors:

  1. main.go
  2. runner/runner.go
  3. runner/runner_test.go

11.2 Remote Process Scan Control Surface

Current implementation:

  1. Remote scan manager is gated by runtime setting.
  2. Mode is controlled by runtime setting=off|observe|enforce.
  3. Runner blocks only on enforce-mode critical verdicts.
  4. Scan errors are non-blocking and telemetry-visible.

Anchors:

  1. security/processscan_config.go
  2. security/processscan_manager.go
  3. runner/runner.go
  4. runner/runner_test.go

11.3 Remote Scan Runtime Depth

Current implementation status:

  1. Types/config/correlator/manager/telemetry and runner integration are implemented.
  2. Windows scanner implementation currently returns empty verdicts (nil, nil), so enforcement path is wired but detector depth is still scaffolding-first.

Anchors:

  1. security/processscan_windows.go
  2. security/processscan_manager_test.go

End of document.

Related Reading