save changes
@@ -12,6 +12,7 @@ Product strategy, competitive analysis, and marketing bridge documents.
|
||||
| [decision-capsules.md](decision-capsules.md) | Decision Capsules concept (audit-grade evidence bundles) |
|
||||
| [evidence-linked-vex.md](evidence-linked-vex.md) | Evidence-linked VEX technical bridge |
|
||||
| [hybrid-reachability.md](hybrid-reachability.md) | Hybrid reachability feature positioning |
|
||||
| [ebpf-micro-witness-determinism.md](ebpf-micro-witness-determinism.md) | eBPF micro-witness deterministic replay profile and current implementation gaps |
|
||||
| [portable-audit-pack-plan.md](portable-audit-pack-plan.md) | Portable supply-chain audit pack rollout plan |
|
||||
| [reachability-benchmark-launch.md](reachability-benchmark-launch.md) | Reachability benchmark launch materials |
|
||||
|
||||
|
||||
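Review bot: the row for `ebpf-micro-witness-determinism.md` (the file this commit creates) is placed between `hybrid-reachability.md` and `portable-audit-pack-plan.md`, which breaks the alphabetical order the surrounding rows follow; move it up between `decision-capsules.md` and `evidence-linked-vex.md`. Its description also embeds a point-in-time status ("current implementation gaps") that will go stale once the sprint closes; describing it only as the deterministic replay profile and leaving status to the document's own Status section would age better.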
36
docs/product/ebpf-micro-witness-determinism.md
Normal file
@@ -0,0 +1,36 @@
|
||||
# eBPF Micro-Witness Determinism Profile
|
||||
|
||||
## Status
|
||||
- Advisory translated: 2026-02-16 (UTC)
|
||||
- Current implementation status: gaps confirmed
|
||||
- Implementation sprint: `docs/implplan/SPRINT_20260216_001_Signals_ebpf_micro_witness_determinism_profile.md`
|
||||
|
||||
## Purpose
|
||||
- Define what "replayable and deterministic micro-witnesses" means for Stella Ops runtime evidence.
|
||||
- Align Signals, Scanner, Attestor, and Evidence Locker on one verifiable output profile.
|
||||
- Ensure the same incident replay result across distros/toolchains and in offline mode.
|
||||
|
||||
## Required product behavior
|
||||
1. One CO-RE probe object must run unchanged across supported kernels when BTF is available.
|
||||
2. If kernel BTF is missing, the loader must use deterministic fallback selection and record exactly what BTF source was used.
|
||||
3. Runtime witnesses must include deterministic symbolization inputs (build identity + symbol/debug material + toolchain tuple).
|
||||
4. Witness evidence must be portable as DSSE plus a Sigstore bundle that can be verified offline.
|
||||
|
||||
## Verified current state (2026-02-16)
|
||||
- eBPF support check currently hard-requires `/sys/kernel/btf/vmlinux` with no split-BTF fallback path selection metadata in collector output.
|
||||
- `src/Signals/__Libraries/StellaOps.Signals.Ebpf/Services/RuntimeSignalCollector.cs`
|
||||
- Probe loader path is simulated for runtime attachment lifecycle and does not implement deterministic BTF source recording.
|
||||
- `src/Signals/__Libraries/StellaOps.Signals.Ebpf/Probes/CoreProbeLoader.cs`
|
||||
- Runtime witness model includes `build_id` but does not include symbol bundle pointers or symbolizer/libc/sysroot tuple required for cross-distro deterministic symbolization.
|
||||
- `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Witnesses/PathWitness.cs`
|
||||
- `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Witnesses/RuntimeObservation.cs`
|
||||
- Runtime witness generator is interface-defined but has no production implementation in Scanner.
|
||||
- `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Witnesses/IRuntimeWitnessGenerator.cs`
|
||||
- DSSE envelope support exists; end-to-end per-witness Sigstore bundle contract (`trace.sigstore.json`) is not standardized in witness storage/indexing.
|
||||
- `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Witnesses/WitnessDsseSigner.cs`
|
||||
- `src/Scanner/__Libraries/StellaOps.Scanner.Storage/Postgres/Migrations/013_witness_storage.sql`
|
||||
- `src/EvidenceLocker/__Libraries/StellaOps.EvidenceLocker.Export/Models/BundleManifest.cs`
|
||||
|
||||
## Decision
|
||||
- Advisory is accepted as implementation-required.
|
||||
- Contract and sprint tasks are created to close deterministic replay gaps.
|
||||
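Review bot: under "Required product behavior", item 2 requires "deterministic fallback selection" when kernel BTF is missing but never states the candidate BTF sources, their precedence, or which witness field records the choice, so two loaders could both claim compliance and still select different sources. Spell out the ordered source list and the recorded metadata (for example source kind, path and digest) here, or link the contract that defines them. Item 4 has a related gap: offline verification of a Sigstore bundle depends on trust-root material distributed ahead of time, and the profile does not say where that material comes from or how it is pinned. The Decision section also says a contract was created, but only the sprint file is linked under Status; add the contract path next to it.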