git.stella-ops.org/docs/product/ebpf-micro-witness-determinism.md
2026-02-18 12:00:10 +02:00

eBPF Micro-Witness Determinism Profile

Status

  • Advisory translated: 2026-02-16 (UTC)
  • Current implementation status: complete (MWD-001 through MWD-005 complete)
  • Implementation sprint: docs-archived/implplan/SPRINT_20260216_001_Signals_ebpf_micro_witness_determinism_profile.md

Purpose

  • Define what "replayable and deterministic micro-witnesses" means for Stella Ops runtime evidence.
  • Align Signals, Scanner, Attestor, and Evidence Locker on one verifiable output profile.
  • Ensure the same incident replay result across distros/toolchains and in offline mode.

Required product behavior

  1. One CO-RE probe object must run unchanged across supported kernels when BTF is available.
  2. If kernel BTF is missing, the loader must use deterministic fallback selection and record exactly what BTF source was used.
  3. Runtime witnesses must include deterministic symbolization inputs (build identity + symbol/debug material + toolchain tuple).
  4. Witness evidence must be portable as DSSE plus a Sigstore bundle that can be verified offline.
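Requirement 2 (deterministic fallback selection with an exact record of the BTF source used) is the part that is easiest to get subtly wrong: a loader that picks "whatever BTF file it finds first" gives two hosts, or two runs on the same host, different symbolization inputs and therefore different replays. The following is an added Python illustration, not the project's C# RuntimeBtfSourceSelector, of the selection order the profile describes (/sys/kernel/btf/vmlinux -> configured external vmlinux -> split-BTF) together with the source_kind / source_path / source_digest / selection_reason record. The temporary directory layout, the "<split_dir>/<kernel_release>.btf" naming and the file contents are constructed for the example.

```python
"""Deterministic BTF source selection with provenance recording.

Added illustration, not the project's C# RuntimeBtfSourceSelector: it walks the
selection order the profile describes (/sys/kernel/btf/vmlinux -> configured
external vmlinux -> split-BTF) and records source_kind / source_path /
source_digest / selection_reason. The directory layout, the
"<split_dir>/<kernel_release>.btf" naming and the file contents are
constructed for the example.
"""
import hashlib
import os
import tempfile
from dataclasses import asdict, dataclass
from typing import Optional

BTF_MAGIC = b"\x9f\xeb"  # BTF header magic 0xeB9F, little-endian on disk


@dataclass(frozen=True)
class BtfSource:
    source_kind: str               # kernel_btf | external_vmlinux | split_btf | none
    source_path: Optional[str]
    source_digest: Optional[str]   # sha256 of the bytes actually loaded
    selection_reason: str          # why every earlier candidate was skipped


def _sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return "sha256:" + h.hexdigest()


def _is_btf(path: str) -> bool:
    # A candidate counts only if it exists and starts with the BTF magic; a
    # missing, empty or truncated file is skipped rather than half-used.
    try:
        with open(path, "rb") as f:
            return f.read(2) == BTF_MAGIC
    except OSError:
        return False


def select_btf_source(kernel_btf: str, external_vmlinux: Optional[str],
                      split_btf_dir: Optional[str], kernel_release: str) -> BtfSource:
    """Fixed precedence; the same inputs always yield the same record."""
    reasons = []
    if _is_btf(kernel_btf):
        return BtfSource("kernel_btf", kernel_btf, _sha256_file(kernel_btf),
                         "kernel BTF present")
    reasons.append(f"kernel BTF unavailable at {kernel_btf}")
    if external_vmlinux and _is_btf(external_vmlinux):
        return BtfSource("external_vmlinux", external_vmlinux,
                         _sha256_file(external_vmlinux), "; ".join(reasons))
    reasons.append("no usable configured external vmlinux")
    if split_btf_dir:
        candidate = os.path.join(split_btf_dir, kernel_release + ".btf")
        if _is_btf(candidate):
            return BtfSource("split_btf", candidate, _sha256_file(candidate),
                             "; ".join(reasons))
    reasons.append(f"no split BTF for {kernel_release}")
    return BtfSource("none", None, None, "; ".join(reasons))


def demo() -> dict:
    """Constructed host: kernel BTF absent, external vmlinux corrupt, split BTF present."""
    root = tempfile.mkdtemp()
    release = "6.1.0-constructed"
    kernel_btf = os.path.join(root, "vmlinux")          # never created
    external = os.path.join(root, "vmlinux.btf")
    with open(external, "wb") as f:
        f.write(b"\x00\x00")                            # present but not BTF
    split_dir = os.path.join(root, "split")
    os.mkdir(split_dir)
    with open(os.path.join(split_dir, release + ".btf"), "wb") as f:
        f.write(BTF_MAGIC + b"\x01\x00" + bytes(20))    # magic + stub header
    first = select_btf_source(kernel_btf, external, split_dir, release)
    second = select_btf_source(kernel_btf, external, split_dir, release)
    # Once the kernel exposes BTF, precedence flips without touching the rest.
    with open(kernel_btf, "wb") as f:
        f.write(BTF_MAGIC + b"\x01\x00" + bytes(20))
    with_kernel = select_btf_source(kernel_btf, external, split_dir, release)
    return {"record": asdict(first), "stable": first == second,
            "with_kernel_btf": asdict(with_kernel)}


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

The point of the selection_reason field is that a witness produced on a host without kernel BTF records not only which file was loaded but why the preferred sources were rejected, so a reviewer replaying the witness elsewhere can tell a deliberate fallback from a misconfigured loader.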

Verified current state (2026-02-16)

  • eBPF runtime collector now uses deterministic BTF selection order (/sys/kernel/btf/vmlinux -> configured external vmlinux -> split-BTF) and emits source metadata (source_kind, source_path, source_digest, selection_reason) into runtime summaries/results.
    • src/Signals/__Libraries/StellaOps.Signals.Ebpf/Services/RuntimeSignalCollector.cs
    • src/Signals/__Libraries/StellaOps.Signals.Ebpf/Services/RuntimeBtfSourceSelector.cs
  • The probe loader path is simulated for the runtime attachment lifecycle and does not implement deterministic BTF source recording.
    • src/Signals/__Libraries/StellaOps.Signals.Ebpf/Probes/CoreProbeLoader.cs
  • The runtime witness model now includes a deterministic symbolization tuple (build_id, debug/symbol pointers, symbolizer identity, libc variant, sysroot digest), and runtime witness signing/verification validation enforces the required symbolization inputs.
    • src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Witnesses/PathWitness.cs
    • src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Witnesses/RuntimeWitnessRequest.cs
    • src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Witnesses/WitnessDsseSigner.cs
  • The runtime witness generation pipeline is implemented with deterministic observation canonicalization, DSSE signing, and a storage integration hook; it is wired into the runtime collector flow through optional witness emission settings.
    • src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Witnesses/RuntimeWitnessGenerator.cs
    • src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Runtime/EbpfRuntimeReachabilityCollector.cs
    • src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Runtime/IRuntimeReachabilityCollector.cs
  • The Evidence Locker export manifest/index now supports runtime witness triplets (trace.json, trace.dsse.json, trace.sigstore.json) with witness identity linkage and deterministic lookup keys (build_id, kernel_release, probe_id, policy_run_id), and offline verifier checks can run using bundle-contained artifacts only.
    • src/EvidenceLocker/__Libraries/StellaOps.EvidenceLocker.Export/Models/BundleManifest.cs
    • src/EvidenceLocker/__Libraries/StellaOps.EvidenceLocker.Export/TarGzBundleExporter.cs
    • src/EvidenceLocker/__Libraries/StellaOps.EvidenceLocker.Export/RuntimeWitnessOfflineVerifier.cs
  • Cross-distro deterministic replay matrix is validated in targeted tests (3 kernels: 5.15, 6.1, 6.6; libc variants: glibc, musl) with byte-identical replay-frame projection from fixed witness artifacts, and QA evidence includes artifact hashes and replay logs.
    • src/EvidenceLocker/__Tests/StellaOps.EvidenceLocker.Export.Tests/RuntimeWitnessOfflineVerifierTests.cs
    • docs/qa/feature-checks/runs/signals/ebpf-micro-witness-determinism/run-001/tier2-replay-matrix-summary.json
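The two properties the state above leans on, deterministic observation canonicalization and offline verification of the trace.json / trace.dsse.json / trace.sigstore.json triplet from bundle contents alone, fit in one small verifier. The following is an added Python illustration, not the project's RuntimeWitnessOfflineVerifier or WitnessDsseSigner: bundle, manifest, witness and key are constructed in memory. It checks that every triplet file hashes to the digest the manifest records, that the DSSE payload is byte-for-byte the canonical trace.json, that the signature verifies over the DSSE pre-authentication encoding (PAE), and that the lookup key (build_id, kernel_release, probe_id, policy_run_id) recomputed from the trace matches the manifest index. An HMAC stands in for the Sigstore/Ed25519 signature so it runs with the standard library only; the payload type string and the trace.sigstore.json content are placeholders.

```python
"""Offline verification of a runtime witness triplet from bundle contents only.

Added illustration, not the project's RuntimeWitnessOfflineVerifier: bundle,
manifest, witness and key are constructed in memory. Checks: (1) every triplet
file hashes to the digest the manifest records, (2) the DSSE payload is
byte-for-byte the canonical trace.json, (3) the signature verifies over the
DSSE pre-authentication encoding (PAE), (4) the lookup key (build_id,
kernel_release, probe_id, policy_run_id) recomputed from the trace matches the
manifest index. An HMAC stands in for the Sigstore/Ed25519 signature so this
runs with the standard library alone; trace.sigstore.json is a placeholder.
"""
import base64
import hashlib
import hmac
import json

PAYLOAD_TYPE = "application/vnd.example.runtime-witness+json"  # constructed


def canonical_json(obj) -> bytes:
    # Sorted keys, no whitespace: the same observation always yields the same bytes.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def pae(payload_type: str, payload: bytes) -> bytes:
    # DSSE PAE: "DSSEv1" SP LEN(type) SP type SP LEN(payload) SP payload
    t = payload_type.encode()
    return b" ".join([b"DSSEv1", str(len(t)).encode(), t,
                      str(len(payload)).encode(), payload])


def sha256_hex(data: bytes) -> str:
    return "sha256:" + hashlib.sha256(data).hexdigest()


def lookup_key(trace: dict) -> str:
    return "/".join(trace[k] for k in ("build_id", "kernel_release",
                                        "probe_id", "policy_run_id"))


def build_bundle(trace: dict, key: bytes) -> tuple:
    """Produce the triplet and a manifest entry for it (signer side)."""
    trace_bytes = canonical_json(trace)
    sig = hmac.new(key, pae(PAYLOAD_TYPE, trace_bytes), "sha256").digest()
    envelope = {"payloadType": PAYLOAD_TYPE,
                "payload": base64.b64encode(trace_bytes).decode(),
                "signatures": [{"keyid": "constructed-key",
                                "sig": base64.b64encode(sig).decode()}]}
    files = {"trace.json": trace_bytes,
             "trace.dsse.json": canonical_json(envelope),
             "trace.sigstore.json": canonical_json({"keyid": "constructed-key"})}
    manifest = {"lookup_key": lookup_key(trace),
                "digests": {n: sha256_hex(b) for n, b in files.items()}}
    return files, manifest


def verify_triplet(files: dict, manifest: dict, key: bytes) -> list:
    """Return failures; an empty list means the witness verifies offline."""
    failures = []
    for name, digest in manifest["digests"].items():
        if name not in files:
            failures.append(f"missing {name}")
        elif sha256_hex(files[name]) != digest:
            failures.append(f"digest mismatch {name}")
    if failures:
        return failures  # do not parse artifacts that already fail integrity
    env = json.loads(files["trace.dsse.json"])
    payload = base64.b64decode(env["payload"])
    if env["payloadType"] != PAYLOAD_TYPE:
        failures.append("unexpected payloadType")
    if payload != files["trace.json"]:
        failures.append("DSSE payload differs from trace.json")
    expected = hmac.new(key, pae(env["payloadType"], payload), "sha256").digest()
    if not any(hmac.compare_digest(base64.b64decode(s["sig"]), expected)
               for s in env["signatures"]):
        failures.append("no valid signature")
    if lookup_key(json.loads(payload)) != manifest["lookup_key"]:
        failures.append("lookup key mismatch")
    return failures


SAMPLE_TRACE = {  # constructed witness content
    "build_id": "buildid-constructed-0001",
    "kernel_release": "6.1.0-constructed",
    "probe_id": "probe-constructed",
    "policy_run_id": "run-constructed-001",
    "observations": [{"pid": 4242, "symbol": "main", "ts_ns": 100}],
}
KEY = b"constructed-demo-key"


def demo_ok() -> list:
    files, manifest = build_bundle(SAMPLE_TRACE, KEY)
    return verify_triplet(files, manifest, KEY)


def demo_tampered() -> list:
    files, manifest = build_bundle(SAMPLE_TRACE, KEY)
    edited = json.loads(files["trace.json"])
    edited["observations"][0]["symbol"] = "other"     # edit after signing
    files["trace.json"] = canonical_json(edited)
    return verify_triplet(files, manifest, KEY)
```

Every input the verifier reads comes from the bundle (the three files and the manifest) plus the trusted key material, which is what makes the check usable in an air-gapped review; the integrity pass runs before any JSON is parsed so a corrupted artifact is reported as such rather than as a parse error.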

Decision

  • Advisory is accepted as implementation-required.
  • Contract and sprint tasks are created to close deterministic replay gaps.