git.stella-ops.org/docs/features/unchecked/runtimeinstrumentation/tetragon-ebpf-runtime-instrumentation-bridge.md

Tetragon/eBPF Runtime Instrumentation Bridge (Runtime Witnesses, Build Correlation)

Module

RuntimeInstrumentation

Status

IMPLEMENTED

Description

Tetragon-based eBPF runtime instrumentation with event adaptation, witness bridging, frame canonicalization, privacy filtering, hot-symbol tracking, stack sampling, and runtime correlation to build artifacts for runtime reachability analysis.

Implementation Details

  • Runtime Traces Endpoints: src/Findings/StellaOps.Findings.Ledger.WebService/Endpoints/RuntimeTracesEndpoints.cs -- REST endpoints for ingesting runtime trace data from Tetragon/eBPF instrumentation.
  • Runtime Timeline Endpoints: src/Findings/StellaOps.Findings.Ledger.WebService/Endpoints/RuntimeTimelineEndpoints.cs -- endpoints for querying runtime event timelines correlated with build artifacts.
  • Runtime Traces Contracts: src/Findings/StellaOps.Findings.Ledger.WebService/Contracts/RuntimeTracesContracts.cs -- DTOs for runtime trace events including stack frames, symbol data, and correlation metadata.
  • Runtime Signal Ingester: src/Unknowns/__Libraries/StellaOps.Unknowns.Core/Services/RuntimeSignalIngester.cs -- ingests runtime signals from eBPF probes and correlates them with known vulnerability findings.
  • Null Runtime Traces Service: src/Findings/StellaOps.Findings.Ledger.WebService/Services/NullRuntimeTracesService.cs -- no-op implementation for environments without runtime instrumentation.
  • Signal Snapshot Builder: src/Findings/StellaOps.Findings.Ledger/Observations/SignalSnapshotBuilder.cs -- builds snapshots of runtime signals for replay and audit.

E2E Test Plan

  • Submit a runtime trace event from Tetragon (stack frames with symbol data) via the runtime traces endpoint and verify it is persisted and queryable
  • Correlate a runtime trace with a build artifact: submit trace data referencing a package and verify the timeline endpoint shows the runtime observation linked to the build artifact's SBOM entry
  • Verify privacy filtering: submit a trace with user-space memory addresses and confirm they are canonicalized or stripped before storage
  • Verify hot-symbol tracking: submit multiple traces for the same symbol and verify the timeline aggregates them with frequency counts
  • Verify the null runtime traces service handles requests without errors when runtime instrumentation is disabled
  • Query the runtime timeline for a time range and verify events are returned in chronological order with correct correlation metadata
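The privacy-filtering, hot-symbol and chronological-ordering checks above can be modelled in a few lines. The following is an added illustration, not the project's own code or contracts: the frame and event field names, the module bases and the sample events are all constructed assumptions, and canonicalization is modelled as replacing a raw ASLR-randomized user-space address with a module-relative offset (or stripping it when the module is unknown).

```python
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Illustrative model of Tetragon-style stack-trace events (constructed; field
# names are assumptions, not the project's RuntimeTracesContracts DTOs).

@dataclass(frozen=True)
class Frame:
    symbol: str
    module: str
    address: int  # raw, ASLR-randomized user-space address as sampled

@dataclass(frozen=True)
class CanonicalFrame:
    symbol: str
    module: str
    offset: Optional[int]  # module-relative offset, or None once stripped

@dataclass(frozen=True)
class TraceEvent:
    ts_ns: int   # sample timestamp, nanoseconds
    pid: int
    frames: tuple

# Module load bases as the probe would report them (constructed sample values).
MODULE_BASES = {"libssl.so.3": 0x7F3A_1000_0000, "app": 0x5581_2000_0000}

SAMPLE_EVENTS = (  # deliberately out of timestamp order
    TraceEvent(1_700_000_000_200, 41, (Frame("SSL_read", "libssl.so.3", 0x7F3A_1000_4A10),
                                       Frame("main", "app", 0x5581_2000_1234))),
    TraceEvent(1_700_000_000_100, 41, (Frame("SSL_read", "libssl.so.3", 0x7F3A_1000_4A10),)),
    TraceEvent(1_700_000_000_300, 42, (Frame("handler", "unknown.so", 0x7F00_0000_0010),)),
)

def canonicalize_frame(frame, bases=MODULE_BASES):
    """Drop the raw address: keep a module-relative offset when the base is known, else strip."""
    base = bases.get(frame.module)
    offset = frame.address - base if base is not None else None
    return CanonicalFrame(frame.symbol, frame.module, offset)

def canonicalize_event(event, bases=MODULE_BASES):
    """Privacy filter applied before storage: no raw address survives in any frame."""
    return TraceEvent(event.ts_ns, event.pid, tuple(canonicalize_frame(f, bases) for f in event.frames))

def hot_symbols(events):
    """Frequency of each (module, symbol) across all frames of all events, hottest first."""
    return Counter((f.module, f.symbol) for e in events for f in e.frames).most_common()

def timeline(events):
    """Events in chronological order, as the timeline query is expected to return them."""
    return sorted(events, key=lambda e: e.ts_ns)
```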