2.1 KiB
2.1 KiB
eBPF Capture Abstraction
Module
Scanner
Status
IMPLEMENTED
Description
Platform-level eBPF capture adapter for Linux with runtime evidence aggregation, plus dedicated eBPF library at src/Signals/__Libraries/StellaOps.Signals.Ebpf/ with probe loaders, parsers, and air-gap support.
Implementation Details
- Runtime Capture Adapters (platform-specific):
src/Scanner/StellaOps.Scanner.Analyzers.Native/RuntimeCapture/IRuntimeCaptureAdapter.cs- Interface for platform-specific runtime capturesrc/Scanner/StellaOps.Scanner.Analyzers.Native/RuntimeCapture/LinuxEbpfCaptureAdapter.cs- Linux eBPF capture adaptersrc/Scanner/StellaOps.Scanner.Analyzers.Native/RuntimeCapture/MacOsDyldCaptureAdapter.cs- macOS dyld capture adaptersrc/Scanner/StellaOps.Scanner.Analyzers.Native/RuntimeCapture/WindowsEtwCaptureAdapter.cs- Windows ETW capture adapter
- Runtime Evidence:
src/Scanner/StellaOps.Scanner.Analyzers.Native/RuntimeCapture/RuntimeEvidence.cs- Runtime evidence modelsrc/Scanner/StellaOps.Scanner.Analyzers.Native/RuntimeCapture/RuntimeEvidenceAggregator.cs- Aggregates runtime evidence from capture adapterssrc/Scanner/StellaOps.Scanner.Analyzers.Native/RuntimeCapture/StackTraceCapture.cs- Stack trace capture model
- Capture Configuration:
src/Scanner/StellaOps.Scanner.Analyzers.Native/RuntimeCapture/RuntimeCaptureOptions.cs- Capture optionssrc/Scanner/StellaOps.Scanner.Analyzers.Native/RuntimeCapture/CaptureDurationTimer.cs- Duration timer for capture sessions
E2E Test Plan
- Configure eBPF capture on a Linux host and verify
LinuxEbpfCaptureAdaptercollects runtime library loading events - Verify
RuntimeEvidenceAggregatoraggregates captured events into structured runtime evidence - Verify stack trace capture captures function call chains from eBPF probes
- Verify capture duration timer correctly limits capture sessions
- Verify the capture adapter interface allows switching between eBPF (Linux), ETW (Windows), and dyld (macOS)
- Verify runtime evidence can be used to confirm/deny static reachability claims