e8537460a3
- Introduced AGENTS.md, README.md, TASKS.md, and implementation_plan.md for Vexer, detailing mission, responsibilities, key components, and operational notes. - Established similar documentation structure for Vulnerability Explorer and Zastava modules, including their respective workflows, integrations, and observability notes. - Created risk scoring profiles documentation outlining the core workflow, factor model, governance, and deliverables. - Ensured all modules adhere to the Aggregation-Only Contract and maintain determinism and provenance in outputs.
1.2 KiB
1.2 KiB
Entry-Point Runtime — C / C++
Signals to gather
- Dynamically linked ELF (
.dynamic) with GLIBC references (GLIBC,GLIBCXX,libstdc++). - Presence of
/lib64/ld-linux-*.so.*loaders. - Absence of Go/Rust-specific markers.
- Native supervisor binaries (
nginx,envoy, custom C services). - Config files adjacent to the binary (
/etc/app.conf, YAML/INI).
Implementation notes
- Treat this detector as the "native fallback": confirm no higher-priority language matched.
- Collect shared library list to attach as evidence; highlight unusual dependencies.
- Inspect
EXPOSEports and config directories to aid classification. - Normalise busybox-style symlinks (actual binary often
/bin/busyboxwith applet name).
Evidence & scoring
- Boost for ELF dynamic dependencies and loader presence.
- Add evidence for config files, service managers, or env variables.
- Penalise extremely small binaries without metadata (may be wrappers).
Edge cases
- Static C binaries may look like Go; rely on build ID absence and library fingerprints.
- When binary is part of a supervisor stack (e.g.,
s6-svscan), delegate classification toSupervisor. - Windows native services should be handled by PE analysis (
entrypoint-runtime-overview.md).