stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 3 Releases Wiki Activity
Files
fb46a927ad64cbae8b769da558e632b4c1b47dd7
git.stella-ops.org/docs/product/ebpf-micro-witness-determinism.md
master fb46a927ad save changes
2026-02-17 00:51:35 +02:00

2.6 KiB
Raw Blame History

eBPF Micro-Witness Determinism Profile

Status

  • Advisory translated: 2026-02-16 (UTC)
  • Current implementation status: gaps confirmed
  • Implementation sprint: docs/implplan/SPRINT_20260216_001_Signals_ebpf_micro_witness_determinism_profile.md

Purpose

  • Define what "replayable and deterministic micro-witnesses" means for Stella Ops runtime evidence.
  • Align Signals, Scanner, Attestor, and Evidence Locker on one verifiable output profile.
  • Ensure the same incident replay result across distros/toolchains and in offline mode.

Required product behavior

  1. One CO-RE probe object must run unchanged across supported kernels when BTF is available.
  2. If kernel BTF is missing, the loader must use deterministic fallback selection and record exactly what BTF source was used.
  3. Runtime witnesses must include deterministic symbolization inputs (build identity + symbol/debug material + toolchain tuple).
  4. Witness evidence must be portable as DSSE plus a Sigstore bundle that can be verified offline.

Verified current state (2026-02-16)

  • eBPF support check currently hard-requires /sys/kernel/btf/vmlinux with no split-BTF fallback path selection metadata in collector output.
    • src/Signals/__Libraries/StellaOps.Signals.Ebpf/Services/RuntimeSignalCollector.cs
  • Probe loader path is simulated for runtime attachment lifecycle and does not implement deterministic BTF source recording.
    • src/Signals/__Libraries/StellaOps.Signals.Ebpf/Probes/CoreProbeLoader.cs
  • Runtime witness model includes build_id but does not include symbol bundle pointers or symbolizer/libc/sysroot tuple required for cross-distro deterministic symbolization.
    • src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Witnesses/PathWitness.cs
    • src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Witnesses/RuntimeObservation.cs
  • Runtime witness generator is interface-defined but has no production implementation in Scanner.
    • src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Witnesses/IRuntimeWitnessGenerator.cs
  • DSSE envelope support exists; end-to-end per-witness Sigstore bundle contract (trace.sigstore.json) is not standardized in witness storage/indexing.
    • src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Witnesses/WitnessDsseSigner.cs
    • src/Scanner/__Libraries/StellaOps.Scanner.Storage/Postgres/Migrations/013_witness_storage.sql
    • src/EvidenceLocker/__Libraries/StellaOps.EvidenceLocker.Export/Models/BundleManifest.cs

Decision

  • Advisory is accepted as implementation-required.
  • Contract and sprint tasks are created to close deterministic replay gaps.