docs: post-v0.7.1 surface sync (README + site + ROADMAP)

Three stale surfaces refreshed after the v0.7.1 cut + arm64 release:

README.md — Status section was 'v0.6.0 cut 2026-05-23'; updated to
v0.7.1 with the new prebuilt-binary inventory (4 artifacts: x86_64 +
arm64, each dynamic + static-musl) and the CI hardening additions
(ASan/UBSan + clang-tidy).

docs/index.html — hero eyebrow chip and footer meta both showed v0.6.0;
both bumped to v0.7.1.

ROADMAP.md — entire v0.7.x phase added as 'Phase 9 — Empirical
verification + operator briefing (DONE 2026-05-23, v0.7.1)'. Captures
everything since Phase 7+/8 (which were the v0.5–v0.6 era): the VM
verifier, mainline kernel fetch, 22 of 26 CVEs verified, --explain
mode, OPSEC notes, CVE metadata pipeline (CISA KEV + NVD CWE), 119
detection rules, 88-test harness, arm64-static binary, arch_support
field, marketing site. Plus an explicit 'open follow-ups' list (arm64
verification sweep, SIEM query templates, install.sh smoke test,
PackageKit provisioner, custom <=4.4 kernel image for dirty_cow, 9
deferred drift findings) and the 'wait-for-upstream blockers' list
(vmwgfx, dirtydecrypt, fragnesia).
2026-05-23 21:27:23 -04:00
parent c12ee6055c
commit 4af82b82d9
3 changed files with 84 additions and 5 deletions
+5 -3
@@ -197,12 +197,14 @@ also compile (modules with Linux-only headers stub out gracefully).
## Status ## Status
**v0.6.0 cut 2026-05-23.** 31 modules across 26 CVEs, **22 empirically **v0.7.1 cut 2026-05-23.** 31 modules across 26 CVEs, **22 empirically
verified** against real Linux VMs (Ubuntu 18.04 / 20.04 / 22.04 + verified** against real Linux VMs (Ubuntu 18.04 / 20.04 / 22.04 +
Debian 11 / 12 + mainline kernels 5.15.5 / 6.1.10 from Debian 11 / 12 + mainline kernels 5.15.5 / 6.1.10 from
kernel.ubuntu.com). 88-test unit harness on every push. kernel.ubuntu.com). 88-test unit harness + ASan/UBSan + clang-tidy
on every push. 4 prebuilt binaries (x86_64 + arm64, each in dynamic
+ static-musl flavors).
Reliability + accuracy work in v0.6.0: Reliability + accuracy work in v0.7.x:
- Shared **host fingerprint** (`core/host.{h,c}`) populated once at - Shared **host fingerprint** (`core/host.{h,c}`) populated once at
startup — kernel/distro/userns gates/sudo+polkit versions — exposed startup — kernel/distro/userns gates/sudo+polkit versions — exposed
to every module via `ctx->host`. to every module via `ctx->host`.
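Review bot: the new Status sentence "4 prebuilt binaries (x86_64 + arm64, each in dynamic + static-musl flavors)" advertises an arm64 dynamic artifact, but the ROADMAP hunk in this same commit only documents `skeletonkey-arm64-static`, built via the `dockcross/linux-arm64-musl` cross toolchain and published "alongside x86_64-static"; confirm the arm64 dynamic build is actually attached to the release before the README claims four artifacts, or reword the inventory to match what the ROADMAP records. The module/CVE counts carried over unchanged (31 modules, 26 CVEs, 22 verified) agree with the ROADMAP's `arch_support` breakdown (4 + 1 + 26 = 31), so only the binary count needs checking.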
+77
@@ -272,6 +272,83 @@ The 2 ported-but-unverified modules (`dirtydecrypt`, `fragnesia`) are
and pinned fix commits first (tracked under Phase 7+ above) before any and pinned fix commits first (tracked under Phase 7+ above) before any
full-chain work is meaningful. full-chain work is meaningful.
## Phase 9 — Empirical verification + operator briefing (DONE 2026-05-23, v0.7.1)
The largest single jump in trust signal: every claim in the corpus is
now backed by either a unit test (88-test harness) or a real-VM
verification record (22 of 26 CVEs), and the binary surfaces both.
- [x] **`tools/verify-vm/`** — Vagrant + Parallels scaffold. Boots
known-vulnerable kernels (stock distro + mainline via
`kernel.ubuntu.com/mainline/`), runs `--explain --active` per
module, emits JSONL verification records.
- [x] **Mainline kernel fetch** — `targets.yaml` `mainline_version`
field downloads vanilla mainline .debs from
`kernel.ubuntu.com/mainline/v<X.Y.Z>/amd64/`, dpkg-installs,
`update-grub`s, reboots. Unblocks pin-not-in-apt targets.
- [x] **22 of 26 CVEs verified** across Ubuntu 18.04 / 20.04 / 22.04 +
Debian 11 / 12 + mainline 5.15.5 / 6.1.10. Records in
`docs/VERIFICATIONS.jsonl`, baked into `core/verifications.{c,h}`,
surfaced in `--list` (VFY column), `--module-info`, `--explain`,
`--scan --json`.
- [x] **`--explain MODULE`** — one-page operator briefing. CVE / CWE /
MITRE ATT&CK / CISA KEV header, host fingerprint, live `detect()`
trace with verdict + interpretation, OPSEC footprint, detection-
rule coverage, verified-on records. Paste-into-ticket ready.
- [x] **Per-module `opsec_notes`** — every module struct ships a
runtime-footprint paragraph (file artifacts, dmesg, syscall
observables, network, persistence, cleanup). The inverse of the
detection rules.
- [x] **CVE metadata pipeline** — `tools/refresh-cve-metadata.py`
fetches CISA KEV + NVD CWE; 10 of 26 modules cover KEV-listed
CVEs. Hand-curated ATT&CK mapping (T1068 / T1611 / T1082).
Surfaced everywhere (`` markers, `triage` JSON sub-object).
- [x] **119 detection rules across all 4 SIEM formats** — auditd
30/31, sigma 31/31, yara 28/31, falco 30/31. Documented
intentional skips for the 3 modules without applicable rules
in each format (entrybleed: pure timing side-channel;
ptrace_traceme + sudo_samedit: pure-memory races, no on-disk
artifacts).
- [x] **88-test unit harness** — 33 kernel_range / host-fingerprint
boundary tests + 55 detect() integration tests. ASan + UBSan
+ clang-tidy on every push; weekly cron checks for CISA KEV
+ Debian security-tracker drift.
- [x] **arm64-static binary** — `skeletonkey-arm64-static` published
alongside x86_64-static. Built via `dockcross/linux-arm64-musl`
cross toolchain. `install.sh` auto-picks on aarch64 hosts.
- [x] **`arch_support` field** per module: `any` (4 — userspace
bugs), `x86_64` (1 — entrybleed by physics),
`x86_64+unverified-arm64` (26 — kernel modules whose arm64
exploit hasn't been empirically confirmed). Honest labels until
an arm64 verification sweep promotes them.
- [x] **Marketing-grade landing page** — animated hero with
`--explain` showcase, bento-grid features, KEV / verification
stat chips, open-graph card. karazajac.github.io/SKELETONKEY.
**Open follow-ups from v0.7.x (not yet started):**
- [ ] arm64 verification sweep — Vagrant arm64 box (e.g.
`generic/debian12-arm64` on M-series Mac via Parallels) → run
`verify.sh` against the 26 `x86_64+unverified-arm64` modules,
promote each to `any` where it works.
- [ ] SIEM query templates — full Splunk SPL / Elastic KQL / Sentinel
KQL queries per top-10 KEV-listed modules, embedded in
`docs/DETECTION_PLAYBOOK.md`.
- [ ] `install.sh` CI smoke test — boot fresh Ubuntu / Debian /
Alpine containers, run `curl ... | sh`, assert `--version`.
- [ ] PackageKit provisioner for pack2theroot VULNERABLE-path
verification on Debian 12.
- [ ] Custom ≤ 4.4 kernel image for dirty_cow VM verification.
- [ ] 9 deferred TOO_TIGHT kernel-range drift findings — per-commit
verification against git.kernel.org/linus.
**Wait-for-upstream blockers (out of our control):**
- vmwgfx verification — requires a VMware-Fusion-or-Workstation
guest exposing `/dev/dri/card*` from the vmwgfx driver.
- dirtydecrypt + fragnesia verification — both target Linux 7.0+,
which isn't shipping as any distro kernel yet.
## Non-goals ## Non-goals
- **No 0-day shipment.** Everything in SKELETONKEY is post-patch. - **No 0-day shipment.** Everything in SKELETONKEY is post-patch.
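Review bot: the CVE metadata bullet ends with an empty inline-code literal ("Surfaced everywhere (`` markers, `triage` JSON sub-object)"), so the marker string readers are told to look for is missing; fill in the actual marker name. A second wording point in the detection-rules bullet: "Documented intentional skips for the 3 modules without applicable rules in each format" does not match the per-format counts on the same lines (sigma 31/31, auditd 30/31, falco 30/31, yara 28/31), which say the three named modules are all skipped only in yara and that auditd and falco each skip one; suggest "intentional skips for up to 3 modules per format" or listing the skips per format. The remaining arithmetic in the phase checks out against the visible lines (30 + 31 + 28 + 30 = 119 rules; 33 + 55 = 88 tests; 22 verified + vmwgfx + dirtydecrypt + fragnesia + dirty_cow = 26 CVEs).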
+2 -2
@@ -56,7 +56,7 @@
<div class="container hero-inner"> <div class="container hero-inner">
<div class="hero-eyebrow"> <div class="hero-eyebrow">
<span class="dot dot-pulse"></span> <span class="dot dot-pulse"></span>
v0.6.0 — released 2026-05-23 v0.7.1 — released 2026-05-23
</div> </div>
<h1 class="hero-title"> <h1 class="hero-title">
<span class="display-wordmark">SKELETONKEY</span> <span class="display-wordmark">SKELETONKEY</span>
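Review bot: the eyebrow chip now says v0.7.1 but keeps "released 2026-05-23", the exact date the replaced v0.6.0 chip carried; the README hunk in this commit reuses the same date for the v0.7.1 cut as well. If v0.6.0 and v0.7.1 were genuinely cut on the same day this is correct, otherwise the date was carried over untouched and should be the real v0.7.1 tag date.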
@@ -598,7 +598,7 @@ uid=0(root) gid=0(root)</pre>
who found the bugs. who found the bugs.
</p> </p>
<p class="footer-meta"> <p class="footer-meta">
v0.6.0 · MIT · <a href="https://github.com/KaraZajac/SKELETONKEY">github.com/KaraZajac/SKELETONKEY</a> v0.7.1 · MIT · <a href="https://github.com/KaraZajac/SKELETONKEY">github.com/KaraZajac/SKELETONKEY</a>
</p> </p>
</div> </div>
</footer> </footer>
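Review bot: this footer line is the second hard-coded version string in docs/index.html (the hero eyebrow in the earlier hunk is the first), and the commit message itself notes that all three surfaces had silently stayed at v0.6.0; suggest deriving both page occurrences from one source (a build step that substitutes the tag into the page, or a CI check that README.md, ROADMAP.md and docs/index.html agree on the current version) so the next release cannot leave one of them stale.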