AegisBPF is in 0.x and follows a "current minor + previous minor" support window. Older minors receive no further fixes (security or otherwise) once they fall out of the window. When a new minor is released, the third-oldest minor moves to End of Life immediately.

Release notes for each minor live on the GitHub Releases page: https://github.com/ErenAri/Aegis-BPF-CO-RE-Enforcement-Prototype/releases

This table is the authoritative source for supportedness. If it ever disagrees with anything else in the repository, this table wins and the other location is a bug — please file an issue.

Preferred path (private):

1. Open GitHub Security tab -> Advisories
2. Click Report a vulnerability
3. Include impact, affected versions, and reproduction details

If private advisory reporting is unavailable, open a minimal public metadata issue using the Security report (public metadata only) issue template and do not include exploit details.

Initial triage target: acknowledgement within 48 hours.

Authoritative security scope is documented in docs/THREAT_MODEL.md.

At a high level:

• In scope: unprivileged process/container attempts to perform denied file/network operations.
• Out of scope: host root compromise, malicious kernel modules, and physical/firmware attacks.
• Important boundary: if BPF LSM is unavailable, AegisBPF degrades to audit-only behavior and cannot enforce file denial.

AegisBPF includes multiple security hardening features:

When running with --seccomp, the agent applies a strict seccomp-bpf filter that only allows necessary system calls. This limits the attack surface if the agent is compromised.

aegisbpf run --seccomp

An AppArmor profile is provided in packaging/apparmor/usr.bin.aegisbpf. To install:

sudo cp packaging/apparmor/usr.bin.aegisbpf /etc/apparmor.d/
sudo apparmor_parser -r /etc/apparmor.d/usr.bin.aegisbpf

SELinux policy files are provided in packaging/selinux/. To install:

cd packaging/selinux
make -f /usr/share/selinux/devel/Makefile aegisbpf.pp
sudo semodule -i aegisbpf.pp
sudo restorecon -Rv /usr/bin/aegisbpf /etc/aegisbpf /var/lib/aegisbpf

AegisBPF requires the following capabilities:

All releases are signed using Sigstore Cosign. To verify a release:

cosign verify-blob \
  --certificate aegisbpf-*.tar.gz.pem \
  --signature aegisbpf-*.tar.gz.sig \
  --certificate-identity-regexp 'https://github.com/aegisbpf/aegisbpf/*' \
  --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
  aegisbpf-*.tar.gz

Use the dedicated runbook for key rotation and revocation:

• docs/KEY_MANAGEMENT.md
• scripts/sign_policy_external.sh (KMS/HSM-style external signer workflow)

In production, prefer signed policy bundles plus:

• aegisbpf policy apply --require-signature
• periodic key rotation
• revocation drills and incident evidence capture

All cryptographic comparisons in AegisBPF use constant-time algorithms to prevent timing side-channel attacks:

• BPF object integrity verification - SHA256 hash comparison uses constant_time_hex_compare()
• Policy hash verification - SHA256 integrity checks use constant-time comparison
• Signed bundle verification - Policy bundle SHA256 verification uses constant-time comparison

This prevents attackers from inferring valid hash values by measuring comparison timing.

AegisBPF verifies the integrity of the BPF object file before loading:

1. Computes SHA256 hash of the BPF object
2. Compares against expected hash from /etc/aegisbpf/aegis.bpf.sha256 or installed location
3. Rejects loading if hashes don't match

Important: The AEGIS_SKIP_BPF_VERIFY=1 environment variable bypass is disabled in Release builds. It is only available in Debug builds for development purposes.

• Bundle parsing: All numeric fields in signed bundles are validated with exception handling to prevent crashes on malformed input
• JSON escaping: All control characters are properly escaped in JSON log output to prevent log injection attacks
• Path validation: Null bytes, path traversal, and symlink attacks are mitigated through canonicalization

AegisBPF release artifacts are protected by layered supply-chain controls:

• SLSA v1.0 Build Track Level 3 provenance via actions/attest-build-provenance@v2 on GitHub-hosted runners. The release workflow self-verifies its own provenance before publishing.
• Sigstore keyless signing of every release blob (tar.gz, .deb, .rpm, SHA256SUMS.txt) and every container image.
• SBOMs in both SPDX 2.3 and CycloneDX 1.6 generated with Syft, themselves signed with cosign.
• SHA256 checksums (SHA256SUMS.txt) for all release payloads.
• Capability contract report generated and attested at release time.

Verification instructions for adopters live in docs/compliance/SLSA_PROVENANCE.md.

1. Run as a dedicated user: Create a dedicated system user for aegisbpf.
2. Use read-only root filesystem: In containers, mount the root filesystem read-only.
3. Limit network access: AegisBPF only needs local Unix socket access for journald.
4. Enable all hardening options: Use --seccomp in production.

1. Use SHA256 verification: When applying policies, use --sha256 to verify integrity.
2. Review policies before applying: Use policy lint to validate policies.
3. Keep policies minimal: Only deny what's necessary.
4. Monitor policy changes: Log all policy modifications.

1. Enable alerting: Use the Prometheus alerts in config/prometheus/alerts.yml.
2. Monitor for anomalies: High block rates may indicate attacks.
3. Review blocked events: Investigate BLOCK events to identify threats or misconfigurations.

The following environment variables affect security behavior. In production, avoid setting override variables unless absolutely necessary.

Production recommendations:

• Do not set AEGIS_SKIP_BPF_VERIFY (ineffective in Release builds anyway)
• Use default paths for BPF objects and keys
• Always use --sha256 or --require-signature for policy application

1. BPF LSM requirement: Full blocking requires BPF LSM to be enabled in the kernel. Without it, the agent degrades to audit-only and cannot block file or network operations.
2. Root namespace only: The agent must run in the host PID/cgroup namespace.
3. Namespace/path ambiguity: Path canonicalization occurs in the agent mount namespace; bind-mount and overlay paths can differ from workload-visible paths. Inode-based denies (deny_inode) avoid this class of confusion and are preferred when correctness matters.
4. No independent third-party security review: see docs/EXTERNAL_VALIDATION.md. Until that page lists a published review, assume none has been performed.
5. No head-to-head competitive performance evidence: see docs/PERFORMANCE_COMPARISON.md. Comparative micro-benchmarks against Falco / Tetragon / Tracee / KubeArmor have not been run on the same hardware in this repository. Estimated numbers were removed in 2026-04-08.

Vulnerability: Unbounded heap allocation in signature verification could lead to memory exhaustion DoS attacks.

Impact: HIGH - Availability impact via memory exhaustion

Status: FIXED

Details: See docs/SECURITY_FIX_TWEETNACL_MEMORY.md

Affected Versions: Pre-fix versions (< v0.1.1)

Fix Version: v0.1.1+

Changes:

• Replaced heap-based allocation with stack-based buffers (4KB limit)
• Added size validation before cryptographic operations
• Enhanced test coverage with 9 new security tests
• All 153 unit tests pass

Action Required: Update to latest version immediately