RED SPECTER NIGHTFALL  —  SPECTER KERNEL  /  Docs
SPECTER KERNEL
Kernel-Layer AI Governance Subversion Engine — NIGHTFALL Tool 68
v1.0.0 • 6 Subsystems • 626 Tests • KAMIKAZE Dual-Gate • World-First

SPECTER KERNEL is the world's first tool to systematically attack kernel-layer AI agent governance. It proves that eBPF-based syscall monitoring, BPF-LSM security policies, namespace sandboxing, and cryptographically signed audit ledgers — all increasingly used as AI governance enforcement primitives — can be comprehensively defeated without touching the governance framework itself. The monitor records legitimate activity. The agent performs the real action. The audit trail is clean.

Authorised Use Only. Loading eBPF programs into a production kernel without explicit written authorisation from the system owner is illegal under the Computer Misuse Act 1990, CFAA, and equivalent legislation worldwide. Active kernel operations require KAMIKAZE dual-gate clearance. See Rules of Engagement.

Requirements

ComponentMinimumNotes
Python3.11+Required for all subsystems
Linux kernel5.7+BPF-LSM support (CONFIG_BPF_LSM=y)
clang / LLVMAny recentRequired for SYSCALL_FORGE eBPF compilation
bpftool5.15+Required for LSM_BYPASS hook inspection
BTFPresent/sys/kernel/btf/vmlinux must exist
Capabilityroot or CAP_BPF+CAP_PERFMONKAMIKAZE-level operations require root
AppArmorOptionalEnhances LSM_BYPASS attack surface
580 of 626 tests run offline without root access. The remaining 46 require root and are automatically skipped in non-root CI environments.

Installation

Install from source

# Clone the repository
$ cd red-specter-specter-kernel
$ pip install -e .

# With dev dependencies
$ pip install -e ".[dev]"

# Verify
$ specter-kernel --version
SPECTER KERNEL 1.0.0 — NIGHTFALL Tool 68

eBPF headers

SPECTER KERNEL ships with project-local BPF headers under bpf_headers/ — no system-level libbpf-dev package required. The headers include bpf_helpers.h, bpf_tracepoint.h, and bpf_tracing.h.

Run tests

# Full suite (626 tests — 580 run without root)
$ pytest tests/ -v
626 passed in 4.21s

# Individual subsystem
$ pytest tests/test_syscall_forge/ -v
$ pytest tests/test_lsm_bypass/ -v
$ pytest tests/test_ledger_poison/ -v

CLI Reference

specter-kernel scan

Runs KERNEL_ENV_PROBE — full environment survey. No UNLEASHED authorisation required. Safe to execute on any Linux host.

$ specter-kernel scan [--output FILE]

# Output WARLORD-compatible JSON
$ specter-kernel scan --output report.json

KERNEL_ENV_PROBE
bpf_lsm_enabled: true
btf_available: true
bpftool_present: true
clang_present: true
apparmor_loaded: true
root_capable: false
viability_score: 5/6 (HIGH)

specter-kernel forge

Compiles eBPF programs locally and runs LEDGER_POISON and CHILD_ESCAPE probes. Requires --override (FORGE level). Does not load anything into the kernel.

$ specter-kernel forge --override [--output FILE]

SYSCALL_FORGE — eBPF programs compiled (5 classes)
LEDGER_POISON — race: 7 duplicate prev_hashes in 500ms
CHILD_ESCAPE — 3 fds without O_CLOEXEC found

specter-kernel exploit

Active kernel exploitation — loads eBPF programs, installs LSM hooks, runs namespace escape probes. Requires KAMIKAZE dual-gate: --override --confirm-destroy.

$ specter-kernel exploit --override --confirm-destroy [--output FILE]

SYSCALL_FORGE — tracepoints attached: openat, execve, connect, write, ptrace
LSM_BYPASS — BPF-LSM hook installed, overrides AppArmor DENY rules
CHILD_ESCAPE — namespace escape paths enumerated

specter-kernel evidence

Assembles and exports EVIDENCE output — hash-chained artefacts from all executed subsystems. Available at all gate levels.

$ specter-kernel evidence --output evidence.json

specter-kernel auth

Manage KAMIKAZE-gate Ed25519 keys.

# Initialise key pair
$ specter-kernel auth init
Keys written to ~/.red-specter/specter-kernel/

# Show gate status
$ specter-kernel auth status

# Create destroy-level scope file
$ specter-kernel auth create-scope [--expires-days 30]

specter-kernel modules

List all subsystems with gate level and MITRE ATT&CK mappings.

$ specter-kernel modules

KAMIKAZE Gate

SPECTER KERNEL uses the KAMIKAZE-class UNLEASHED dual-gate — the highest clearance level in the NIGHTFALL framework. This gate requires two independent Ed25519 keys to protect against single-key compromise. All active kernel operations are gated at KAMIKAZE level.

LevelFlagSubsystems ActiveRequirement
Open none KERNEL_ENV_PROBE, EVIDENCE None — safe passive enumeration
Forge --override + SYSCALL_FORGE (compile only), LEDGER_POISON, CHILD_ESCAPE Ed25519 UNLEASHED key at ~/.red-specter/specter-kernel/
Kamikaze --override --confirm-destroy + SYSCALL_FORGE (load), LSM_BYPASS (hook install), CHILD_ESCAPE (escape) Both UNLEASHED + OPERATOR keys signed, scope file present, not expired

Key Files

~/.red-specter/specter-kernel/
├── unleashed.key              # Ed25519 private key — UNLEASHED (mode 600)
├── operator.key               # Ed25519 private key — OPERATOR (mode 600)
└── authorized_scope.json       # Dual-signed scope file (KAMIKAZE level)
Both keys must sign the scope file independently. Tampering with any field — target host, expiry, tool identifier — invalidates both signatures. WARLORD automated campaign invocation is disabled for KAMIKAZE-class tools via skip_reason. Operator confirmation is always required.

Subsystem: KERNEL_ENV_PROBE

Open   Prerequisite enumeration — no kernel writes, no eBPF loads.

Surveys the target host for the full set of kernel capabilities required for attack viability. Each probe is independent and produces a binary result contributing to an overall viability score.

Probes

ProbeMethodSignificance
bpf_lsm_enabledParse /sys/kernel/security/lsmBPF-LSM must be in LSM stack for hook attacks
btf_availableCheck /sys/kernel/btf/vmlinuxCO-RE eBPF compilation requires BTF
bpftool_presentwhich bpftoolHook inspection and program listing
clang_presentwhich clangeBPF bytecode compilation from C source
apparmor_loadedaa-status --json (exit 0 or 1)AppArmor presence expands LSM_BYPASS attack surface
root_capableos.getuid() == 0Active kernel exploitation requires root

Viability scoring

{
  "subsystem": "KERNEL_ENV_PROBE",
  "bpf_lsm_enabled": true,
  "btf_available": true,
  "bpftool_present": true,
  "clang_present": true,
  "apparmor_loaded": true,
  "root_capable": false,
  "viability_score": 5,
  "viability_max": 6,
  "viability_grade": "HIGH",
  "attack_ready": true
}

Subsystem: SYSCALL_FORGE

Forge (compile)   Kamikaze (load)   ATT&CK: T1055 — Process Injection via eBPF

Generates and optionally loads eBPF tracepoint programs that rewrite syscall arguments in-flight. The monitoring layer records the decoy argument. The agent performs the real action. The divergence is confirmed by comparing what the monitor logged against what the kernel actually executed.

Syscall classes

ClassTracepointRewritten FieldDecoy → Real
openatsys_enter_openatfilename/tmp/harmless/etc/shadow
execvesys_enter_execveargv[0]/usr/bin/ls/usr/bin/id
connectsys_enter_connectdest addr127.0.0.1:443 → exfil IP
writesys_enter_writebuf contentbenign payload → malicious data
ptracesys_enter_ptracerequest codePTRACE_PEEKDATA → PTRACE_POKEDATA

Divergence evidence

Monitor records: openat('/tmp/harmless', O_RDONLY)
Agent performed: openat('/etc/shadow', O_RDONLY)
Divergence: CONFIRMED — governance monitor is blind to real action

Subsystem: LSM_BYPASS

Kamikaze   ATT&CK: T1562.001 — Impair Defenses: Disable Security Tools

Exploits BPF-LSM hook ordering. LSM hooks execute in registration order — an eBPF hook loaded after AppArmor executes last and can return ALLOW regardless of what AppArmor decided. This does not disable AppArmor; it adds a hook that silently overrides it.

Attack mechanics

LSM stack before attack:
  lockdown → capability → apparmor

After attacker BPF hook loads:
  lockdown → capability → apparmor → bpf

AppArmor: DENY file_open('/sensitive')
BPF hook: return ALLOW (executes last, result is final)
Result: file_open succeeds — AppArmor DENY overridden

Detection

KERNEL_ENV_PROBE detects whether BPF is listed in the LSM stack. If bpf is present and BPF-LSM is enabled, LSM_BYPASS is viable. The attack installs a minimal hook that returns 0 (ALLOW) for all file_open LSM decisions directed at the target path.

Subsystem: CHILD_ESCAPE

Forge (scan)   Kamikaze (escape)   ATT&CK: T1611 — Escape to Host

Two-phase attack. Phase 1 enumerates namespace boundaries and open file descriptors missing O_CLOEXEC. Phase 2 exploits the identified gaps to escape the container or namespace sandbox by inheriting file descriptors across exec().

FD gap scan

fd=3 (pipe, r--): no O_CLOEXEC — inherited across exec
fd=7 (socket, rw-): no O_CLOEXEC — inherited across exec
fd=11 (eventfd, r--): no O_CLOEXEC — inherited across exec
3 escape vectors identified

Namespace enumeration

Maps the target process's namespace membership against the host namespace via /proc/[pid]/ns/. Confirms whether any namespace boundary is actually enforced between the AI agent process and the host.

Subsystem: LEDGER_POISON

Forge   ATT&CK: T1565.001 — Stored Data Manipulation

Three independent attacks against hash-chain audit ledgers used to prove AI governance compliance. Each attack targets a different architectural weakness.

Attack 1: Hash-chain race condition (chain fork)

Spawns concurrent writer threads against a shared ledger. When two threads read the same prev_hash before either commits, they both produce valid entries with identical prev_hash values — creating an irreconcilable fork in the audit chain. The ledger appears intact but records two diverging histories.

Writers: 10 concurrent threads
Window: 500ms
Duplicate prev_hashes: 7 (chain fork confirmed — audit trail poisoned)

Attack 2: Signer queue overflow

Floods the signing queue faster than the signer can process. Signatures are dropped silently — events appear in the ledger unsigned. Defenders relying on "all events are signed" invariant cannot detect which unsigned events are legitimate versus attacker-injected.

Events generated: 100
Events signed: 87
Events dropped: 13 (unsigned gap in ledger)

Attack 3: Gap proof vs. SYSCALL_FORGE

Cross-references what SYSCALL_FORGE proved the agent executed against what the ledger actually recorded. Quantifies the governance visibility gap — the number of real agent actions that appear nowhere in the audit chain.

SYSCALL_FORGE events: 20
Ledger events: 7
Governance gap: 13 actions unrecorded — ledger is incomplete

Subsystem: EVIDENCE

Open   Available at all gate levels.

Assembles findings from all executed subsystems into a tamper-evident, hash-chained evidence bundle. Each artefact includes a SHA-256 chain link to the previous entry. The bundle is WARLORD-compatible and suitable for delivery as part of a penetration testing report.

Evidence bundle structure

{
  "tool": "SPECTER KERNEL",
  "version": "1.0.0",
  "timestamp": "2026-04-30T10:00:00Z",
  "unleashed_level": "kamikaze",
  "chain_head": "sha256:a3f2...",
  "summary": {
    "total_findings": 6,
    "critical": 3, "high": 2, "medium": 1,
    "governance_defeated": true,
    "monitor_blinded": true,
    "ledger_poisoned": true,
    "lsm_overridden": true
  },
  "artefacts": [
    { "id": "SK-001", "subsystem": "SYSCALL_FORGE", "prev_hash": "...", "hash": "...", ... },
    { "id": "SK-002", "subsystem": "LSM_BYPASS", "prev_hash": "...", "hash": "...", ... },
    ...
  ]
}

MITRE ATT&CK Cross-Reference

Technique IDNameSubsystemCVSS
T1055 Process Injection (eBPF) SYSCALL_FORGE 9.3
T1562.001 Impair Defenses: Disable Security Tools LSM_BYPASS 9.1
T1611 Escape to Host CHILD_ESCAPE 8.8
T1565.001 Stored Data Manipulation LEDGER_POISON 8.6
T1083 File and Directory Discovery CHILD_ESCAPE (FD scan) 5.5

MITRE ATLAS Cross-Reference

TTPNameSubsystems
AML.T0056LLM JailbreakLSM_BYPASS, SYSCALL_FORGE
AML.T0040ML Model Inference API AccessSYSCALL_FORGE (intercept AI inference syscalls)
AML.T0043Craft Adversarial DataLEDGER_POISON
AML.T0048External HarmsSYSCALL_FORGE, CHILD_ESCAPE

ARMORY Integration

SPECTER KERNEL contributes 20 payloads to NIGHTFALL ARMORY under the kernel_layer_exploitation category (PAY-2026-1012 to PAY-2026-1031). All payloads are Ed25519 signed and CVSS scored.

Sub-categoryPayloadsIDsMax CVSS
ebpf_syscall_forge5PAY-2026-1012 – 10169.3
bpf_lsm_bypass3PAY-2026-1017 – 10199.1
namespace_escape4PAY-2026-1020 – 10238.8
ledger_poison4PAY-2026-1024 – 10278.6
ebpf_hijack3PAY-2026-1028 – 10309.0
governance_chain1PAY-2026-10319.5
# Search kernel exploitation payloads
$ rs-armory search --category kernel_layer_exploitation

# Fetch a specific payload
$ rs-armory get PAY-2026-1012

WARLORD-Compatible Output

Use --output findings.json on any subcommand to export WARLORD-compatible findings. Each finding includes MITRE ATT&CK TTPs, CWE reference, kernel capability requirements, and CVSS score.

{
  "finding_id": "SK-SYSCALL-001",
  "tool": "SPECTER KERNEL",
  "severity": "critical",
  "score": 9.3,
  "title": "eBPF Syscall Argument Rewriting — Governance Monitor Blindness",
  "description": "eBPF tracepoint program rewrites openat filename in-flight. Monitor records decoy path. Agent performs real operation. Audit ledger records lie.",
  "evidence": "monitor_path=/tmp/harmless | kernel_path=/etc/shadow | divergence=CONFIRMED",
  "metadata": {
    "attack_ttps": ["T1055"],
    "atlas_ttps": ["AML.T0056", "AML.T0040"],
    "cwe": "CWE-693",
    "kernel_capability": "CAP_BPF",
    "cvss_vector": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N"
  }
}
SPECTER KERNEL is registered in WARLORD as a KAMIKAZE-class tool. Automated campaign invocation is disabled via skip_reason — the dual-gate requires explicit operator confirmation before any active kernel operation.

NEMESIS Integration

SPECTER KERNEL is wrapped by NEMESIS Weapon 23: KERNEL_SUBVERSION. This weapon enables autonomous adversary simulation scenarios that include kernel-layer governance subversion as part of a multi-stage AI agent attack chain.

NEMESIS WeaponNameWraps
Weapon 22 SUPPLY_CHAIN_POISON Registry probe, typosquat, provenance gap, LoRA trust gap, substitution
Weapon 23 KERNEL_SUBVERSION SPECTER KERNEL subsystems — kernel env probe, syscall forge, LSM bypass, escape, ledger poison

Rules of Engagement

AUTHORISED USE ONLY. Loading eBPF programs into a kernel, installing LSM hooks, or manipulating audit ledgers without explicit written authorisation from the system owner is illegal under:
  • Computer Misuse Act 1990 (United Kingdom)
  • Computer Fraud and Abuse Act (United States)
  • Equivalent legislation in your jurisdiction
Even passive KERNEL_ENV_PROBE on a system you do not own constitutes unauthorised access in most jurisdictions.

Before running active kernel operations

  1. Obtain explicit written authorisation naming the target system and scope of kernel-level testing
  2. Confirm a maintenance window — active operations load eBPF programs that persist in the kernel until the session ends
  3. Initialise KAMIKAZE keys: specter-kernel auth init
  4. Create a signed scope file: specter-kernel auth create-scope (requires both keys)
  5. Run specter-kernel scan first to verify viability score before committing to KAMIKAZE-level operations

After engagement

  1. Unload any eBPF programs loaded during SYSCALL_FORGE and LSM_BYPASS — use bpftool prog list to confirm clean state
  2. Remove any modified ledger entries created during LEDGER_POISON validation
  3. Revoke the scope file: specter-kernel auth revoke
  4. Deliver EVIDENCE bundle output to the authorising party

© 2026 Red Specter Security Research Ltd (Company No. 17106988) • Apache License 2.0

OverviewNIGHTFALLRed Specter