RATS Working Group                                          L. Melegassi
Internet-Draft                                                  Catellix
Intended status: Informational                               3 June 2026
Expires: 5 December 2026


     MVPS-Memory: Multi-Vantage Coherence Detection of Memory-Resident
                Malware, Anchored in Remote Attestation
             draft-melegassi-rats-mvps-memory-coherence-00

Abstract

   Memory-resident ("fileless", in-memory) malware -- reflective code
   injection, page-cache .text patching, process hollowing, RX->RWX
   permission flips, unbacked-memory thread starts, token theft, and
   patchless AMSI/ETW suppression -- leaves the on-disk image unchanged
   and is therefore structurally invisible to signature and
   file-integrity detectors.  This document explains why, and what
   removes the blind spot, using the Multi-Vantage Path Synchrony (MVPS)
   observability model y = H x: each detection facility is a row (a
   projection) of one observation operator H over an interior
   runtime-memory state x, and a purely in-memory implant is an attack
   whose damage direction c lies in the NULL SPACE of any single on-disk
   vantage.  The contribution uses no new mathematics.
   It (1) instantiates the already-proved MVPS results -- the
   Stealth-Manifold Lemma, the coordination-stealth duality, the Stealth
   Conservation Law max(0, k - rho), the reflexive tower, the
   data-processing ceiling, the non-blinding invariant
   (stealth + effect = ||a||^2), and the silent-effect ceiling
   (E < tau^2) -- verbatim on the runtime-memory surface; (2) anchors
   the meta-observer in the RATS architecture [RFC9334], whose Attester
   is defined to collect Claims by "taking measurements on code, memory,
   or other security related assets", with TPM-based Remote Integrity
   Verification [RFC9683], the Entity Attestation Token [RFC9711], the
   Concise Reference Integrity Manifest [I-D.ietf-rats-corim], and
   Concise Software Identification [RFC9393] as the evidence/
   reference-value layer; and (3) closes the vantage-forgery channel
   with post-quantum eye identity (ML-DSA, FIPS 204, via
   [I-D.ietf-cose-dilithium] and [I-D.ietf-lamps-dilithium-certificates]).
   A live threat anchor -- the 2025-2026 surge in BYOVD EDR-killers
   (e.g. CVE-2025-68947) and patchless AMSI/ETW suppression -- is shown
   to be a textbook instance of the eye-silencing law.  All
   theorem-level claims carry a machine-checkable numerical receipt.

Melegassi                Expires 5 December 2026                [Page 1]

Internet-Draft                  MVPS-Memory                    June 2026

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current
   Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on 5 December 2026.
Copyright Notice

   Copyright (c) 2026 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Revised BSD License text as described in Section 4.e of the
   Trust Legal Provisions and are provided without warranty as described
   in the Revised BSD License.

Table of Contents

   1.  Introduction ....................................................3
   2.  Terminology .....................................................3
   3.  Threat Anchor: BYOVD EDR-Killers and Patchless AMSI/ETW .........4
   4.  The Object: Runtime Memory as a Vantage Stack ...................5
   5.  Why a Single On-Disk Vantage Cannot See It (T-MEM-1) ............5
   6.  Coherent Cover Closes It (T-MEM-2) ..............................6
   7.  Spread Implants and the Coherent Ceiling (T-MEM-3) ..............6
   8.  Eye-Silencing and the Stealth Conservation Law (T-MEM-4) ........7
   9.  The Reflexive Tower: RATS as the Meta-Observer (T-MEM-5) ........7
   10. The Data-Processing Ceiling (T-MEM-6) ...........................8
   11. Non-Blinding Invariant and Silent-Effect Ceiling ................8
   12. Mapping to RATS Roles and Reference Values ......................9
   13. Numerical Receipt ..............................................10
   14. Conjectures and Falsification Protocols ........................10
   15. Operational Considerations .....................................10
   16. Security Considerations ........................................11
   17. IANA Considerations ............................................12
   18. References .....................................................12
       18.1.  Normative References ....................................12
       18.2.  Informative References ..................................12

1.  Introduction

   A signature or file-integrity detector learns or hashes the bytes a
   program has ON DISK and alarms on deviation.  A memory-resident
   implant never changes those bytes: it acts entirely in the live
   address space -- patching the in-memory copy of .text in the page
   cache, flipping a region from read-execute to read-write-execute,
   starting a thread at private/unbacked executable memory, stealing a
   token, or suppressing AMSI/ETW so the very telemetry that would report
   it goes quiet.  Against an on-disk vantage this is not "hard to see";
   it is structurally INVISIBLE.

   The Multi-Vantage Path Synchrony (MVPS) framework models a set of
   detection facilities as rows of one observation operator H acting on
   an interior state x, producing observations y = H x; an attack is a
   damage direction c with effect d = c^T x.  In that model the claim of
   this document is exact: a purely in-memory implant is a c that lies
   in null(H) of any single on-disk vantage, and the remedy is not a
   cleverer classifier but ADDING vantages whose joint rowspace covers c
   -- "spend probes, not parameters".  This is the same observability
   spine already applied to the Linux kernel surface
   [I-D.melegassi-opsawg-mvps-os-host]; here it is applied to runtime
   memory and, critically, the meta-observer that watches for silenced
   eyes is identified with the RATS architecture [RFC9334].
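   The y = H x model above, worked through in code.  This is an added
   example and is not part of this draft or of its validator script
   scripts/validate_memory_coherence.py; it is pure-Python (no NumPy)
   and makes the following assumptions: the twelve coordinate names
   follow Section 4 except the last ("pmu_counter"), which is invented
   here; the damage direction c is this example's choice, with weights
   (0, 1.0, 0.9, 0.8, 0.7, 0, ...) picked so that ||c||^2 = 2.94 and the
   disk-only |P_null c| = 1.715 agree with the receipt figures quoted in
   Sections 5 and 6; and the redundant eye-set with rho = 4 is
   constructed here to exercise the max(0, k - rho) grid of Section 8.
   The block also checks the Pythagorean split of Section 11 and the
   identical-telemetry witness of Section 10.

```python
import math

# The n = 12 interior coordinates of the receipt (Section 4).  Eleven names
# follow the draft's list; "pmu_counter" is this example's assumed twelfth.
COORDS = ["disk_image", "text_patch", "rwx_flip", "unbacked_thread",
          "token_transition", "amsi_etw_patch", "region_alloc",
          "direct_syscall", "reflective_load", "c2_beacon", "tpm_pcr",
          "pmu_counter"]
N = len(COORDS)

def eye(*names):
    """One row of H: an eye that reports the sum of the named coordinates."""
    row = [0.0] * N
    for name in names:
        row[COORDS.index(name)] = 1.0
    return row

def dot(a, b):
    return sum(x * y for x, y in zip(a, b))

def orthonormal_rows(H, eps=1e-9):
    """Gram-Schmidt over the rows of H: an orthonormal basis of rowspace(H).
    Its length is rank(H); rows that add no new direction are dropped."""
    basis = []
    for row in H:
        r = list(row)
        for q in basis:
            s = dot(q, r)
            r = [ri - s * qi for ri, qi in zip(r, q)]
        norm = math.sqrt(dot(r, r))
        if norm > eps:
            basis.append([ri / norm for ri in r])
    return basis

def project_row(H, a):
    """P_row(H) a: the part of a that the attached eyes can observe."""
    out = [0.0] * N
    for q in orthonormal_rows(H):
        s = dot(q, a)
        out = [oi + s * qi for oi, qi in zip(out, q)]
    return out

def project_null(H, a):
    """P_null(H) a = a - P_row(H) a: the part no attached eye observes."""
    return [ai - pi for ai, pi in zip(a, project_row(H, a))]

def hideable_fraction(H):
    """eta = dim(null H) / n."""
    return (N - len(orthonormal_rows(H))) / N

def undetected_damage(H, c):
    """||P_null(H) c||^2, the "value" column of the T-MEM-2 sweep."""
    p = project_null(H, c)
    return dot(p, p)

def hidden_norm(H, c):
    """|P_null(H) c|, the T-MEM-1 witness."""
    return math.sqrt(undetected_damage(H, c))

def eye_redundancy(H):
    """rho = m - n for an eye-set whose rows span R^n (rank(H) = n)."""
    assert len(orthonormal_rows(H)) == N, "eye-set does not span the state"
    return len(H) - N

def blind_dims_after_silencing(H, silenced):
    """dim null(H') once the rows indexed by `silenced` stop reporting.
    T-MEM-4: equals max(0, k - rho) for eyes in general position; it can
    only be larger, never smaller, when the surviving eyes overlap badly."""
    H2 = [row for i, row in enumerate(H) if i not in silenced]
    return N - len(orthonormal_rows(H2))

def telemetry_identical(H, x, v):
    """T-MEM-6: y = H x and y' = H (x + v) coincide whenever v is in
    null(H), so no function of y can tell the two states apart."""
    x2 = [xi + vi for xi, vi in zip(x, v)]
    return all(abs(dot(row, x) - dot(row, x2)) < 1e-12 for row in H)

def stealth_effect_split(H, a):
    """T-MEM-7: (stealth, effect, ||a||^2), with stealth + effect == ||a||^2."""
    pn, pr = project_null(H, a), project_row(H, a)
    return dot(pn, pn), dot(pr, pr), dot(a, a)

# Damage direction of the implant (this example's choice): zero on the
# on-disk coordinate, weights chosen so that ||c||^2 = 2.94 and the
# disk-only |P_null c| = 1.715 match the receipt quoted in Sections 5 and 6.
C_IMPLANT = [0.0, 1.0, 0.9, 0.8, 0.7] + [0.0] * (N - 5)

# Eyes attached in the order of the T-MEM-2 sweep.
SWEEP = [eye("disk_image"), eye("text_patch"), eye("rwx_flip"),
         eye("unbacked_thread"), eye("token_transition")]

# A constructed redundant eye-set: one eye per coordinate (rank n) plus
# four overlapping eyes, so m = 16 and rho = 4.
FULL = [eye(name) for name in COORDS]
REDUNDANT = FULL + [eye("text_patch", "rwx_flip"),
                    eye("unbacked_thread", "token_transition"),
                    eye("amsi_etw_patch", "direct_syscall"),
                    eye("text_patch", "token_transition")]

def coherent_cover_sweep(c=C_IMPLANT, eyes=SWEEP):
    """(eta, undetected damage) after attaching eyes 1..k, for each k."""
    return [(round(hideable_fraction(eyes[:k]), 4),
             round(undetected_damage(eyes[:k], c), 2))
            for k in range(1, len(eyes) + 1)]

if __name__ == "__main__":
    print("T-MEM-1 disk-only |P_null c| =", round(hidden_norm(SWEEP[:1], C_IMPLANT), 3))
    print("T-MEM-2 sweep (eta, value):", coherent_cover_sweep())
    for k in (1, 5, 6):
        print("T-MEM-4 rho=4, k=%d -> blind dims %d" %
              (k, blind_dims_after_silencing(REDUNDANT, set(range(1, k + 1)))))
    print("T-MEM-7 (stealth, effect, ||a||^2):", stealth_effect_split(REDUNDANT, C_IMPLANT))
```

   The silencing grid is computed as n - rank of the surviving rows
   rather than by plugging into max(0, k - rho); the two agree for the
   eye-set above, and the function returns the larger value whenever the
   survivors fail to span the silenced coordinates, which is the
   practical test of whether added eyes are genuinely diverse.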
   RFC 9334 defines an Attester that collects Claims by "reading system
   registers and variables, calling into subsystems, taking measurements
   on code, memory, or other security related assets of the Target
   Environment"; remote attestation of memory state is therefore already
   in scope of a standardised architecture, with TPM-based Remote
   Integrity Verification [RFC9683] and the Entity Attestation Token
   [RFC9711] supplying the evidence layer and the Concise Reference
   Integrity Manifest [I-D.ietf-rats-corim] / Concise Software
   Identification [RFC9393] supplying Reference Values.

   Claims are made at three maturity levels per the MVPS
   adversarial-audit methodology [I-D.melegassi-irtf-mvps-methodology]:
   [T] machine-checked theorems, [D] engineering designs, and [C]
   conjectures with falsification protocols.  Every [T] claim here is
   exercised by scripts/validate_memory_coherence.py (Section 13).

2.  Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in BCP 14 [RFC2119]
   [RFC8174] when, and only when, they appear in all capitals, as shown
   here.

   Eye (vantage): one detection facility, a row of H, observing a
   projection of the runtime-memory state x (e.g. an in-memory code
   scanner, a VM-permission monitor, an ETW thread provider, a PMU
   counter, a TPM PCR).

   Damage direction c: the direction in state space that an attack
   perturbs; d = c^T x is its effect.  null(H) is the set of c that no
   attached eye observes.

   Memory-resident implant: malware whose damage direction has zero
   component on the on-disk coordinate(s); a.k.a. fileless / in-memory.

   Eye redundancy rho: rho = m - n for an H with m eyes (rows) whose
   rows together span the n-dimensional state, i.e. rank(H) = n.  rho
   counts the eyes beyond the n needed for full rank; it is the surplus
   that absorbs silenced eyes.  Two eyes that report the same
   measurement (two providers fed by one kernel callback) add only one
   row's worth of span and so contribute nothing to rho.
   The MVPS terms Stealth-Manifold Lemma, coordination-stealth duality
   (T-CSD), Stealth Conservation Law, reflexive tower, data-processing
   ceiling, non-blinding invariant, and silent-effect ceiling are used
   as defined in [I-D.melegassi-irtf-mvps-methodology] and its
   companions.

3.  Threat Anchor: BYOVD EDR-Killers and Patchless AMSI/ETW

   The eye-silencing law of Section 8 is not hypothetical; it is among
   the most widely reported real-world defence-evasion techniques.
   Public reporting in 2025-2026 describes:

   o  Bring Your Own Vulnerable Driver (BYOVD): a campaign loads a
      legitimately SIGNED but vulnerable kernel driver, then exploits it
      from user space to gain kernel execution and TERMINATE EDR/AV
      processes, unregister kernel callbacks (process/thread/image-
      load), and wipe telemetry before the main payload runs.
      CVE-2025-68947 (NSecKrnl.sys, abused by the Reynolds ransomware,
      which bundles the driver in the payload) is one instance; a March
      2026 analysis counted 54 distinct EDR-killers abusing 35 signed
      drivers.  The Qilin EDR-killer can terminate 300+ EDR drivers and
      runs its loader entirely in memory.

   o  Patchless AMSI/ETW suppression: Vectored Exception Handling and
      hardware breakpoints intercept and spoof scan results WITHOUT
      modifying in-memory code, silencing the scanning eye while leaving
      no .text patch for an in-memory integrity check to find.

   Two facts make this a textbook MVPS case:

   (a) The implant body and the EDR-killer loader are MEMORY-RESIDENT
       (MITRE ATT&CK T1055 Process Injection); the on-disk artefact is a
       signed, trusted driver.  A signature/file-integrity vantage has
       the damage direction in its null space (T-MEM-1).  The decisive
       move is then to silence the eyes (ATT&CK T1562.001 Impair
       Defenses; T1014 Rootkit) -- exactly the Stealth Conservation Law
       (T-MEM-4): k callbacks/providers silenced re-open max(0, k - rho)
       blind dimensions.
   (b) Crucially, attackers do NOT forge the driver's signature; they
       REUSE a valid one on a vulnerable driver (ATT&CK T1068).  In MVPS
       terms the forgery channel is closed and the residual attack is
       the GEOMETRIC eye-silencing one (Section 11, T-MEM-7) -- which is
       precisely the channel a reflexive, attested meta-observer flags
       (T-MEM-5).  This real-world fact corroborates the non-blinding
       split: defenders should spend their cryptographic budget on
       authenticated eye identity and their telemetry budget on
       redundant, diverse eyes, not on out-computing the attacker.

   The operator takeaway echoed in that reporting -- "EDR alone is no
   longer sufficient; layer kernel driver-load monitoring, immutable
   logging, and attestation" -- is the MVPS prescription stated
   informally: raise rho, add the driver-load eye, and terminate the
   tower in an attested root of trust.

4.  The Object: Runtime Memory as a Vantage Stack

   Let x in R^n be the interior runtime-memory state of a host over one
   observation tick.  The receipt uses n = 12 named coordinates,
   including on-disk image bytes, in-memory .text patch (page-cache
   writeback), RX->RWX permission flip, unbacked-memory exec thread,
   token/UID-0 transition, AMSI/ETW userland patch, per-region
   allocation, direct (unhooked) syscall, reflective module load,
   network C2 beacon, and the TPM PCR / measured-boot value.  Each
   detection facility is a row of H observing the coordinates it can
   measure; y = H x is the union of what the attached eyes report.

   Every MVPS observability result holds on this surface without
   re-proof, because it is the same linear map.  Sections 5-11 state the
   eight that bear on memory-resident malware.

5.  Why a Single On-Disk Vantage Cannot See It (T-MEM-1)

   T-MEM-1 [T] (fileless blind subspace).
   For an on-disk-image-only operator H_disk and a memory-resident
   implant direction c with zero on-disk component, H_disk c = 0 and the
   entire damage lies in null(H_disk): the implant is invisible to that
   vantage yet damaging.  This is the Stealth-Manifold Lemma
   instantiated on memory.

   Receipt witness: |H_disk c| = 0, |P_null c| = 1.715 (all damage
   hidden), on-disk component 0 by construction.

   CONSEQUENCE.  No improvement to a signature engine -- larger hash
   sets, more rules, a bigger model -- can recover a direction its rows
   do not span (see T-MEM-6).  The deficiency is geometric, not
   computational.

6.  Coherent Cover Closes It (T-MEM-2)

   T-MEM-2 [T] (coherent cover).  Adding runtime memory eyes in
   correlation order -- in-memory .text scan (page cache),
   VM-permission monitor, unbacked-thread provider, token/credential
   hook -- removes one dimension of attacker freedom at a time: the
   hideable fraction eta = dim(null H)/n is monotone non-increasing and
   the undetected-damage value ||P_null c||^2 falls to 0 once the
   eye-set covers c.

   Receipt witness (eyes added 1..5):

      eyes:  1(disk)  2(+pgc)  3(+vm)  4(+thr)  5(+tok)
      eta :  0.9167   0.8333   0.7500  0.6667   0.5833
      value: 2.94     1.94     1.13    0.49     0.00

   The in-memory (page-cache) eye is the decisive one and is correlated
   EARLY: three coherent eyes already strip the majority of the effect
   (2.94 -> 1.13), matching the operational heuristic that a small
   number of coherent behavioural signals suffices.  The precise
   statement is "cover the damage direction", not "three is magic".

7.  Spread Implants and the Coherent Ceiling (T-MEM-3)

   T-MEM-3 [T] (coordination-stealth duality on memory).
   An implant that spreads a fixed coherent effect E over N per-region
   or per-core vantages -- a low-and-slow injector touching many
   regions, a spread cryptominer pinning 1/N of its load per core --
   keeps the COHERENT aggregate mean at sqrt(E), constant in N, while
   each single region or core sees only sqrt(E/N), which collapses
   toward the false-alarm rate.

   Receipt witness (E = 36, z-threshold tau = 4):

      N:               1       4       16      64
      coherent power:  0.9772  0.9772  0.9772  0.9772  (flat)
      single power:    0.9772  0.1587  0.0062  0.0006  (collapse)
      coherent adv:    0.00    3.00    4.50    5.25

   A fixed-seed Monte-Carlo corroborates the coherent power (0.9771).
   Spreading defeats every per-region threshold and never the coherent
   eye; a single-vantage memory scanner with a per-region budget is
   structurally evadable while a coherent aggregate is not.

8.  Eye-Silencing and the Stealth Conservation Law (T-MEM-4)

   The last move of a capable implant is to SILENCE the detectors
   (Section 3): patch or spoof AMSI/ETW, unhook ntdll, unregister kernel
   callbacks via a BYOVD driver, or DKOM the EPROCESS / task list so
   enumeration lies.

   T-MEM-4 [T] (Stealth Conservation Law).  Silencing k eyes re-opens a
   blind subspace of dimension exactly max(0, k - rho), where the eye
   redundancy rho = (number of eyes) - n for an eye-set of rank n.  The
   "exactly" holds for eyes in general position; for a concrete eye-set
   the re-opened dimension is n - rank(H'), H' being the surviving rows,
   which is never smaller than max(0, k - rho) and can be larger when
   the surviving eyes do not span the silenced coordinates.  Deployments
   SHOULD therefore compute n - rank(H') for the silencing sets they
   defend against rather than rely on the count rho alone.

   Receipt witness:

      rho = 0: k=1 -> dim 1,  k=5 -> dim 5,  k=6 -> dim 6
      rho = 4: k=1 -> dim 0,  k=5 -> dim 1,  k=6 -> dim 2

   DEFENSIVE READING.  Provision overlapping, DIVERSE eyes so that rho is
   at least the implant's realistic silencing reach k; below that,
   redundancy absorbs the silencing and no blind dimension re-opens.  A
   detector that watches whether its own sensors are reporting is
   implementing exactly this law, and the residual gap k - rho > 0 is
   the "known-blind" alarm a signature AV cannot raise.

9.  The Reflexive Tower: RATS as the Meta-Observer (T-MEM-5)

   Detecting eye-silencing requires a META-observer of the eyes' mutual
   consistency.
   On real hosts this is the measured-boot chain: integrity measurements
   extended into a TPM Platform Configuration Register, appraised
   remotely.  This is precisely the RATS architecture [RFC9334]: an
   Attester produces Evidence (measurements over code and memory), a
   Verifier appraises it against Reference Values
   ([I-D.ietf-rats-corim], [RFC9393]), and a Relying Party acts on the
   Attestation Result; TPM-based Remote Integrity Verification [RFC9683]
   and the Entity Attestation Token [RFC9711] supply the concrete
   evidence layer.

   T-MEM-5 [T] (reflexive tower).  A meta-observer of the eyes catches
   silencing while the level-1 gap k <= rho (blind dim 0, caught).  The
   SAME law governs the meta layer: forging the attestation evidence
   (k2 > rho2 at the meta level) re-opens a genuine blind dimension one
   level up.  Security is keeping every rung's gap k_l - rho_l <= 0; the
   hardware root of trust is simply the last rung currently funded.

   Receipt witness: level-1 k=2=rho -> blind dim 0 (caught); meta layer
   k2=2 > rho2=1 -> blind dim 1 re-opened (genuine null, residual
   ~1.4e-15).

   Memory-resident detection that does NOT terminate in an attested root
   of trust is, in the limit, defeatable: the BYOVD class (Section 3)
   goes UNDERNEATH a user-mode EDR in the kernel, silences the eyes, and
   leaves no honest rung to notice -- unless an attested meta-observer
   is the next rung up.

10.  The Data-Processing Ceiling (T-MEM-6)

   T-MEM-6 [T] (data-processing ceiling).  An action taken in an
   UN-SCANNED memory region is a direction v in null(H_probes).  Two
   realities x and x + v then produce IDENTICAL telemetry
   y = H_probes x, so by the data-processing inequality NO function
   g(y) -- no AI model, however large -- can separate them.  Attaching
   one probe on that region (changing H) restores separability.
   Receipt witness: |y - y'| = 0 (identical to any classifier) while the
   damage gap = 5.078; after adding one memory probe on the blind
   region, separation = 2.500.

   This bounds the role of machine learning in memory-resident
   detection: ML is valuable for scoring WITHIN rowspace(H), but it
   cannot manufacture visibility into a region no eye measures.  The
   investment that buys detection of fileless malware is
   INSTRUMENTATION of the live address space (memory scanning,
   VM-permission and thread telemetry, PMU, attestation), not a larger
   model over existing telemetry.

11.  Non-Blinding Invariant and Silent-Effect Ceiling (T-MEM-7, T-MEM-8)

   These two results answer the question "can a faster attacker -- an
   AI agent, or a quantum computer -- simply out-compute the detector?"
   The answer is no, by type, because the quantities involved carry no
   computational term.

   T-MEM-7 [T] (non-blinding invariant).  For any action a and any H,

      ||P_null(H) a||^2 + ||P_row(H) a||^2 = ||a||^2

      stealth(a) + effect(a) = ||a||^2

   This is the Pythagorean identity of the orthogonal split
   R^n = rowspace(H) (+) null(H): every unit of stealth is a unit of
   effect that LEAVES the observable space.  With a full-rank eye-set
   (rank(H) = n, so null(H) is the trivial subspace {0}), and a fortiori
   a redundant one (rho >= 1), an in-memory implant can hide NOTHING
   while keeping a nonzero effect; a SILENT blinding therefore requires
   either silencing k > rho eyes (which the Stealth Conservation gap
   reports -- "blind" implies "known-blind") or forging an eye's
   authenticated identity.

   Receipt witness: effect 2.940 + stealth 3.6e-15 = ||a||^2 2.940
   (Pythagorean identity to 1e-9); with k <= rho the hidden effect stays
   0 (caught), and only k > rho (gap 1) opens a hidden component.

   T-MEM-8 [T] (silent-effect ceiling + compute invariance).
   The largest coherent effect deliverable while the coherent detector
   stays quiet is E < tau^2, for ANY spread N and ANY strategy: the
   region {large effect, detector silent} is EMPTY.  Moreover the
   ceiling tau^2 and the detectability ||P_row a||^2 / sigma^2 contain
   no computational variable; swept over a compute budget of 30 orders
   of magnitude they are literally constant.

   Receipt witness: E_silent_ceiling = tau^2 = 16.0 for
   N in {1, 4, 16, 64, 1024} (all equal); detectability constant = 10.81
   across compute budget 1e0..1e30.

   CONSEQUENCE.  A faster search (more FLOPs, a larger model, more
   qubits) moves attacker and defender along the SAME information
   frontier without moving the boundary.  AI makes the attacker OPTIMAL,
   not omnipotent; the optimum still loses by a margin fixed by the
   geometry of H.  The only non-information move left -- forging a
   vantage -- is a cryptographic problem addressed by post-quantum eye
   identity (Section 16).

12.  Mapping to RATS Roles and Reference Values

   The receipt records the following mapping, offered so that an
   MVPS-Memory deployment can be described in standard RATS [RFC9334]
   terms:

   o  Attesting Environment: the in-host memory/hardware eyes (in-memory
      code scan, VM-permission monitor, ETW thread provider, PMU, TPM)
      measuring code/memory.

   o  Evidence: the per-tick coherence vector y = H x, conveyable as an
      EAT [RFC9711].

   o  Verifier: the MVPS coherent detector plus reflexive-integrity
      appraisal (joint D^2 vs single max-z; gap k - rho).

   o  Attestation Result: COHERENT / INCOHERENT verdict plus the
      localised offending entity.

   o  Relying Party: the response layer (alert | active), off by
      default.

   o  Reference Values: the commissioning baseline plus signed
      CoMID/CoSWID reference values in a CoRIM [I-D.ietf-rats-corim],
      [RFC9393].
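   The Verifier step of the mapping above (joint statistic against
   single max-z, with a localised offending entity), together with the
   spread-implant power figures of Section 7 and the N-invariant
   ceiling of Section 11, as an added example that is not part of this
   draft or of its validator.  It is pure-Python and uses exact Gaussian
   tails via math.erfc.  Assumptions: the joint statistic is taken as
   D = sum(z_i)/sqrt(N) over per-region z-scores (so D^2 is compared
   with tau^2), which has mean sqrt(E) when an effect E is spread as
   sqrt(E/N) per region; the per-region z vectors at the end are
   constructed, not captured; and the Monte-Carlo seed 20260603 is
   borrowed from Section 13 but the trial count is this example's.

```python
import math
import random

def phi(x):
    """Standard normal CDF from erfc: exact Gaussian tails, no NumPy needed."""
    return 0.5 * math.erfc(-x / math.sqrt(2.0))

def coherent_stat(z):
    """Joint statistic over the N per-region z-scores: D = sum(z) / sqrt(N).
    D is N(0,1) under the null; when an effect E is spread evenly so every
    region carries mean sqrt(E/N), D has mean sqrt(E) for every N."""
    return sum(z) / math.sqrt(len(z))

def spread_powers(E, tau, N):
    """Exact power of the coherent aggregate and of a single region when E
    is spread over N regions, plus the coherent advantage (T-MEM-3)."""
    coherent = phi(math.sqrt(E) - tau)        # flat in N
    single = phi(math.sqrt(E / N) - tau)      # collapses toward phi(-tau)
    advantage = math.sqrt(E) - math.sqrt(E / N)
    return round(coherent, 4), round(single, 4), round(advantage, 2)

def silent_effect_ceiling(tau, N):
    """Largest coherent effect whose expected D stays below tau:
    sqrt(E) < tau, i.e. E < tau^2.  N is accepted only to make the point
    that it never enters the bound (T-MEM-8)."""
    return tau ** 2

def monte_carlo_coherent_power(E, tau, N, trials=20000, seed=20260603):
    """Fixed-seed corroboration of the exact coherent power."""
    rng = random.Random(seed)
    per_region = math.sqrt(E / N)
    hits = sum(1 for _ in range(trials)
               if coherent_stat([rng.gauss(per_region, 1.0)
                                 for _ in range(N)]) > tau)
    return hits / trials

def appraise(z, tau, names=None):
    """Verifier appraisal of one tick: joint D^2 against tau^2 (i.e. D
    against tau) beside the single max-z rule, and the region carrying
    the largest residual as the localised entity.  Returns (verdict, detail)."""
    names = names or ["region%d" % i for i in range(len(z))]
    d = coherent_stat(z)
    worst = max(range(len(z)), key=lambda i: abs(z[i]))
    detail = {"joint_D2": round(d * d, 3),
              "max_z": round(z[worst], 3),
              "entity": names[worst],
              "single_alarms": abs(z[worst]) > tau}
    return ("INCOHERENT" if d > tau else "COHERENT"), detail

# Constructed per-region z-scores for one tick (not captured data): a
# cryptominer pinning 1/16 of its load on each of 16 cores (E = 36, so each
# core sits only 1.5 sigma above baseline), and a quiet tick for contrast.
SPREAD_TICK = [1.5] * 16
QUIET_TICK = [0.3, -0.2, 0.1, 0.0, -0.4, 0.2, 0.1, -0.1]
TAU = 4.0

if __name__ == "__main__":
    for n in (1, 4, 16, 64):
        print("N=%3d (coherent, single, advantage):" % n,
              spread_powers(36.0, TAU, n))
    print("Monte-Carlo coherent power, N=4:",
          monte_carlo_coherent_power(36.0, TAU, 4))
    print("silent-effect ceiling:",
          [silent_effect_ceiling(TAU, n) for n in (1, 4, 16, 64, 1024)])
    print("spread tick:", appraise(SPREAD_TICK, TAU))
    print("quiet tick: ", appraise(QUIET_TICK, TAU))
```

   On the spread tick no single core exceeds tau (max z = 1.5), so a
   per-region rule stays silent, while D = 6 > tau raises INCOHERENT;
   the "entity" field is the largest single residual, which for an
   evenly spread effect is an arbitrary one of the N regions, so the
   localisation is only informative when the effect is concentrated.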
   MVPS-Memory defines no new RATS protocol elements; it is a profile of
   how to populate and appraise existing ones for memory-resident-
   malware detection (Section 17).

13.  Numerical Receipt

   All [T] claims in Sections 5-11 are exercised by

      python scripts/validate_memory_coherence.py

   which is pure-NumPy, deterministic (seed 20260603), uses exact
   Gaussian tails (one fixed-seed Monte-Carlo only to corroborate the
   T-MEM-3 coherent tail), and writes
   evidence/memory_coherence_receipt.json.  Expected output is
   "Total: 8 Passed: 8 Failed: 0", the T-MEM-2 eta/value sweep
   (0.9167/2.94 -> 0.5833/0.00), the T-MEM-3 advantage 0.00 -> 5.25
   with flat coherent power 0.9772, the T-MEM-4 max(0,k-rho) grid, the
   T-MEM-5 caught-then-reopened meta staircase, the T-MEM-6
   identical-telemetry witness (|y - y'| ~ 0), the T-MEM-7 Pythagorean
   identity, and the T-MEM-8 N-invariant ceiling tau^2 with
   compute-invariant detectability.

   The receipt carries a body hash over its canonical content
   (excluding the timestamp):

      body_sha256 =
      96c6962160abd77d2afb04158a44daf83f531a00a8cc3abcf6f6a288e7922a0e

   Any party can re-run the validator and compare the hash.

14.  Conjectures and Falsification Protocols

   C-MEM-1 [C] (lead-time before privilege completion).  On a host
   instrumented with the in-memory and VM-permission eyes, the coherent
   detector raises an INCOHERENT verdict before the token/UID-0
   transition completes, yielding a positive expected lead time over a
   per-signal detector.  The test is a paired lead-time comparison vs a
   per-signal EDR baseline (Wilson 95% lower bound on the gain > 0) on a
   labelled fileless-injection capture corpus with per-eye timestamps.

   C-MEM-2 [C] (irreducible memory blind subspace).  Under a realistic
   eye budget, determine whether an eye-set exists with rank(H) = n over
   the damage-relevant subspace of a curated implant corpus, or whether
   resource limits leave an irreducible null(H).
   Submodularity of rank(H) suggests a (1 - 1/e) greedy schedule of
   which probes to attach.

   These conjectures MUST NOT be cited as guarantees.

15.  Operational Considerations

   An MVPS-Memory deployment SHOULD attach, at minimum, eyes covering the
   damage directions of the implant classes it cares about: an in-memory
   code/region scanner (the decisive page-cache eye), a VM-permission
   monitor (W^X / RX->RWX), a thread-start provider for unbacked
   executable memory, a credential/token hook, a KERNEL DRIVER-LOAD eye
   (against BYOVD, Section 3), and per-core PMU counters for spread
   effects.  These eyes SHOULD be appraised jointly by a coherent
   detector, not scored in isolation.

   The reflexive-integrity layer (Section 8) MUST treat a silenced or
   inconsistent eye as a first-class signal, and SHOULD terminate the
   tower in an attested root of trust (Section 9).  Per-tick verdicts
   and per-eye residuals SHOULD be persisted to a tamper-evident
   operational log [I-D.melegassi-opsawg-mvps-logging].

   This document describes a host/endpoint detection profile; it does
   not mandate a kernel agent.  A user-mode implementation cannot
   observe early boot and can itself be silenced by kernel-level malware
   (Section 3); production deployments SHOULD use kernel-level eyes and
   self-protection for the high-value coordinates.

16.  Security Considerations

   MVPS-Memory is a defensive detection-and-localisation profile.  It
   raises alarms and identifies likely-offending entities; it does NOT
   actuate, quarantine, or remediate.

   The central security property is geometric: an implant confined to
   null(H) of the attached eyes is undetectable by ANY appraisal of
   those eyes' output (T-MEM-6, T-MEM-8).  Coverage of the damage
   directions of the threat model is therefore a security requirement,
   not a tuning choice; commissioning SHOULD verify that the eye-set
   spans the curated damage-direction corpus.
   An implant that silences k eyes re-opens max(0, k - rho) blind
   dimensions (T-MEM-4); deployments MUST provision eye redundancy rho
   at least equal to the silencing reach they defend against, and MUST
   anchor the meta-observer in an attested root of trust [RFC9334]
   [RFC9683] so that eye-silencing is itself observable (T-MEM-5).

   POST-QUANTUM EYE IDENTITY.  By the non-blinding invariant (T-MEM-7)
   the only attacker move that is NOT bounded by the information
   geometry is forging a vantage's authenticated reports so that H is
   mis-estimated.  Each eye's Evidence MUST therefore be
   cryptographically bound to a hardware-rooted key.  For long-lived
   deployments that key SHOULD use a post-quantum signature -- ML-DSA
   [FIPS204] -- carried via COSE/JOSE [I-D.ietf-cose-dilithium] for
   EAT/CoRIM evidence and via X.509 [RFC5280]
   [I-D.ietf-lamps-dilithium-certificates] for the eye-identity
   certificate chain.  The 2025-2026 BYOVD threat (Section 3)
   empirically confirms the split: real attackers REUSE valid signatures
   on vulnerable drivers rather than forge them, so the forgery channel
   is already economically closed and the residual attack is the
   geometric eye-silencing one this profile is built to flag.  Note that
   a signed-but-vulnerable driver passes a signature check by design;
   the driver-load eye of Section 15 therefore needs a block-list or
   allow-list of driver hashes, not signature validity alone.

   A spoofed eye is an adversary-controlled row of H and can both hide
   damage and forge it; telemetry ingestion MUST be authenticated.  The
   Byzantine-robust aggregate (geometric median, breakdown point 1/2)
   used by the Verifier bounds the influence of a minority of lying
   eyes, but a majority of corrupted eyes is out of scope.

   This profile does not by itself remediate the underlying
   vulnerability an implant exploits; coherent detection is a
   compensating control alongside patching, exploit mitigations (W^X,
   CET/CFG), driver allow-listing, and attested boot.

17.  IANA Considerations

   This document has no IANA actions.

18.  References

18.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997.

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017.

   [RFC9334]  Birkholz, H., Thaler, D., Richardson, M., Smith, N., and
              W. Pan, "Remote ATtestation procedureS (RATS)
              Architecture", RFC 9334, DOI 10.17487/RFC9334,
              January 2023.

18.2.  Informative References

   [RFC5280]  Cooper, D., Santesson, S., Farrell, S., Boeyen, S.,
              Housley, R., and W. Polk, "Internet X.509 Public Key
              Infrastructure Certificate and Certificate Revocation
              List (CRL) Profile", RFC 5280, DOI 10.17487/RFC5280,
              May 2008.

   [RFC9393]  Birkholz, H., Fitzgerald-McKay, J., Schmidt, C., and
              D. Waltermire, "Concise Software Identification Tags",
              RFC 9393, DOI 10.17487/RFC9393, March 2023.

   [RFC9683]  Fedorkow, G., Voit, E., and J. Fitzgerald-McKay, "Remote
              Integrity Verification of Network Devices Containing
              Trusted Platform Modules", RFC 9683,
              DOI 10.17487/RFC9683, October 2024.

   [RFC9711]  Lundblade, L., Mandyam, G., O'Donoghue, J., and
              C. Wallace, "The Entity Attestation Token (EAT)",
              RFC 9711, DOI 10.17487/RFC9711, April 2025.

   [FIPS204]  National Institute of Standards and Technology,
              "Module-Lattice-Based Digital Signature Standard",
              FIPS PUB 204, DOI 10.6028/NIST.FIPS.204, August 2024.

   [I-D.ietf-rats-corim]
              Birkholz, H., Fossati, T., Deshpande, Y., Smith, N., and
              W. Pan, "Concise Reference Integrity Manifest", Work in
              Progress, draft-ietf-rats-corim.

   [I-D.ietf-cose-dilithium]
              Prorock, M., Steele, O., Misoczki, R., Osborne, M., and
              C. Cloostermans, "ML-DSA for JOSE and COSE", Work in
              Progress, draft-ietf-cose-dilithium.

   [I-D.ietf-lamps-dilithium-certificates]
              Massimo, J., Kampanakis, P., Turner, S., and
              B. Westerbaan, "Internet X.509 PKI - Algorithm
              Identifiers for ML-DSA", Work in Progress,
              draft-ietf-lamps-dilithium-certificates.

   [I-D.melegassi-opsawg-mvps-os-host]
              Melegassi, L., "MVPS-Host: Canonical Multi-Vantage
              Coherence Monitoring of Operating-System Fleets via
              Telemetry", Work in Progress,
              draft-melegassi-opsawg-mvps-os-host-00.

   [I-D.melegassi-irtf-mvps-methodology]
              Melegassi, L., "An Adversarial-Audit Methodology for MVPS
              Claims", Work in Progress.

   [I-D.melegassi-opsawg-mvps-logging]
              Melegassi, L., "An Append-Only, Hash-Chained Operational
              Log Format for MVPS", Work in Progress.

   Informative, non-IETF: MITRE ATT&CK techniques T1055 (Process
   Injection), T1562.001 (Impair Defenses: Disable or Modify Tools),
   T1014 (Rootkit), T1068 (Exploitation for Privilege Escalation);
   CVE-2025-68947 (BYOVD kernel-mode process termination).

Author's Address

   Leonardo Melegassi
   Catellix
   Brazil
   Email: melegassi@catellix.com