Unified Defense Graph

The following diagram maps the complete enforcement topology of the Sentinel Stack, showing signal flow from Layer 7 AI intelligence down to wire-speed NIC drops.


```mermaid
flowchart TD
    subgraph L7 ["Layer 7 - AI Intelligence Plane"]
        AIAgent["AI Agent<br/>(Intent)"]
        Cortex["Telos Cortex<br/>Engine"]
        DNS["DNS Proxy<br/>:5353"]
        Exec["Exec LOLBin"]

        AIAgent --> Cortex
        Cortex --> DNS
        Cortex --> Exec
    end

    subgraph R0R ["Ring 0 - Runtime Enforcement"]
        eBPFDaemon["Telos eBPF<br/>Daemon"]
        eBPFMaps["eBPF Hash/LRU<br/>Maps"]
        LSM1["lsm/bprm_<br/>check_security"]
        LSM2["lsm/socket_<br/>connect"]
        LSM3["lsm/file_open<br/>(Dynamic Taint)"]

        eBPFDaemon -- "Update Maps" --> eBPFMaps
        eBPFMaps --> LSM1
        eBPFMaps --> LSM2
        eBPFMaps --> LSM3
    end

    Cortex -- "gRPC / Unix Socket" --> eBPFDaemon

    subgraph R0C ["Ring 0 - Compile-Time Verification"]
        TelosLang["telos-lang<br/>Compiler"]
        Z3["Z3 SMT<br/>Verification"]
        VerifiedIR["Verified<br/>eBPF IR"]
        HardenedBytecode["Hardened<br/>Bytecode"]

        TelosLang --> Z3
        Z3 --> VerifiedIR
        VerifiedIR -- "LLVM BPF" --> HardenedBytecode
    end

    subgraph RMinus1 ["Ring -1 - Hypervisor Introspection"]
        SentinelVMI["Sentinel VMI<br/>Engine"]
        NPTGuard["NPT Guard<br/>(HW RO)"]
        SysCallTable["sys_call_<br/>table"]

        SentinelVMI --> NPTGuard
        NPTGuard --> SysCallTable
    end

    subgraph NIC ["Wire - NIC Boundary"]
        HyperionXDP["Hyperion XDP<br/>Engine"]
        PhysicalNIC["Physical NIC"]

        HyperionXDP -- "XDP_DROP" --> PhysicalNIC
    end

    SentinelVMI -- "vmi_alert_map<br/>RPC Push Malicious IPs" --> HyperionXDP
```

| Source | Destination | Transport | Signal |
|---|---|---|---|
| Telos Cortex | Telos eBPF Daemon | gRPC / Unix Socket | Intent declarations, policy updates |
| Telos Cortex | Hyperion XDP | HTTP RPC (:9095/block) | Malicious IP blacklist |
| Sentinel VMI | Telos Runtime | vmi_alert_map (eBPF) | Compromised PID + threat level |
| Sentinel VMI | Hyperion XDP | vmi_alert_map (eBPF) | PID for wire-speed isolation |
| telos-lang | Telos eBPF Daemon | LLVM BPF bytecode | Verified kernel sandbox |
| sentinel-kv | Load-Time Checker | Z3 Proof artifacts | Memory safety proofs |