Study material
evidence of self-taught study

Engineering skills applied in the project

Nemesis exercises, in practice, a broad set of skills: operating systems, kernel, security, Rust and DevSecOps. Each one is mapped to the point in the code that evidences it and to the page that explains it.

Banner: Fernando Moreira, author of Nemesis Defender. Full-Stack TypeScript (React/Next.js), OWASP. Rust, eBPF/LSM, fail-closed. A shield with a padlock and the rule rm -rf to exit 2, DENIED. Three-layer architecture that blocks before execution.
Three-layer deterministic enforcement, in Rust, that blocks before execution.

How to read

Each row points to the concept page and the real source file. It is a traceable index of applied study, not a buzzword list. And the material’s rule holds: protection is the sum of layers (the coefficient), never the count of visitors.

In 30 seconds

The project joins the low level (kernel, eBPF, LSM, Landlock) with defensive software engineering (fail-closed Rust, linear regex, determinism) and static analysis (AST, taint, entropy), tied into a DevSecOps process with an adversarial gate. The three layers (the isolated concept), the way they reinforce each other (the correlation) and the real block before execution (the convergence) are what each page details.

The isolated concept: skills by domain

Operating systems and low-level engineering

SkillEvidence in the codeStudy
POSIX process model, stdio, exit code as contracthook reads stdin, std::process::exit(2); spawn with null stdio1
Kernel programming with eBPF, verifier and BPF-LSMnemesis-block.bpf.c, mapas, lsm/bprm_check_security2
Rootless sandbox and egress control (cgroup, Landlock)landlock.rs::apply_sandbox, lsm/socket_connect, LPM trie3

Rust and software engineering

SkillEvidence in the codeStudy
Workspace, reproducible build, committed Cargo.lockCargo.toml, --locked no CI4
Errors without exceptions (Result/Option) and fail-closed (catch_unwind → exit 2)main.rs match em fs::read; nemesis-pretool-check-unix.rs::main4
Algorithmic safety (linear regex, ReDoS) and determinismcrate regex; MAX_DECODE_DEPTH, faixas de tamanho4

Static analysis and language theory

SkillEvidence in the codeStudy
Parsing and AST traversal (tree-sitter, Visitor pattern)ast_scanner.rs::traverse_*5
Layered pipeline architecturelib.rs::scan_content5
Information theory (entropy) and data flow (taint)entropy.rs::shannon_entropy; taint_tracker.rs (3 passadas)5

AI and application security

SkillEvidence in the codeStudy
Agent integration (multi-IDE hooks), interceptiontool-to-intent translation in the pretool6
Deterministic vs probabilistic enforcementcompute_severity (pure function)6
Defense against prompt injection and IDE poisoningprompt_injection.rs, ide_config_poisoning.rs7
Malware and supply chain detectionrecursive decoder + manifest_scanner + AST visitors (method)8

Defense architecture and DevSecOps

SkillEvidence in the codeStudy
Defense in depth (3 independent layers)pretool + daemon + eBPF9
Trust modeling (corroboration, reversibility)Tier A/B em compute_severity, quarentena9
Honest threat modeling (declared limits)self-audit.yml notas, AGENTS.md §210
Build chain (SLSA, SHA pinning, audit) and observabilityself-audit.yml, release.yml, nemesis-doctor, run-pentest.sh10

How it correlates

None of these skills stands alone. Exit code (1) only contains because Rust's fail-closed (4) guarantees even an error ends in a block; the kernel (2) only acts with scope because the cgroup (3) knows which process is the agent; code reading (5) only matters because it feeds the decision (9); and the decision is only trustworthy because the process (10) validates it adversarially. Maturity is not in knowing each piece, it is in making them reinforce each other.

How Nemesis applies it (the convergence)

Nemesis flow: the agent attempts an action; layer 1 (pretool) blocks the hostile one with exit 2; layer 2 (daemon) quarantines what escaped; layer 3 (eBPF, kernel) is the safety net; everything is logged locally.
The observable convergence: the skills become real containment, from the agent request to the verdict.

All of this converges into a single observable fact: a destructive command or a malicious payload is blocked with exit 2 (or -EPERM in the kernel) before executing, or a hostile file is moved to quarantine before causing damage. That is what separates a prototype from a security tool: engineering becomes real containment, reversible and honest about its limits.

Synthesis

The thread is joining the low level (kernel/eBPF) with defensive software engineering (fail-closed Rust, determinism) and process (CI as an adversarial gate), with honesty about limits. That set is what the project develops and what this material evidences.

Voltar ao índice.