A public Prelude service that provides assurance a VST is production-ready

Prelude hosts an internal service, called Compute, responsible for providing assurance that a Verified Security Test (VST) is production-ready.

Compute is a web service that accepts a test identifier and the identifier of the account that owns it. Compute then performs the following actions:

  • Downloads the source code file from the cloud directory containing the test
  • Compiles the code for all applicable operating systems
  • Scans the compiled binaries against all malware YARA rules provided by VirusTotal's open-source project
  • Uploads the compiled binaries back to the cloud directory

During the compile step, Compute uses a technique that gives a file a unique hash every time it is sent to Compute, even if the file hasn't changed.

The final result is that a test is converted from source code into an artifact that can be scheduled (for probe execution).

External use

Security engineers automatically leverage Compute when writing and uploading their own VSTs. Each upload fires off a request to Compute, which performs the chain of actions described above.

Follow the guide here to learn how to write your own VSTs.

Internal use

Prelude uses the Compute server in two ways:

  1. Each test the internal security team writes is compiled using Compute, to ensure consistency. Each test is then resent to Compute on a regular cadence to ensure it is rotating its file hash. This process ensures a defensive control cannot rely solely on signature matching to protect an endpoint.
  2. The Prelude team then sends all tests written by the internal team into a continuous test range that runs them in various scenarios on all supported major/minor operating systems. This process aims to flush out any edge cases that tests may encounter in the wild.
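
The effect described in item 1 can be measured from the defender's side. The following is an added example, not Prelude's code: it compares a hash-only control with a content-based rule across repeated builds of the same test. The embedded build ID is an assumed stand-in for the unspecified technique Compute uses, and the test body, marker and class names are constructed for illustration.

```python
import hashlib
import os

# Constructed stand-in for a compiled test binary (not a real VST).
TEST_BODY = b"\x7fELF" + b"constructed-test-body" + b"VST-DEMO-MARKER" + b"\x00" * 16


def build(body: bytes) -> bytes:
    """Hypothetical compile step: embed a random build ID so every build
    hashes differently. Assumption; the page does not name the technique."""
    return body + b"BUILD-ID:" + os.urandom(16)


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class HashBlocklist:
    """Control that recognises artifacts only by exact SHA-256."""
    def __init__(self):
        self.known = set()

    def learn(self, artifact: bytes) -> None:
        self.known.add(sha256(artifact))

    def detects(self, artifact: bytes) -> bool:
        return sha256(artifact) in self.known


class ContentRule:
    """Control that matches byte patterns inside the artifact
    (a simplified stand-in for a YARA string rule)."""
    def __init__(self, patterns):
        self.patterns = list(patterns)

    def detects(self, artifact: bytes) -> bool:
        return any(p in artifact for p in self.patterns)


def evaluate(rebuilds: int = 5) -> dict:
    """Teach both controls from the first build, then score later rebuilds."""
    first = build(TEST_BODY)
    by_hash, by_content = HashBlocklist(), ContentRule([b"VST-DEMO-MARKER"])
    by_hash.learn(first)
    later = [build(TEST_BODY) for _ in range(rebuilds)]
    return {
        "unique_hashes": len({sha256(a) for a in [first, *later]}),
        "hash_hits_first_build": by_hash.detects(first),
        "hash_hits_rebuilds": sum(by_hash.detects(a) for a in later),
        "content_hits_rebuilds": sum(by_content.detects(a) for a in later),
    }


if __name__ == "__main__":
    print(evaluate())
```

The hash-only control matches the build it learned from and none of the rebuilds, while the content rule matches every rebuild.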