diff --git a/paper/access.aux b/paper/access.aux new file mode 100644 index 00000000..93db1057 --- /dev/null +++ b/paper/access.aux 
@@ -0,0 +1,148 @@ +\relax +\providecommand\babel@aux[2]{} +\@nameuse{bbl@beforestart} +\providecommand\hyper@newdestlabel[2]{} +\providecommand\HyField@AuxAddToFields[1]{} +\providecommand\HyField@AuxAddToCoFields[2]{} +\citation{malul2024} +\citation{kyverno_docs} +\citation{borg} +\citation{kyverno_docs} +\citation{kyverno_docs} +\citation{malul2024} +\citation{kyverno_docs} +\citation{borg} +\babel@aux{english}{} +\@writefile{toc}{\contentsline {section}{\numberline {1}Importance of the Problem}{1}{section.1}\protected@file@percent } +\@writefile{lot}{\contentsline {table}{\numberline {1}{\ignorespaces Comparison of automated Kubernetes remediation systems (Oct.~2025 snapshot).}}{2}{table.1}\protected@file@percent } +\newlabel{tab:comparison}{{1}{2}{Comparison of automated Kubernetes remediation systems (Oct.~2025 snapshot)}{table.1}{}} +\@writefile{lot}{\contentsline {table}{\numberline {2}{\ignorespaces Head-to-head policy-level acceptance on the 500-manifest security-context slice. Counts and rates regenerate from \url {https://github.com/bmendonca3/k8s-auto-fix/blob/main/data/detections.json}, \url {https://github.com/bmendonca3/k8s-auto-fix/blob/main/data/verified.json}, and baseline CSVs under \url {https://github.com/bmendonca3/k8s-auto-fix/tree/main/data/baselines}.}}{2}{table.2}\protected@file@percent } +\newlabel{tab:baselines}{{2}{2}{Head-to-head policy-level acceptance on the 500-manifest security-context slice. 
Counts and rates regenerate from \url {https://github.com/bmendonca3/k8s-auto-fix/blob/main/data/detections.json}, \url {https://github.com/bmendonca3/k8s-auto-fix/blob/main/data/verified.json}, and baseline CSVs under \url {https://github.com/bmendonca3/k8s-auto-fix/tree/main/data/baselines}}{table.2}{}} +\@writefile{toc}{\contentsline {section}{\numberline {2}Related Work}{2}{section.2}\protected@file@percent } +\citation{b1} +\citation{b3} +\citation{b2} +\citation{kube_linter_docs} +\citation{kyverno_docs} +\citation{opa_gatekeeper} +\citation{kubectl_reference} +\citation{aardvark} +\citation{kubeintellect} +\@writefile{toc}{\contentsline {section}{\numberline {3}System Design}{3}{section.3}\protected@file@percent } +\newlabel{sec:system-design}{{3}{3}{System Design}{section.3}{}} +\@writefile{toc}{\contentsline {subsection}{\numberline {3.1}Notation}{3}{subsection.3.1}\protected@file@percent } +\newlabel{sec:notation}{{3.1}{3}{Notation}{subsection.3.1}{}} +\@writefile{toc}{\contentsline {subsection}{\numberline {3.2}End-to-End Walkthrough on Real Manifests}{3}{subsection.3.2}\protected@file@percent } +\@writefile{toc}{\contentsline {subsection}{\numberline {3.3}Research Questions and Findings}{4}{subsection.3.3}\protected@file@percent } +\@writefile{toc}{\contentsline {section}{\numberline {4}Implementation and Metrics}{4}{section.4}\protected@file@percent } +\newlabel{sec:impl-metrics}{{4}{4}{Implementation and Metrics}{section.4}{}} +\citation{joseph2016} +\@writefile{lot}{\contentsline {table}{\numberline {3}{\ignorespaces At-a-glance comparison across remediation steps.}}{5}{table.3}\protected@file@percent } +\newlabel{tab:glance}{{3}{5}{At-a-glance comparison across remediation steps}{table.3}{}} +\@writefile{toc}{\contentsline {subsection}{\numberline {4.1}The Closed-Loop Pipeline}{5}{subsection.4.1}\protected@file@percent } +\@writefile{toc}{\contentsline {subsection}{\numberline {4.2}Verification Gates}{5}{subsection.4.2}\protected@file@percent } 
+\citation{artifacthub} +\@writefile{lof}{\contentsline {figure}{\numberline {1}{\ignorespaces Closed-loop architecture with detector, proposer, and verifier gates (policy re-check, schema validation, \texttt {kubectl apply --dry-run=server}) feeding the risk-aware scheduler. The scheduler consumes \texttt {policy\_metrics.json} entries \{${p}$, $\mathbb {E}[t]$, $R$, KEV\} to score work using the scheduling function.}}{6}{figure.1}\protected@file@percent } +\newlabel{fig:architecture}{{1}{6}{Closed-loop architecture with detector, proposer, and verifier gates (policy re-check, schema validation, \texttt {kubectl apply --dry-run=server}) feeding the risk-aware scheduler. The scheduler consumes \texttt {policy\_metrics.json} entries \{${p}$, $\mathbb {E}[t]$, $R$, KEV\} to score work using the scheduling function}{figure.1}{}} +\@writefile{toc}{\contentsline {section}{\numberline {5}Implementation Status and Evidence}{6}{section.5}\protected@file@percent } +\@writefile{toc}{\contentsline {subsection}{\numberline {5.1}Sample Detection Record}{6}{subsection.5.1}\protected@file@percent } +\@writefile{toc}{\contentsline {subsection}{\numberline {5.2}Unit Test Evidence}{6}{subsection.5.2}\protected@file@percent } +\@writefile{toc}{\contentsline {subsection}{\numberline {5.3}Dataset and Configuration}{6}{subsection.5.3}\protected@file@percent } +\@writefile{toc}{\contentsline {subsection}{\numberline {5.4}Evaluation Results}{6}{subsection.5.4}\protected@file@percent } +\newlabel{sec:evaluation}{{5.4}{6}{Evaluation Results}{subsection.5.4}{}} +\citation{xai_pricing} +\@writefile{lot}{\contentsline {table}{\numberline {4}{\ignorespaces Evidence for each stage of the implemented pipeline (October 2025 snapshot).}}{7}{table.4}\protected@file@percent } +\newlabel{tab:evidence}{{4}{7}{Evidence for each stage of the implemented pipeline (October 2025 snapshot)}{table.4}{}} +\@writefile{lot}{\contentsline {table}{\numberline {5}{\ignorespaces Execution environment for the 
reproduced rule-mode evaluations.}}{7}{table.5}\protected@file@percent } +\newlabel{tab:environment}{{5}{7}{Execution environment for the reproduced rule-mode evaluations}{table.5}{}} +\@writefile{lot}{\contentsline {table}{\numberline {6}{\ignorespaces LLM-backed proposer configuration for Grok/xAI sweeps (values from \texttt {configs/run.yaml}).}}{7}{table.6}\protected@file@percent } +\newlabel{tab:llm_config}{{6}{7}{LLM-backed proposer configuration for Grok/xAI sweeps (values from \texttt {configs/run.yaml})}{table.6}{}} +\@writefile{lot}{\contentsline {table}{\numberline {7}{\ignorespaces Top 10 Grok/xAI Failure Causes and Latencies}}{8}{table.7}\protected@file@percent } +\newlabel{tab:grok_failures}{{7}{8}{Top 10 Grok/xAI Failure Causes and Latencies}{table.7}{}} +\@writefile{lot}{\contentsline {table}{\numberline {8}{\ignorespaces Detector performance on synthetic hold-out manifests ($n=9$). Note: These are hand-crafted test cases with obvious violations; real-world performance is validated through live-cluster evaluation.}}{8}{table.8}\protected@file@percent } +\newlabel{tab:detector_performance}{{8}{8}{Detector performance on synthetic hold-out manifests ($n=9$). Note: These are hand-crafted test cases with obvious violations; real-world performance is validated through live-cluster evaluation}{table.8}{}} +\@writefile{lof}{\contentsline {figure}{\numberline {2}{\ignorespaces Median wait time (bars) and P95 error bars for each risk tier. Bandit scheduling keeps the top quartile under 0.7~h while FIFO defers the same items for 26--50~h, illustrating the fairness gains summarized in \url {data/scheduler/metrics_schedule_sweep.json} and \url {data/scheduler/metrics_sweep_live.json}.}}{8}{figure.2}\protected@file@percent } +\newlabel{fig:fairness}{{2}{8}{Median wait time (bars) and P95 error bars for each risk tier. 
Bandit scheduling keeps the top quartile under 0.7~h while FIFO defers the same items for 26--50~h, illustrating the fairness gains summarized in \url {data/scheduler/metrics_schedule_sweep.json} and \url {data/scheduler/metrics_sweep_live.json}}{figure.2}{}} +\@writefile{lot}{\contentsline {table}{\numberline {9}{\ignorespaces Verifier failure taxonomy comparing the rules baseline (pre-fixture) against the supported corpus after fixture seeding. Counts derive from \url {data/failures/taxonomy_counts.csv} generated by \texttt {scripts/aggregate\_failure\_taxonomy.py}.}}{9}{table.9}\protected@file@percent } +\newlabel{tab:failure_taxonomy}{{9}{9}{Verifier failure taxonomy comparing the rules baseline (pre-fixture) against the supported corpus after fixture seeding. Counts derive from \protect \url {data/failures/taxonomy_counts.csv} generated by \texttt {scripts/aggregate\_failure\_taxonomy.py}}{table.9}{}} +\@writefile{lof}{\contentsline {figure}{\numberline {3}{\ignorespaces Comparison of admission-time (Kyverno) and post-hoc (\texttt {k8s-auto-fix}) policy enforcement on overlapping policies (seed=1337).}}{9}{figure.3}\protected@file@percent } +\newlabel{fig:admission_vs_posthoc}{{3}{9}{Comparison of admission-time (Kyverno) and post-hoc (\texttt {k8s-auto-fix}) policy enforcement on overlapping policies (seed=1337)}{figure.3}{}} +\@writefile{lof}{\contentsline {figure}{\numberline {4}{\ignorespaces Acceptance comparison between rules-only, LLM-only, and hybrid remediation modes (\url {data/baselines/mode_comparison.csv}).}}{9}{figure.4}\protected@file@percent } +\newlabel{fig:mode_comparison}{{4}{9}{Acceptance comparison between rules-only, LLM-only, and hybrid remediation modes (\protect \url {data/baselines/mode_comparison.csv})}{figure.4}{}} +\@writefile{lof}{\contentsline {figure}{\numberline {5}{\ignorespaces Operator A/B study results comparing bandit scheduler against baseline modes (simulated). 
Dual-axis chart shows acceptance rate (green bars) and mean wait time (blue bars) across 247 simulated queue assignments (\url {data/operator\_ab/summary\_simulated.csv}).}}{9}{figure.5}\protected@file@percent } +\newlabel{fig:operator_ab}{{5}{9}{Operator A/B study results comparing bandit scheduler against baseline modes (simulated). Dual-axis chart shows acceptance rate (green bars) and mean wait time (blue bars) across 247 simulated queue assignments (\protect \url {data/operator\_ab/summary\_simulated.csv})}{figure.5}{}} +\@writefile{toc}{\contentsline {subsection}{\numberline {5.5}Threat Model}{9}{subsection.5.5}\protected@file@percent } +\citation{nvd,epss} +\citation{cisa_kev} +\@writefile{lot}{\contentsline {table}{\numberline {10}{\ignorespaces Risk calibration summary derived from \url {data/risk/risk_calibration.csv}. $\Delta R$ uses policy risk weights; “per time unit” divides by summed expected-time priors.}}{10}{table.10}\protected@file@percent } +\newlabel{tab:risk_calibration}{{10}{10}{Risk calibration summary derived from \protect \url {data/risk/risk_calibration.csv}. $\Delta R$ uses policy risk weights; “per time unit” divides by summed expected-time priors}{table.10}{}} +\@writefile{lot}{\contentsline {table}{\numberline {11}{\ignorespaces Acceptance and latency summary (seed 1337). Results generated from \url {data/eval/unified_eval_summary.json}.}}{10}{table.11}\protected@file@percent } +\newlabel{tab:eval_summary}{{11}{10}{Acceptance and latency summary (seed 1337). 
Results generated from \protect \url {data/eval/unified_eval_summary.json}}{table.11}{}} +\@writefile{toc}{\contentsline {subsection}{\numberline {5.6}Threats and Mitigations}{10}{subsection.5.6}\protected@file@percent } +\@writefile{toc}{\contentsline {subsection}{\numberline {5.7}Threat Intelligence and Risk Scoring (CVE/KEV/EPSS)}{10}{subsection.5.7}\protected@file@percent } +\@writefile{toc}{\contentsline {subsection}{\numberline {5.8}Guidance Refresh and RAG Hooks}{10}{subsection.5.8}\protected@file@percent } +\citation{auer2002} +\@writefile{lot}{\contentsline {table}{\numberline {12}{\ignorespaces Guardrail example: Cilium DaemonSet patch (excerpt).}}{11}{table.12}\protected@file@percent } +\newlabel{tab:cilium_patch}{{12}{11}{Guardrail example: Cilium DaemonSet patch (excerpt)}{table.12}{}} +\@writefile{lot}{\contentsline {table}{\numberline {13}{\ignorespaces Cross-Cluster Replication Results}}{11}{table.13}\protected@file@percent } +\newlabel{tab:cross_cluster_replication}{{13}{11}{Cross-Cluster Replication Results}{table.13}{}} +\@writefile{toc}{\contentsline {subsection}{\numberline {5.9}Risk-Bandit Scheduler with Aging and KEV Preemption}{11}{subsection.5.9}\protected@file@percent } +\newlabel{eq:scheduler_score}{{1}{11}{Risk-Bandit Scheduler with Aging and KEV Preemption}{equation.5.1}{}} +\@writefile{toc}{\contentsline {subsection}{\numberline {5.10}Baselines and Ablations}{11}{subsection.5.10}\protected@file@percent } +\@writefile{lot}{\contentsline {table}{\numberline {14}{\ignorespaces Verifier gate ablation using 19 patched samples (\texttt {data/ablation/verifier\_gate\_metrics.json}). Acceptance reports the share of patches passing under the scenario; escapes count regressions that the full verifier blocks.}}{12}{table.14}\protected@file@percent } +\newlabel{tab:verifier_ablation}{{14}{12}{Verifier gate ablation using 19 patched samples (\texttt {data/ablation/verifier\_gate\_metrics.json}). 
Acceptance reports the share of patches passing under the scenario; escapes count regressions that the full verifier blocks}{table.14}{}} +\@writefile{toc}{\contentsline {subsection}{\numberline {5.11}Metrics and Measurement}{12}{subsection.5.11}\protected@file@percent } +\@writefile{toc}{\contentsline {section}{\numberline {6}Limitations and Mitigations}{12}{section.6}\protected@file@percent } +\@writefile{toc}{\contentsline {section}{\numberline {7}Discussion and Future Work}{12}{section.7}\protected@file@percent } +\citation{xai_pricing} +\bibstyle{IEEEtran} +\bibcite{cis_benchmarks}{1} +\bibcite{pss}{2} +\bibcite{opa_gatekeeper}{3} +\bibcite{kube_linter_docs}{4} +\bibcite{k8s_security_context}{5} +\bibcite{rfc6902}{6} +\bibcite{kubectl_reference}{7} +\bibcite{xai_pricing}{8} +\bibcite{k8s_seccomp}{9} +\bibcite{nvd}{10} +\bibcite{cisa_kev}{11} +\bibcite{epss}{12} +\bibcite{trivy}{13} +\bibcite{grype}{14} +\bibcite{swe_bench_verified}{15} +\bibcite{llmsecconfig}{16} +\bibcite{malul2024}{17} +\bibcite{kubellm}{18} +\bibcite{kyverno_docs}{19} +\bibcite{borg}{20} +\@writefile{lof}{\contentsline {figure}{\numberline {6}{\ignorespaces Risk-Bandit scheduling loop (aging + KEV preemption) maximizing expected risk reduction per unit time with exploration and fairness.}}{13}{figure.6}\protected@file@percent } +\newlabel{fig:bandit-pseudocode}{{6}{13}{Risk-Bandit scheduling loop (aging + KEV preemption) maximizing expected risk reduction per unit time with exploration and fairness}{figure.6}{}} +\@writefile{toc}{\contentsline {section}{References}{13}{section*.1}\protected@file@percent } +\bibcite{artifacthub}{21} +\bibcite{auer2002}{22} +\bibcite{joseph2016}{23} +\bibcite{aardvark}{24} +\bibcite{kubeintellect}{25} +\bibcite{b1}{26} +\bibcite{b2}{27} +\bibcite{b3}{28} +\@writefile{toc}{\contentsline {section}{Biographies}{14}{IEEEbiography.0}\protected@file@percent } +\@writefile{toc}{\contentsline {subsection}{Brian Mendonca}{14}{IEEEbiography.1}\protected@file@percent } 
+\@writefile{toc}{\contentsline {subsection}{Vijay K. Madisetti}{14}{IEEEbiography.2}\protected@file@percent } +\@writefile{toc}{\contentsline {section}{Appendix\nobreakspace A: Grok/xAI Failure Analysis}{15}{section*.2}\protected@file@percent } +\newlabel{app:grok_failures}{{A}{15}{\appendixname \nobreakspace \thesectiondis \\* Grok/xAI Failure Analysis}{section*.2}{}} +\@writefile{toc}{\contentsline {section}{Appendix\nobreakspace B: Risk Score Worked Example}{16}{section*.3}\protected@file@percent } +\newlabel{app:risk_example}{{B}{16}{\appendixname \nobreakspace \thesectiondis \\* Risk Score Worked Example}{section*.3}{}} +\@writefile{toc}{\contentsline {section}{Appendix\nobreakspace C: Acronym Glossary}{17}{section*.4}\protected@file@percent } +\newlabel{app:acronyms}{{C}{17}{\appendixname \nobreakspace \thesectiondis \\* Acronym Glossary}{section*.4}{}} +\@writefile{toc}{\contentsline {section}{Appendix\nobreakspace D: Artifact Index}{18}{section*.5}\protected@file@percent } +\newlabel{app:artifact_index}{{D}{18}{\appendixname \nobreakspace \thesectiondis \\* Artifact Index}{section*.5}{}} +\@writefile{lot}{\contentsline {table}{\numberline {15}{\ignorespaces Primary artifacts bundled with the paper.}}{18}{table.15}\protected@file@percent } +\@writefile{toc}{\contentsline {section}{Appendix\nobreakspace E: Evaluation Artifact Manifest}{19}{section*.6}\protected@file@percent } +\newlabel{app:artifact_manifest}{{E}{19}{\appendixname \nobreakspace \thesectiondis \\* Evaluation Artifact Manifest}{section*.6}{}} +\@writefile{lot}{\contentsline {table}{\numberline {16}{\ignorespaces Key evaluation artifacts with record counts and purposes for full reproducibility.}}{19}{table.16}\protected@file@percent } +\newlabel{tab:artifact_manifest}{{16}{19}{Key evaluation artifacts with record counts and purposes for full reproducibility}{table.16}{}} +\@writefile{toc}{\contentsline {section}{Appendix\nobreakspace F: Corpus Mining and 
Integrity}{20}{section*.7}\protected@file@percent } +\newlabel{app:corpus}{{F}{20}{\appendixname \nobreakspace \thesectiondis \\* Corpus Mining and Integrity}{section*.7}{}} +\gdef \@abspage@last{20} diff --git a/paper/access.log b/paper/access.log new file mode 100644 index 00000000..2f21a1b7 --- /dev/null +++ b/paper/access.log 
@@ -0,0 +1,1177 @@ +This is pdfTeX, Version 3.141592653-2.6-1.40.25 (TeX Live 2023/Debian) (preloaded format=pdflatex 2025.12.9) 9 DEC 2025 22:06 +entering extended mode + restricted \write18 enabled. + %&-line parsing enabled. +**access.tex +(./access.tex +LaTeX2e <2023-11-01> patch level 1 +L3 programming layer <2024-01-22> +(./IEEEtran.cls +Document Class: IEEEtran 2015/08/26 V1.8b by Michael Shell +-- See the "IEEEtran_HOWTO" manual for usage information. +-- http://www.michaelshell.org/tex/ieeetran/ +\@IEEEtrantmpdimenA=\dimen140 +\@IEEEtrantmpdimenB=\dimen141 +\@IEEEtrantmpdimenC=\dimen142 +\@IEEEtrantmpcountA=\count187 +\@IEEEtrantmpcountB=\count188 +\@IEEEtrantmpcountC=\count189 +\@IEEEtrantmptoksA=\toks17 +LaTeX Font Info: Trying to load font information for OT1+ppl on input line 5 +03. +(/usr/share/texlive/texmf-dist/tex/latex/psnfss/ot1ppl.fd +File: ot1ppl.fd 2001/06/04 font definitions for OT1/ppl. +) +-- Using IEEE Computer Society mode. +-- Using 8.5in x 11in (letter) paper. +-- Using PDF output. +\@IEEEnormalsizeunitybaselineskip=\dimen143 +-- This is a 10 point document. +\CLASSINFOnormalsizebaselineskip=\dimen144 +\CLASSINFOnormalsizeunitybaselineskip=\dimen145 +\IEEEnormaljot=\dimen146 +LaTeX Font Info: Font shape `OT1/ppl/bx/n' in size <5.01874> not available +(Font) Font shape `OT1/ppl/b/n' tried instead on input line 1090. +LaTeX Font Info: Font shape `OT1/ppl/bx/it' in size <5.01874> not available +(Font) Font shape `OT1/ppl/b/it' tried instead on input line 1090. + +LaTeX Font Info: Font shape `OT1/ppl/bx/n' in size <7.02625> not available +(Font) Font shape `OT1/ppl/b/n' tried instead on input line 1090. +LaTeX Font Info: Font shape `OT1/ppl/bx/it' in size <7.02625> not available +(Font) Font shape `OT1/ppl/b/it' tried instead on input line 1090. + +LaTeX Font Info: Font shape `OT1/ppl/bx/n' in size <8.03> not available +(Font) Font shape `OT1/ppl/b/n' tried instead on input line 1090. 
+LaTeX Font Info: Font shape `OT1/ppl/bx/it' in size <8.03> not available +(Font) Font shape `OT1/ppl/b/it' tried instead on input line 1090. + +LaTeX Font Info: Font shape `OT1/ppl/bx/n' in size <9.03374> not available +(Font) Font shape `OT1/ppl/b/n' tried instead on input line 1090. +LaTeX Font Info: Font shape `OT1/ppl/bx/it' in size <9.03374> not available +(Font) Font shape `OT1/ppl/b/it' tried instead on input line 1090. + +LaTeX Font Info: Font shape `OT1/ppl/bx/n' in size <9.53561> not available +(Font) Font shape `OT1/ppl/b/n' tried instead on input line 1090. +LaTeX Font Info: Font shape `OT1/ppl/bx/it' in size <9.53561> not available +(Font) Font shape `OT1/ppl/b/it' tried instead on input line 1090. + +LaTeX Font Info: Font shape `OT1/ppl/bx/n' in size <11.04124> not available +(Font) Font shape `OT1/ppl/b/n' tried instead on input line 1090. +LaTeX Font Info: Font shape `OT1/ppl/bx/it' in size <11.04124> not available + +(Font) Font shape `OT1/ppl/b/it' tried instead on input line 1090. + +LaTeX Font Info: Font shape `OT1/ppl/bx/n' in size <12.045> not available +(Font) Font shape `OT1/ppl/b/n' tried instead on input line 1090. +LaTeX Font Info: Font shape `OT1/ppl/bx/it' in size <12.045> not available +(Font) Font shape `OT1/ppl/b/it' tried instead on input line 1090. + +LaTeX Font Info: Font shape `OT1/ppl/bx/n' in size <17.06374> not available +(Font) Font shape `OT1/ppl/b/n' tried instead on input line 1090. +LaTeX Font Info: Font shape `OT1/ppl/bx/it' in size <17.06374> not available + +(Font) Font shape `OT1/ppl/b/it' tried instead on input line 1090. + +LaTeX Font Info: Font shape `OT1/ppl/bx/n' in size <20.075> not available +(Font) Font shape `OT1/ppl/b/n' tried instead on input line 1090. +LaTeX Font Info: Font shape `OT1/ppl/bx/it' in size <20.075> not available +(Font) Font shape `OT1/ppl/b/it' tried instead on input line 1090. 
+ +LaTeX Font Info: Font shape `OT1/ppl/bx/n' in size <24.09> not available +(Font) Font shape `OT1/ppl/b/n' tried instead on input line 1090. +LaTeX Font Info: Font shape `OT1/ppl/bx/it' in size <24.09> not available +(Font) Font shape `OT1/ppl/b/it' tried instead on input line 1090. + +\IEEEquantizedlength=\dimen147 +\IEEEquantizedlengthdiff=\dimen148 +\IEEEquantizedtextheightdiff=\dimen149 +\IEEEilabelindentA=\dimen150 +\IEEEilabelindentB=\dimen151 +\IEEEilabelindent=\dimen152 +\IEEEelabelindent=\dimen153 +\IEEEdlabelindent=\dimen154 +\IEEElabelindent=\dimen155 +\IEEEiednormlabelsep=\dimen156 +\IEEEiedmathlabelsep=\dimen157 +\IEEEiedtopsep=\skip48 +\c@section=\count190 +\c@subsection=\count191 +\c@subsubsection=\count192 +\c@paragraph=\count193 +\c@IEEEsubequation=\count194 +\abovecaptionskip=\skip49 +\belowcaptionskip=\skip50 +\c@figure=\count195 +\c@table=\count196 +\@IEEEeqnnumcols=\count197 +\@IEEEeqncolcnt=\count198 +\@IEEEsubeqnnumrollback=\count199 +\@IEEEquantizeheightA=\dimen158 +\@IEEEquantizeheightB=\dimen159 +\@IEEEquantizeheightC=\dimen160 +\@IEEEquantizeprevdepth=\dimen161 +\@IEEEquantizemultiple=\count266 +\@IEEEquantizeboxA=\box51 +\@IEEEtmpitemindent=\dimen162 +\IEEEPARstartletwidth=\dimen163 +\c@IEEEbiography=\count267 +\@IEEEtranrubishbin=\box52 +) (/usr/share/texlive/texmf-dist/tex/latex/cite/cite.sty +LaTeX Info: Redefining \cite on input line 302. +LaTeX Info: Redefining \nocite on input line 332. +Package: cite 2015/02/27 v 5.5 +) +(/usr/share/texlive/texmf-dist/tex/latex/amsmath/amsmath.sty +Package: amsmath 2023/05/13 v2.17o AMS math features +\@mathmargin=\skip51 + +For additional information on amsmath, use the `?' option. 
+(/usr/share/texlive/texmf-dist/tex/latex/amsmath/amstext.sty +Package: amstext 2021/08/26 v2.01 AMS text + +(/usr/share/texlive/texmf-dist/tex/latex/amsmath/amsgen.sty +File: amsgen.sty 1999/11/30 v2.0 generic functions +\@emptytoks=\toks18 +\ex@=\dimen164 +)) +(/usr/share/texlive/texmf-dist/tex/latex/amsmath/amsbsy.sty +Package: amsbsy 1999/11/29 v1.2d Bold Symbols +\pmbraise@=\dimen165 +) +(/usr/share/texlive/texmf-dist/tex/latex/amsmath/amsopn.sty +Package: amsopn 2022/04/08 v2.04 operator names +) +\inf@bad=\count268 +LaTeX Info: Redefining \frac on input line 234. +\uproot@=\count269 +\leftroot@=\count270 +LaTeX Info: Redefining \overline on input line 399. +LaTeX Info: Redefining \colon on input line 410. +\classnum@=\count271 +\DOTSCASE@=\count272 +LaTeX Info: Redefining \ldots on input line 496. +LaTeX Info: Redefining \dots on input line 499. +LaTeX Info: Redefining \cdots on input line 620. +\Mathstrutbox@=\box53 +\strutbox@=\box54 +LaTeX Info: Redefining \big on input line 722. +LaTeX Info: Redefining \Big on input line 723. +LaTeX Info: Redefining \bigg on input line 724. +LaTeX Info: Redefining \Bigg on input line 725. +\big@size=\dimen166 +LaTeX Font Info: Redeclaring font encoding OML on input line 743. +LaTeX Font Info: Redeclaring font encoding OMS on input line 744. +\macc@depth=\count273 +LaTeX Info: Redefining \bmod on input line 905. +LaTeX Info: Redefining \pmod on input line 910. +LaTeX Info: Redefining \smash on input line 940. +LaTeX Info: Redefining \relbar on input line 970. +LaTeX Info: Redefining \Relbar on input line 971. 
+\c@MaxMatrixCols=\count274 +\dotsspace@=\muskip16 +\c@parentequation=\count275 +\dspbrk@lvl=\count276 +\tag@help=\toks19 +\row@=\count277 +\column@=\count278 +\maxfields@=\count279 +\andhelp@=\toks20 +\eqnshift@=\dimen167 +\alignsep@=\dimen168 +\tagshift@=\dimen169 +\tagwidth@=\dimen170 +\totwidth@=\dimen171 +\lineht@=\dimen172 +\@envbody=\toks21 +\multlinegap=\skip52 +\multlinetaggap=\skip53 +\mathdisplay@stack=\toks22 +LaTeX Info: Redefining \[ on input line 2953. +LaTeX Info: Redefining \] on input line 2954. +) +(/usr/share/texlive/texmf-dist/tex/latex/amsfonts/amssymb.sty +Package: amssymb 2013/01/14 v3.01 AMS font symbols + +(/usr/share/texlive/texmf-dist/tex/latex/amsfonts/amsfonts.sty +Package: amsfonts 2013/01/14 v3.01 Basic AMSFonts support +\symAMSa=\mathgroup4 +\symAMSb=\mathgroup5 +LaTeX Font Info: Redeclaring math symbol \hbar on input line 98. +LaTeX Font Info: Overwriting math alphabet `\mathfrak' in version `bold' +(Font) U/euf/m/n --> U/euf/b/n on input line 106. +)) +(/usr/share/texlive/texmf-dist/tex/latex/algorithms/algorithmic.sty +Package: algorithmic 2009/08/24 v0.1 Document Style `algorithmic' + +(/usr/share/texlive/texmf-dist/tex/latex/base/ifthen.sty +Package: ifthen 2022/04/13 v1.1d Standard LaTeX ifthen package (DPC) +) +(/usr/share/texlive/texmf-dist/tex/latex/graphics/keyval.sty +Package: keyval 2022/05/29 v1.15 key=value parser (DPC) +\KV@toks@=\toks23 +) +\c@ALC@unique=\count280 +\c@ALC@line=\count281 +\c@ALC@rem=\count282 +\c@ALC@depth=\count283 +\ALC@tlm=\skip54 +\algorithmicindent=\skip55 +) +(/usr/share/texlive/texmf-dist/tex/latex/graphics/graphicx.sty +Package: graphicx 2021/09/16 v1.2d Enhanced LaTeX Graphics (DPC,SPQR) + +(/usr/share/texlive/texmf-dist/tex/latex/graphics/graphics.sty +Package: graphics 2022/03/10 v1.4e Standard LaTeX Graphics (DPC,SPQR) + +(/usr/share/texlive/texmf-dist/tex/latex/graphics/trig.sty +Package: trig 2021/08/11 v1.11 sin cos tan (DPC) +) 
+(/usr/share/texlive/texmf-dist/tex/latex/graphics-cfg/graphics.cfg +File: graphics.cfg 2016/06/04 v1.11 sample graphics configuration +) +Package graphics Info: Driver file: pdftex.def on input line 107. + +(/usr/share/texlive/texmf-dist/tex/latex/graphics-def/pdftex.def +File: pdftex.def 2022/09/22 v1.2b Graphics/color driver for pdftex +)) +\Gin@req@height=\dimen173 +\Gin@req@width=\dimen174 +) +(/usr/share/texlive/texmf-dist/tex/latex/base/textcomp.sty +Package: textcomp 2020/02/02 v2.0n Standard LaTeX package +) +(/usr/share/texlive/texmf-dist/tex/generic/babel/babel.sty +Package: babel 2024/01/07 v24.1 The Babel package +\babel@savecnt=\count284 +\U@D=\dimen175 +\l@unhyphenated=\language9 + +(/usr/share/texlive/texmf-dist/tex/generic/babel/txtbabel.def) +\bbl@readstream=\read2 +\bbl@dirlevel=\count285 + +(/usr/share/texlive/texmf-dist/tex/generic/babel-english/english.ldf +Language: english 2017/06/06 v3.3r English support from the babel system +Package babel Info: Hyphen rules for 'british' set to \l@english +(babel) (\language0). Reported on input line 82. +Package babel Info: Hyphen rules for 'UKenglish' set to \l@english +(babel) (\language0). Reported on input line 83. +Package babel Info: Hyphen rules for 'canadian' set to \l@english +(babel) (\language0). Reported on input line 102. +Package babel Info: Hyphen rules for 'australian' set to \l@english +(babel) (\language0). Reported on input line 105. +Package babel Info: Hyphen rules for 'newzealand' set to \l@english +(babel) (\language0). Reported on input line 108. +)) +(/usr/share/texlive/texmf-dist/tex/generic/babel/locale/en/babel-english.tex +Package babel Info: Importing font and identification data for english +(babel) from babel-en.ini. Reported on input line 11. 
+) +(/usr/share/texlive/texmf-dist/tex/latex/microtype/microtype.sty +Package: microtype 2023/03/13 v3.1a Micro-typographical refinements (RS) + +(/usr/share/texlive/texmf-dist/tex/latex/etoolbox/etoolbox.sty +Package: etoolbox 2020/10/05 v2.5k e-TeX tools for LaTeX (JAW) +\etb@tempcnta=\count286 +) +\MT@toks=\toks24 +\MT@tempbox=\box55 +\MT@count=\count287 +LaTeX Info: Redefining \noprotrusionifhmode on input line 1059. +LaTeX Info: Redefining \leftprotrusion on input line 1060. +\MT@prot@toks=\toks25 +LaTeX Info: Redefining \rightprotrusion on input line 1078. +LaTeX Info: Redefining \textls on input line 1368. +\MT@outer@kern=\dimen176 +LaTeX Info: Redefining \textmicrotypecontext on input line 1988. +\MT@listname@count=\count288 + +(/usr/share/texlive/texmf-dist/tex/latex/microtype/microtype-pdftex.def +File: microtype-pdftex.def 2023/03/13 v3.1a Definitions specific to pdftex (RS) + +LaTeX Info: Redefining \lsstyle on input line 902. +LaTeX Info: Redefining \lslig on input line 902. +\MT@outer@space=\skip56 +) +Package microtype Info: Loading configuration file microtype.cfg. 
+ +(/usr/share/texlive/texmf-dist/tex/latex/microtype/microtype.cfg +File: microtype.cfg 2023/03/13 v3.1a microtype main configuration file (RS) +)) +(/usr/share/texlive/texmf-dist/tex/latex/booktabs/booktabs.sty +Package: booktabs 2020/01/12 v1.61803398 Publication quality tables +\heavyrulewidth=\dimen177 +\lightrulewidth=\dimen178 +\cmidrulewidth=\dimen179 +\belowrulesep=\dimen180 +\belowbottomsep=\dimen181 +\aboverulesep=\dimen182 +\abovetopsep=\dimen183 +\cmidrulesep=\dimen184 +\cmidrulekern=\dimen185 +\defaultaddspace=\dimen186 +\@cmidla=\count289 +\@cmidlb=\count290 +\@aboverulesep=\dimen187 +\@belowrulesep=\dimen188 +\@thisruleclass=\count291 +\@lastruleclass=\count292 +\@thisrulewidth=\dimen189 +) +(/usr/share/texlive/texmf-dist/tex/latex/xcolor/xcolor.sty +Package: xcolor 2023/11/15 v3.01 LaTeX color extensions (UK) + +(/usr/share/texlive/texmf-dist/tex/latex/graphics-cfg/color.cfg +File: color.cfg 2016/01/02 v1.6 sample color configuration +) +Package xcolor Info: Driver file: pdftex.def on input line 274. + +(/usr/share/texlive/texmf-dist/tex/latex/graphics/mathcolor.ltx) +Package xcolor Info: Model `cmy' substituted by `cmy0' on input line 1350. +Package xcolor Info: Model `hsb' substituted by `rgb' on input line 1354. +Package xcolor Info: Model `RGB' extended on input line 1366. +Package xcolor Info: Model `HTML' substituted by `rgb' on input line 1368. +Package xcolor Info: Model `Hsb' substituted by `hsb' on input line 1369. +Package xcolor Info: Model `tHsb' substituted by `hsb' on input line 1370. +Package xcolor Info: Model `HSB' substituted by `hsb' on input line 1371. +Package xcolor Info: Model `Gray' substituted by `gray' on input line 1372. +Package xcolor Info: Model `wave' substituted by `hsb' on input line 1373. 
+) +(/usr/share/texlive/texmf-dist/tex/latex/colortbl/colortbl.sty +Package: colortbl 2022/06/20 v1.0f Color table columns (DPC) + +(/usr/share/texlive/texmf-dist/tex/latex/tools/array.sty +Package: array 2023/10/16 v2.5g Tabular extension package (FMi) +\col@sep=\dimen190 +\ar@mcellbox=\box56 +\extrarowheight=\dimen191 +\NC@list=\toks26 +\extratabsurround=\skip57 +\backup@length=\skip58 +\ar@cellbox=\box57 +) +\everycr=\toks27 +\minrowclearance=\skip59 +\rownum=\count293 +) +(/usr/share/texlive/texmf-dist/tex/latex/tools/tabularx.sty +Package: tabularx 2023/07/08 v2.11c `tabularx' package (DPC) +\TX@col@width=\dimen192 +\TX@old@table=\dimen193 +\TX@old@col=\dimen194 +\TX@target=\dimen195 +\TX@delta=\dimen196 +\TX@cols=\count294 +\TX@ftn=\toks28 +) +(/usr/share/texlive/texmf-dist/tex/latex/multirow/multirow.sty +Package: multirow 2021/03/15 v2.8 Span multiple rows of a table +\multirow@colwidth=\skip60 +\multirow@cntb=\count295 +\multirow@dima=\skip61 +\bigstrutjot=\dimen197 +) +(/usr/share/texlive/texmf-dist/tex/latex/listings/listings.sty +\lst@mode=\count296 +\lst@gtempboxa=\box58 +\lst@token=\toks29 +\lst@length=\count297 +\lst@currlwidth=\dimen198 +\lst@column=\count298 +\lst@pos=\count299 +\lst@lostspace=\dimen199 +\lst@width=\dimen256 +\lst@newlines=\count300 +\lst@lineno=\count301 +\lst@maxwidth=\dimen257 + +(/usr/share/texlive/texmf-dist/tex/latex/listings/lstmisc.sty +File: lstmisc.sty 2023/02/27 1.9 (Carsten Heinz) +\c@lstnumber=\count302 +\lst@skipnumbers=\count303 +\lst@framebox=\box59 +) +(/usr/share/texlive/texmf-dist/tex/latex/listings/listings.cfg +File: listings.cfg 2023/02/27 1.9 listings configuration +)) +Package: listings 2023/02/27 1.9 (Carsten Heinz) + +(/usr/share/texlive/texmf-dist/tex/latex/base/alltt.sty +Package: alltt 2021/01/29 v2.0g defines alltt environment +) +(/usr/share/texlive/texmf-dist/tex/latex/hyperref/hyperref.sty +Package: hyperref 2024-01-20 v7.01h Hypertext links for LaTeX + 
+(/usr/share/texlive/texmf-dist/tex/generic/iftex/iftex.sty +Package: iftex 2022/02/03 v1.0f TeX engine tests +) +(/usr/share/texlive/texmf-dist/tex/latex/kvsetkeys/kvsetkeys.sty +Package: kvsetkeys 2022-10-05 v1.19 Key value parser (HO) +) +(/usr/share/texlive/texmf-dist/tex/generic/kvdefinekeys/kvdefinekeys.sty +Package: kvdefinekeys 2019-12-19 v1.6 Define keys (HO) +) +(/usr/share/texlive/texmf-dist/tex/generic/pdfescape/pdfescape.sty +Package: pdfescape 2019/12/09 v1.15 Implements pdfTeX's escape features (HO) + +(/usr/share/texlive/texmf-dist/tex/generic/ltxcmds/ltxcmds.sty +Package: ltxcmds 2023-12-04 v1.26 LaTeX kernel commands for general use (HO) +) +(/usr/share/texlive/texmf-dist/tex/generic/pdftexcmds/pdftexcmds.sty +Package: pdftexcmds 2020-06-27 v0.33 Utility functions of pdfTeX for LuaTeX (HO +) + +(/usr/share/texlive/texmf-dist/tex/generic/infwarerr/infwarerr.sty +Package: infwarerr 2019/12/03 v1.5 Providing info/warning/error messages (HO) +) +Package pdftexcmds Info: \pdf@primitive is available. +Package pdftexcmds Info: \pdf@ifprimitive is available. +Package pdftexcmds Info: \pdfdraftmode found. 
+)) +(/usr/share/texlive/texmf-dist/tex/latex/hycolor/hycolor.sty +Package: hycolor 2020-01-27 v1.10 Color options for hyperref/bookmark (HO) +) +(/usr/share/texlive/texmf-dist/tex/latex/auxhook/auxhook.sty +Package: auxhook 2019-12-17 v1.6 Hooks for auxiliary files (HO) +) +(/usr/share/texlive/texmf-dist/tex/latex/hyperref/nameref.sty +Package: nameref 2023-11-26 v2.56 Cross-referencing by name of section + +(/usr/share/texlive/texmf-dist/tex/latex/refcount/refcount.sty +Package: refcount 2019/12/15 v3.6 Data extraction from label references (HO) +) +(/usr/share/texlive/texmf-dist/tex/generic/gettitlestring/gettitlestring.sty +Package: gettitlestring 2019/12/15 v1.6 Cleanup title references (HO) + +(/usr/share/texlive/texmf-dist/tex/latex/kvoptions/kvoptions.sty +Package: kvoptions 2022-06-15 v3.15 Key value format for package options (HO) +)) +\c@section@level=\count304 +) +\@linkdim=\dimen258 +\Hy@linkcounter=\count305 +\Hy@pagecounter=\count306 + +(/usr/share/texlive/texmf-dist/tex/latex/hyperref/pd1enc.def +File: pd1enc.def 2024-01-20 v7.01h Hyperref: PDFDocEncoding definition (HO) +Now handling font encoding PD1 ... +... no UTF-8 mapping file for font encoding PD1 +) +(/usr/share/texlive/texmf-dist/tex/generic/intcalc/intcalc.sty +Package: intcalc 2019/12/15 v1.3 Expandable calculations with integers (HO) +) +\Hy@SavedSpaceFactor=\count307 + +(/usr/share/texlive/texmf-dist/tex/latex/hyperref/puenc.def +File: puenc.def 2024-01-20 v7.01h Hyperref: PDF Unicode definition (HO) +Now handling font encoding PU ... +... no UTF-8 mapping file for font encoding PU +) +Package hyperref Info: Hyper figures OFF on input line 4179. +Package hyperref Info: Link nesting OFF on input line 4184. +Package hyperref Info: Hyper index ON on input line 4187. +Package hyperref Info: Plain pages OFF on input line 4194. +Package hyperref Info: Backreferencing OFF on input line 4199. +Package hyperref Info: Implicit mode ON; LaTeX internals redefined. 
+Package hyperref Info: Bookmarks ON on input line 4446. +\c@Hy@tempcnt=\count308 + +(/usr/share/texlive/texmf-dist/tex/latex/url/url.sty +\Urlmuskip=\muskip17 +Package: url 2013/09/16 ver 3.4 Verb mode for urls, etc. +) +LaTeX Info: Redefining \url on input line 4784. +\XeTeXLinkMargin=\dimen259 + +(/usr/share/texlive/texmf-dist/tex/generic/bitset/bitset.sty +Package: bitset 2019/12/09 v1.3 Handle bit-vector datatype (HO) + +(/usr/share/texlive/texmf-dist/tex/generic/bigintcalc/bigintcalc.sty +Package: bigintcalc 2019/12/15 v1.5 Expandable calculations on big integers (HO +) +)) +\Fld@menulength=\count309 +\Field@Width=\dimen260 +\Fld@charsize=\dimen261 +Package hyperref Info: Hyper figures OFF on input line 6063. +Package hyperref Info: Link nesting OFF on input line 6068. +Package hyperref Info: Hyper index ON on input line 6071. +Package hyperref Info: backreferencing OFF on input line 6078. +Package hyperref Info: Link coloring OFF on input line 6083. +Package hyperref Info: Link coloring with OCG OFF on input line 6088. +Package hyperref Info: PDF/A mode OFF on input line 6093. + +(/usr/share/texlive/texmf-dist/tex/latex/base/atbegshi-ltx.sty +Package: atbegshi-ltx 2021/01/10 v1.0c Emulation of the original atbegshi +package with kernel methods +) +\Hy@abspage=\count310 +\c@Item=\count311 +\c@Hfootnote=\count312 +) +Package hyperref Info: Driver (autodetected): hpdftex. 
+ +(/usr/share/texlive/texmf-dist/tex/latex/hyperref/hpdftex.def +File: hpdftex.def 2024-01-20 v7.01h Hyperref driver for pdfTeX + +(/usr/share/texlive/texmf-dist/tex/latex/base/atveryend-ltx.sty +Package: atveryend-ltx 2020/08/19 v1.0a Emulation of the original atveryend pac +kage +with kernel methods +) +\Fld@listcount=\count313 +\c@bookmark@seq@number=\count314 + +(/usr/share/texlive/texmf-dist/tex/latex/rerunfilecheck/rerunfilecheck.sty +Package: rerunfilecheck 2022-07-10 v1.10 Rerun checks for auxiliary files (HO) + +(/usr/share/texlive/texmf-dist/tex/generic/uniquecounter/uniquecounter.sty +Package: uniquecounter 2019/12/15 v1.4 Provide unlimited unique counter (HO) +) +Package uniquecounter Info: New unique counter `rerunfilecheck' on input line 2 +85. +) +\Hy@SectionHShift=\skip62 +) +(/usr/share/texlive/texmf-dist/tex/latex/xurl/xurl.sty +Package: xurl 2022/01/09 v 0.10 modify URL breaks +) +Package hyperref Info: Option `colorlinks' set `true' on input line 28. + +(/usr/share/texlive/texmf-dist/tex/latex/tools/bm.sty +Package: bm 2023/07/08 v1.2f Bold Symbol Support (DPC/FMi) +\symboldoperators=\mathgroup6 +\symboldletters=\mathgroup7 +\symboldsymbols=\mathgroup8 +Package bm Info: No bold for \OMX/cmex/m/n, using \pmb. +Package bm Info: No bold for \U/msa/m/n, using \pmb. +Package bm Info: No bold for \U/msb/m/n, using \pmb. +LaTeX Font Info: Redeclaring math alphabet \mathbf on input line 149. +) +(/usr/share/texlive/texmf-dist/tex/latex/psnfss/courier.sty +Package: courier 2020/03/25 PSNFSS-v9.3 (WaS) +) +\symrsfs=\mathgroup9 +{/var/lib/texmf/fonts/map/pdftex/updmap/pdftex.map}{t1-formata.map}{t1-times.ma +p}{t1-helvetica.map}{t1-giovannistd.map} +(/usr/share/texlive/texmf-dist/tex/latex/l3backend/l3backend-pdftex.def +File: l3backend-pdftex.def 2024-01-04 L3 backend support: PDF output (pdfTeX) +\l__color_backend_stack_int=\count315 +\l__pdf_internal_box=\box60 +) +(./access.aux) +\openout1 = `access.aux'. 
+ +LaTeX Font Info: Checking defaults for OML/cmm/m/it on input line 85. +LaTeX Font Info: ... okay on input line 85. +LaTeX Font Info: Checking defaults for OMS/cmsy/m/n on input line 85. +LaTeX Font Info: ... okay on input line 85. +LaTeX Font Info: Checking defaults for OT1/cmr/m/n on input line 85. +LaTeX Font Info: ... okay on input line 85. +LaTeX Font Info: Checking defaults for T1/cmr/m/n on input line 85. +LaTeX Font Info: ... okay on input line 85. +LaTeX Font Info: Checking defaults for TS1/cmr/m/n on input line 85. +LaTeX Font Info: ... okay on input line 85. +LaTeX Font Info: Checking defaults for OMX/cmex/m/n on input line 85. +LaTeX Font Info: ... okay on input line 85. +LaTeX Font Info: Checking defaults for U/cmr/m/n on input line 85. +LaTeX Font Info: ... okay on input line 85. +LaTeX Font Info: Checking defaults for PD1/pdf/m/n on input line 85. +LaTeX Font Info: ... okay on input line 85. +LaTeX Font Info: Checking defaults for PU/pdf/m/n on input line 85. +LaTeX Font Info: ... okay on input line 85. + +-- Lines per column: 61 (exact). +(/usr/share/texlive/texmf-dist/tex/context/base/mkii/supp-pdf.mkii +[Loading MPS to PDF converter (version 2006.09.02).] +\scratchcounter=\count316 +\scratchdimen=\dimen262 +\scratchbox=\box61 +\nofMPsegments=\count317 +\nofMParguments=\count318 +\everyMPshowfont=\toks30 +\MPscratchCnt=\count319 +\MPscratchDim=\dimen263 +\MPnumerator=\count320 +\makeMPintoPDFobject=\count321 +\everyMPtoPDFconversion=\toks31 +) (/usr/share/texlive/texmf-dist/tex/latex/epstopdf-pkg/epstopdf-base.sty +Package: epstopdf-base 2020-01-24 v2.11 Base part for package epstopdf +Package epstopdf-base Info: Redefining graphics rule for `.eps' on input line 4 +85. + +(/usr/share/texlive/texmf-dist/tex/latex/latexconfig/epstopdf-sys.cfg +File: epstopdf-sys.cfg 2010/07/13 v1.3 Configuration of (r)epstopdf for TeX Liv +e +)) +LaTeX Info: Redefining \microtypecontext on input line 85. 
+Package microtype Info: Applying patch `item' on input line 85. +Package microtype Info: Applying patch `toc' on input line 85. +Package microtype Info: Applying patch `eqnum' on input line 85. +Package microtype Info: Applying patch `footnote' on input line 85. +Package microtype Info: Applying patch `verbatim' on input line 85. +Package microtype Info: Generating PDF output. +Package microtype Info: Character protrusion enabled (level 2). +Package microtype Info: Using default protrusion set `alltext'. +Package microtype Info: Automatic font expansion enabled (level 2), +(microtype) stretch: 20, shrink: 20, step: 1, non-selected. +Package microtype Info: Using default expansion set `alltext-nott'. +LaTeX Info: Redefining \showhyphens on input line 85. +Package microtype Info: No adjustment of tracking. +Package microtype Info: No adjustment of interword spacing. +Package microtype Info: No adjustment of character kerning. + +(/usr/share/texlive/texmf-dist/tex/latex/microtype/mt-ppl.cfg +File: mt-ppl.cfg 2005/11/16 v1.6 microtype config. file: Palatino (RS) +) +\c@lstlisting=\count322 +Package hyperref Info: Link coloring ON on input line 85. + (./access.out) +(./access.out) +\@outlinefile=\write3 +\openout3 = `access.out'. + + (/usr/share/texlive/texmf-dist/tex/latex/psnfss/t1pcr.fd +File: t1pcr.fd 2001/06/04 font definitions for T1/pcr. +) +LaTeX Font Info: Trying to load font information for OT1+phv on input line 1 +04. + +(/usr/share/texlive/texmf-dist/tex/latex/psnfss/ot1phv.fd +File: ot1phv.fd 2020/03/25 scalable font definitions for OT1/phv. +) +Package microtype Info: Loading generic protrusion settings for font family +(microtype) `phv' (encoding: OT1). +(microtype) For optimal results, create family-specific settings. +(microtype) See the microtype manual for details. +LaTeX Font Info: Font shape `OT1/phv/m/it' in size <11.04124> not available +(Font) Font shape `OT1/phv/m/sl' tried instead on input line 104. 
+LaTeX Font Info: Trying to load font information for OT1+pcr on input line 1 +04. + +(/usr/share/texlive/texmf-dist/tex/latex/psnfss/ot1pcr.fd +File: ot1pcr.fd 2001/06/04 font definitions for OT1/pcr. +) +Package microtype Info: Loading generic protrusion settings for font family +(microtype) `pcr' (encoding: OT1). +(microtype) For optimal results, create family-specific settings. +(microtype) See the microtype manual for details. +LaTeX Font Info: Calculating math sizes for size <8.03> on input line 104. + +(/usr/share/texlive/texmf-dist/tex/latex/microtype/mt-cmr.cfg +File: mt-cmr.cfg 2013/05/19 v2.2 microtype config. file: Computer Modern Roman +(RS) +) +LaTeX Font Info: Trying to load font information for U+msa on input line 104 +. + +(/usr/share/texlive/texmf-dist/tex/latex/amsfonts/umsa.fd +File: umsa.fd 2013/01/14 v3.01 AMS symbols A +) +(/usr/share/texlive/texmf-dist/tex/latex/microtype/mt-msa.cfg +File: mt-msa.cfg 2006/02/04 v1.1 microtype config. file: AMS symbols (a) (RS) +) +LaTeX Font Info: Trying to load font information for U+msb on input line 104 +. + +(/usr/share/texlive/texmf-dist/tex/latex/amsfonts/umsb.fd +File: umsb.fd 2013/01/14 v3.01 AMS symbols B +) +(/usr/share/texlive/texmf-dist/tex/latex/microtype/mt-msb.cfg +File: mt-msb.cfg 2005/06/01 v1.0 microtype config. file: AMS symbols (b) (RS) +) +LaTeX Font Info: Font shape `U/rsfs/m/n' will be +(Font) scaled to size 8.43152pt on input line 104. +LaTeX Font Info: Font shape `U/rsfs/m/n' will be +(Font) scaled to size 5.90202pt on input line 104. +LaTeX Font Info: Font shape `U/rsfs/m/n' will be +(Font) scaled to size 4.21576pt on input line 104. +LaTeX Font Info: Calculating math sizes for size <11.04124> on input line 10 +4. +LaTeX Font Info: Font shape `U/rsfs/m/n' will be +(Font) scaled to size 11.59334pt on input line 104. +LaTeX Font Info: Font shape `U/rsfs/m/n' will be +(Font) scaled to size 8.1153pt on input line 104. 
+LaTeX Font Info: Font shape `U/rsfs/m/n' will be +(Font) scaled to size 5.79666pt on input line 104. +LaTeX Font Info: Trying to load font information for U+pzd on input line 104 +. + +(/usr/share/texlive/texmf-dist/tex/latex/psnfss/upzd.fd +File: upzd.fd 2001/06/04 font definitions for U/pzd. +) +LaTeX Font Info: Calculating math sizes for size <9.53561> on input line 117 +. +LaTeX Font Info: Font shape `U/rsfs/m/n' will be +(Font) scaled to size 10.01242pt on input line 117. +LaTeX Font Info: Font shape `U/rsfs/m/n' will be +(Font) scaled to size 7.00865pt on input line 117. +LaTeX Font Info: Font shape `U/rsfs/m/n' will be +(Font) scaled to size 5.00621pt on input line 117. + +Overfull \hbox (11.12715pt too wide) in paragraph at lines 143--143 +[]|\OT1/ppl/m/n/9.03374 (-20) Validation/mutation + [] + +(../docs/reproducibility/baselines.tex) +Underfull \vbox (badness 10000) has occurred while \output is active [] + + [1{/usr/share/texlive/texmf-dist/fonts/enc/dvips/base/8r.enc} + + +] [2] +Underfull \hbox (badness 2707) in paragraph at lines 237--238 +\OT1/ppl/m/n/9.53561 (+20) and re-ports four pol-icy vi-o-la-tions: \OT1/pcr/m/ +n/9.53561 no_privileged\OT1/ppl/m/n/9.53561 (+20) , + [] + + +Underfull \hbox (badness 10000) in paragraph at lines 237--238 +\OT1/pcr/m/n/9.53561 drop_capabilities\OT1/ppl/m/n/9.53561 (+20) , \OT1/pcr/m/n +/9.53561 run_as_non_root\OT1/ppl/m/n/9.53561 (+20) , and + [] + + +Underfull \hbox (badness 1533) in paragraph at lines 237--238 +\OT1/pcr/m/n/9.53561 no_latest_tag\OT1/ppl/m/n/9.53561 (+20) . These cor-re-spo +nd to the struc-tured + [] + +[3] +Underfull \hbox (badness 5563) in paragraph at lines 276--277 +\OT1/ppl/m/it/9.53561 (+20) 1. 
De-tect\OT1/ppl/m/n/9.53561 (+20) : The de-tec-t +or flags \OT1/pcr/m/n/9.53561 read_only_root_fs\OT1/ppl/m/n/9.53561 (+20) , + [] + + +Underfull \hbox (badness 1939) in paragraph at lines 313--313 +[]|\OT1/ppl/m/n/7.02625 (+20) Scanner checks; no server dry- + [] + + +Underfull \hbox (badness 10000) in paragraph at lines 328--341 +[] + [] + + +Underfull \hbox (badness 2134) in paragraph at lines 328--341 +\OT1/ppl/m/n/9.53561 (+20) re-source bounds, and re-peat-able per-for-mance cla +ims + [] + +[4] +LaTeX Font Info: Trying to load font information for OMS+pcr on input line 3 +54. + (/usr/share/texlive/texmf-dist/tex/latex/psnfss/omspcr.fd +File: omspcr.fd +) +LaTeX Font Info: Font shape `OMS/pcr/m/n' in size <9.53561> not available +(Font) Font shape `OMS/cmsy/m/n' tried instead on input line 354. + +Underfull \hbox (badness 1546) in paragraph at lines 354--355 +[]\OT1/ppl/b/n/9.53561 (+20) Policy Re-check: \OT1/ppl/m/n/9.53561 (+20) The pa +tched man-i-fest is re- + [] + + +Underfull \hbox (badness 10000) in paragraph at lines 354--355 +\OT1/ppl/m/n/9.53561 (+20) each cov-ered pol-icy (e.g., \OT1/pcr/m/n/9.53561 no +_latest_tag\OT1/ppl/m/n/9.53561 (+20) , + [] + + +Underfull \hbox (badness 10000) in paragraph at lines 354--355 +\OT1/pcr/m/n/9.53561 no_privileged\OT1/ppl/m/n/9.53561 (+20) , \OT1/pcr/m/n/9.5 +3561 drop_capabilities\OT1/ppl/m/n/9.53561 (+20) , + [] + + +Underfull \hbox (badness 10000) in paragraph at lines 354--355 +\OT1/pcr/m/n/9.53561 drop_cap_sys_admin\OT1/ppl/m/n/9.53561 (+20) , \OT1/pcr/m/ +n/9.53561 run_as_non_root\OT1/ppl/m/n/9.53561 (+20) , + [] + + +Underfull \hbox (badness 10000) in paragraph at lines 354--355 +\OT1/pcr/m/n/9.53561 read_only_root_fs\OT1/ppl/m/n/9.53561 (+20) , \OT1/pcr/m/n +/9.53561 no_host_* \OT1/ppl/m/n/9.53561 (+20) flags, + [] + + +Underfull \hbox (badness 10000) in paragraph at lines 354--355 +\OT1/pcr/m/n/9.53561 no_allow_privilege_escalation\OT1/ppl/m/n/9.53561 (+20) , + [] + + +Underfull \hbox (badness 10000) in 
paragraph at lines 354--355 +\OT1/pcr/m/n/9.53561 enforce_seccomp\OT1/ppl/m/n/9.53561 (+20) , \OT1/pcr/m/n/9 +.53561 set_requests_limits\OT1/ppl/m/n/9.53561 (+20) ); + [] + + +Underfull \hbox (badness 4569) in paragraph at lines 354--355 +\OT1/pcr/m/n/9.53561 --enable-rescan\OT1/ppl/m/n/9.53561 (+20) . Non-allowliste +d \OT1/pcr/m/n/9.53561 hostPath + [] + + +Underfull \hbox (badness 10000) in paragraph at lines 356--357 +[]\OT1/ppl/b/n/9.53561 (+20) Server-side Dry-run: \OT1/ppl/m/n/9.53561 (+20) Wh +en \OT1/pcr/m/n/9.53561 kubectl \OT1/ppl/m/n/9.53561 (+20) is + [] + + +Underfull \hbox (badness 10000) in paragraph at lines 356--357 +\OT1/pcr/m/n/9.53561 --dry-run=server \OT1/ppl/m/n/9.53561 (+20) to sim-u-late +how the + [] + + +Underfull \hbox (badness 10000) in paragraph at lines 359--360 +[]\OT1/ppl/b/n/9.53561 (+20) No priv-i-leged con-tain-ers: \OT1/ppl/m/n/9.53561 + (+20) Blocks + [] + + +Underfull \hbox (badness 2277) in paragraph at lines 360--361 +[]\OT1/ppl/b/n/9.53561 (+20) Dangerous ca-pa-bil-i-ties blocked: \OT1/ppl/m/n/9 +.53561 (+20) Re-jects + [] + + +Underfull \hbox (badness 10000) in paragraph at lines 360--361 +\OT1/pcr/m/n/9.53561 capabilities.add \OT1/ppl/m/n/9.53561 (+20) en-tries con-t +ain-ing + [] + + +Underfull \hbox (badness 10000) in paragraph at lines 360--361 +\OT1/pcr/m/n/9.53561 NET_RAW\OT1/ppl/m/n/9.53561 (+20) , \OT1/pcr/m/n/9.53561 N +ET_ADMIN\OT1/ppl/m/n/9.53561 (+20) , \OT1/pcr/m/n/9.53561 SYS_ADMIN\OT1/ppl/m/n +/9.53561 (+20) , + [] + +LaTeX Font Info: Trying to load font information for OMS+phv on input line 3 +95. +(/usr/share/texlive/texmf-dist/tex/latex/psnfss/omsphv.fd +File: omsphv.fd +) +LaTeX Font Info: Font shape `OMS/phv/m/n' in size <8.03> not available +(Font) Font shape `OMS/cmsy/m/n' tried instead on input line 395. + +Underfull \hbox (badness 1577) in paragraph at lines 395--395 +\OT1/phv/m/n/8.03 (+20) Figure 1. 
[]Closed-loop ar-chi-tec-ture with de-tec-tor +, pro-poser, and ver-i-fier gates (pol-icy re-check, schema val-i-da-tion, \OT1 +/pcr/m/n/8.03 kubectl apply + [] + +[5] (/usr/share/texlive/texmf-dist/tex/latex/psnfss/omsppl.fd) +Underfull \hbox (badness 10000) in paragraph at lines 435--435 +\OT1/pcr/m/n/8.03 policy_id\OT1/ppl/m/n/8.03 (+20) , \OT1/pcr/m/n/8.03 violatio +n_text\OMS/cmsy/m/n/8 g\OT1/ppl/m/n/8.03 (+20) ; seeded by \OT1/pcr/m/n/8.03 da +ta/manifests/001.yaml \OT1/ppl/m/n/8.03 (+20) and + [] + + +Underfull \hbox (badness 10000) in paragraph at lines 435--435 +\OT1/ppl/m/n/8.03 (+20) Cur-rent pol-icy checks as-sert the trig-ger-ing pol-ic +y (e.g., \OT1/pcr/m/n/8.03 no_latest_tag\OT1/ppl/m/n/8.03 (+20) , + [] + + +Underfull \hbox (badness 10000) in paragraph at lines 435--435 +\OT1/pcr/m/n/8.03 read_only_root_fs\OT1/ppl/m/n/8.03 (+20) , \OT1/pcr/m/n/8.03 +no_host_* \OT1/ppl/m/n/8.03 (+20) flags, \OT1/pcr/m/n/8.03 no_allow_privilege_e +scalation\OT1/ppl/m/n/8.03 (+20) , + [] + + +Underfull \hbox (badness 10000) in paragraph at lines 461--462 +\OT1/ppl/m/n/9.53561 (+20) con-tract tests, \OT1/pcr/m/n/9.53561 tests/test_pro +perty_guards.py + [] + + +Underfull \hbox (badness 1931) in paragraph at lines 461--462 +\OT1/ppl/m/n/9.53561 (+20) to ver-ify that the per-policy patch-ers be-have saf +ely + [] + + +Underfull \hbox (badness 10000) in paragraph at lines 461--462 +\OT1/ppl/m/n/9.53561 (+20) (e.g., \OT1/pcr/m/n/9.53561 drop_capabilities\OT1/pp +l/m/n/9.53561 (+20) , \OT1/pcr/m/n/9.53561 drop_cap_sys_admin\OT1/ppl/m/n/9.535 +61 (+20) , + [] + + +Underfull \hbox (badness 10000) in paragraph at lines 461--462 +\OT1/pcr/m/n/9.53561 run_as_non_root\OT1/ppl/m/n/9.53561 (+20) , \OT1/pcr/m/n/9 +.53561 enforce_seccomp\OT1/ppl/m/n/9.53561 (+20) , + [] + + +Underfull \hbox (badness 10000) in paragraph at lines 461--462 +\OT1/pcr/m/n/9.53561 no_allow_privilege_escalation\OT1/ppl/m/n/9.53561 (+20) , +\OT1/pcr/m/n/9.53561 no_host_path\OT1/ppl/m/n/9.53561 (+20) ). 
+ [] + + +Underfull \hbox (badness 10000) in paragraph at lines 464--465 +\OT1/ppl/m/n/9.53561 (+20) Two de-lib-er-ately vul-ner-a-ble man-i-fests (\OT1/ +pcr/m/n/9.53561 001.yaml\OT1/ppl/m/n/9.53561 (+20) , + [] + + +Underfull \hbox (badness 1577) in paragraph at lines 466--467 +\OT1/ppl/m/n/9.53561 (+20) for the re-gen-er-a-tions in Sec-tion [][]5.4[][]; t +he full de-pen- + [] + +(./grok_failures_table.tex) +Underfull \hbox (badness 10000) in paragraph at lines 512--513 +\OT1/ppl/b/n/9.53561 (+20) Detector ac-cu-racy. \OT1/ppl/m/n/9.53561 (+20) Run- +ning + [] + + +Underfull \hbox (badness 6842) in paragraph at lines 512--513 +\OT1/pcr/m/n/9.53561 scripts/eval_detector.py \OT1/ppl/m/n/9.53561 (+20) on a s +yn-thetic nine- + [] + +[6] +Underfull \vbox (badness 2318) has occurred while \output is active [] + + [7] +<../figures/fairness_waits.png, id=362, 469.755pt x 252.945pt> +File: ../figures/fairness_waits.png Graphic file (type png) + +Package pdftex.def Info: ../figures/fairness_waits.png used on input line 554. + +(pdftex.def) Requested size: 227.64894pt x 122.57782pt. + +[8 <../figures/fairness_waits.png>] +<../figures/admission_vs_posthoc.png, id=382, 867.24pt x 505.89pt> +File: ../figures/admission_vs_posthoc.png Graphic file (type png) + +Package pdftex.def Info: ../figures/admission_vs_posthoc.png used on input lin +e 600. +(pdftex.def) Requested size: 227.64894pt x 132.79425pt. + +Underfull \hbox (badness 5490) in paragraph at lines 601--601 +\OT1/phv/m/n/8.03 (+20) Figure 3. []Comparison of admission-time (Kyverno) and +post- + [] + +<../figures/mode_comparison.png, id=383, 433.62pt x 289.08pt> +File: ../figures/mode_comparison.png Graphic file (type png) + +Package pdftex.def Info: ../figures/mode_comparison.png used on input line 607 +. +(pdftex.def) Requested size: 227.64894pt x 151.76926pt. 
+<../figures/operator_ab.png, id=386, 571.4148pt x 353.6412pt> +File: ../figures/operator_ab.png Graphic file (type png) + +Package pdftex.def Info: ../figures/operator_ab.png used on input line 614. +(pdftex.def) Requested size: 227.64894pt x 140.88737pt. + +Overfull \hbox (65.95776pt too wide) in paragraph at lines 644--655 + [][] + [] + +[9 <../figures/admission_vs_posthoc.png> <../figures/mode_comparison.png> <../f +igures/operator_ab.png>] +Underfull \hbox (badness 10000) in paragraph at lines 672--673 +\OT1/ppl/m/n/9.53561 (+20) The re-pro-ducibil-ity bun-dle (\OT1/pcr/m/n/9.53561 + make + [] + + +Underfull \hbox (badness 3989) in paragraph at lines 672--673 +\OT1/ppl/m/n/9.53561 (+20) be-fore ver-i-fi-ca-tion. We threat-modeled ma-li-ci +ous or + [] + + +Underfull \hbox (badness 1838) in paragraph at lines 672--673 +\OT1/ppl/m/n/9.53561 (+20) sur-faces un-ver-i-fied patches. Resid-ual risks|pri +marily + [] + + +Underfull \hbox (badness 1681) in paragraph at lines 672--673 +\OT1/ppl/m/n/9.53561 (+20) guardrails harden high-privilege Dae-mon-Sets with-o +ut + [] + + +Underfull \hbox (badness 10000) in paragraph at lines 723--723 + \OT1/phv/b/n/9.53561 (+20) 5.7 Threat In-tel-li-gence and Risk Scor-ing + [] + + +Underfull \vbox (badness 10000) has occurred while \output is active [] + + [10] +Underfull \hbox (badness 6592) in paragraph at lines 753--754 +\OT1/ppl/m/n/9.53561 (+20) CLI base-line (\OT1/pcr/m/n/9.53561 scripts/run_kyve +rno_baseline.py\OT1/ppl/m/n/9.53561 (+20) , + [] + + +Underfull \hbox (badness 10000) in paragraph at lines 753--754 +\OT1/pcr/m/n/9.53561 data/baselines/kyverno_baseline.csv\OT1/ppl/m/n/9.53561 (+ +20) ) achieves + [] + +[11] +Underfull \hbox (badness 10000) in paragraph at lines 789--789 +[]\OT1/pcr/m/n/9.53561 --- a/manifest.yaml +++ b/manifest.yaml + [] + + +Underfull \hbox (badness 10000) in paragraph at lines 789--789 +\OT1/pcr/m/n/9.53561 
@@ -8,4 +8,4 @@ volumes: - name: + [] + + +Underfull \hbox (badness 10000) in paragraph at lines 789--789 +\OT1/pcr/m/n/9.53561 host-data hostPath: - path: /var/lib/data + [] + +[12] +LaTeX Font Info: Trying to load font information for TS1+ppl on input line 8 +74. + (/usr/share/texlive/texmf-dist/tex/latex/psnfss/ts1ppl.fd +File: ts1ppl.fd 2001/06/04 font definitions for TS1/ppl. +) +Underfull \hbox (badness 4492) in paragraph at lines 878--879 +[]\OT1/ppl/m/n/9.53561 (+20) Near-term ef-forts fo-cus on keep-ing the seeded + [] + + +Underfull \hbox (badness 1742) in paragraph at lines 878--879 +\OT1/ppl/m/n/9.53561 (+20) em-bed-ded sur-veys to val-i-date the sched-uler aga +inst + [] + + +Underfull \hbox (badness 10000) in paragraph at lines 878--879 +\OT1/pcr/m/n/9.53561 e4af5efa7b0a52d7b7e58d76879b0060b354af27\OT1/ppl/m/n/9.535 +61 (+20) ), + [] + + +Underfull \hbox (badness 10000) in paragraph at lines 878--879 +\OT1/ppl/m/n/9.53561 (+20) with a long-term snap-shot mir-rored in + [] + + +Overfull \hbox (10.90501pt too wide) in paragraph at lines 878--879 +\OT1/pcr/m/n/9.53561 archives/k8s-auto-fix-evidence-20251020.tar.gz\OT1/ppl/m/n +/9.53561 (-20) . + [] + + +Underfull \hbox (badness 1354) in paragraph at lines 922--923 +[]\OT1/ppl/m/n/8.03 (+20) FIRST Ex-ploit Pre-dic-tion Scor-ing Sys-tem (EPSS). +Ac-cessed: + [] + +[13] + +File: brian_mendonca_photo.png Graphic file (type png) + +Package pdftex.def Info: brian_mendonca_photo.png used on input line 971. +(pdftex.def) Requested size: 72.26357pt x 56.37804pt. +File: brian_mendonca_photo.png Graphic file (type png) + +Package pdftex.def Info: brian_mendonca_photo.png used on input line 971. +(pdftex.def) Requested size: 72.26357pt x 56.37804pt. + +File: vijay_madisetti_photo.png Graphic file (type png) + +Package pdftex.def Info: vijay_madisetti_photo.png used on input line 979. +(pdftex.def) Requested size: 72.26932pt x 87.05168pt. 
+File: vijay_madisetti_photo.png Graphic file (type png) + +Package pdftex.def Info: vijay_madisetti_photo.png used on input line 979. +(pdftex.def) Requested size: 72.26932pt x 87.05168pt. + [14 + + <./brian_mendonca_photo.png> <./vijay_madisetti_photo.png>] [15 + + + +] +[16 + + +] +Overfull \hbox (37.25505pt too wide) in paragraph at lines 1012--1031 + [][] + [] + +[17 + + +] [18 + + +] [19 + +] [20 + +] (./access.aux) + *********** +LaTeX2e <2023-11-01> patch level 1 +L3 programming layer <2024-01-22> + *********** +Package rerunfilecheck Info: File `access.out' has not changed. +(rerunfilecheck) Checksum: 023770683BAC105FADCC4889BB80D3E4;6178. + ) +Here is how much of TeX's memory you used: + 17817 strings out of 476106 + 278503 string characters out of 5793933 + 2118975 words of memory out of 5000000 + 38766 multiletter control sequences out of 15000+600000 + 654107 words of font info for 587 fonts, out of 8000000 for 9000 + 59 hyphenation exceptions out of 8191 + 75i,18n,79p,1558b,1132s stack positions out of 10000i,1000n,20000p,200000b,200000s + +Output written on access.pdf (20 pages, 1617471 bytes). +PDF statistics: + 878 PDF objects out of 1000 (max. 8388607) + 722 compressed objects within 8 object streams + 175 named destinations out of 1000 (max. 500000) + 119103 words of extra memory for PDF output out of 128383 (max. 10000000) diff --git a/paper/access.out b/paper/access.out new file mode 100644 index 00000000..0e82d229 --- /dev/null +++ b/paper/access.out 
@@ -0,0 +1,33 @@ +\BOOKMARK [1][-]{section.1}{\376\377\000I\000m\000p\000o\000r\000t\000a\000n\000c\000e\000\040\000o\000f\000\040\000t\000h\000e\000\040\000P\000r\000o\000b\000l\000e\000m}{}% 1 +\BOOKMARK [1][-]{section.2}{\376\377\000R\000e\000l\000a\000t\000e\000d\000\040\000W\000o\000r\000k}{}% 2 +\BOOKMARK [1][-]{section.3}{\376\377\000S\000y\000s\000t\000e\000m\000\040\000D\000e\000s\000i\000g\000n}{}% 3 +\BOOKMARK [2][-]{subsection.3.1}{\376\377\000N\000o\000t\000a\000t\000i\000o\000n}{section.3}% 4 +\BOOKMARK [2][-]{subsection.3.2}{\376\377\000E\000n\000d\000-\000t\000o\000-\000E\000n\000d\000\040\000W\000a\000l\000k\000t\000h\000r\000o\000u\000g\000h\000\040\000o\000n\000\040\000R\000e\000a\000l\000\040\000M\000a\000n\000i\000f\000e\000s\000t\000s}{section.3}% 5 +\BOOKMARK [2][-]{subsection.3.3}{\376\377\000R\000e\000s\000e\000a\000r\000c\000h\000\040\000Q\000u\000e\000s\000t\000i\000o\000n\000s\000\040\000a\000n\000d\000\040\000F\000i\000n\000d\000i\000n\000g\000s}{section.3}% 6 +\BOOKMARK [1][-]{section.4}{\376\377\000I\000m\000p\000l\000e\000m\000e\000n\000t\000a\000t\000i\000o\000n\000\040\000a\000n\000d\000\040\000M\000e\000t\000r\000i\000c\000s}{}% 7 +\BOOKMARK [2][-]{subsection.4.1}{\376\377\000T\000h\000e\000\040\000C\000l\000o\000s\000e\000d\000-\000L\000o\000o\000p\000\040\000P\000i\000p\000e\000l\000i\000n\000e}{section.4}% 8 +\BOOKMARK [2][-]{subsection.4.2}{\376\377\000V\000e\000r\000i\000f\000i\000c\000a\000t\000i\000o\000n\000\040\000G\000a\000t\000e\000s}{section.4}% 9 +\BOOKMARK [1][-]{section.5}{\376\377\000I\000m\000p\000l\000e\000m\000e\000n\000t\000a\000t\000i\000o\000n\000\040\000S\000t\000a\000t\000u\000s\000\040\000a\000n\000d\000\040\000E\000v\000i\000d\000e\000n\000c\000e}{}% 10 +\BOOKMARK [2][-]{subsection.5.1}{\376\377\000S\000a\000m\000p\000l\000e\000\040\000D\000e\000t\000e\000c\000t\000i\000o\000n\000\040\000R\000e\000c\000o\000r\000d}{section.5}% 11 +\BOOKMARK 
[2][-]{subsection.5.2}{\376\377\000U\000n\000i\000t\000\040\000T\000e\000s\000t\000\040\000E\000v\000i\000d\000e\000n\000c\000e}{section.5}% 12 +\BOOKMARK [2][-]{subsection.5.3}{\376\377\000D\000a\000t\000a\000s\000e\000t\000\040\000a\000n\000d\000\040\000C\000o\000n\000f\000i\000g\000u\000r\000a\000t\000i\000o\000n}{section.5}% 13 +\BOOKMARK [2][-]{subsection.5.4}{\376\377\000E\000v\000a\000l\000u\000a\000t\000i\000o\000n\000\040\000R\000e\000s\000u\000l\000t\000s}{section.5}% 14 +\BOOKMARK [2][-]{subsection.5.5}{\376\377\000T\000h\000r\000e\000a\000t\000\040\000M\000o\000d\000e\000l}{section.5}% 15 +\BOOKMARK [2][-]{subsection.5.6}{\376\377\000T\000h\000r\000e\000a\000t\000s\000\040\000a\000n\000d\000\040\000M\000i\000t\000i\000g\000a\000t\000i\000o\000n\000s}{section.5}% 16 +\BOOKMARK [2][-]{subsection.5.7}{\376\377\000T\000h\000r\000e\000a\000t\000\040\000I\000n\000t\000e\000l\000l\000i\000g\000e\000n\000c\000e\000\040\000a\000n\000d\000\040\000R\000i\000s\000k\000\040\000S\000c\000o\000r\000i\000n\000g\000\040\000\050\000C\000V\000E\000/\000K\000E\000V\000/\000E\000P\000S\000S\000\051}{section.5}% 17 +\BOOKMARK [2][-]{subsection.5.8}{\376\377\000G\000u\000i\000d\000a\000n\000c\000e\000\040\000R\000e\000f\000r\000e\000s\000h\000\040\000a\000n\000d\000\040\000R\000A\000G\000\040\000H\000o\000o\000k\000s}{section.5}% 18 +\BOOKMARK [2][-]{subsection.5.9}{\376\377\000R\000i\000s\000k\000-\000B\000a\000n\000d\000i\000t\000\040\000S\000c\000h\000e\000d\000u\000l\000e\000r\000\040\000w\000i\000t\000h\000\040\000A\000g\000i\000n\000g\000\040\000a\000n\000d\000\040\000K\000E\000V\000\040\000P\000r\000e\000e\000m\000p\000t\000i\000o\000n}{section.5}% 19 +\BOOKMARK [2][-]{subsection.5.10}{\376\377\000B\000a\000s\000e\000l\000i\000n\000e\000s\000\040\000a\000n\000d\000\040\000A\000b\000l\000a\000t\000i\000o\000n\000s}{section.5}% 20 +\BOOKMARK 
[2][-]{subsection.5.11}{\376\377\000M\000e\000t\000r\000i\000c\000s\000\040\000a\000n\000d\000\040\000M\000e\000a\000s\000u\000r\000e\000m\000e\000n\000t}{section.5}% 21 +\BOOKMARK [1][-]{section.6}{\376\377\000L\000i\000m\000i\000t\000a\000t\000i\000o\000n\000s\000\040\000a\000n\000d\000\040\000M\000i\000t\000i\000g\000a\000t\000i\000o\000n\000s}{}% 22 +\BOOKMARK [1][-]{section.7}{\376\377\000D\000i\000s\000c\000u\000s\000s\000i\000o\000n\000\040\000a\000n\000d\000\040\000F\000u\000t\000u\000r\000e\000\040\000W\000o\000r\000k}{}% 23 +\BOOKMARK [1][-]{section*.1}{\376\377\000R\000e\000f\000e\000r\000e\000n\000c\000e\000s}{}% 24 +\BOOKMARK [1][-]{IEEEbiography.0}{\376\377\000B\000i\000o\000g\000r\000a\000p\000h\000i\000e\000s}{}% 25 +\BOOKMARK [2][-]{IEEEbiography.1}{\376\377\000B\000r\000i\000a\000n\000\040\000M\000e\000n\000d\000o\000n\000c\000a}{IEEEbiography.0}% 26 +\BOOKMARK [2][-]{IEEEbiography.2}{\376\377\000V\000i\000j\000a\000y\000\040\000K\000.\000\040\000M\000a\000d\000i\000s\000e\000t\000t\000i}{IEEEbiography.0}% 27 +\BOOKMARK [1][-]{section*.2}{\376\377\000A\000p\000p\000e\000n\000d\000i\000x\000\040\000A\000:\000\040\000G\000r\000o\000k\000/\000x\000A\000I\000\040\000F\000a\000i\000l\000u\000r\000e\000\040\000A\000n\000a\000l\000y\000s\000i\000s}{}% 28 +\BOOKMARK [1][-]{section*.3}{\376\377\000A\000p\000p\000e\000n\000d\000i\000x\000\040\000B\000:\000\040\000R\000i\000s\000k\000\040\000S\000c\000o\000r\000e\000\040\000W\000o\000r\000k\000e\000d\000\040\000E\000x\000a\000m\000p\000l\000e}{}% 29 +\BOOKMARK [1][-]{section*.4}{\376\377\000A\000p\000p\000e\000n\000d\000i\000x\000\040\000C\000:\000\040\000A\000c\000r\000o\000n\000y\000m\000\040\000G\000l\000o\000s\000s\000a\000r\000y}{}% 30 +\BOOKMARK [1][-]{section*.5}{\376\377\000A\000p\000p\000e\000n\000d\000i\000x\000\040\000D\000:\000\040\000A\000r\000t\000i\000f\000a\000c\000t\000\040\000I\000n\000d\000e\000x}{}% 31 +\BOOKMARK 
[1][-]{section*.6}{\376\377\000A\000p\000p\000e\000n\000d\000i\000x\000\040\000E\000:\000\040\000E\000v\000a\000l\000u\000a\000t\000i\000o\000n\000\040\000A\000r\000t\000i\000f\000a\000c\000t\000\040\000M\000a\000n\000i\000f\000e\000s\000t}{}% 32
+\BOOKMARK [1][-]{section*.7}{\376\377\000A\000p\000p\000e\000n\000d\000i\000x\000\040\000F\000:\000\040\000C\000o\000r\000p\000u\000s\000\040\000M\000i\000n\000i\000n\000g\000\040\000a\000n\000d\000\040\000I\000n\000t\000e\000g\000r\000i\000t\000y}{}% 33
diff --git a/paper/access.pdf b/paper/access.pdf
index 70901dec..7a82de62 100644
Binary files a/paper/access.pdf and b/paper/access.pdf differ
diff --git a/paper/access.tex b/paper/access.tex
index 3b8beddd..745eecb5 100644
--- a/paper/access.tex
+++ b/paper/access.tex
@@ -1,11 +1,10 @@
 \PassOptionsToPackage{table}{xcolor}
-\documentclass{ieeeaccess}
+\documentclass[10pt,journal,compsoc]{IEEEtran}
 \usepackage{cite}
 \usepackage{amsmath,amssymb,amsfonts}
 \usepackage{algorithmic}
 \usepackage{graphicx}
 \usepackage{textcomp}
-% \usepackage{caption} % Removed: Conflicts with the ieeeaccess class
 % \usepackage{mathptmx} % Disabled to avoid RSFS font requirement on minimal TeX
 \usepackage[english]{babel}
 % Enable microtype gently to reduce overfull boxes (protrusion/expansion)
@@ -19,6 +18,7 @@
 \usepackage{alltt}
 \usepackage{hyperref}
+\usepackage{xurl}
 \definecolor{accessblue}{rgb}{0,0.2,0.5}
 \hypersetup{
 colorlinks=true,
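Review bot: The build outputs committed alongside this class switch — the compile log and `.out` bookmark file above, the `access.aux` the run opens for writing, and the re-committed binary `access.pdf` — should be ignored rather than tracked: the log records absolute paths of the local TeX installation (`/usr/share/texlive/...`) and a per-run checksum for `access.out`, so they change on every rebuild and give a reviewer nothing that `access.tex` does not. A `.gitignore` rule such as `paper/*.aux`, `paper/*.log`, `paper/*.out` keeps them out, and a CI build from source is the verifiable way to publish a PDF if a rendered copy is wanted in the repository. The `IEEEtran` switch itself looks complete for this preamble; from the log I infer the document compiled with only overfull/underfull box warnings.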
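Review bot: `xurl` only relaxes line breaks inside the url package's commands, so the overfull box the log still reports at lines 878--879 for `archives/k8s-auto-fix-evidence-20251020.tar.gz` (set in the Courier text font, which looks like a `\texttt{...}` path rather than a `\url`) will not be fixed by this addition. Wrapping such paths as `\path{archives/k8s-auto-fix-evidence-20251020.tar.gz}` should give them the same break points the package adds for URLs; the same appears to apply to the other Courier file paths the log lists at lines 461--462 and 753--754. The `\hypersetup{` block this hunk ends in continues outside the hunk.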
@@ -83,38 +83,26 @@ %Your document starts from here ___________________________________________________
 \begin{document}
-\history{}
-\doi{DOI: TBD}
-% (Revert to default IEEE Access title page styling)
 \title{Closed-Loop Threat-Guided Auto-Fixing of Kubernetes Container Security Misconfigurations}
-\author{\uppercase{Brian Mendonca}\authorrefmark{1}, and
-\uppercase{Vijay K. Madisetti}\authorrefmark{2}, \IEEEmembership{Fellow, IEEE}}
-\address[1]{College of Computing, Georgia Institute of Technology, Atlanta, GA 30332 USA (e-mail: brian.mendonca6@gmail.com)}
-\address[2]{School of Cybersecurity and Privacy, Georgia Institute of Technology, Atlanta, GA 30332 USA (e-mail: vkm@gatech.edu)}
+\author{Brian Mendonca and Vijay K. Madisetti, \IEEEmembership{Fellow, IEEE}%
+\IEEEcompsocitemizethanks{\IEEEcompsocthanksitem Brian Mendonca is with the College of Computing, Georgia Institute of Technology, Atlanta, GA 30332 USA (e-mail: brian.mendonca6@gmail.com).
+\IEEEcompsocthanksitem Vijay K. Madisetti is with the School of Cybersecurity and Privacy, Georgia Institute of Technology, Atlanta, GA 30332 USA (e-mail: vkm@gatech.edu).}%
+\thanks{The authors thank the ArtifactHub maintainers for curating the public Helm corpus, the CNCF SIG-Security reviewers for early feedback, and xAI for providing Reasoning API credits that made the Grok evaluations possible.}}
-% Short running heads to avoid header overflow
-\markboth
-{Mendonca et al.: k8s-auto-fix}
-{Mendonca et al.: k8s-auto-fix}
-
-\corresp{Corresponding author: Dr. Vijay Madisetti (e-mail: vkm@gatech.edu).}
-
-\tfootnote{The authors thank the ArtifactHub maintainers for curating the public Helm corpus, the CNCF SIG-Security reviewers for early feedback, and xAI for providing Reasoning API credits that made the Grok evaluations possible.}
-
-\titlepgskip=-22pt
-
-% Abstract and keywords must be defined before \maketitle for ieeeaccess
+\IEEEtitleabstractindextext{%
 \begin{abstract}
 Kubernetes container security in cloud computing deployments is easy to breach, and most tools stop after identifying the problems. We propose a powerful new approach, \texttt{k8s-auto-fix}, to close the loop: it detects an issue, suggests a small patch, verifies it safely, and lines it up for application. On a 1,000-manifest replay against a real cluster, our approach fixed every item without rollbacks (1,000/1,000). On a 15,718-detection offline run, deterministic rules plus safety checks accepted 13,338 of 13,373 patched items (99.74\%; auto-fix rate 0.8486; median patch length 9). An optional LLM mode reaches 88.78\% acceptance on a 5,000-manifest corpus. A simple risk-aware scheduler also cuts the worst-case wait for high-risk items by 7.9$\times$. We release all data and scripts so others can reproduce these results.
 \end{abstract}
-\begin{keywords}
+\begin{IEEEkeywords}
 Kubernetes, SAST, DAST, Admission control, Server-side dry-run, YAML, Pod Security, JSON Patch, Policy Enforcement, Kyverno, OPA Gatekeeper, Auto-fix, CI/CD, CVE, EPSS, RAG, Risk-based scheduling
-\end{keywords}
+\end{IEEEkeywords}}
 \maketitle
+\IEEEdisplaynontitleabstractindextext
+\IEEEpeerreviewmaketitle
 % Gentle line-breaking stretch to reduce overfull boxes
 \sloppy
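Review bot: The removed `\markboth{...}{...}` pair gets no replacement in the new `\author` block, so under IEEEtran's journal-mode headings the running heads will carry only the page number unless the marks are set elsewhere in the file. Restore it right after `\author{...}`, e.g. `\markboth{Mendonca et al.: k8s-auto-fix}{Mendonca et al.: k8s-auto-fix}`, so the header text survives the class switch. The `\corresp{...}` line was also dropped without being folded into the compsoc thanks list; a third `\IEEEcompsocthanksitem` naming the corresponding author would keep that information in the new layout.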
@@ -128,7 +116,7 @@ \section{Importance of the Problem}
 \begin{itemize}
 \item Build a detect $\rightarrow$ propose $\rightarrow$ verify $\rightarrow$ schedule loop with three safety gates (policy re-check, schema check, server dry-run) that lands 100\% success on a 1,000-manifest live replay.
 \item Prioritize work with a simple risk-aware scheduler that reduces the P95 wait for high-risk items by 7.9$\times$ while maintaining fairness.
- \item Release scripts, data, telemetry, and figures so every number in the paper can be regenerated (\url{ARTIFACTS.md}).
+ \item Release scripts, data, telemetry, and figures so every number in the paper can be regenerated (\url{https://github.com/bmendonca3/k8s-auto-fix/blob/main/ARTIFACTS.md}).
 \end{itemize}
 
 %====================
@@ -159,7 +147,7 @@ \section{Importance of the Problem}
 \begin{table*}[t!]
 \centering
 \small
-\caption{Head-to-head policy-level acceptance on the 500-manifest security-context slice. Counts and rates regenerate from \url{data/detections.json}, \url{data/verified.json}, and baseline CSVs under \url{data/baselines/}.}
+\caption{Head-to-head policy-level acceptance on the 500-manifest security-context slice. Counts and rates regenerate from \url{https://github.com/bmendonca3/k8s-auto-fix/blob/main/data/detections.json}, \url{https://github.com/bmendonca3/k8s-auto-fix/blob/main/data/verified.json}, and baseline CSVs under \url{https://github.com/bmendonca3/k8s-auto-fix/tree/main/data/baselines}.}
 \label{tab:baselines}
 \input{../docs/reproducibility/baselines.tex}
 \end{table*}
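Review bot: Every artifact link rewritten here points at `blob/main/` or `tree/main/`, a mutable ref, while the surrounding text promises that each reported number regenerates from the file behind the link; the same pattern repeats in the walkthrough hunks (`@@ -231`, `@@ -246`, `@@ -266`, `@@ -283`), the scheduler hunk (`@@ -753`), and the re-added appendices (`@@ -1086`), including the SHA-256 corpus inventory in the Corpus Mining and Integrity appendix, where a mutable ref is most damaging because the inventory is the integrity evidence itself. The Discussion already pins the evaluation to commit `e4af5efa7b0a52d7b7e58d76879b0060b354af27`, so the links should carry that commit (or a release tag) instead of `main`, e.g. `\url{https://github.com/bmendonca3/k8s-auto-fix/blob/e4af5efa7b0a52d7b7e58d76879b0060b354af27/ARTIFACTS.md}`; otherwise a reader following a link later may fetch a different detections.json than the one the baseline table was computed from. Keeping the pinned prefix in one place in the preamble would make a later re-pin a single edit rather than a sweep across the paper.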
@@ -231,7 +219,7 @@ \subsection{End-to-End Walkthrough on Real Manifests}
 \smallskip
 \noindent\textbf{Case 1: Remediating a Privileged Pod with a \texttt{:latest} Image Tag}
 
-This example, drawn from \url{data/manifests/001.yaml}, shows a common but high-risk pattern: a privileged container using a floating tag.
+This example, drawn from \url{https://github.com/bmendonca3/k8s-auto-fix/blob/main/data/manifests/001.yaml}, shows a common but high-risk pattern: a privileged container using a floating tag.
 
 \begin{codeblock}
 apiVersion: v1
@@ -246,9 +234,9 @@ \subsection{End-to-End Walkthrough on Real Manifests}
 capabilities: { add: ["SYS_ADMIN", "NET_ADMIN"] }
 \end{codeblock}
 
-\noindent\textit{1. Detect} (Union): The detector consumes this manifest and reports four policy violations: \texttt{no\_privileged}, \texttt{drop\_capabilities}, \texttt{run\_as\_non\_root}, and \texttt{no\_latest\_tag}. These correspond to the structured output in \url{data/detections.json}.
+\noindent\textit{1. Detect} (Union): The detector consumes this manifest and reports four policy violations: \texttt{no\_privileged}, \texttt{drop\_capabilities}, \texttt{run\_as\_non\_root}, and \texttt{no\_latest\_tag}. These correspond to the structured output in \url{https://github.com/bmendonca3/k8s-auto-fix/blob/main/data/detections.json}.
 
-\noindent\textit{2. Propose} (Rules Engine): The proposer's rules engine consumes the detection report and generates a minimal, idempotent JSON Patch designed to fix all identified violations. The resulting patch, written to \url{data/patches.json}, is as follows:
+\noindent\textit{2. Propose} (Rules Engine): The proposer's rules engine consumes the detection report and generates a minimal, idempotent JSON Patch designed to fix all identified violations. The resulting patch, written to \url{https://github.com/bmendonca3/k8s-auto-fix/blob/main/data/patches.json}, is as follows:
 \begin{codeblock}
 [
 {"op":"replace","path":"/spec/containers/0/securityContext/privileged","value":false},
@@ -266,9 +254,9 @@ \subsection{End-to-End Walkthrough on Real Manifests}
 \item \textbf{Schema Validation}: Passes, confirming the patch produces a structurally valid Kubernetes object.
 \item \textbf{Server Dry-Run}: Succeeds, as \texttt{kubectl apply --dry-run=server} reports the manifest would be accepted by the API server in a Kind cluster seeded with necessary fixtures.
 \end{itemize}
-The successful outcome is recorded in \url{data/verified.json}.
+The successful outcome is recorded in \url{https://github.com/bmendonca3/k8s-auto-fix/blob/main/data/verified.json}.
 
-\noindent\textit{4. Schedule} (Risk-Bandit): The scheduler assigns the verified patch a high priority. Its risk score ($R$) is elevated due to the privileged container, its empirical success probability ($p$) is high based on historical data for these policies, and its expected remediation time ($\mathbb{E}[t]$) is low. This combination results in a high score, pushing it to the front of the remediation queue (\url{data/schedule.json}).
+\noindent\textit{4. Schedule} (Risk-Bandit): The scheduler assigns the verified patch a high priority. Its risk score ($R$) is elevated due to the privileged container, its empirical success probability ($p$) is high based on historical data for these policies, and its expected remediation time ($\mathbb{E}[t]$) is low. This combination results in a high score, pushing it to the front of the remediation queue (\url{https://github.com/bmendonca3/k8s-auto-fix/blob/main/data/schedule.json}).
 
 \smallskip
 \noindent\textbf{Case 2: Hardening a Worker Pod with a \texttt{hostPath} Mount}
@@ -283,7 +271,7 @@ \subsection{End-to-End Walkthrough on Real Manifests}
 hostPath: { path: "/var/run/docker.sock" }
 \end{codeblock}
 
-This second case, from \url{data/manifests/002.yaml}, targets three additional misconfigurations: a writable root filesystem, a dangerous \texttt{hostPath} volume mount, and missing resource requests and limits.
+This second case, from \url{https://github.com/bmendonca3/k8s-auto-fix/blob/main/data/manifests/002.yaml}, targets three additional misconfigurations: a writable root filesystem, a dangerous \texttt{hostPath} volume mount, and missing resource requests and limits.
 
 \noindent\textit{1. Detect}: The detector flags \texttt{read\_only\_root\_fs}, \texttt{no\_host\_path}, and \texttt{set\_requests\_limits}.
@@ -753,7 +741,7 @@ \subsection{Risk-Bandit Scheduler with Aging and KEV Preemption} \[ R_i = (w_{\text{policy}} + \kappa \cdot \mathbf{1}_{\text{KEV}}) \cdot e_{\text{policy}}, \] -with $\kappa = 25$ risk units in the current configuration. $\smash{p_i}$ is the on-line verifier pass rate for that policy (accepted / attempted counts in \texttt{data/policy\_metrics.json}), and $\mathbb{E}[t_i]$ is the running average of proposer+verifier latency recorded in the same file. We also report $\Delta R_i = R_i - R_i^{\text{post}}$ for every accepted patch, summing per corpus to produce Table~\ref{tab:risk_calibration}. These definitions arose directly from the COSMIC review’s call for explicit decision logic, and Appendix~\ref{app:risk_example} now simply provides a numeric worked example rather than introducing new notation. +with $\kappa = 25$ risk units in the current configuration. $p_i$ is the on-line verifier pass rate for that policy (accepted / attempted counts in \url{https://github.com/bmendonca3/k8s-auto-fix/blob/main/data/policy_metrics.json}), and $\mathbb{E}[t_i]$ is the running average of proposer+verifier latency recorded in the same file. We also report $\Delta R_i = R_i - R_i^{\text{post}}$ for every accepted patch, summing per corpus to produce Table~\ref{tab:risk_calibration}. These definitions arose directly from the COSMIC review's call for explicit decision logic, and Appendix~\ref{app:risk_example} now simply provides a numeric worked example rather than introducing new notation. This scheduling function defines the score used today, where $R_i$ is the risk score, $p_i$ the empirical success rate, $\mathbb{E}[t_i]$ the observed latency, $\text{wait}_i$ the queue age, and $\text{kev}_i$ a boost for KEV-listed violations, mirroring UCB-style bandit heuristics~\cite{auer2002}. $p_i$ and $\mathbb{E}[t_i]$ are refreshed from proposer/verifier telemetry; exploration uses an upper-confidence term and aging ensures fairness. 
The evaluation in Section~\ref{sec:evaluation} contrasts this bandit against FIFO, showing substantial reductions in top-risk wait time. Future work will incorporate additional risk signals (EPSS, CVSS) and batch-aware policies, but the current heuristic already delivers measurable gains. 
@@ -889,104 +877,6 @@ \section{Discussion and Future Work}
 Near-term efforts focus on keeping the seeded fixtures current so the 1,000/1,000 live-cluster outcome persists for new corpora, broadening Kyverno webhook baselines across additional policy families and alternative clusters, enriching Grok/xAI telemetry with monotonic latency traces, and conducting an operator rotation with embedded surveys to validate the scheduler against real analyst workflows. All artifacts remain available at \url{https://github.com/bmendonca3/k8s-auto-fix} (commit \texttt{e4af5efa7b0a52d7b7e58d76879b0060b354af27}), with a long-term snapshot mirrored in \texttt{archives/k8s-auto-fix-evidence-20251020.tar.gz}.
-\appendices
-
-\section{Grok/xAI Failure Analysis}
-\label{app:grok_failures}
-
-The raw data for the Grok/xAI failure analysis can be found in \texttt{data/grok\_failure\_analysis.csv}. This file provides a comprehensive list of all failure causes and their corresponding counts, generated from the analysis of the 5,000-manifest Grok corpus.
-
-\section{Risk Score Worked Example}
-\label{app:risk_example}
-
-The released telemetry enables reviewers to recompute risk units and $\Delta R/t$ for any queue item. As a concrete example we trace detection \texttt{001} from the Grok/xAI replay:
-\begin{enumerate}
- \item Look up the detection metadata in \texttt{data/batch\_runs/detections\_grok200.json} to confirm the violation is \texttt{latest-tag}.
- \item Normalise the policy identifier and pull its risk weight and expected latency from \texttt{data/policy\_metrics\_grok200.json}. For \texttt{no\_latest\_tag} the risk is 50 units and the proposer+verifier expected time is 9.363~s (averaged from the recorded latencies).
- \item Inspect the proposer/verifier records (\texttt{data/batch\_runs/patches\_grok200.json}; \texttt{data/batch\_runs/verified\_grok200.json}) to see that the patch was accepted with a measured end-to-end latency of 7.339~s and verifier latency of 0.332~s.
-\end{enumerate}
-Because the patch succeeded, the pre-risk $R^{\text{pre}} = 50$ drops to $R^{\text{post}} = 0$, yielding $\Delta R = 50$ and $\Delta R/t = 50 / 9.363 = 5.34$ risk units per second. Summing the same quantities across the corpus reproduces Table~\ref{tab:risk_calibration}, as computed by \texttt{scripts/risk\_calibration.py}.
-
-\section{Acronym Glossary}
-\label{app:acronyms}
-\begin{table}[h]
-\centering
-\small
-\begin{tabular}{@{}ll@{}}
-\toprule
-\textbf{Acronym} & \textbf{Definition} \\
-\midrule
-CIS & Center for Internet Security \\
-PSS & Pod Security Standards \\
-CRD & Custom Resource Definition \\
-RBAC & Role-Based Access Control \\
-CTI & Cyber Threat Intelligence \\
-KEV & CISA Known Exploited Vulnerabilities \\
-EPSS & Exploit Prediction Scoring System \\
-CVE/CVSS & Common Vulnerabilities and Exposures / Scoring System \\
-RAG & Retrieval-Augmented Generation \\
-MTTR & Mean Time To Remediate \\
-CEL & Common Expression Language (Kubernetes) \\
-SAST & Static Application Security Testing \\
-DAST & Dynamic Application Security Testing \\
-\bottomrule
-\end{tabular}
-\end{table}
-
-\section{Artifact Index}
-\label{app:artifact_index}
-\begin{table*}[t!]
-\centering
-\small
-\caption{Primary artifacts bundled with the paper.}
-\begin{tabularx}{\textwidth}{@{}>{\ttfamily\raggedright\arraybackslash}p{2.8in}>{\raggedright\arraybackslash}X@{}}
-\toprule
-\textrm{\textbf{Artifact (path)}} & \textbf{Description} \\
-\midrule
-data/live\_cluster/results\_1k.json & Live-cluster replay outcomes (1,000 manifests, dry-run/live apply parity). \\
-data/batch\_runs/grok\_5k/\allowbreak metrics\_grok5k.json & Grok/xAI telemetry (acceptance, latency, token counts) for the 5k sweep. \\
-data/risk/risk\_calibration.csv & Risk accounting summary ($\Delta R$, residual risk, $\Delta R/t$) for supported and 5k corpora. \\
-data/metrics\_schedule\_compare.json & Queue replay statistics for FIFO vs.\ risk-aware schedulers (rank, wait, $\Delta R/t$). \\
-data/grok\_failure\_analysis.csv & Grok failure taxonomy (dry-run retrievals, StatefulSet validation, etc.). \\
-\bottomrule
-\end{tabularx}
-\end{table*}
-
-\section{Evaluation Artifact Manifest}
-\label{app:artifact_manifest}
-\begin{table*}[t!]
-\centering
-\small
-\caption{Key evaluation artifacts with record counts and purposes for full reproducibility.}
-\label{tab:artifact_manifest}
-\begin{tabularx}{\textwidth}{@{}>{\ttfamily\raggedright\arraybackslash}p{3in}>{\raggedright\arraybackslash}X r@{}}
-\toprule
-\textrm{\textbf{Artifact Path}} & \textbf{Purpose} & \textbf{Count} \\
-\midrule
-data/live\_cluster/results\_1k.json & Live-cluster replay outcomes (dry-run + apply) & 1{,}000 \\
-data/live\_cluster/summary\_1k.csv & Live-cluster aggregate statistics & 1 \\
-data/batch\_runs/grok\_5k/metrics\_grok5k.json & Grok-5k acceptance \& token telemetry & 5{,}000 \\
-data/batch\_runs/grok\_full/metrics\_grok\_full.json & Manifest slice (1{,}313) acceptance & 1{,}313 \\
-data/batch\_runs/grok200\_latency\_summary.csv & Proposer latency summary (Grok-200) & 280 \\
-data/batch\_runs/verified\_grok200\_latency\_summary.csv & Verifier latency summary (Grok-200) & 140 \\
-data/eval/significance\_tests.json & Statistical significance tests (z-test, Mann-Whitney U) & 12 \\
-data/eval/table4\_counts.csv & Table 4 manifest counts per corpus & 4 \\
-data/eval/table4\_with\_ci.csv & Wilson 95\% confidence intervals & 4 \\
-data/scheduler/fairness\_metrics.json & Scheduler fairness (Gini, starvation) & 830 \\
-data/scheduler/metrics\_schedule\_sweep.json & Scheduler parameter sweep results & 16 \\
-data/risk/risk\_calibration.csv & Risk reduction ($\Delta R$) per corpus & 2 \\
-\bottomrule
-\end{tabularx}
-\end{table*}
-
-
-\section{Corpus Mining and Integrity}
-\label{app:corpus}
-\noindent\textbf{ArtifactHub mining pipeline.} Running the data collection helper\footnote{Command: \texttt{python scripts/\allowbreak collect\_artifacthub.py\ --limit\ 5000}.} renders Helm charts directly from ArtifactHub using \texttt{helm\ template}, normalizes resource filenames, and writes structured manifests under \url{data/manifests/artifacthub/}. The script records fetch failures and chart metadata so regenerated datasets can be diffed against the published summary.
-
-\medskip
-\noindent\textbf{Corpus hashes.} After manifests are rendered, \texttt{python scripts/generate\_corpus\_appendix.py} emits \url{docs/appendix\_corpus.md}, a SHA-256 inventory of every manifest (including the curated smoke tests in \url{data/manifests/001.yaml} and \url{002.yaml}). This appendix enables reproducibility reviewers to verify corpus integrity and trace individual evaluation examples back to their Helm chart origins.
-
 %====================
 % References
 %====================
@@ -1086,12 +976,118 @@ \section{Corpus Mining and Integrity}
 He received the B.E.\ in Mechanical Engineering (summa cum laude, GPA 3.99) from Arizona State University in 2021. His research interests include secure configuration management for cloud-native systems, program analysis for infrastructure-as-code, and data-informed quality engineering.
 \end{IEEEbiography}
 
-\begin{IEEEbiography}[{\includegraphics[width=1in,height=1.25in,clip,keepaspectratio]{vijay.png}}]{Vijay K. Madisetti}
+\begin{IEEEbiography}[{\includegraphics[width=1in,height=1.25in,clip,keepaspectratio]{vijay_madisetti_photo.png}}]{Vijay K. Madisetti}
 is Professor of Cybersecurity and Privacy at the Georgia Institute of Technology. He earned his Ph.D.\ in Electrical Engineering and Computer Sciences from the University of California at Berkeley. Professor Madisetti is a Fellow of the IEEE and has been honored with the Terman Medal by the American Society of Engineering Education (ASEE), and also received Georgia Tech's Outstanding PhD Dissertation Advisor Award. He has authored several widely referenced textbooks on topics including cloud computing, data analytics, blockchain, and microservices, and has extensive experience in secure system architectures and privacy-preserving technologies. Dr. Madisetti is co-author of the IEEE VHDL RTL Language Standard, and inventor on over 80 issued US patents.
 \end{IEEEbiography}
-\EOD
+\clearpage
+\appendices
+
+\clearpage
+\section{Grok/xAI Failure Analysis}
+\label{app:grok_failures}
+
+The raw data for the Grok/xAI failure analysis can be found in \url{https://github.com/bmendonca3/k8s-auto-fix/blob/main/data/grok_failure_analysis.csv}. This file provides a comprehensive list of all failure causes and their corresponding counts, generated from the analysis of the 5,000-manifest Grok corpus.
+
+\clearpage
+\section{Risk Score Worked Example}
+\label{app:risk_example}
+
+The released telemetry enables reviewers to recompute risk units and $\Delta R/t$ for any queue item. As a concrete example we trace detection \texttt{001} from the Grok/xAI replay:
+\begin{enumerate}
+ \item Look up the detection metadata in \url{https://github.com/bmendonca3/k8s-auto-fix/blob/main/data/batch_runs/detections_grok200.json} to confirm the violation is \texttt{latest-tag}.
+ \item Normalise the policy identifier and pull its risk weight and expected latency from \url{https://github.com/bmendonca3/k8s-auto-fix/blob/main/data/policy_metrics_grok200.json}. For \texttt{no\_latest\_tag} the risk is 50 units and the proposer+verifier expected time is 9.363~s (averaged from the recorded latencies).
+ \item Inspect the proposer/verifier records (\url{https://github.com/bmendonca3/k8s-auto-fix/blob/main/data/batch_runs/patches_grok200.json}; \url{https://github.com/bmendonca3/k8s-auto-fix/blob/main/data/batch_runs/verified_grok200.json}) to see that the patch was accepted with a measured end-to-end latency of 7.339~s and verifier latency of 0.332~s.
+\end{enumerate}
+Because the patch succeeded, the pre-risk $R^{\text{pre}} = 50$ drops to $R^{\text{post}} = 0$, yielding $\Delta R = 50$ and $\Delta R/t = 50 / 9.363 = 5.34$ risk units per second. Summing the same quantities across the corpus reproduces Table~\ref{tab:risk_calibration}, as computed by \texttt{scripts/risk\_calibration.py}.
+
+\clearpage
+\section{Acronym Glossary}
+\label{app:acronyms}
+\begin{table}[h]
+\centering
+\small
+\begin{tabular}{@{}ll@{}}
+\toprule
+\textbf{Acronym} & \textbf{Definition} \\
+\midrule
+CIS & Center for Internet Security \\
+PSS & Pod Security Standards \\
+CRD & Custom Resource Definition \\
+RBAC & Role-Based Access Control \\
+CTI & Cyber Threat Intelligence \\
+KEV & CISA Known Exploited Vulnerabilities \\
+EPSS & Exploit Prediction Scoring System \\
+CVE/CVSS & Common Vulnerabilities and Exposures / Scoring System \\
+RAG & Retrieval-Augmented Generation \\
+MTTR & Mean Time To Remediate \\
+CEL & Common Expression Language (Kubernetes) \\
+SAST & Static Application Security Testing \\
+DAST & Dynamic Application Security Testing \\
+\bottomrule
+\end{tabular}
+\end{table}
+
+\clearpage
+\onecolumn
+\section{Artifact Index}
+\label{app:artifact_index}
+\begin{table}[h!]
+\centering
+\small
+\caption{Primary artifacts bundled with the paper.}
+\resizebox{\columnwidth}{!}{%
+\begin{tabularx}{\textwidth}{@{}>{\raggedright\arraybackslash}p{4.4in}>{\raggedright\arraybackslash}X@{}}
+\toprule
+\textbf{Artifact (path)} & \textbf{Description} \\
+\midrule
+\url{https://github.com/bmendonca3/k8s-auto-fix/blob/main/data/live_cluster/results_1k.json} & Live-cluster replay outcomes (1,000 manifests, dry-run/live apply parity). \\
+\url{https://github.com/bmendonca3/k8s-auto-fix/blob/main/data/batch_runs/grok_5k/metrics_grok5k.json} & Grok/xAI telemetry (acceptance, latency, token counts) for the 5k sweep. \\
+\url{https://github.com/bmendonca3/k8s-auto-fix/blob/main/data/risk/risk_calibration.csv} & Risk accounting summary ($\Delta R$, residual risk, $\Delta R/t$) for supported and 5k corpora. \\
+\url{https://github.com/bmendonca3/k8s-auto-fix/blob/main/data/metrics_schedule_compare.json} & Queue replay statistics for FIFO vs.\ risk-aware schedulers (rank, wait, $\Delta R/t$). \\
+\url{https://github.com/bmendonca3/k8s-auto-fix/blob/main/data/grok_failure_analysis.csv} & Grok failure taxonomy (dry-run retrievals, StatefulSet validation, etc.). \\
+\bottomrule
+\end{tabularx}}
+\end{table}
+
+\clearpage
+\section{Evaluation Artifact Manifest}
+\label{app:artifact_manifest}
+\begin{table}[h!]
+\centering
+\small
+\caption{Key evaluation artifacts with record counts and purposes for full reproducibility.}
+\label{tab:artifact_manifest}
+\resizebox{\columnwidth}{!}{%
+\begin{tabularx}{\textwidth}{@{}>{\raggedright\arraybackslash}p{4.4in}>{\raggedright\arraybackslash}X r@{}}
+\toprule
+\textbf{Artifact Path} & \textbf{Purpose} & \textbf{Count} \\
+\midrule
+\url{https://github.com/bmendonca3/k8s-auto-fix/blob/main/data/live_cluster/results_1k.json} & Live-cluster replay outcomes (dry-run + apply) & 1{,}000 \\
+\url{https://github.com/bmendonca3/k8s-auto-fix/blob/main/data/live_cluster/summary_1k.csv} & Live-cluster aggregate statistics & 1 \\
+\url{https://github.com/bmendonca3/k8s-auto-fix/blob/main/data/batch_runs/grok_5k/metrics_grok5k.json} & Grok-5k acceptance \& token telemetry & 5{,}000 \\
+\url{https://github.com/bmendonca3/k8s-auto-fix/blob/main/data/batch_runs/grok_full/metrics_grok_full.json} & Manifest slice (1{,}313) acceptance & 1{,}313 \\
+\url{https://github.com/bmendonca3/k8s-auto-fix/blob/main/data/batch_runs/grok200_latency_summary.csv} & Proposer latency summary (Grok-200) & 280 \\
+\url{https://github.com/bmendonca3/k8s-auto-fix/blob/main/data/batch_runs/verified_grok200_latency_summary.csv} & Verifier latency summary (Grok-200) & 140 \\
+\url{https://github.com/bmendonca3/k8s-auto-fix/blob/main/data/eval/significance_tests.json} & Statistical significance tests (z-test, Mann-Whitney U) & 12 \\
+\url{https://github.com/bmendonca3/k8s-auto-fix/blob/main/data/eval/table4_counts.csv} & Table 4 manifest counts per corpus & 4 \\
+\url{https://github.com/bmendonca3/k8s-auto-fix/blob/main/data/eval/table4_with_ci.csv} & Wilson 95\% confidence intervals & 4 \\
+\url{https://github.com/bmendonca3/k8s-auto-fix/blob/main/data/scheduler/fairness_metrics.json} & Scheduler fairness (Gini, starvation) & 830 \\
+\url{https://github.com/bmendonca3/k8s-auto-fix/blob/main/data/scheduler/metrics_schedule_sweep.json} & Scheduler parameter sweep results & 16 \\
+\url{https://github.com/bmendonca3/k8s-auto-fix/blob/main/data/risk/risk_calibration.csv} & Risk reduction ($\Delta R$) per corpus & 2 \\
+\bottomrule
+\end{tabularx}}
+\end{table}
+
+
+\clearpage
+\section{Corpus Mining and Integrity}
+\label{app:corpus}
+\noindent\textbf{ArtifactHub mining pipeline.} Running the data collection helper\footnote{Command: \texttt{python scripts/\allowbreak collect\_artifacthub.py\ --limit\ 5000}.} renders Helm charts directly from ArtifactHub using \texttt{helm\ template}, normalizes resource filenames, and writes structured manifests under \url{https://github.com/bmendonca3/k8s-auto-fix/tree/main/data/manifests/artifacthub/}. The script records fetch failures and chart metadata so regenerated datasets can be diffed against the published summary.
+
+\medskip
+\noindent\textbf{Corpus hashes.} After manifests are rendered, \texttt{python scripts/generate\_corpus\_appendix.py} emits \url{https://github.com/bmendonca3/k8s-auto-fix/blob/main/docs/appendix_corpus.md}, a SHA-256 inventory of every manifest (including the curated smoke tests in \url{https://github.com/bmendonca3/k8s-auto-fix/blob/main/data/manifests/001.yaml} and \url{https://github.com/bmendonca3/k8s-auto-fix/blob/main/data/manifests/002.yaml}). This appendix enables reproducibility reviewers to verify corpus integrity and trace individual evaluation examples back to their Helm chart origins.
 \end{document}
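Review bot: The `\onecolumn` issued before the Artifact Index is never paired with `\twocolumn`, so the Evaluation Artifact Manifest, the Corpus Mining and Integrity appendix and the end of the document are all set single-column; if that is intended, record it next to the switch, e.g. `% Appendices D--F stay single-column: the artifact tables need the full text width`. In that single-column context `\columnwidth` equals `\textwidth`, which makes the `\resizebox{\columnwidth}{!}{...}` around each `\begin{tabularx}{\textwidth}` a no-op, and in two-column mode it would shrink the table fonts inconsistently; dropping the wrapper and letting the `p{4.4in}`/`X` columns carry the width gives the same layout with uniform type. The `\clearpage` immediately after `\appendices` duplicates the one before it, and a `\clearpage` in front of every appendix gives the one-paragraph Grok/xAI Failure Analysis a page of its own, which a `\section` alone would avoid.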