---
vault_clearance: KETER
halo:
  classification: KETER
  confidence: MEDIUM
  front: "17_Project_CerberusLantern"
  custodian: "The Architect"
  created: 2026-03-27
  updated: 2026-03-28
  wing: NOT_READY
  containment: "FORM — hostile-software paradigm map"
---
# FORM — Firewall Ontology for Risk Mediation

**BOOK:** [BOOK.md](BOOK.md) — observability and policy citations as bounties add them.

> **F**irewall **O**ntology for **R**isk **M**ediation.
> Map **install-first, trust-later culture** vs **three-head Cerberus** — inbound VM, outbound tripwires, host integrity (Meridian / Shadow of Sight / Corpse of the Colossus).

---

## The Two Paradigms

### Orthodox (consumer endpoint default)
- **Philosophy:** Download, click, allow firewall prompt, hope EDR catches it.
- **Free parameters:** AV heuristics, user fatigue, infinite UAC clicks.
- **Output:** **Convenience wins** until breach narrative.

### CerberusLantern (ours)
- **Philosophy:** **Three heads. One gate. Nothing enters or leaves without being seen.**
  - **Inbound (Meridian):** Foreign software runs in VM **before** bare metal.
  - **Outbound (Shadow of Sight):** Tripwires on KETER files; network/DNS monitoring.
  - **System (Corpse of the Colossus):** Host compromise (baseline/diff), driver audits, behavioral anomaly detection, **steganographic containment** (covert carriers / polyglot payloads).
- **Free parameters:** Promotion checklist from VM → host; watch lists; registry scope.
- **Output:** **Layered evidence**, not a single green icon.

---

## Head-to-Head: Axes That Matter

| Axis | Orthodox | CerberusLantern |
|------|----------|-----------------|
| **Default stance** | Trust vendor | Trust evidence |
| **Inbound** | Native install | Sandboxed rehearsal |
| **Outbound** | Opaque | Instrumented |
| **Supply chain** | “They’re famous” | Registry + behavior |

---

## The Murder Board — Where Orthodox Fails

1. **One-time scan fantasy** — malware is a **process**, not a point.
2. **Shared clipboard / folder** — VM escape and exfil handoffs ignored.
3. **Driver blind spot** — ring0 beats userland AV.
4. **Nationality as proxy** — bad threat model; **provenance + behavior** matter.

**Countermove:** Explicit promotion rules; international **risk registry** as evidence-linked, not stereotype-linked.

---

## What We Take From Orthodox (Honestly)

| From industry practice | Why | Into Cerberus how |
|------------------------|-----|-------------------|
| **VM tooling** | Isolation | Meridian baseline images pinned |
| **EDR concepts** | Behavior | Inform Colossus — not trusted blindly |
| **DNS logging** | Visibility | Shadow of Sight channel |

---

## The Proof: Concrete Comparisons to Run

1. **Promotion drill:** Known-good app vs known-bad sample — checklist gates differ.
2. **Tripwire:** Touch KETER path — alert path fires (tabletop OK if not wired yet).
3. **Driver delta:** Hardware change → audit log entry.
4. **Egress:** Run untrusted binary in VM — observe attempted destinations — compare to host policy.
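
An added example for the egress drill (item 4), not part of the Cerberus code base: it compares destinations observed during a VM run against a host allowlist and fails the gate on any mismatch or unreadable log line. The log layout, `HOST_ALLOW`, the sample log, and all function names are assumptions made for illustration.

```python
import re

# Assumed log layout (constructed for this example, not a Cerberus format):
#   <timestamp> query <type> <name> from <client-ip>
LINE_RE = re.compile(r"^\S+ query \S+ (\S+) from \S+$")

# Constructed capture from one VM rehearsal run.
SAMPLE_LOG = """\
2026-03-27T10:00:01Z query A updates.vendor.example from 10.0.2.15
2026-03-27T10:00:02Z query A Updates.Vendor.Example. from 10.0.2.15
2026-03-27T10:00:05Z query A telemetry.tracker.test from 10.0.2.15
2026-03-27T10:00:09Z query TXT a1b2.notvendor.example from 10.0.2.15
garbled line that should be counted, not silently dropped
"""

# Hypothetical host egress policy: permitted domain suffixes.
HOST_ALLOW = {"vendor.example"}

def normalize(name):
    """Lower-case and drop the trailing root dot so duplicates collapse."""
    return name.rstrip(".").lower()

def allowed(name, allow):
    """Match on label boundaries: notvendor.example is not vendor.example."""
    return any(name == s or name.endswith("." + s) for s in allow)

def egress_report(log_text, allow):
    """Return (permitted, violations, unparsed_count) for one VM run."""
    permitted, violations, unparsed = set(), set(), 0
    for line in filter(str.strip, log_text.splitlines()):
        m = LINE_RE.match(line.strip())
        if not m:
            unparsed += 1  # unknown lines count against the gate
            continue
        name = normalize(m.group(1))
        (permitted if allowed(name, allow) else violations).add(name)
    return permitted, violations, unparsed

def promotion_gate(log_text, allow):
    """Pass only if every destination fits policy and every line parsed."""
    _, violations, unparsed = egress_report(log_text, allow)
    return not violations and unparsed == 0

if __name__ == "__main__":
    ok, bad, skipped = egress_report(SAMPLE_LOG, HOST_ALLOW)
    print("permitted:", sorted(ok))
    print("violations:", sorted(bad))
    print("unparsed:", skipped, "gate pass:", promotion_gate(SAMPLE_LOG, HOST_ALLOW))
```

Treating unparsed lines as a gate failure keeps a truncated or tampered capture from reading as a clean run.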

---

## Expected Result

- **Orthodox** wins **time to first click**.
- **CerberusLantern** wins **defensible posture** for high-value vaults — at **operator cost**.

---

## FORM — Final Assessment

CerberusLantern is **HALO for motion** — not just labels on files, but **where binaries may run** and **what they may touch**. FORM maps the opposition to default endpoint hygiene.

## Executable suite (synthetic cultivator)

Run the **FORM Antimalware Suite** to regression-test Chimera, Shadow, three-head integration, and optional Colossus host integrity on **benign fixtures only**:

- Record: [FORM_ANTIMALWARE_SUITE.md](FORM_ANTIMALWARE_SUITE.md)
- Runner: `python suite/form_antimalware_suite.py` or `python engine/cerberus.py form-suite`

---

## Totem (Abyssal Beast)

The **Totem** is the FORM-mandated **evaluation layer** for the Cerberus suite: not a separate product, but the **standard** for “did we regress against the industry-shaped adversary model?” It is exercised as **control** runs (clean Lantern / golden image) vs **test** runs (after VM work, installs, or Meridian scrub), with explicit pass/fail oracles and optional `CONTROL_*` / `TEST_*` artifacts.

- Suite vs Totem (law, tables, checklists): [CERBERUS_SUITE_AND_TOTEM.md](CERBERUS_SUITE_AND_TOTEM.md)
- Synthetic primers and case list: [FORM_ANTIMALWARE_SUITE.md](FORM_ANTIMALWARE_SUITE.md)
- Synthetic Totem primer runner: `python engine/cerberus.py form-suite` (or `python suite/form_antimalware_suite.py`)

---

**Orthodox apex toolbar (vault-wide):** EDR / sandbox / aggregation tools (with ToS and runnability tags) are tabled in [16_Project_Constellation/FORM_ORTHODOX_APEX_TOOLING.md](../16_Project_Constellation/FORM_ORTHODOX_APEX_TOOLING.md) — **Chapter 17**; extends [FORM_ANTIMALWARE_SUITE.md](FORM_ANTIMALWARE_SUITE.md) / Totem framing.

*FORM — Firewall Ontology for Risk Mediation. See inbound, see outbound, see the corpse.*
