git.stella-ops.org/docs/features/unchecked/scanner/threat-vector-inference-and-capability-detection.md

Threat Vector Inference and Capability Detection

Module

Scanner

Status

IMPLEMENTED

Description

Automated inference of threat vectors from entrypoint characteristics, detection of the capabilities an entrypoint exercises (network, file system, crypto, process execution, IPC), and mapping of the trust boundaries that data crosses between an entrypoint and downstream services, for security surface assessment.

Implementation Details

  • Threat Vector Inference:
    • src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Semantic/Analysis/ThreatVectorInferrer.cs - ThreatVectorInferrer, which infers a threat vector (External, Internal, Privileged) from an entrypoint's characteristics and exposure patterns
    • src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Semantic/ThreatVector.cs - ThreatVector enum defining the threat vector classifications
  • Capability Detection:
    • src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Semantic/Analysis/CapabilityDetector.cs - CapabilityDetector, which detects the capabilities an entrypoint exercises (NetworkAccess, FileSystem, Crypto, ProcessExec, IPC) from code patterns
    • src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Semantic/CapabilityClass.cs - CapabilityClass flags enum recording the detected capabilities, so that one entrypoint can carry several at once
  • Data Flow Boundary Mapping:
    • src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Semantic/Analysis/DataBoundaryMapper.cs - DataBoundaryMapper, which maps the trust boundaries that data crosses between an entrypoint and downstream services
    • src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Semantic/DataFlowBoundary.cs - DataFlowBoundary enum defining the trust boundary types
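The following sketch is an added illustration of how the three components fit together; it is not StellaOps code and does not reproduce the project's types or rules. Every name in it (Capability, ThreatVector, BoundaryCrossing, Entrypoint, SurfaceAnalyzer) and every classification rule (ProcessExec or root context => Privileged, HTTP exposure => External, request data co-occurring with a SQL or file sink => boundary crossing) is a hypothetical stand-in chosen to show the shape of the analysis: a flags enum accumulated from an ordered pattern table, a vector derived from exposure plus capabilities, and boundary crossings derived from source-to-sink pairing. The sample entrypoint source is constructed.

```csharp
// Added example, not project code. All types, rules and patterns are hypothetical.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text.RegularExpressions;

[Flags]
public enum Capability
{
    None          = 0,
    NetworkAccess = 1 << 0,
    FileSystem    = 1 << 1,
    Crypto        = 1 << 2,
    ProcessExec   = 1 << 3,
    Ipc           = 1 << 4,
}

public enum ThreatVector { Internal, External, Privileged }

public enum BoundaryCrossing { UserInputToDatabase, UserInputToProcess, UserInputToFileSystem }

// Exposure and privilege context would normally come from deployment metadata, not source.
public sealed record Entrypoint(string Name, bool HttpExposed, bool RunsAsRoot, string Source);

public sealed record Assessment(Capability Capabilities, ThreatVector Vector,
    IReadOnlyList<BoundaryCrossing> Crossings);

public static class SurfaceAnalyzer
{
    // Immutable, ordered pattern table: fixed ordering is what makes repeated runs identical.
    private static readonly (Capability Cap, Regex Pattern)[] CapabilityPatterns =
    {
        (Capability.NetworkAccess, new Regex(@"\b(HttpClient|WebRequest|Socket)\b")),
        (Capability.FileSystem,    new Regex(@"\bFile\.(Read|Write|Open|Delete)\w*\(")),
        (Capability.Crypto,        new Regex(@"\b(Aes|RSA|SHA\d+|HMAC\w*)\.Create\(")),
        (Capability.ProcessExec,   new Regex(@"\bProcess\.Start\(")),
        (Capability.Ipc,           new Regex(@"\b(NamedPipe\w+Stream|MemoryMappedFile)\b")),
    };

    // Accumulate every matching capability into one flags value.
    public static Capability DetectCapabilities(string source)
    {
        var caps = Capability.None;
        foreach (var (cap, pattern) in CapabilityPatterns)
            if (pattern.IsMatch(source)) caps |= cap;
        return caps;
    }

    // Hypothetical rules: privileged context wins, then exposure decides External vs Internal.
    public static ThreatVector InferThreatVector(Entrypoint ep, Capability caps)
    {
        if (ep.RunsAsRoot || caps.HasFlag(Capability.ProcessExec)) return ThreatVector.Privileged;
        return ep.HttpExposed ? ThreatVector.External : ThreatVector.Internal;
    }

    // Simplification: a crossing is recorded when request data and a sink appear in the same
    // entrypoint body. Real taint tracking would follow the value, not just co-occurrence.
    public static IReadOnlyList<BoundaryCrossing> MapBoundaries(string source)
    {
        var crossings = new List<BoundaryCrossing>();
        if (!Regex.IsMatch(source, @"Request\.(Query|Form|Body)")) return crossings;
        if (Regex.IsMatch(source, @"\bSqlCommand\b|\bExecuteReader\(")) crossings.Add(BoundaryCrossing.UserInputToDatabase);
        if (Regex.IsMatch(source, @"\bProcess\.Start\("))            crossings.Add(BoundaryCrossing.UserInputToProcess);
        if (Regex.IsMatch(source, @"\bFile\."))                      crossings.Add(BoundaryCrossing.UserInputToFileSystem);
        return crossings;
    }

    public static Assessment Analyze(Entrypoint ep)
    {
        var caps = DetectCapabilities(ep.Source);
        return new Assessment(caps, InferThreatVector(ep, caps), MapBoundaries(ep.Source));
    }

    public static void Main()
    {
        // Constructed sample: an HTTP handler that feeds a query parameter into SQL and reads a file.
        var ep = new Entrypoint("GET /report", HttpExposed: true, RunsAsRoot: false, Source: @"
            var id = Request.Query[""id""];
            var cmd = new SqlCommand(""SELECT * FROM reports WHERE id = "" + id, conn);
            var rdr = cmd.ExecuteReader();
            var tpl = File.ReadAllText(""template.html"");
            var http = new HttpClient();");

        var first = Analyze(ep);
        var second = Analyze(ep);
        // Determinism check: two runs over the same input must agree field by field.
        bool deterministic = first.Capabilities == second.Capabilities
                          && first.Vector == second.Vector
                          && first.Crossings.SequenceEqual(second.Crossings);

        Console.WriteLine($"{ep.Name}: vector={first.Vector}, caps={first.Capabilities}, " +
                          $"crossings=[{string.Join(", ", first.Crossings)}], deterministic={deterministic}");
    }
}
```

Two caveats carry over to any real implementation of this design. Pattern matching on source text misses capabilities reached through reflection, dynamic loading or wrapper libraries, so a detector of this kind under-reports and should be read as a lower bound on what an entrypoint can do. And the External/Internal split depends on exposure information (listeners, ingress, service mesh policy) that is not visible in code; when that input is missing, the inferrer should fall back to the more conservative classification rather than assume Internal.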

E2E Test Plan

  • Analyze an HTTP-exposed entrypoint and verify ThreatVectorInferrer classifies it as "External" threat vector
  • Analyze an internal-only service and verify it is classified as "Internal" threat vector
  • Verify CapabilityDetector identifies NetworkAccess capability for entrypoints making HTTP calls
  • Verify CapabilityDetector identifies FileSystem capability for entrypoints performing file I/O
  • Verify DataBoundaryMapper correctly identifies trust boundary crossings (e.g., user input -> database query)
  • Verify all three analysis components (threat vector, capability, data flow boundary) are deterministic: repeated runs over the same code patterns produce identical classifications, capability flags and boundary crossings