Files
CyberStrikeAI/docs/en-US/security-model.md
T
2026-07-07 14:04:18 +08:00

2.9 KiB

Security Model

中文

CyberStrikeAI is not a generic chatbot. It is a high-privilege security automation system with command execution, MCP tools, WebShell management, optional C2, batch tasks, and multi-agent orchestration.

Trust Boundaries

Main actors:

  • Web user: can chat, change settings, manage resources, and trigger tools.
  • Agent: selects tools based on role, context, and middleware.
  • MCP tools: may access files, run commands, call services, or touch targets.
  • External MCP: third-party local or remote tool providers.
  • Robot callbacks: platform-authenticated message ingress outside Web login.

Anyone who can log into the Web UI should be treated as an operator of the instance.

Threat Model

Threat Path Impact Controls
Password leak login, then use terminal/WebShell/C2 platform takeover strong password, HTTPS, internal network, audit
Prompt injection target content instructs Agent to misuse tools unauthorized actions role boundaries, HITL, least tools
Malicious MCP external tool lies or has side effects host/target impact trusted MCP only, isolation
Tool YAML tampering command template changed malicious execution file permissions, review
C2 misuse payload or task against unauthorized target legal and business risk disabled by default, approvals
WebShell misuse destructive command on business host outage/data loss naming, read-only first, HITL
DB leak copy data/*.db or uploads sensitive target data permissions, encrypted backups

HITL Is Not Magic

HITL sees a tool name, arguments, and context. It does not always see real-world impact. Be conservative when:

  • a harmless-looking command wraps bash -c or base64;
  • the MCP tool description is untrusted;
  • WebShell target identity is vague;
  • C2 payload delivery happens outside the platform;
  • a read-only tool can still create traffic or side effects.

Audit Agent is useful for routine checks, not for replacing humans on destructive operations.

Data Minimization

Avoid long-term storage of:

  • real customer credentials;
  • raw production data;
  • long-lived cookies;
  • unrelated scan output;
  • stale WebShell or C2 sessions.

Project closeout should include cleanup of uploads, WebShell connections, C2 payloads, temporary workspaces, and bulky execution logs.

Production Baseline

  • Strong password and HTTPS.
  • Internal/VPN/proxy restricted access.
  • audit.enabled: true.
  • Random mcp.auth_header_value when HTTP MCP is exposed.
  • c2.enabled: false unless required.
  • Minimal external MCP.
  • No high-risk tools in global allowlist.

Source Anchors

  • Sessions: internal/security/auth_manager.go
  • Auth middleware: internal/security/auth_middleware.go
  • Rate limiting: internal/security/ratelimit.go
  • Shell execution: internal/security/executor.go
  • HITL execution: internal/handler/hitl_execution.go
  • Audit service: internal/audit/service.go