mirror of
https://github.com/Ed1s0nZ/CyberStrikeAI.git
synced 2026-07-10 22:33:48 +02:00
73 lines
2.9 KiB
Markdown
73 lines
2.9 KiB
Markdown
# Security Model
|
|
|
|
[中文](../zh-CN/security-model.md)
|
|
|
|
CyberStrikeAI is not a generic chatbot. It is a high-privilege security automation system with command execution, MCP tools, WebShell management, optional C2, batch tasks, and multi-agent orchestration.
|
|
|
|
## Trust Boundaries
|
|
|
|
Main actors:
|
|
|
|
- Web user: can chat, change settings, manage resources, and trigger tools.
|
|
- Agent: selects tools based on role, context, and middleware.
|
|
- MCP tools: may access files, run commands, call services, or touch targets.
|
|
- External MCP: third-party local or remote tool providers.
|
|
- Robot callbacks: platform-authenticated message ingress outside Web login.
|
|
|
|
Anyone who can log into the Web UI should be treated as an operator of the instance.
|
|
|
|
## Threat Model
|
|
|
|
| Threat | Path | Impact | Controls |
|
|
| --- | --- | --- | --- |
|
|
| Password leak | login, then use terminal/WebShell/C2 | platform takeover | strong password, HTTPS, internal network, audit |
|
|
| Prompt injection | target content instructs Agent to misuse tools | unauthorized actions | role boundaries, HITL, least tools |
|
|
| Malicious MCP | external tool lies or has side effects | host/target impact | trusted MCP only, isolation |
|
|
| Tool YAML tampering | command template changed | malicious execution | file permissions, review |
|
|
| C2 misuse | payload or task against unauthorized target | legal and business risk | disabled by default, approvals |
|
|
| WebShell misuse | destructive command on business host | outage/data loss | naming, read-only first, HITL |
|
|
| DB leak | copy `data/*.db` or uploads | sensitive target data | permissions, encrypted backups |
|
|
|
|
## HITL Is Not Magic
|
|
|
|
HITL sees a tool name, arguments, and context. It does not always see real-world impact. Be conservative when:
|
|
|
|
- a harmless-looking command wraps `bash -c` or base64;
|
|
- the MCP tool description is untrusted;
|
|
- WebShell target identity is vague;
|
|
- C2 payload delivery happens outside the platform;
|
|
- a read-only tool can still create traffic or side effects.
|
|
|
|
Audit Agent is useful for routine checks, not for replacing humans on destructive operations.
|
|
|
|
## Data Minimization
|
|
|
|
Avoid long-term storage of:
|
|
|
|
- real customer credentials;
|
|
- raw production data;
|
|
- long-lived cookies;
|
|
- unrelated scan output;
|
|
- stale WebShell or C2 sessions.
|
|
|
|
Project closeout should include cleanup of uploads, WebShell connections, C2 payloads, temporary workspaces, and bulky execution logs.
|
|
|
|
## Production Baseline
|
|
|
|
- Strong password and HTTPS.
|
|
- Internal/VPN/proxy restricted access.
|
|
- `audit.enabled: true`.
|
|
- Random `mcp.auth_header_value` when HTTP MCP is exposed.
|
|
- `c2.enabled: false` unless required.
|
|
- Minimal external MCP.
|
|
- No high-risk tools in global allowlist.
|
|
|
|
## Source Anchors
|
|
|
|
- Sessions: `internal/security/auth_manager.go`
|
|
- Auth middleware: `internal/security/auth_middleware.go`
|
|
- Rate limiting: `internal/security/ratelimit.go`
|
|
- Shell execution: `internal/security/executor.go`
|
|
- HITL execution: `internal/handler/hitl_execution.go`
|
|
- Audit service: `internal/audit/service.go`
|