feat: taint checking and security#197
feat: taint checking and security#197ambrishrawat wants to merge 52 commits intogenerative-computing:mainfrom
Conversation
Merge ProtectionsYour pull request matches the following merge protections and will not be merged until they are valid. 🟢 Enforce conventional commitWonderful, this rule succeeded.Make sure that we follow https://www.conventionalcommits.org/en/v1.0.0/
|
|
@nrfulton quick clarifications -
|
We should infer automatically where-ever possible. I nthis case, I'm not sure how you would infer taint. I guess you assumption here is that |
|
Yes, that was the thinking. Making it configurable may make more sense for taint. Any thoughts on the best way to expose that? Would love your take on the code too. |
|
If there is a tainted variable in the context, everything downstream should get tainted. As for how variables get tainted in the first place, a common way people do this is to define sources, sinks, and (optionally) washers. These are wrappers around interfaces that produce sensitive data (e.g. HR database api), or where it enters an unsafe place (e.g. sending to a UI). |
ambrishrawat
force-pushed
the
security_poc
branch
from
4798f64 to
d1b09e1
Compare
Signed-off-by: Ambrish Rawat <ambrish.rawat@ie.ibm.com>
Signed-off-by: Ambrish Rawat <ambrish.rawat@ie.ibm.com>
Signed-off-by: Ambrish Rawat <ambrish.rawat@ie.ibm.com>
Signed-off-by: Ambrish Rawat <ambrish.rawat@ie.ibm.com>
Signed-off-by: Ambrish Rawat <ambrish.rawat@ie.ibm.com>
Signed-off-by: Ambrish Rawat <ambrish.rawat@ie.ibm.com>
Signed-off-by: Ambrish Rawat <ambrish.rawat@ie.ibm.com>
Signed-off-by: Ambrish Rawat <ambrish.rawat@ie.ibm.com>
Signed-off-by: Ambrish Rawat <ambrish.rawat@ie.ibm.com>
ambrishrawat
force-pushed
the
security_poc
branch
from
d5f8033 to
5466c31
Compare
docs/dev/taint_analysis.md
Outdated
| component = CBlock("user input") | ||
| component.mark_tainted() # Sets SecLevel.tainted_by(component) |
There was a problem hiding this comment.
- CBlocks should be immutable.
- Naming a variable
Ccmponentand assigning it to aCBlockis confusing. - The cyclic reference here is a bit confusing and invites buggy code. Use
tainted_by(None)instead oftainted_by(self)for the root node.
c = CBlock("user input", sec_level=SecLevel.tained_by(None))There was a problem hiding this comment.
Updated this; tainted_by(None) for root now
docs/dev/taint_analysis.md
Outdated
| component = CBlock("user input") | ||
| component.mark_tainted() # Sets SecLevel.tainted_by(component) | ||
|
|
||
| if component._meta["_security"].is_tainted(): |
There was a problem hiding this comment.
Defined it as a property and now this works as c.sec_level.is_tainted()
| print(f"Original CBlock is tainted: {not tainted_desc.is_safe()}") | ||
|
|
||
| # Create session | ||
| session = MelleaSession(OllamaModelBackend("llama3.2")) |
There was a problem hiding this comment.
Unless the example critically depends on using a particular model, always use session = start_session() instead. This makes the examples easier to maintain.
|
|
||
| # The result should be tainted | ||
| print(f"Result is tainted: {not result.is_safe()}") | ||
| if not result.is_safe(): |
There was a problem hiding this comment.
We should use is_tainted instead of is_safe. The meaning of safe is very ambiguous.
There was a problem hiding this comment.
Removed all instances of is_safe
mellea/security/core.py
Outdated
| Returns: | ||
| The CBlock or Component that tainted this content, or None | ||
| """ | ||
| if self.level_type == "tainted_by": |
There was a problem hiding this comment.
Especially in a module called security.core, we should avoid use of magic strings.
mellea/security/core.py
Outdated
| sources.append(action) | ||
|
|
||
| # For Components, check their constituent parts for taint | ||
| if hasattr(action, 'parts'): |
There was a problem hiding this comment.
Instead us something like:
match action:
case Component...
case CBlock...(If type(action) :> Component then check is not necessary because the Component protocol has a parts() method. )
There was a problem hiding this comment.
Updated it to use match/case
Signed-off-by: Ambrish Rawat <ambrish.rawat@ie.ibm.com>
Signed-off-by: Ambrish Rawat <ambrish.rawat@ie.ibm.com>
|
Thanks for the review @nrfulton ! |
Signed-off-by: Ambrish Rawat <ambrish.rawat@ie.ibm.com>
|
hi ambrish! |
Merge ProtectionsYour pull request matches the following merge protections and will not be merged until they are valid. 🟢 Enforce conventional commitWonderful, this rule succeeded.Make sure that we follow https://www.conventionalcommits.org/en/v1.0.0/
|
Merge ProtectionsYour pull request matches the following merge protections and will not be merged until they are valid. 🟢 Enforce conventional commitWonderful, this rule succeeded.Make sure that we follow https://www.conventionalcommits.org/en/v1.0.0/
|
Merge ProtectionsYour pull request matches the following merge protections and will not be merged until they are valid. 🟢 Enforce conventional commitWonderful, this rule succeeded.Make sure that we follow https://www.conventionalcommits.org/en/v1.0.0/
|
Merge ProtectionsYour pull request matches the following merge protections and will not be merged until they are valid. 🟢 Enforce conventional commitWonderful, this rule succeeded.Make sure that we follow https://www.conventionalcommits.org/en/v1.0.0/
|
mellea/security/core.py
Outdated
| def wrapper(*args, **kwargs): | ||
| # Check all arguments for marked content (tainted or classified) | ||
| for arg in args: | ||
| if isinstance(arg, TaintChecking): |
There was a problem hiding this comment.
I'm wondering if there's an issue with here in not looking recursively (ie via taint_sources() )? the args may be ok, but we could have a tainted Component?
There was a problem hiding this comment.
Ah I see that, yes need to call taint_sources here and do a recursive check for classified sources as well. I will update this.
Merge ProtectionsYour pull request matches the following merge protections and will not be merged until they are valid. 🟢 Enforce conventional commitWonderful, this rule succeeded.Make sure that we follow https://www.conventionalcommits.org/en/v1.0.0/
|
|
|
||
|
|
||
| def declassify(cblock: "CBlock") -> "CBlock": | ||
| """Create a declassified version of a CBlock (non-mutating). |
There was a problem hiding this comment.
Only CBlocks or any subclass? If the latter, we return a CBlock which would lose the subclass info?
For example could it be an ImageBlock?
Also note that ImageBlock never calls super().init() which means the value that is being copied does not exist == crash?
There was a problem hiding this comment.
Right, this particular declassify is merely illustrative, hence only applicable to CBlocks. One would need bespoke declassification methods for applications to sparsify taint information across the code. That was my initial thinking
Merge ProtectionsYour pull request matches the following merge protections and will not be merged until they are valid. 🟢 Enforce conventional commitWonderful, this rule succeeded.Make sure that we follow https://www.conventionalcommits.org/en/v1.0.0/
|
Signed-off-by: Ambrish Rawat <ambrish.rawat@ie.ibm.com>
Merge ProtectionsYour pull request matches the following merge protections and will not be merged until they are valid. 🟢 Enforce conventional commitWonderful, this rule succeeded.Make sure that we follow https://www.conventionalcommits.org/en/v1.0.0/
|
Signed-off-by: Ambrish Rawat <ambrish.rawat@ie.ibm.com>
|
@planetf1 Updated the logic for privileged. It recursively checks for both taint and classified. |
Signed-off-by: Ambrish Rawat <ambrish.rawat@ie.ibm.com>
Signed-off-by: Ambrish Rawat <ambrish.rawat@ie.ibm.com>
Signed-off-by: Ambrish Rawat <ambrish.rawat@ie.ibm.com>
Merge ProtectionsYour pull request matches the following merge protections and will not be merged until they are valid. 🟢 Enforce conventional commitWonderful, this rule succeeded.Make sure that we follow https://www.conventionalcommits.org/en/v1.0.0/
|
planetf1
left a comment
planetf1
left a comment
There was a problem hiding this comment.
I think there are also some
- uses of Any where the types should be stricter
- incorrect types
- missing type annotations
I know we have omissions elsewhere, but it feels that the focus on security here makes it worth paying close attention.
Need to have a fiddle with mypy/py (the default rules are not strict enough) to be sure
mellea/core/base.py
Outdated
| sec_level: Any = None, | ||
| ): | ||
| """Initialize ModelOutputThunk with an optional pre-computed value and metadata.""" | ||
| super().__init__(value, meta) |
There was a problem hiding this comment.
| super().__init__(value, meta) |
I think this is left over from conflict resolution as it's a double init() ?
| List of constituent components. Empty by default; subclasses override | ||
| to expose their internal structure. | ||
| """ | ||
| return [] |
There was a problem hiding this comment.
We'll now return none -- inconsistent with annotations, and likely to cause a crash?
mellea/backends/huggingface.py
Outdated
| @@ -838,6 +844,11 @@ async def _generate_from_context_with_kv_cache( | |||
|
|
|||
| output = ModelOutputThunk(None) | |||
There was a problem hiding this comment.
left over from conflict since we're assigning a few lines later. And what about assigning _start (not checked if we do that much further down). We'd lose it?
mellea/backends/huggingface.py
Outdated
| @@ -983,6 +994,11 @@ async def _generate_from_context_standard( | |||
|
|
|||
| output = ModelOutputThunk(None) | |||
There was a problem hiding this comment.
is this another dup ? similar -- worth checking for this pattern through the code?
mellea/core/base.py
Outdated
| meta: dict[str, Any] | None = None, | ||
| parsed_repr: S | None = None, | ||
| tool_calls: dict[str, ModelToolCall] | None = None, | ||
| sec_level: Any = None, |
There was a problem hiding this comment.
As per Nathan's comment above there's another example. I think we should be explicit - especially given it's security. May be worth doing a more thorough check on type annotations and use of Any?
| nested = _collect_sources_by_predicate(item, None, predicate) | ||
| sources.extend(nested) | ||
| except Exception: | ||
| pass |
There was a problem hiding this comment.
what else could happen here? Do we need more checks for other exceptions? Or log something at least? I guess we're trying to be non-intrusive (need to understand code better to suggest exact changes!)
|
|
||
| @runtime_checkable | ||
| class Component(Protocol, Generic[S]): | ||
| class Component(TaintChecking, Protocol, Generic[S]): |
There was a problem hiding this comment.
so any contribs/older code outside mellea would be impacted -- should we ensure we capture in release notes/doc as a breaking change
| lambda self: getattr(self, "_sec_level", None), | ||
| doc="Get the security level for this Component.", | ||
| ) | ||
| setattr(obj, "sec_level", sec_level_prop) |
There was a problem hiding this comment.
this works on a class but fails on an instance - other parts of the code have checks for class vs instance to do the right thing, but this is omitted here
Signed-off-by: Ambrish Rawat <ambrish.rawat@ie.ibm.com>
|
I've started taking a look at this. Will finish my review soon. |
6 participants
This PR introduces a minimal proof-of-concept for taint and security propagation across CBlock, ModelOutputThunk, and session flows, as discussed in generative-computing/mellea#189
.