experiments

Overview

Copyright 2023 Operant AI

Copyright 2023 Operant AI

Variables

ExperimentsRegistry is a list of all experiments

Types

type ClusterAdminBinding

type ClusterAdminBinding struct{}

type ClusterAdminBindingExperimentConfig

// ClusterAdminBindingExperimentConfig is the YAML configuration for the
// cluster-admin-binding experiment: the shared metadata plus a (currently
// empty) ClusterAdminBinding parameter block. Its pointer type implements
// Experiment (Run, Verify and Cleanup are listed for it on this page).
type ClusterAdminBindingExperimentConfig struct {
	// Metadata holds the experiment name, namespace and type (yaml `metadata`).
	Metadata   ExperimentMetadata  `yaml:"metadata"`
	// Parameters is the experiment-specific block (yaml `parameters`); empty for this experiment.
	Parameters ClusterAdminBinding `yaml:"parameters"`
}

func (*ClusterAdminBindingExperimentConfig) Cleanup

func (p *ClusterAdminBindingExperimentConfig) Cleanup(ctx context.Context, client *k8s.Client, experimentConfig *ExperimentConfig) error

func (*ClusterAdminBindingExperimentConfig) Description

func (*ClusterAdminBindingExperimentConfig) Framework

func (*ClusterAdminBindingExperimentConfig) Run

func (p *ClusterAdminBindingExperimentConfig) Run(ctx context.Context, client *k8s.Client, experimentConfig *ExperimentConfig) error

func (*ClusterAdminBindingExperimentConfig) Tactic

func (*ClusterAdminBindingExperimentConfig) Technique

func (*ClusterAdminBindingExperimentConfig) Type

func (*ClusterAdminBindingExperimentConfig) Verify

func (p *ClusterAdminBindingExperimentConfig) Verify(ctx context.Context, client *k8s.Client, experimentConfig *ExperimentConfig) (*verifier.Outcome, error)

type ContainerSecrets

// ContainerSecrets is the parameter block of the container-secrets experiment.
// Two boolean switches select which check the experiment performs and Env
// supplies the key/value pairs the experiment works with. What each check does
// concretely is implemented in Run/Verify, which are not shown on this page.
type ContainerSecrets struct {
	// ConfigMapCheck enables the ConfigMap-based check (yaml `config_map_check`).
	ConfigMapCheck bool                  `yaml:"config_map_check"`
	// PodEnvCheck enables the pod-environment-based check (yaml `pod_env_check`).
	PodEnvCheck    bool                  `yaml:"pod_env_check"`
	// Env lists the environment entries used by the experiment (yaml `env`).
	// NOTE(review): values are plain strings in the YAML file; treat experiment
	// config files as sensitive if real secret material is ever placed here.
	Env            []ContainerSecretsEnv `yaml:"env"`
}

type ContainerSecretsEnv

// ContainerSecretsEnv is one environment entry of ContainerSecrets.Env:
// an environment-variable name paired with its value.
type ContainerSecretsEnv struct {
	// EnvKey is the environment-variable name (yaml `env_key`).
	EnvKey   string `yaml:"env_key"`
	// EnvValue is the value paired with EnvKey (yaml `env_value`).
	EnvValue string `yaml:"env_value"`
}

type ContainerSecretsExperimentConfig

// ContainerSecretsExperimentConfig is the YAML configuration for the
// container-secrets experiment: shared metadata plus ContainerSecrets
// parameters. Its pointer type implements Experiment.
type ContainerSecretsExperimentConfig struct {
	// Metadata holds the experiment name, namespace and type (yaml `metadata`).
	Metadata   ExperimentMetadata `yaml:"metadata"`
	// Parameters configures the container-secrets checks (yaml `parameters`).
	Parameters ContainerSecrets   `yaml:"parameters"`
}

func (*ContainerSecretsExperimentConfig) Cleanup

func (p *ContainerSecretsExperimentConfig) Cleanup(ctx context.Context, client *k8s.Client, experimentConfig *ExperimentConfig) error

func (*ContainerSecretsExperimentConfig) Description

func (p *ContainerSecretsExperimentConfig) Description() string

func (*ContainerSecretsExperimentConfig) Framework

func (*ContainerSecretsExperimentConfig) Run

func (p *ContainerSecretsExperimentConfig) Run(ctx context.Context, client *k8s.Client, experimentConfig *ExperimentConfig) error

func (*ContainerSecretsExperimentConfig) Tactic

func (*ContainerSecretsExperimentConfig) Technique

func (*ContainerSecretsExperimentConfig) Type

func (*ContainerSecretsExperimentConfig) Verify

func (p *ContainerSecretsExperimentConfig) Verify(ctx context.Context, client *k8s.Client, experimentConfig *ExperimentConfig) (*verifier.Outcome, error)

type Experiment

// Experiment is the interface every experiment implements. The descriptive
// methods (Type, Description, Framework, Tactic, Technique) are pure metadata;
// Run, Verify and Cleanup perform the experiment's lifecycle against a
// cluster via the supplied k8s client and are all given the same
// ExperimentConfig.
type Experiment interface {
	// Type returns the type of the experiment; it is the value an
	// ExperimentMetadata.Type is expected to name.
	Type() string
	// Description describes the experiment in a brief sentence
	Description() string
	// Framework returns the attack framework e.g., MITRE/OWASP
	Framework() string
	// Tactic returns the attack tactic category
	Tactic() string
	// Technique returns the attack method
	Technique() string
	// Run runs the experiment, returning an error if it fails
	Run(ctx context.Context, client *k8s.Client, experimentConfig *ExperimentConfig) error
	// Verify verifies the experiment and reports the result as a
	// verifier.Outcome, returning an error if verification itself fails
	Verify(ctx context.Context, client *k8s.Client, experimentConfig *ExperimentConfig) (*verifier.Outcome, error)
	// Cleanup cleans up the experiment, returning an error if it fails.
	// NOTE(review): whether implementations tolerate a Run that failed
	// part-way (i.e. remove only what exists) is not visible here — confirm.
	Cleanup(ctx context.Context, client *k8s.Client, experimentConfig *ExperimentConfig) error
}

Experiment is the interface for an experiment

type ExperimentConfig

// ExperimentConfig is the generic, type-erased form of an experiment entry:
// the shared metadata plus a parameters block whose concrete shape depends on
// the experiment (compare the per-experiment *ExperimentConfig types on this
// page, which hold a typed Parameters field instead).
type ExperimentConfig struct {
	// Metadata for the experiment
	Metadata ExperimentMetadata `yaml:"metadata"`
	// Parameters for the experiment, decoded generically; presumably
	// re-decoded into the typed block selected by Metadata.Type — confirm.
	Parameters interface{} `yaml:"parameters"`
}

ExperimentConfig is a structure that represents the configuration for an experiment.

type ExperimentMetadata

// ExperimentMetadata is the metadata common to every experiment entry.
type ExperimentMetadata struct {
	// Name of the experiment
	Name string `yaml:"name"`
	// Namespace to apply the experiment to
	Namespace string `yaml:"namespace"`
	// Type of the experiment; expected to match an Experiment's Type() so
	// the right implementation can be selected — confirm against the registry.
	Type string `yaml:"type"`
}

ExperimentMetadata is a structure that represents the metadata required for an experiment.

type ExperimentsConfig

// ExperimentsConfig is the top-level document of an experiments YAML file.
type ExperimentsConfig struct {
	// ExperimentConfigs is the list of experiment entries (yaml `experiments`).
	ExperimentConfigs []ExperimentConfig `yaml:"experiments"`
}

ExperimentsConfig is a structure that represents the configuration for a set of experiments.

type HostPath

// HostPath names a path on the node's filesystem.
type HostPath struct {
	// Path is the host filesystem path (yaml `path`); presumably the
	// directory exposed to the pod through a hostPath volume — confirm in Run.
	Path string `yaml:"path"`
}

type HostPathMount

// HostPathMount is the parameter block of the host-path-mount experiment.
type HostPathMount struct {
	// HostPath selects the host path to mount (yaml `host_path`).
	HostPath HostPath `yaml:"host_path"`
}

type HostPathMountExperimentConfig

// HostPathMountExperimentConfig is the YAML configuration for the
// host-path-mount experiment: shared metadata plus HostPathMount parameters.
// Its pointer type implements Experiment.
type HostPathMountExperimentConfig struct {
	// Metadata holds the experiment name, namespace and type (yaml `metadata`).
	Metadata   ExperimentMetadata `yaml:"metadata"`
	// Parameters selects the host path to mount (yaml `parameters`).
	Parameters HostPathMount      `yaml:"parameters"`
}

func (*HostPathMountExperimentConfig) Cleanup

func (p *HostPathMountExperimentConfig) Cleanup(ctx context.Context, client *k8s.Client, experimentConfig *ExperimentConfig) error

func (*HostPathMountExperimentConfig) Description

func (p *HostPathMountExperimentConfig) Description() string

func (*HostPathMountExperimentConfig) Framework

func (p *HostPathMountExperimentConfig) Framework() string

func (*HostPathMountExperimentConfig) Run

func (p *HostPathMountExperimentConfig) Run(ctx context.Context, client *k8s.Client, experimentConfig *ExperimentConfig) error

func (*HostPathMountExperimentConfig) Tactic

func (*HostPathMountExperimentConfig) Technique

func (p *HostPathMountExperimentConfig) Technique() string

func (*HostPathMountExperimentConfig) Type

func (*HostPathMountExperimentConfig) Verify

func (p *HostPathMountExperimentConfig) Verify(ctx context.Context, client *k8s.Client, experimentConfig *ExperimentConfig) (*verifier.Outcome, error)

type K8sSecretsParameters

// K8sSecretsParameters is the parameter block of the list-k8s-secrets
// experiment: the remote-executor settings plus the namespaces to inspect.
type K8sSecretsParameters struct {
	// ExecutorConfig configures the remote executor used by the experiment (yaml `executor_config`).
	ExecutorConfig executor.RemoteExecuteAPI `yaml:"executor_config"`
	// Namespaces lists the namespaces the experiment operates on (yaml `namespaces`).
	// Whether an empty list means "none" or "all" is decided in Run — confirm.
	Namespaces     []string                  `yaml:"namespaces"`
}

type ListK8sSecretsConfig

// ListK8sSecretsConfig is the YAML configuration for the list-k8s-secrets
// experiment: shared metadata plus K8sSecretsParameters. Its pointer type
// implements Experiment.
type ListK8sSecretsConfig struct {
	// Metadata holds the experiment name, namespace and type (yaml `metadata`).
	Metadata   ExperimentMetadata   `yaml:"metadata"`
	// Parameters holds the executor settings and target namespaces (yaml `parameters`).
	Parameters K8sSecretsParameters `yaml:"parameters"`
}

func (*ListK8sSecretsConfig) Cleanup

func (p *ListK8sSecretsConfig) Cleanup(ctx context.Context, client *k8s.Client, experimentConfig *ExperimentConfig) error

func (*ListK8sSecretsConfig) Description

func (p *ListK8sSecretsConfig) Description() string

func (*ListK8sSecretsConfig) Framework

func (p *ListK8sSecretsConfig) Framework() string

func (*ListK8sSecretsConfig) Run

func (p *ListK8sSecretsConfig) Run(ctx context.Context, client *k8s.Client, experimentConfig *ExperimentConfig) error

func (*ListK8sSecretsConfig) Tactic

func (p *ListK8sSecretsConfig) Tactic() string

func (*ListK8sSecretsConfig) Technique

func (p *ListK8sSecretsConfig) Technique() string

func (*ListK8sSecretsConfig) Type

func (p *ListK8sSecretsConfig) Type() string

func (*ListK8sSecretsConfig) Verify

func (p *ListK8sSecretsConfig) Verify(ctx context.Context, client *k8s.Client, experimentConfig *ExperimentConfig) (*verifier.Outcome, error)

type PrivilegedContainer

// PrivilegedContainer is the parameter block of the privileged-container
// experiment. Each flag presumably toggles the corresponding pod/container
// security setting on the deployment the experiment creates; all four are
// settings a restrictive Pod Security Standards profile is expected to reject,
// so the experiment's Verify step is where that enforcement becomes visible.
type PrivilegedContainer struct {
	// Privileged requests a privileged security context (yaml `privileged`).
	Privileged  bool `yaml:"privileged"`
	// HostPid requests the host PID namespace (yaml `host_pid`).
	HostPid     bool `yaml:"host_pid"`
	// HostNetwork requests the host network namespace (yaml `host_network`).
	HostNetwork bool `yaml:"host_network"`
	// RunAsRoot requests that the container run as root (yaml `run_as_root`).
	RunAsRoot   bool `yaml:"run_as_root"`
}

PrivilegedContainer is an experiment that creates a deployment with a privileged container; its flags also cover sharing the host PID and network namespaces and running as root.

type PrivilegedContainerExperimentConfig

// PrivilegedContainerExperimentConfig is the YAML configuration for the
// privileged-container experiment: shared metadata plus PrivilegedContainer
// parameters. Its pointer type implements Experiment.
type PrivilegedContainerExperimentConfig struct {
	// Metadata holds the experiment name, namespace and type (yaml `metadata`).
	Metadata   ExperimentMetadata  `yaml:"metadata"`
	// Parameters selects which privilege escalations the deployment requests (yaml `parameters`).
	Parameters PrivilegedContainer `yaml:"parameters"`
}

func (*PrivilegedContainerExperimentConfig) Cleanup

func (p *PrivilegedContainerExperimentConfig) Cleanup(ctx context.Context, client *k8s.Client, experimentConfig *ExperimentConfig) error

func (*PrivilegedContainerExperimentConfig) Description

func (*PrivilegedContainerExperimentConfig) Framework

func (*PrivilegedContainerExperimentConfig) Run

func (p *PrivilegedContainerExperimentConfig) Run(ctx context.Context, client *k8s.Client, experimentConfig *ExperimentConfig) error

func (*PrivilegedContainerExperimentConfig) Tactic

func (*PrivilegedContainerExperimentConfig) Technique

func (*PrivilegedContainerExperimentConfig) Type

func (*PrivilegedContainerExperimentConfig) Verify

func (p *PrivilegedContainerExperimentConfig) Verify(ctx context.Context, client *k8s.Client, experimentConfig *ExperimentConfig) (*verifier.Outcome, error)

type RemoteExecuteAPIExperimentConfig

// RemoteExecuteAPIExperimentConfig is the YAML configuration for the
// remote-execute-API experiment. Unlike the other experiments its Parameters
// field is the executor package's RemoteExecuteAPI type directly rather than
// a local wrapper. Its pointer type implements Experiment.
type RemoteExecuteAPIExperimentConfig struct {
	// Metadata holds the experiment name, namespace and type (yaml `metadata`).
	Metadata   ExperimentMetadata        `yaml:"metadata"`
	// Parameters configures the remote executor (yaml `parameters`).
	Parameters executor.RemoteExecuteAPI `yaml:"parameters"`
}

RemoteExecuteAPI is an experiment that uses the remote executor to check a remote output. The image must be created independently; the current default is `alconen/egress_server`, which runs a simple web app on port 4000 that checks HTTP connectivity to a few domains ("https://google.com", "https://linkedin.com", "https://openai.com/") and reports success based on the outcome of those calls. The source can be found at cmd/executor-server.

func (*RemoteExecuteAPIExperimentConfig) Cleanup

func (p *RemoteExecuteAPIExperimentConfig) Cleanup(ctx context.Context, client *k8s.Client, experimentConfig *ExperimentConfig) error

func (*RemoteExecuteAPIExperimentConfig) Description

func (p *RemoteExecuteAPIExperimentConfig) Description() string

func (*RemoteExecuteAPIExperimentConfig) Framework

func (*RemoteExecuteAPIExperimentConfig) Run

func (p *RemoteExecuteAPIExperimentConfig) Run(ctx context.Context, client *k8s.Client, experimentConfig *ExperimentConfig) error

func (*RemoteExecuteAPIExperimentConfig) Tactic

func (*RemoteExecuteAPIExperimentConfig) Technique

func (*RemoteExecuteAPIExperimentConfig) Type

func (*RemoteExecuteAPIExperimentConfig) Verify

func (p *RemoteExecuteAPIExperimentConfig) Verify(ctx context.Context, client *k8s.Client, experimentConfig *ExperimentConfig) (*verifier.Outcome, error)

type Result

// Result is a JSON-encoded result record: a name plus one URLResult per
// URL checked. Its JSON tags suggest it is the shape exchanged with the
// executor server and/or written by RunVerifiers(writeJSON=true) — confirm.
type Result struct {
	// Name identifies the result (json `name`).
	Name      string      `json:"name"`
	// URLResult holds the per-URL outcomes (json `url_result`).
	URLResult []URLResult `json:"url_result"`
}

type Runner

type Runner struct {
	// contains filtered or unexported fields
}

Runner runs a set of experiments

func NewRunner

func NewRunner(ctx context.Context, experimentFiles []string) *Runner

NewRunner returns a new Runner

func (*Runner) Cleanup

func (r *Runner) Cleanup()

Cleanup cleans up all experiments in the Runner

func (*Runner) Run

func (r *Runner) Run()

Run runs all experiments in the Runner

func (*Runner) RunVerifiers

func (r *Runner) RunVerifiers(writeJSON bool)

RunVerifiers runs all verifiers in the Runner for the provided experiments

type URLResult

// URLResult is the outcome of one connectivity check.
type URLResult struct {
	// URL is the address that was checked (json `url`).
	URL     string `json:"url"`
	// Success reports whether the check of URL succeeded (json `success`).
	Success bool   `json:"success"`
}
