ai_root_shield 0.2.0 → 0.4.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 4058e912dcc5fae977252eb4ef275a26aed884396fecb5f8b43502d2f4fc677e
-  data.tar.gz: 4f181c2508ca61cfbc1cb72ddd0da47849db2692b4cf8f49ff3c0880999479b9
+  metadata.gz: 7aa3147f758f9775ee0b5739aa6edf8c6a905052b72760bbbe5991c80a2c4925
+  data.tar.gz: bc5d646ce2e6c86bceef124763ed0ff3168a70bb90c6946f24e8e37fe5310df4
 SHA512:
-  metadata.gz: 2962bc0900324a1facec5c601fd63348bc13e39f9fb7c43c463c69174f4270f2131f54e5917d663b9d03ad488abce82ef3069de735bddbd96a5dc333b6a38577
-  data.tar.gz: 1740c00fe8e574f0f44d860c4b269a61b5fc6ed36091481a79ab504d6592f76dbfbddeac75803814216684f6e90fb6c994962227294ed4d96ac6dbbe1df87150
+  metadata.gz: 8a1160dbbbc26d2956ec0262ec5fbeeacce25335229cafdce11d88311bffe1fa040d060b47db07aff39344f3bd7f468433ea5ca2d4d768fc5d39d7e8b898de05
+  data.tar.gz: 0cfb012442a47483f041651fc47089348e115c1837583d54de71584f5678e5ccc34458f98adf40084f49d7149459e7c0d7f01fa9d8dd4af77b77ae76b06aeb44

data/CHANGELOG.md

@@ -12,12 +12,61 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Real-time threat monitoring capabilities
 - Custom rule engine for security policies
 
+## [0.4.0] - 2024-12-XX
+
+### Added
+- **Advanced Network Security** capabilities
+- Certificate pinning helper with TLS public key pinning integration
+- Advanced proxy detection (VPN, Tor, custom DNS, MITM appliance detection)
+- Enterprise policy management with JSON-based customizable security rules
+- Policy compliance validation and violation reporting
+- Network security analysis integration
+- Support for banking, enterprise, and development policy templates
+- CLI support for network security features (`--enable-cert-pinning`, `--enable-proxy-detection`, `--policy`)
+
+### Enhanced
+- Comprehensive security status reporting across all components
+- Enhanced CLI with network analysis options (`--target-ip`, `--target-url`)
+- Policy-driven risk assessment and compliance checking
+- Real-time network threat detection and reporting
+
+### Technical
+- Certificate chain validation and pin extraction
+- Multi-layered proxy detection (Tor exit nodes, VPN services, MITM appliances)
+- JSON policy definition with inheritance and merging
+- Audit logging and compliance reporting
+- Network analysis integration with existing risk calculation
+
+## [0.3.0] - 2024-01-03
+
+### Added
+- 🛡️ **RASP Protection**: Runtime Application Self-Protection with real-time threat blocking
+- 🛡️ **Anti-Debug Mechanisms**: Ptrace, GDB, LLDB detection and blocking
+- 🛡️ **Anti-Tamper Protection**: Code integrity and memory patch detection
+- 🛡️ **Dynamic Memory Protection**: Frida injection hook mitigation
+- 🛡️ **Runtime Integrity Monitor**: Critical function hash validation
+- 🛡️ **Real-Time Event Reporting**: Instant alerts for security violations
+- CLI RASP support with `--enable-rasp` and `--rasp-time` options
+- Comprehensive RASP test suite with 69 passing tests
+- Process monitoring for debugger detection
+- Memory map analysis for injection detection
+- Code integrity hash validation
+- Event callback system for real-time alerts
+
+### Changed
+- Enhanced CLI with RASP protection options
+- Updated main library interface with RASP methods
+- Improved error handling and protection status reporting
+
+### Dependencies
+- Added `fiddle` for low-level system interactions (Ruby standard library)
+
 ## [0.2.0] - 2024-01-02
 
 ### Added
-- **AI Behavioral Analysis**: ONNX-powered behavioral pattern analysis with anomaly detection
-- **ML-Based Emulator Detection**: Advanced machine learning techniques for emulator identification
-- **AI Confidence Scoring**: Confidence metrics integrated into risk assessment
+- 🤖 **AI Behavioral Analysis**: ONNX-powered behavioral pattern analysis with anomaly detection
+- 🤖 **ML-Based Emulator Detection**: Advanced machine learning techniques for emulator identification
+- 🤖 **AI Confidence Scoring**: Confidence metrics integrated into risk assessment
 - File access pattern analysis with entropy calculation
 - Sensor data consistency validation
 - Hardware fingerprinting with advanced characteristics

data/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    ai_root_shield (0.2.0)
+    ai_root_shield (0.4.0)
       digest (~> 3.1)
       json (~> 2.6)
       numo-narray (~> 0.9)

data/README.md

@@ -4,6 +4,7 @@
 [![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)
 [![Ruby](https://img.shields.io/badge/ruby-%23CC342D.svg?style=flat&logo=ruby&logoColor=white)](https://www.ruby-lang.org/)
 [![Security](https://img.shields.io/badge/security-first-green.svg)](https://github.com/ahmetxhero/ai-root-shield)
+[![Buy Me A Coffee](https://img.shields.io/badge/Buy%20Me%20A%20Coffee-support%20my%20work-FFDD00?style=flat&logo=buy-me-a-coffee&logoColor=black)](https://buymeacoffee.com/ahmetxhero)
 
 > **Created by [Ahmet KAHRAMAN](https://ahmetxhero.web.app)** - Mobile Developer & Cyber Security Expert  
 > *"Security first, innovation always"* 🛡️
@@ -17,6 +18,15 @@ An AI-powered Ruby library that performs comprehensive on-device compromise dete
 - **Hooking Framework Detection**: Detects Frida, Xposed, Substrate, and other instrumentation tools
 - **Application Integrity Checks**: Validates app signatures and detects repackaging/tampering
 - **Network Security Analysis**: Identifies TLS issues, custom CAs, and MITM tools
+- **🆕 Advanced Network Security**: Certificate pinning helper and comprehensive proxy detection
+- **🆕 Enterprise Policy Management**: JSON-based customizable security rules and compliance validation
+- **🆕 Certificate Pinning Helper**: TLS public key pinning with easy integration
+- **🆕 Advanced Proxy Detection**: VPN, Tor, custom DNS, and MITM appliance detection
+- **RASP Protection**: Runtime Application Self-Protection with real-time threat blocking
+- **Anti-Debug Mechanisms**: Ptrace, GDB, LLDB detection and blocking
+- **Anti-Tamper Protection**: Code integrity and memory patch detection
+- **Dynamic Memory Protection**: Frida injection hook mitigation
+- **Runtime Integrity Monitor**: Critical function hash validation
 - **AI Behavioral Analysis**: ONNX-powered behavioral pattern analysis with anomaly detection
 - **ML-Based Emulator Detection**: Advanced machine learning techniques for emulator identification
 - **AI Confidence Scoring**: Confidence metrics integrated into risk assessment
@@ -68,9 +78,9 @@ config = {
   enable_hooking_detection: true,
   enable_integrity_checks: true,
   enable_network_analysis: true,
-  enable_ai_behavioral_analysis: true,  # New in v0.2.0
+  enable_ai_behavioral_analysis: true,  # v0.2.0
   risk_threshold: 70,
-  ai_confidence_threshold: 0.7  # New in v0.2.0
+  ai_confidence_threshold: 0.7  # v0.2.0
 }
 
 result = AiRootShield.scan_device_with_config("device_logs/sample.json", config)
@@ -127,6 +137,102 @@ puts "AI Confidence: #{result[:ai_confidence]}"
 puts "ML Emulator Score: #{result[:ml_emulator_score]}"
 ```
 
+## Advanced Network Security & Policy Management (New in v0.4.0)
+
+Enterprise-grade network security and policy management capabilities:
+
+### Features
+- **Certificate Pinning Helper**: Easy TLS public key pinning integration with common CA support
+- **Advanced Proxy Detection**: Comprehensive detection of VPN, Tor, custom DNS, and MITM appliances
+- **Enterprise Policy Management**: JSON-based customizable security rules and compliance validation
+- **Policy Templates**: Pre-built policies for banking, enterprise, and development environments
+- **Compliance Reporting**: Detailed violation tracking and audit logging
+- **Network Analysis Integration**: Real-time network threat detection and assessment
+
+### Usage
+
+```ruby
+# Configure enterprise policy
+AiRootShield.configure_policy('examples/policies/banking_policy.json')
+
+# Set up certificate pinning
+pinning = AiRootShield.configure_certificate_pinning
+pinning.add_pin('api.mybank.com', ['sha256/YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg='])
+
+# Configure proxy detection
+AiRootShield.configure_proxy_detection
+
+# Scan with network analysis
+result = AiRootShield.scan_device_with_config('device_logs.json', {
+  enable_network_analysis: true,
+  target_ip: '192.168.1.100',
+  target_url: 'https://api.mybank.com'
+})
+
+puts "Compliance Status: #{result[:compliance][:compliant] ? 'COMPLIANT' : 'NON-COMPLIANT'}"
+puts "Network Analysis: #{result[:network_analysis]}"
+```
+
+### CLI Usage
+
+```bash
+# Scan with enterprise policy and network security
+$ ai_root_shield --policy examples/policies/banking_policy.json \
+                 --enable-cert-pinning \
+                 --enable-proxy-detection \
+                 --target-url https://api.mybank.com \
+                 --verbose device_logs.json
+```
+
+## RASP Protection (v0.3.0)
+
+Runtime Application Self-Protection provides real-time threat detection and blocking:
+
+### Features
+- **Anti-Debug Protection**: Detects and blocks ptrace, GDB, LLDB, and other debuggers
+- **Anti-Tamper Protection**: Monitors code integrity and detects memory patches
+- **Dynamic Memory Protection**: Prevents Frida injection and hook attempts
+- **Runtime Integrity Monitor**: Validates critical function hashes in real-time
+- **Real-Time Event Reporting**: Instant alerts for security violations
+
+### Usage
+
+```ruby
+# Start RASP protection
+rasp = AiRootShield.start_rasp_protection(
+  enable_anti_debug: true,
+  enable_anti_tamper: true,
+  enable_memory_protection: true,
+  enable_integrity_monitor: true,
+  enable_real_time_alerts: true,
+  protection_interval: 1.0
+)
+
+# Register event callback
+rasp.on_rasp_event do |event|
+  puts "[RASP] #{event[:type]}: #{event[:message]}"
+  # Take action based on threat type
+end
+
+# Check protection status
+status = rasp.protection_status
+puts "RASP Active: #{status[:active]}"
+puts "Events Detected: #{status[:events_detected]}"
+
+# Stop protection when done
+AiRootShield.stop_rasp_protection
+```
+
+### CLI RASP Support
+
+```bash
+# Enable RASP protection during scan
+$ ai_root_shield --enable-rasp --rasp-time 10 --verbose device_logs.json
+
+# Monitor for 30 seconds with RASP
+$ ai_root_shield --enable-rasp --rasp-time 30 device_logs.json
+```
+
 ## Risk Scoring
 
 The library provides a comprehensive risk score (0-100) based on detected security factors:
@@ -170,7 +276,7 @@ The library expects device logs in JSON format with the following structure:
     "ABNORMAL_TIMING_PATTERNS"
   ],
   "timestamp": 1640995200,
-  "version": "0.2.0"
+  "version": "0.3.0"
 }
 ```
 

data/examples/policies/banking_policy.json

@@ -0,0 +1,79 @@
+{
+  "version": "1.0",
+  "name": "Banking Security Policy",
+  "description": "High-security policy for banking and financial applications",
+  "minimum_security_level": 95,
+  "compliance_rules": {
+    "device_requirements": {
+      "allow_rooted_devices": false,
+      "allow_jailbroken_devices": false,
+      "allow_emulators": false,
+      "require_screen_lock": true,
+      "minimum_os_version": {
+        "android": "10.0",
+        "ios": "14.0"
+      },
+      "require_biometric_authentication": true,
+      "require_device_encryption": true
+    },
+    "network_security": {
+      "allow_vpn": false,
+      "allow_proxy": false,
+      "allow_tor": false,
+      "require_certificate_pinning": true,
+      "allowed_dns_servers": [
+        "8.8.8.8",
+        "1.1.1.1"
+      ],
+      "blocked_dns_servers": [],
+      "require_tls_1_3_minimum": true,
+      "block_self_signed_certificates": true,
+      "require_hsts": true
+    },
+    "application_integrity": {
+      "allow_debug_builds": false,
+      "allow_repackaged_apps": false,
+      "require_code_signing": true,
+      "allowed_certificate_issuers": [
+        "Bank Certificate Authority"
+      ],
+      "require_app_store_installation": true,
+      "block_sideloaded_apps": true,
+      "require_integrity_verification": true
+    },
+    "runtime_protection": {
+      "enable_rasp": true,
+      "allow_debugging": false,
+      "allow_hooking_frameworks": false,
+      "enable_tamper_detection": true,
+      "enable_anti_debug": true,
+      "enable_memory_protection": true,
+      "protection_interval": 500,
+      "enable_screenshot_protection": true
+    }
+  },
+  "risk_thresholds": {
+    "low": 5,
+    "medium": 15,
+    "high": 30,
+    "critical": 50
+  },
+  "actions": {
+    "on_policy_violation": "immediate_block",
+    "on_high_risk": "immediate_block",
+    "on_critical_risk": "immediate_block",
+    "custom_actions": {
+      "any_security_threat": "immediate_block_and_alert"
+    }
+  },
+  "reporting": {
+    "enable_audit_logs": true,
+    "log_level": "info",
+    "retention_days": 365,
+    "enable_real_time_alerts": true,
+    "alert_endpoints": [
+      "https://security.bank.com/critical-alerts",
+      "https://soc.bank.com/mobile-threats"
+    ]
+  }
+}

data/examples/policies/development_policy.json

@@ -0,0 +1,64 @@
+{
+  "version": "1.0",
+  "name": "Development Environment Policy",
+  "description": "Relaxed policy for development and testing environments",
+  "minimum_security_level": 40,
+  "compliance_rules": {
+    "device_requirements": {
+      "allow_rooted_devices": true,
+      "allow_jailbroken_devices": true,
+      "allow_emulators": true,
+      "require_screen_lock": false,
+      "minimum_os_version": {
+        "android": "7.0",
+        "ios": "11.0"
+      }
+    },
+    "network_security": {
+      "allow_vpn": true,
+      "allow_proxy": true,
+      "allow_tor": false,
+      "require_certificate_pinning": false,
+      "allowed_dns_servers": [],
+      "blocked_dns_servers": [],
+      "require_tls_1_2_minimum": false,
+      "block_self_signed_certificates": false
+    },
+    "application_integrity": {
+      "allow_debug_builds": true,
+      "allow_repackaged_apps": true,
+      "require_code_signing": false,
+      "allowed_certificate_issuers": [],
+      "require_app_store_installation": false,
+      "block_sideloaded_apps": false
+    },
+    "runtime_protection": {
+      "enable_rasp": false,
+      "allow_debugging": true,
+      "allow_hooking_frameworks": true,
+      "enable_tamper_detection": false,
+      "enable_anti_debug": false,
+      "enable_memory_protection": false,
+      "protection_interval": 5000
+    }
+  },
+  "risk_thresholds": {
+    "low": 30,
+    "medium": 60,
+    "high": 80,
+    "critical": 95
+  },
+  "actions": {
+    "on_policy_violation": "log_only",
+    "on_high_risk": "log_only",
+    "on_critical_risk": "alert",
+    "custom_actions": {}
+  },
+  "reporting": {
+    "enable_audit_logs": true,
+    "log_level": "debug",
+    "retention_days": 30,
+    "enable_real_time_alerts": false,
+    "alert_endpoints": []
+  }
+}

data/examples/policies/enterprise_policy.json

@@ -0,0 +1,89 @@
+{
+  "version": "1.0",
+  "name": "Enterprise Security Policy",
+  "description": "Comprehensive enterprise security policy for mobile applications",
+  "minimum_security_level": 80,
+  "compliance_rules": {
+    "device_requirements": {
+      "allow_rooted_devices": false,
+      "allow_jailbroken_devices": false,
+      "allow_emulators": false,
+      "require_screen_lock": true,
+      "minimum_os_version": {
+        "android": "9.0",
+        "ios": "13.0"
+      },
+      "allowed_device_models": [],
+      "blocked_device_models": []
+    },
+    "network_security": {
+      "allow_vpn": false,
+      "allow_proxy": false,
+      "allow_tor": false,
+      "require_certificate_pinning": true,
+      "allowed_dns_servers": [
+        "8.8.8.8",
+        "8.8.4.4",
+        "1.1.1.1",
+        "1.0.0.1"
+      ],
+      "blocked_dns_servers": [
+        "94.140.14.14",
+        "76.76.19.19"
+      ],
+      "require_tls_1_2_minimum": true,
+      "block_self_signed_certificates": true
+    },
+    "application_integrity": {
+      "allow_debug_builds": false,
+      "allow_repackaged_apps": false,
+      "require_code_signing": true,
+      "allowed_certificate_issuers": [
+        "Apple Inc.",
+        "Google Inc.",
+        "Enterprise CA"
+      ],
+      "require_app_store_installation": true,
+      "block_sideloaded_apps": true
+    },
+    "runtime_protection": {
+      "enable_rasp": true,
+      "allow_debugging": false,
+      "allow_hooking_frameworks": false,
+      "enable_tamper_detection": true,
+      "enable_anti_debug": true,
+      "enable_memory_protection": true,
+      "protection_interval": 1000
+    }
+  },
+  "risk_thresholds": {
+    "low": 15,
+    "medium": 35,
+    "high": 60,
+    "critical": 80
+  },
+  "actions": {
+    "on_policy_violation": "block",
+    "on_high_risk": "alert_and_log",
+    "on_critical_risk": "block_and_alert",
+    "custom_actions": {
+      "device_rooted": "immediate_block",
+      "tor_detected": "immediate_block",
+      "debugging_detected": "immediate_block"
+    }
+  },
+  "reporting": {
+    "enable_audit_logs": true,
+    "log_level": "warning",
+    "retention_days": 180,
+    "enable_real_time_alerts": true,
+    "alert_endpoints": [
+      "https://security.company.com/alerts"
+    ]
+  },
+  "exemptions": {
+    "test_devices": [],
+    "development_environments": [],
+    "emergency_override_codes": []
+  }
+}