ai_root_shield 0.2.0 → 0.4.0

data/lib/ai_root_shield/rasp_protection.rb

@@ -0,0 +1,359 @@
+# frozen_string_literal: true
+
+require "digest"
+require "fiddle"
+
+module AiRootShield
+  # Runtime Application Self-Protection (RASP) system
+  # Provides real-time protection against debugging, tampering, and injection attacks
+  class RaspProtection
+    # RASP event types for real-time reporting
+    RASP_EVENTS = {
+      debug_attempt: "DEBUG_ATTEMPT_DETECTED",
+      tamper_detected: "CODE_TAMPER_DETECTED", 
+      injection_blocked: "INJECTION_ATTEMPT_BLOCKED",
+      integrity_violation: "INTEGRITY_VIOLATION_DETECTED",
+      memory_patch: "MEMORY_PATCH_DETECTED"
+    }.freeze
+
+    def initialize(config = {})
+      @config = {
+        enable_anti_debug: true,
+        enable_anti_tamper: true,
+        enable_memory_protection: true,
+        enable_integrity_monitor: true,
+        enable_real_time_alerts: true,
+        alert_callback: nil,
+        critical_functions: [],
+        protection_interval: 1.0
+      }.merge(config)
+      
+      @event_callbacks = []
+      @protection_active = false
+      @integrity_hashes = {}
+      @original_memory_maps = {}
+      @protection_thread = nil
+      @last_check_time = Time.now
+      
+      initialize_protection if @config[:enable_real_time_alerts]
+    end
+
+    # Start RASP protection monitoring
+    def start_protection
+      return if @protection_active
+      
+      @protection_active = true
+      
+      # Initialize anti-debug protection
+      setup_anti_debug_protection if @config[:enable_anti_debug]
+      
+      # Initialize anti-tamper protection
+      setup_anti_tamper_protection if @config[:enable_anti_tamper]
+      
+      # Initialize memory protection
+      setup_memory_protection if @config[:enable_memory_protection]
+      
+      # Initialize integrity monitoring
+      setup_integrity_monitoring if @config[:enable_integrity_monitor]
+      
+      # Start real-time monitoring thread
+      start_monitoring_thread
+      
+      report_rasp_event(:protection_started, "RASP protection activated")
+    end
+
+    # Stop RASP protection monitoring
+    def stop_protection
+      @protection_active = false
+      @protection_thread&.kill
+      @protection_thread = nil
+      
+      report_rasp_event(:protection_stopped, "RASP protection deactivated")
+    end
+
+    # Register callback for RASP events
+    def on_rasp_event(&block)
+      @event_callbacks << block if block_given?
+    end
+
+    # Check current protection status
+    def protection_status
+      {
+        active: @protection_active,
+        anti_debug_enabled: @config[:enable_anti_debug],
+        anti_tamper_enabled: @config[:enable_anti_tamper],
+        memory_protection_enabled: @config[:enable_memory_protection],
+        integrity_monitor_enabled: @config[:enable_integrity_monitor],
+        events_detected: @events_detected || 0,
+        last_check: @last_check_time
+      }
+    end
+
+    private
+
+    def initialize_protection
+      @events_detected = 0
+      @last_check_time = Time.now
+    end
+
+    # Anti-Debug Protection Implementation
+    def setup_anti_debug_protection
+      # Check for ptrace attachment
+      check_ptrace_protection
+      
+      # Check for debugger processes
+      check_debugger_processes
+      
+      # Check for debug environment variables
+      check_debug_environment
+    end
+
+    def check_ptrace_protection
+      # Attempt to detect ptrace attachment
+      if ptrace_detected?
+        report_rasp_event(:debug_attempt, "Ptrace debugger attachment detected")
+        take_protection_action(:debug_attempt)
+      end
+    end
+
+    def ptrace_detected?
+      # Check /proc/self/status for TracerPid on Linux
+      return false unless File.exist?("/proc/self/status")
+      
+      status_content = File.read("/proc/self/status")
+      tracer_line = status_content.lines.find { |line| line.start_with?("TracerPid:") }
+      
+      if tracer_line
+        tracer_pid = tracer_line.split(":")[1].strip.to_i
+        return tracer_pid != 0
+      end
+      
+      false
+    rescue
+      false
+    end
+
+    def check_debugger_processes
+      debugger_processes = ["gdb", "lldb", "strace", "ltrace", "frida-server", "frida"]
+      
+      debugger_processes.each do |debugger|
+        if process_running?(debugger)
+          report_rasp_event(:debug_attempt, "Debugger process detected: #{debugger}")
+          take_protection_action(:debug_attempt)
+        end
+      end
+    end
+
+    def process_running?(process_name)
+      `pgrep #{process_name}`.strip.length > 0
+    rescue
+      false
+    end
+
+    def check_debug_environment
+      debug_vars = ["DEBUG", "LLDB_DEBUGSERVER_PATH", "DYLD_INSERT_LIBRARIES"]
+      
+      debug_vars.each do |var|
+        if ENV[var]
+          report_rasp_event(:debug_attempt, "Debug environment variable detected: #{var}")
+          take_protection_action(:debug_attempt)
+        end
+      end
+    end
+
+    # Anti-Tamper Protection Implementation
+    def setup_anti_tamper_protection
+      # Calculate initial code integrity hashes
+      calculate_code_integrity_hashes
+      
+      # Monitor for code modifications
+      monitor_code_integrity
+    end
+
+    def calculate_code_integrity_hashes
+      # Hash critical Ruby files and libraries
+      critical_files = [
+        __FILE__,
+        File.join(__dir__, "detector.rb"),
+        File.join(__dir__, "ai_behavioral_analyzer.rb")
+      ]
+      
+      critical_files.each do |file|
+        next unless File.exist?(file)
+        
+        content = File.read(file)
+        @integrity_hashes[file] = Digest::SHA256.hexdigest(content)
+      end
+    end
+
+    def monitor_code_integrity
+      @integrity_hashes.each do |file, original_hash|
+        next unless File.exist?(file)
+        
+        current_content = File.read(file)
+        current_hash = Digest::SHA256.hexdigest(current_content)
+        
+        if current_hash != original_hash
+          report_rasp_event(:tamper_detected, "Code integrity violation: #{file}")
+          take_protection_action(:tamper_detected)
+        end
+      end
+    rescue
+      # File access errors might indicate tampering
+      report_rasp_event(:tamper_detected, "File access anomaly detected")
+    end
+
+    # Memory Protection Implementation
+    def setup_memory_protection
+      # Monitor for Frida injection signatures
+      check_frida_injection
+      
+      # Monitor memory patches
+      monitor_memory_patches
+    end
+
+    def check_frida_injection
+      frida_indicators = [
+        "frida",
+        "gum-js-loop",
+        "gmain",
+        "glib-",
+        "FridaGadget"
+      ]
+      
+      # Check loaded libraries for Frida signatures
+      if maps_content = read_proc_maps
+        frida_indicators.each do |indicator|
+          if maps_content.include?(indicator)
+            report_rasp_event(:injection_blocked, "Frida injection detected: #{indicator}")
+            take_protection_action(:injection_blocked)
+          end
+        end
+      end
+    end
+
+    def read_proc_maps
+      File.read("/proc/self/maps") if File.exist?("/proc/self/maps")
+    rescue
+      nil
+    end
+
+    def monitor_memory_patches
+      # Check for suspicious memory modifications
+      if maps_content = read_proc_maps
+        # Look for executable memory regions that shouldn't be there
+        suspicious_regions = maps_content.lines.select do |line|
+          line.include?("rwxp") && !line.include?("[stack]") && !line.include?("[heap]")
+        end
+        
+        unless suspicious_regions.empty?
+          report_rasp_event(:memory_patch, "Suspicious executable memory regions detected")
+          take_protection_action(:memory_patch)
+        end
+      end
+    end
+
+    # Runtime Integrity Monitor Implementation
+    def setup_integrity_monitoring
+      # Monitor critical function integrity
+      monitor_critical_functions
+    end
+
+    def monitor_critical_functions
+      @config[:critical_functions].each do |function_info|
+        validate_function_integrity(function_info)
+      end
+    end
+
+    def validate_function_integrity(function_info)
+      # Validate function hash if provided
+      if function_info[:hash] && function_info[:method]
+        current_hash = calculate_method_hash(function_info[:method])
+        
+        if current_hash != function_info[:hash]
+          report_rasp_event(:integrity_violation, 
+            "Critical function integrity violation: #{function_info[:method]}")
+          take_protection_action(:integrity_violation)
+        end
+      end
+    end
+
+    def calculate_method_hash(method_obj)
+      # Calculate hash of method source if available
+      if method_obj.respond_to?(:source)
+        Digest::SHA256.hexdigest(method_obj.source)
+      else
+        # Fallback to method object hash
+        Digest::SHA256.hexdigest(method_obj.to_s)
+      end
+    rescue
+      nil
+    end
+
+    # Real-time Monitoring Thread
+    def start_monitoring_thread
+      @protection_thread = Thread.new do
+        while @protection_active
+          perform_protection_checks
+          sleep(@config[:protection_interval])
+        end
+      end
+    end
+
+    def perform_protection_checks
+      @last_check_time = Time.now
+      
+      # Perform all protection checks
+      check_ptrace_protection if @config[:enable_anti_debug]
+      check_debugger_processes if @config[:enable_anti_debug]
+      monitor_code_integrity if @config[:enable_anti_tamper]
+      check_frida_injection if @config[:enable_memory_protection]
+      monitor_memory_patches if @config[:enable_memory_protection]
+      monitor_critical_functions if @config[:enable_integrity_monitor]
+    end
+
+    # Event Reporting System
+    def report_rasp_event(event_type, message, details = {})
+      return unless @config[:enable_real_time_alerts]
+      
+      @events_detected = (@events_detected || 0) + 1
+      
+      event_data = {
+        type: RASP_EVENTS[event_type] || event_type.to_s.upcase,
+        message: message,
+        timestamp: Time.now.to_f,
+        details: details,
+        protection_status: protection_status
+      }
+      
+      # Call registered callbacks
+      @event_callbacks.each do |callback|
+        callback.call(event_data) rescue nil
+      end
+      
+      # Call configured alert callback
+      @config[:alert_callback]&.call(event_data) rescue nil
+      
+      # Log to stderr for immediate visibility
+      warn "[RASP] #{event_data[:type]}: #{message}" if @config[:enable_real_time_alerts]
+    end
+
+    # Protection Actions
+    def take_protection_action(threat_type)
+      case threat_type
+      when :debug_attempt
+        # Could implement process termination, obfuscation, etc.
+        report_rasp_event(:protection_action, "Anti-debug countermeasure activated")
+      when :tamper_detected
+        # Could implement integrity restoration, alerts, etc.
+        report_rasp_event(:protection_action, "Anti-tamper countermeasure activated")
+      when :injection_blocked
+        # Could implement injection blocking, process isolation, etc.
+        report_rasp_event(:protection_action, "Injection blocking countermeasure activated")
+      when :integrity_violation
+        # Could implement function restoration, alerts, etc.
+        report_rasp_event(:protection_action, "Integrity protection countermeasure activated")
+      end
+    end
+  end
+end

data/lib/ai_root_shield/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module AiRootShield
-  VERSION = "0.2.0"
+  VERSION = "0.4.0"
 end

data/lib/ai_root_shield.rb

@@ -8,25 +8,153 @@ require_relative "ai_root_shield/analyzers/hooking_detector"
 require_relative "ai_root_shield/analyzers/integrity_checker"
 require_relative "ai_root_shield/analyzers/network_analyzer"
 require_relative "ai_root_shield/ai_behavioral_analyzer"
+require_relative "ai_root_shield/rasp_protection"
 require_relative "ai_root_shield/risk_calculator"
 require_relative "ai_root_shield/device_log_parser"
+require_relative "ai_root_shield/certificate_pinning_helper"
+require_relative "ai_root_shield/advanced_proxy_detector"
+require_relative "ai_root_shield/enterprise_policy_manager"
 
 module AiRootShield
   class Error < StandardError; end
 
+  # Global instances
+  @rasp_protection = nil
+  @policy_manager = nil
+  @certificate_pinning = nil
+  @proxy_detector = nil
+
   # Main entry point for device scanning
   # @param device_logs_path [String] Path to device logs JSON file
   # @return [Hash] Risk assessment result with score and factors
   def self.scan_device(device_logs_path)
-    Detector.new.scan(device_logs_path)
+    scan_device_with_config(device_logs_path)
   end
 
-  # Scan device with custom configuration
+  # Scan device with custom configuration and policy validation
   # @param device_logs_path [String] Path to device logs JSON file
   # @param config [Hash] Configuration options
-  # @return [Hash] Risk assessment result with score and factors
+  # @return [Hash] Risk assessment result with score, factors, and compliance
   def self.scan_device_with_config(device_logs_path, config = {})
-    Detector.new(config).scan(device_logs_path)
+    detector = Detector.new(config)
+    scan_result = detector.scan(device_logs_path)
+    
+    # Add network security analysis if enabled
+    if config[:enable_network_analysis]
+      scan_result = enhance_with_network_analysis(scan_result, config)
+    end
+    
+    # Add policy compliance validation if policy manager is configured
+    if @policy_manager
+      compliance_result = @policy_manager.validate_compliance(scan_result)
+      scan_result[:compliance] = compliance_result
+    end
+    
+    scan_result
+  end
+
+  # Start RASP protection
+  # @param config [Hash] RASP configuration options
+  # @return [RaspProtection] RASP protection instance
+  def self.start_rasp_protection(config = {})
+    @rasp_protection = RaspProtection.new(config)
+    @rasp_protection.start_protection
+    @rasp_protection
+  end
+
+  # Stop RASP protection
+  def self.stop_rasp_protection
+    @rasp_protection&.stop_protection
+    @rasp_protection = nil
+  end
+
+  # Configure enterprise policy
+  # @param policy_config [String, Hash] Policy file path or configuration hash
+  # @return [EnterprisePolicyManager] Policy manager instance
+  def self.configure_policy(policy_config)
+    @policy_manager = EnterprisePolicyManager.new(policy_config)
+  end
+
+  # Configure certificate pinning
+  # @param config [Hash] Certificate pinning configuration
+  # @return [CertificatePinningHelper] Certificate pinning helper instance
+  def self.configure_certificate_pinning(config = {})
+    @certificate_pinning = CertificatePinningHelper.new(config)
+  end
+
+  # Configure proxy detection
+  # @param config [Hash] Proxy detection configuration
+  # @return [AdvancedProxyDetector] Proxy detector instance
+  def self.configure_proxy_detection(config = {})
+    @proxy_detector = AdvancedProxyDetector.new(config)
+  end
+
+  # Validate certificate pinning for a URL
+  # @param url [String] URL to validate
+  # @return [Hash] Validation result
+  def self.validate_certificate_pinning(url)
+    return { error: "Certificate pinning not configured" } unless @certificate_pinning
+    
+    cert_chain = @certificate_pinning.get_certificate_chain(url)
+    @certificate_pinning.validate_pin(url, cert_chain)
+  end
+
+  # Detect proxy usage for an IP address
+  # @param ip_address [String] IP address to analyze
+  # @param additional_data [Hash] Additional network data
+  # @return [Hash] Proxy detection result
+  def self.detect_proxy(ip_address, additional_data = {})
+    return { error: "Proxy detection not configured" } unless @proxy_detector
+    
+    @proxy_detector.detect_proxy(ip_address, additional_data)
+  end
+
+  # Get current RASP protection instance
+  # @return [RaspProtection, nil] Current RASP protection instance
+  def self.rasp_protection
+    @rasp_protection
+  end
+
+  # Get current policy manager instance
+  # @return [EnterprisePolicyManager, nil] Current policy manager instance
+  def self.policy_manager
+    @policy_manager
+  end
+
+  # Get current certificate pinning helper instance
+  # @return [CertificatePinningHelper, nil] Current certificate pinning helper instance
+  def self.certificate_pinning
+    @certificate_pinning
+  end
+
+  # Get current proxy detector instance
+  # @return [AdvancedProxyDetector, nil] Current proxy detector instance
+  def self.proxy_detector
+    @proxy_detector
+  end
+
+  # Check if RASP protection is active
+  # @return [Boolean] True if RASP protection is active
+  def self.rasp_active?
+    @rasp_protection&.protection_status&.dig(:active) || false
+  end
+
+  # Get comprehensive security status
+  # @return [Hash] Security status across all components
+  def self.security_status
+    {
+      version: VERSION,
+      rasp_active: rasp_active?,
+      policy_configured: !@policy_manager.nil?,
+      certificate_pinning_configured: !@certificate_pinning.nil?,
+      proxy_detection_configured: !@proxy_detector.nil?,
+      components: {
+        rasp: @rasp_protection&.protection_status,
+        policy: @policy_manager&.policy_statistics,
+        certificate_pinning: @certificate_pinning&.pinning_status,
+        proxy_detection: @proxy_detector&.detection_statistics
+      }
+    }
   end
 
   # Get version information
@@ -34,4 +162,43 @@ module AiRootShield
   def self.version
     VERSION
   end
+
+  private
+
+  # Enhance scan result with network security analysis
+  # @param scan_result [Hash] Original scan result
+  # @param config [Hash] Configuration options
+  # @return [Hash] Enhanced scan result
+  def self.enhance_with_network_analysis(scan_result, config)
+    network_analysis = {}
+    
+    # Add proxy detection if configured
+    if @proxy_detector && config[:target_ip]
+      proxy_result = @proxy_detector.detect_proxy(config[:target_ip], config[:network_data] || {})
+      network_analysis[:proxy_detection] = proxy_result
+      
+      # Add proxy indicators to risk factors if detected
+      if proxy_result[:proxy_detected]
+        scan_result[:factors] ||= []
+        proxy_result[:proxy_types].each do |type|
+          scan_result[:factors] << "NETWORK_#{type.upcase}_DETECTED"
+        end
+      end
+    end
+    
+    # Add certificate pinning validation if configured
+    if @certificate_pinning && config[:target_url]
+      pinning_result = validate_certificate_pinning(config[:target_url])
+      network_analysis[:certificate_pinning] = pinning_result
+      
+      # Add certificate pinning failure to risk factors if invalid
+      unless pinning_result[:valid]
+        scan_result[:factors] ||= []
+        scan_result[:factors] << "CERTIFICATE_PINNING_FAILED"
+      end
+    end
+    
+    scan_result[:network_analysis] = network_analysis unless network_analysis.empty?
+    scan_result
+  end
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: ai_root_shield
 version: !ruby/object:Gem::Version
-  version: 0.2.0
+  version: 0.4.0
 platform: ruby
 authors:
 - Ahmet KAHRAMAN
@@ -149,9 +149,12 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '0.9'
-description: An AI-powered Ruby library that performs on-device compromise detection
-  for mobile applications without requiring a backend. Detects root/jailbreak, emulators,
-  hooking frameworks, and provides behavioral risk analysis.
+description: An AI-powered Ruby library that performs comprehensive on-device compromise
+  detection for mobile applications. Features include root/jailbreak detection, emulator
+  detection, hooking framework detection, application integrity checks, advanced network
+  security analysis with certificate pinning and proxy detection, enterprise policy
+  management, AI behavioral analysis, and RASP protection - all without requiring
+  a backend.
 email:
 - ahmetxhero@gmail.com
 executables:
@@ -168,16 +171,23 @@ files:
 - Rakefile
 - examples/device_logs/clean_device.json
 - examples/device_logs/rooted_android.json
+- examples/policies/banking_policy.json
+- examples/policies/development_policy.json
+- examples/policies/enterprise_policy.json
 - exe/ai_root_shield
 - lib/ai_root_shield.rb
+- lib/ai_root_shield/advanced_proxy_detector.rb
 - lib/ai_root_shield/ai_behavioral_analyzer.rb
 - lib/ai_root_shield/analyzers/emulator_detector.rb
 - lib/ai_root_shield/analyzers/hooking_detector.rb
 - lib/ai_root_shield/analyzers/integrity_checker.rb
 - lib/ai_root_shield/analyzers/network_analyzer.rb
 - lib/ai_root_shield/analyzers/root_detector.rb
+- lib/ai_root_shield/certificate_pinning_helper.rb
 - lib/ai_root_shield/detector.rb
 - lib/ai_root_shield/device_log_parser.rb
+- lib/ai_root_shield/enterprise_policy_manager.rb
+- lib/ai_root_shield/rasp_protection.rb
 - lib/ai_root_shield/risk_calculator.rb
 - lib/ai_root_shield/version.rb
 - models/README.md
@@ -205,5 +215,6 @@ required_rubygems_version: !ruby/object:Gem::Requirement
 requirements: []
 rubygems_version: 3.6.9
 specification_version: 4
-summary: AI-powered mobile device compromise detection library
+summary: AI-powered mobile security library with advanced network security and enterprise
+  policy management
 test_files: []